
Re: MAC OS/X authentication against OpenLDAP 2.3 (Resolved)



Ah, the SASL mechanism is it... I had not configured the sasl-secprops to disable the SASL mechanisms that are not configured. In OL 2.2, attempting to use a mechanism that was not configured (/etc/sasldb2 doesn't exist) resulted in error code 80 (0x50 -- Internal Error). And that triggered the Mac to fall back and try a simple bind.

OL 2.3, in the same scenario returns error code 49 (0x31 -- Invalid Credentials) -- As far as I'm concerned, that's a lie... However, I'm certain someone discussed this on the developers list (which I don't follow closely) and it was decided that a failure because the SASL mechanism is not properly implemented should be deemed to be the same as if the mechanism was implemented and returned a failure.

Since I use {SASL}principal@realm (aka spasswd) to validate the passwords against the Kerberos environment and do provide the GSSAPI mechanism, the trick for me was to find the correct setting of sasl-secprops to disable all the other SASL mechanisms that roll along for "free" with the RedHat installation.

fix: I needed to add

sasl-secprops noplain,noanonymous,noactive

to my slapd.conf file.

Frank

On 2/11/06 6:43 PM, Aaron Richton wrote:
If you're expecting the Macs to do simple binds, they're probably not.
(They probably did in earlier 2.3/2.2, but that was a bug in slapd.)
Either configure OpenLDAP to accept SASL binds, recompile --without-sasl,
or fake it with

access to dn.exact="" attrs=supportedSASLMechanisms by * none

any one of which will force DSLDAPv3 to downgrade to a simple bind.

On Fri, 10 Feb 2006, Francis Swasey wrote:

I have just gotten clobbered because I completed upgrading the last of
the ldap servers to 2.3.19 today and immediately all the Macs on campus
were unable to authenticate....

Anyone else experience problems with Macs authenticating against
OpenLDAP 2.3 when they were able to with OpenLDAP 2.2?

-- 
Frank Swasey                    | http://www.uvm.edu/~fcs
Senior IT Professional          | Always remember: You are UNIQUE,
University of Vermont           |    just like everyone else.
  "I am not young enough to know everything." - Oscar Wilde (1854-1900)
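A way to confirm, from the client side, that the fix above actually took effect: the Mac's DSLDAPv3 plugin picks its bind method from the supportedSASLMechanisms values on the root DSE, so after adding the sasl-secprops line (or the ACL that hides the attribute) the server should advertise nothing but GSSAPI (and possibly EXTERNAL), and a plain `-x` simple bind should succeed. The script below is an added example, not code from the thread or from OpenLDAP; it assumes the OpenLDAP `ldapsearch` client tools are installed, and the allowed list "GSSAPI EXTERNAL" is an assumption about what survives noplain,noanonymous,noactive on a GSSAPI-enabled build. The parsing helpers run offline against a constructed LDIF sample; `check_server` needs a reachable slapd.

```shell
#!/bin/sh
# Added example (not from the original post): verify which SASL mechanisms
# slapd advertises and whether a simple bind works after the sasl-secprops fix.

# Read LDIF on stdin (as produced by `ldapsearch -LLL -s base -b ''`) and
# print the advertised SASL mechanisms as a single sorted, space-separated line.
mechs_from_ldif() {
    sed -n 's/^supportedSASLMechanisms: *//p' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Return 0 if every mechanism in $1 is in the allowed list $2 (both space-separated).
# An empty $1 (attribute hidden by ACL, or none configured) also returns 0.
only_allowed() {
    for m in $1; do
        case " $2 " in
            *" $m "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Live check against a real server; needs network access, so it is not
# exercised by the offline checks. $1 = LDAP URI, $2 = bind DN,
# $3 = file holding that DN's password (read with ldapsearch -y).
check_server() {
    uri=$1; binddn=$2; passfile=$3
    advertised=$(ldapsearch -LLL -x -H "$uri" -s base -b '' supportedSASLMechanisms | mechs_from_ldif)
    echo "advertised SASL mechanisms: ${advertised:-<none>}"
    # Assumed allowed list: what a GSSAPI-only slapd should still advertise.
    if only_allowed "$advertised" "GSSAPI EXTERNAL"; then
        echo "OK: no password-carrying SASL mechanism left for DSLDAPv3 to try first"
    else
        echo "WARN: DSLDAPv3 will attempt one of these SASL mechanisms instead of a simple bind"
    fi
    # The bind the Macs actually need: anonymous-free simple bind with -x.
    if ldapsearch -LLL -x -H "$uri" -D "$binddn" -y "$passfile" -s base -b '' 1.1 >/dev/null 2>&1; then
        echo "simple bind as $binddn: OK"
    else
        echo "simple bind as $binddn: FAILED (check result code with -d 1)"
    fi
}

# Usage: check_server ldap://ldap.example.edu 'uid=test,ou=People,dc=example,dc=edu' /root/test.pw
```

Run `check_server` once before and once after restarting slapd with the new sasl-secprops line; the "advertised" line should drop from PLAIN/LOGIN/CRAM-MD5/DIGEST-MD5 down to GSSAPI (and EXTERNAL if ldapi:// or TLS client certs are in use), and the simple bind line should turn to OK.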