Re: OpenLDAP authenticate the username/password with MS-AD?

To: Dan White <dwhite@olp.net>

Subject: Re: OpenLDAP authenticate the username/password with MS-AD?

From: OSHIM <mhoshim@gmail.com>

Date: Mon, 19 Jul 2010 22:07:54 +0600

Cc: Jonathan Clarke <jonathan@phillipoux.net>, "andrew.findlay@skills-1st.co.uk" <andrew.findlay@skills-1st.co.uk>, "openldap-technical@openldap.org" <openldap-technical@openldap.org>

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:subject:mime-version :content-type:from:in-reply-to:date:cc:message-id:references:to :x-mailer; bh=+VE0A/s7tcvCJKd8BLn0SQhyf10ctL7dZwhRbDjwsUE=; b=WKDkEUILgux02AKByve+P0PbelcikLUu+CYbq+tbMRy/DMVKDbIegH1zt7BruIkTA6 48ewMcFh8YOtJWGy7n9KXx7MJsW7uBFx5JW+dNWTW5atwyx2HZT9YwMMDyR0srC9DUxM AS9BpDn0x1I773p4mQPqcIfvWNuZa/psKt65g=

Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=subject:mime-version:content-type:from:in-reply-to:date:cc :message-id:references:to:x-mailer; b=pby1TBQCF8vN/UwjT2DY4kidTIr5lBqukfby909wUd6WaEKlemmO4jORi7fwaIW5Oa 7C5R5LwFyrLuH33IpKJFvGggnFEMUDnJNS9jVQ2wjhqn+aAGnoBD7DRWmNbYEw9BLTkm InKWLmXOMb7nXG+5EfqixHScO4D2m4bOThx3k=

In-reply-to: <20100719155742.GD2510@dan.olp.net>

References: <E4481F58-15BD-4F86-9F79-194097713D79@gmail.com> <20100718173105.GE12404@dan.olp.net> <4EBC8E86-1E19-46CD-964F-F57D35B2CCB5@gmail.com> <20100718185730.GF12404@dan.olp.net> <B6960B5A-ED62-4B22-B385-19DC27940265@gmail.com> <4C442DFA.4030405@phillipoux.net> <65EE30A8-5409-4842-8991-D252A3442473@gmail.com> <20100719155742.GD2510@dan.olp.net>

I have added into /etc/ldap/slapd.conf

sasl-host localhost

sasl-secprops none

and also have created usr/lib/sasl2/slapd.conf and have added following two lines

pwcheck_method: saslauthd
saslauthd_path: / var / run / saslauthd / mux

On Jul 19, 2010, at 9:57 PM, Dan White wrote:

On 19/07/10 21:18 +0600, OSHIM wrote:
i have configured saslauthd with openldap to authenticate MS AD
when I run testsaslauthd -u swioshim -p Test2010 then i got 0: OK "Success."
(swioshim is my MS AD user and Test2010 password coming from MS AD)

but when i run
ldapsearch -x -D "cn=swioshim,dc=myproject,dc=com" -W -b dc=myproject,dc=com

then getting error : ldap_bind: Invalid credentials (49)

please help

saslauthd will not be called for simple (non-sasl) binds. You will need to
tell ldapsearch to bind with SASL, such as:

ldapsearch -U swioshim -W -b dc=myproject,dc=com

You'll need to configure /usr/lib/sasl2/slapd.conf with:

pwcheck_method: saslauthd
mech_list: plain login

And if you want to map the derived authentication identity to a DN in your
slapd tree, then you'll need to configure appropriate authz-regexp
statements. See chapter 15 (Using SASL) of the OpenLDAP administrator's
guide.

--
Dan White