
Re: can't get slapd to do pass-through authentication
Many thanks to everyone here. I've got it working now. The first part of the solution was finding out (thanks Dan!) that cyrus-sasl doesn't use prefix_dir/lib/sasl2/slapd.conf when you build from source unless you explicitly set --with-configdir (Aha!).

After temporarily linking /usr/lib/sasl2 to my prefix_dir/lib/sasl2, it still wasn't working but that was because I'd messed with so many different settings in the sasl slapd.conf. Re-reading the openldap docs on pass-thru authentication and going back to this worked:
mech_list:       plain
pwcheck_method:  saslauthd
saslauthd_path:  /var/state/saslauthd/mux
sasl-secprops:   none

Brent

Dan White wrote:
> On 05/08/10 14:00 -0700, Brent Bice wrote:
>> I created a lib/sasl2/slapd.conf file again and in it specified:
>> pwcheck_method:    saslauthd
>> saslauthd_path:    /var/state/saslauthd/mux
>
> If testsaslauthd works without specifying a '-f' option, then you shouldn't
> need to specify saslauthd_path.

I didn't think so either. I put it in just in case slapd was trying to figure out where the socket was by reading this file.

> Is that /usr/lib/sasl2/slapd.conf?
>
> See if you can find out what --with-configdir option was passed to your
> cyrus sasl ./configure when it was compiled, which defaults to
> /usr/lib/sasl2 (regardless of where the libraries are actually installed).
>
> If you were not creating it in the correct location, then libsasl would
> default to using sasldb auxprop for authentication. You could create a test
> user:
>
> saslpasswd -c bbice
>
> to see if sasldb is being used.
>
> I don't think testsaslauthd uses libsasl itself, so if none of that works,
> you may still need to verify your libsasl is installed and linked
> correctly. sample-server and sample-client might help (create a
> /usr/lib/sasl2/sample.conf).
>
> You might also try a direct SASL bind against the server to see if that
> works. Add 'sasl-secprops none' to your slapd.conf, then do:
>
> ldapwhoami -Y PLAIN -U bbice ...
>
> which should also use saslauthd to authenticate, with pwcheck_method:
> saslauthd.
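The thread turns on two files that are easy to confuse: the Cyrus SASL application config (lib/sasl2/slapd.conf, "key: value" lines read by libsasl) and OpenLDAP's own slapd.conf (keyword-and-arguments lines, where sasl-secprops actually lives). The following is an added example, not code from the thread or from either project: a small Python linter that parses both formats and reports the pass-through pitfalls discussed above. It assumes the saslauthd mux path from the thread as the default socket location, a hand-picked subset of Cyrus SASL option names, and constructed sample config text; the socket check is injectable so the script runs without saslauthd present.

```python
"""Lint a Cyrus SASL app config and an OpenLDAP slapd.conf for saslauthd
pass-through authentication. Added example; file formats are the real ones,
the option subset and sample configs below are assumptions/constructed."""
import os

# Subset of option names libsasl reads from an application config (assumption:
# not exhaustive, enough to spot directives that belong in slapd.conf instead).
SASL_KNOWN = {"mech_list", "pwcheck_method", "saslauthd_path",
              "auxprop_plugin", "sasldb_path", "log_level"}
# Socket path used in the thread; treated here as the default when unset.
DEFAULT_MUX = "/var/state/saslauthd/mux"


def parse_sasl_conf(text):
    """Cyrus SASL config: one 'key: value' per line, '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        conf[key.strip().lower()] = value.strip()
    return conf


def parse_slapd_conf(text):
    """OpenLDAP slapd.conf: 'keyword arg...' lines; returns (keyword, args)."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            entries.append((parts[0].lower(), parts[1:]))
    return entries


def lint(sasl_text, slapd_text, socket_exists=os.path.exists):
    """Return a list of human-readable findings (empty list == looks sane)."""
    findings = []
    sasl = parse_sasl_conf(sasl_text)
    slapd = parse_slapd_conf(slapd_text)

    # Directives libsasl does not know are silently ignored, so a misplaced
    # slapd.conf keyword in this file gives no error and no effect.
    for key in sasl:
        if key not in SASL_KNOWN:
            findings.append(f"sasl: '{key}' is not a Cyrus SASL option and is "
                            "ignored here; it belongs in OpenLDAP's slapd.conf")

    # Without pwcheck_method saslauthd, libsasl falls back to auxprop/sasldb.
    if sasl.get("pwcheck_method", "").lower() != "saslauthd":
        findings.append("sasl: pwcheck_method is not saslauthd, so libsasl "
                        "falls back to auxprop (sasldb)")

    # saslauthd only verifies plaintext passwords: PLAIN/LOGIN work, shared-
    # secret mechanisms such as DIGEST-MD5 cannot be served by it.
    mechs = set(sasl.get("mech_list", "").lower().split())
    unsupported = mechs - {"plain", "login"}
    if unsupported:
        findings.append("sasl: saslauthd cannot serve "
                        + " ".join(sorted(unsupported)) + "; keep mech_list plaintext-only")

    mux = sasl.get("saslauthd_path", DEFAULT_MUX)
    if not socket_exists(mux):
        findings.append(f"sasl: saslauthd socket {mux} not found; check that "
                        "saslauthd is running and the path matches its -m option")

    # slapd's default sasl-secprops is 'noanonymous,noplain'; 'none' clears
    # both, which is what makes a PLAIN bind possible in the first place.
    secprops = [args for kw, args in slapd if kw == "sasl-secprops"]
    clears_noplain = any("none" in [a.lower() for a in args] for args in secprops)
    ssf_floor = any(kw == "security" and any(a.startswith(("ssf=", "tls="))
                    for a in args) for kw, args in slapd)
    if clears_noplain and not ssf_floor:
        findings.append("slapd: 'sasl-secprops none' re-enables PLAIN but no "
                        "'security ssf=/tls=' floor is set; the password can "
                        "cross the wire in clear")
    if not secprops and "plain" in mechs:
        findings.append("slapd: default sasl-secprops 'noanonymous,noplain' "
                        "still disables PLAIN; the pass-through bind will fail")
    return findings


# Constructed sample inputs mirroring the thread (not copied from any host).
SASL_EXAMPLE = """mech_list: plain
pwcheck_method: saslauthd
saslauthd_path: /var/state/saslauthd/mux
sasl-secprops: none   # misplaced: this is a slapd.conf directive
"""
SLAPD_WEAK = "sasl-secprops none\n"
SLAPD_HARDENED = "security ssf=128\nsasl-secprops none\n"

if __name__ == "__main__":
    for name, slapd_text in (("weak", SLAPD_WEAK), ("hardened", SLAPD_HARDENED)):
        print(f"== {name} ==")
        for f in lint(SASL_EXAMPLE, slapd_text, socket_exists=lambda p: p == DEFAULT_MUX):
            print(" -", f)
```

Run it as-is to see the two sample reports; point `lint()` at the real file contents (and drop the `socket_exists` override) to check a live host. The interesting finding for this thread is the first one: a `sasl-secprops` line inside the Cyrus SASL file is accepted without complaint and does nothing, so the directive has to be in slapd.conf, ideally alongside a `security` floor so that re-enabling PLAIN does not mean accepting passwords over cleartext.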