Re: Authenticate to ldap using Kerberos
On 9 Sep 10, at 21:47, Dan White wrote:
> On 09/09/10 12:47 +0800, Wouter van Marle wrote:
>> Adding user `openldap' to group `sasl' ...
>> Adding user openldap to group sasl
>> Done.
>
> (Did you restart slapd?)

I don't remember... restarted it many times in the process :) I'm not
used to needing to restart apps in this situation.

> The issue is that the /var/run/saslauthd directory, where the
> saslauthd unix socket is located, is only accessible by group 'sasl'
> (and root).

True:

drwx--x--- 2 root sasl 4096 2010-09-09 10:14 saslauthd

Still the same permission denied error message in syslog!

> If I recall correctly, you mentioned running Postfix previously. Is it
> running chrooted? Have you customized the location of your saslauthd
> mux?

Not chrooted; saslauthd mux is in the default location with proper 777
permissions.

> If so, you'll need to add:
>
> saslauthd_path: /path/to/saslauthd
>
> What's the output of /etc/default/saslauthd (minus the comments)?

START=yes
DESC="SASL Authentication Daemon"
NAME="saslauthd"
MECHANISMS="pam"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-c -m /var/run/saslauthd"

> Also, assuming IMAP is running on the same system, what's the output
> of:
>
> grep sasl /etc/imapd.conf | sed 's/^sasl_//'

pwcheck_method: saslauthd pam
auto_transition: no

(after removing lots of comments with sasl in them)

> Is that substantially different from /usr/lib/sasl2/slapd.conf?

pwcheck_method: saslauthd
mech_list: plain login gssapi external
keytab: /etc/ldap/ldap.keytab

The most important difference is that pam is not mentioned here. But then
from other mails I understand that slapd only wants to use saslauthd
and not pam.

> To troubleshoot, find out where saslauthd is listening:
>
> # netstat -an | grep saslauthd
> unix 2 [ ACC ] STREAM LISTENING 9712 /var/run/saslauthd/mux

# netstat -an | grep saslauthd
unix 2 [ ACC ] STREAM LISTENING 85098910 /var/run/saslauthd/mux

Cyrus uses saslauthd at least; that is working well. And saslauthd
again talks to Kerberos.

For some reason it's still not possible for me to have slapd talk to
pam or saslauthd for authentication.

And for some other reason the authors insist the only way to use
Kerberos authentication for slapd is GSSAPI.

OK, well, I've just been playing a bit with ldapsearch: it now takes
SASL/GSSAPI by itself and I don't have to enter a password to get
results out of the LDAP database. So something has improved all in all:

$ ldapsearch -b 'ou=foobar,ou=addressbook,dc=squirrel'
SASL/GSSAPI authentication started
SASL username: wouter@SQUIRREL
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <ou=foobar,ou=addressbook,dc=squirrel> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 6
result: 32 No such object
matchedDN: ou=addressbook,dc=squirrel

# numResponses: 1
---------------------------------

TLS doesn't work; I haven't bothered with that one too much yet.

And I still have a {CRYPT} password set for myself in the LDAP
database.

Interestingly, according to klist I don't have a ticket, and kinit doesn't
give me a ticket, yet still it works.

Maybe because it's all the same computer. I have just one machine for
a server.

Wouter.

> Set your saslauthd_path appropriately:
>
> saslauthd_path: /var/run/saslauthd
>
> (minus the /mux)
>
> and correct any permissions problems to that directory. The mux itself
> should have 777 permissions:
>
> srwxrwxrwx 1 root root 0 2010-08-23 22:37 /var/run/saslauthd/mux
>
> --
> Dan White
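As an added diagnostic for the permission-denied problem this thread circles around (not code from either poster), the POSIX shell functions below read the mux directory from the OPTIONS= line of /etc/default/saslauthd, compare it with saslauthd_path in the application's SASL config, and check whether a daemon user such as openldap can traverse that directory using the same owner/group/other selection the kernel applies. It assumes GNU coreutils (stat -c) and a Debian-style layout; the paths in the usage comment are the ones named in the thread.

```shell
#!/bin/sh
# Added diagnostic (not from the thread). Assumes GNU coreutils `stat -c`.
# Usage on a Debian host (as root):
#   check_slapd_sasl_access /etc/default/saslauthd /usr/lib/sasl2/slapd.conf openldap

# Mux directory from the OPTIONS= line of /etc/default/saslauthd: the value
# after -m, or saslauthd's default /var/run/saslauthd when -m is absent.
mux_dir_from_defaults() {
    opts=$(sed -n 's/^OPTIONS="\(.*\)"$/\1/p' "$1")
    set -- $opts
    while [ $# -gt 0 ]; do
        if [ "$1" = "-m" ]; then echo "$2"; return 0; fi
        shift
    done
    echo "/var/run/saslauthd"
}

# saslauthd_path from an application config (e.g. /usr/lib/sasl2/slapd.conf).
# The option names the run directory, so a value ending in /mux is a mismatch.
saslauthd_path_from_conf() {
    sed -n 's/^saslauthd_path:[[:space:]]*//p' "$1"
}

# Can USER search DIR? Mirrors the kernel's owner/group/other choice, so a
# daemon whose new group membership only applies after a restart shows as denied.
can_traverse() {
    dir=$1; user=$2
    info=$(stat -c '%U %G %a' "$dir") || return 1
    set -- $info
    owner=$1; group=$2; perm=$(printf '%04d' "$3")   # special,owner,group,other
    if [ "$user" = "$owner" ]; then bits=${perm#?}; bits=${bits%??}
    elif id -nG "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then
        bits=${perm#??}; bits=${bits%?}
    else bits=${perm#???}; fi
    [ $((bits & 1)) -eq 1 ]
}

# Report config mismatches and access problems; exit 1 if USER cannot reach the mux dir.
check_slapd_sasl_access() {
    mux=$(mux_dir_from_defaults "$1"); cfg=$(saslauthd_path_from_conf "$2"); user=$3
    [ -z "$cfg" ] || [ "$cfg" = "$mux" ] || echo "MISMATCH: saslauthd_path '$cfg' vs saslauthd -m '$mux'"
    if can_traverse "$mux" "$user"; then echo "OK: $user can traverse $mux"; return 0; fi
    echo "DENIED: $user cannot traverse $mux (check group membership, then restart slapd)"
    return 1
}
```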