Re: Simple Bind pass-through to SASL/PLAIN

[Dan White <dwhite@olp.net>]

On 03/03/11 17:07 -0700, Zach Schimke wrote:
> Is there any trick to this?
>
> I am able to get SASL/PLAIN and SASL/GSSAPI binds to work perfectly 
> with my ldap server. What I want to get working is the authentication 
> pass-through.
>
> From what I can gather, it appears that LDAP should be able to 
> authenticate a simple bind, take a look at the userPassword attribute 
> (which contains '{SASL}username@REALM) and perform a SASL/PLAIN from 
> there.
>
> We want to avoid maintaining two separate passwords (LDAP and 
> Kerberos V) although some applications (like phpLDAPAdmin, Drupal, 
> etc) do not allow the use of Kerberos natively.
>
> /etc/sasl2/slapd.conf (using CentOS):
>    pwcheck_method: saslauthd
>
> Here's a snippet of my openldap.log during a simple bind:
>    Mar  3 16:45:49 kdc1 slapd[28132]: conn=2009 fd=39 ACCEPT from 
> IP=149.169.147.254:56106 (IP=0.0.0.0:636)
>    Mar  3 16:45:49 kdc1 slapd[28132]: conn=2009 fd=39 TLS 
> established tls_ssf=256 ssf=256
>    Mar  3 16:45:49 kdc1 slapd[28132]: conn=2009 op=0 BIND 
> dn="cn=test account,ou=people,o=mars" method=128
>    Mar  3 16:45:49 kdc1 slapd[28132]: send_ldap_result: conn=2009 
> op=0 p=3
>    Mar  3 16:45:49 kdc1 slapd[28132]: conn=2009 op=0 RESULT tag=97 
> err=49 text=
>    Mar  3 16:45:49 kdc1 slapd[28132]: connection_closing: readying 
> conn=2009 sd=39 for close
>    Mar  3 16:45:49 kdc1 slapd[28132]: connection_close: conn=2009 sd=-1
>    Mar  3 16:45:49 kdc1 slapd[28132]: conn=2009 fd=39 closed 
> (connection lost)
>
> Anything I should double-check, modify, etc?

Verify that your openldap installation was compiled with
'--enable-spasswd'.

Try running saslauthd in debug mode to see if slapd is passing an
authentication attempt.

--
Dan White