
OpenLDAP SASL Passthrough
Hi,

I'm so confused by the SASL passthrough implementation.

I set for the user test in my ldap tree the password {SASL}test@MY_REALM

Keytab:

[test@ldap-master001 /]#--> ls /etc/krb5.keytab  -l
-rw-r----- 1 root openldap 1078 2011-11-11 11:56 /etc/krb5.keytab
SASL GSSAPI Auth: works well
[test@ldap-master001 /]#--> ldapwhoami
SASL/GSSAPI authentication started
SASL username: test@MY_REALM
SASL SSF: 56
SASL data security layer installed.
dn:uid=test,cn=mycomany.net,cn=gssapi,cn=auth
SASL SLAPD Config:
[root@ldap-master001 /]#---> cat /usr/lib/sasl2/slapd.conf
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
keytab: /etc/krb5.keytab
testsaslauthd works well:
[root@ldap-master001 /]#---> testsaslauthd -u test -p MYPASSWORD -r MY_REALM -s ldap
0: OK "Success."

sasl debug log:
saslauthd[26077] :do_auth : auth success: [user=test] [service=ldap] [realm=MY_REALM] [mech=kerberos5]
saslauthd[26077] :do_request : response: OK
But the ldapsearch simplebind command takes 7-10s...

[test@ldap-master001 /]#--> ldapsearch -D uid=test,ou=users,dc=my,dc=company -w MYPASSWORD -s base -b ''  -x
ldap_bind: Invalid credentials (49)
And the sasl debug log shows:

saslauthd[26076] :do_auth : auth failure: [user=test] [service=ldap] [realm=MY_REALM] [mech=kerberos5] [reason=saslauthd internal error]
WTF, why does testsaslauthd work but the LDAP auth fail?
The Kerberos server works well for both commands...
root@ldap-master001:/usr/local/etc/openldap# /usr/local/libexec/slapd -V
@(#) $OpenLDAP: slapd 2.4.21 (Nov 10 2011 11:20:35) $
    root@ldap-master001:/usr/local/src/openldap-2.4.21/servers/slapd

root@ldap-master001:/usr/local/etc/openldap# saslauthd -v
saslauthd: /usr/local/lib/liblber-2.4.so.2: no version information available (required by saslauthd)
saslauthd: /usr/local/lib/libldap_r-2.4.so.2: no version information available (required by saslauthd)
saslauthd 2.1.23
authentication mechanisms: sasldb getpwent kerberos5 pam rimap shadow ldap
Thank you
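As an added diagnostic aid that is not part of the post above, a small Python parser for the saslauthd `do_auth` lines quoted in it: it compares the last working and failing attempts field by field (so an operator can confirm both paths reached saslauthd with the same user, service, realm and mech) and checks a `{SASL}user@REALM` userPassword value against the identity saslauthd logged. The sample log is constructed from the two outcomes shown in the post.

```python
import re
from typing import Optional

# Constructed sample in saslauthd's debug-log format (the two outcomes quoted
# in the post), not a capture from a real server.
SAMPLE_LOG = """\
saslauthd[26077] :do_auth : auth success: [user=test] [service=ldap] [realm=MY_REALM] [mech=kerberos5]
saslauthd[26077] :do_request : response: OK
saslauthd[26076] :do_auth : auth failure: [user=test] [service=ldap] [realm=MY_REALM] [mech=kerberos5] [reason=saslauthd internal error]
"""

LINE_RE = re.compile(
    r"saslauthd\[(?P<pid>\d+)\] :do_auth : auth (?P<outcome>success|failure): (?P<fields>.*)$"
)
FIELD_RE = re.compile(r"\[(?P<key>[a-z]+)=(?P<value>[^\]]*)\]")

def parse_do_auth(line: str) -> Optional[dict]:
    """Return the fields of a do_auth line; None for any other saslauthd line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"pid": int(m.group("pid")), "outcome": m.group("outcome")}
    rec.update(FIELD_RE.findall(m.group("fields")))  # [(key, value), ...]
    return rec

def sasl_identity(userpassword: str) -> Optional[tuple]:
    """Split a {SASL}user@REALM userPassword value into (user, realm)."""
    if not userpassword.startswith("{SASL}"):
        return None  # not a passthrough value (e.g. a {SSHA} hash)
    user, _, realm = userpassword[len("{SASL}"):].partition("@")
    return (user, realm or None) if user else None

def identity_matches(userpassword: str, rec: dict) -> bool:
    """True if the directory entry's passthrough identity is what saslauthd logged."""
    return sasl_identity(userpassword) == (rec.get("user"), rec.get("realm"))

def diff_attempts(log: str) -> dict:
    """Fields that differ between the last success and the last failure."""
    attempts = [r for r in map(parse_do_auth, log.splitlines()) if r]
    ok = [r for r in attempts if r["outcome"] == "success"]
    bad = [r for r in attempts if r["outcome"] == "failure"]
    if not ok or not bad:
        return {}
    a, b = ok[-1], bad[-1]
    keys = (set(a) | set(b)) - {"pid", "outcome"}
    return {k: (a.get(k), b.get(k)) for k in sorted(keys) if a.get(k) != b.get(k)}
```

For the two lines in the post the only differing field is `reason`, which shows that slapd's simple bind reached saslauthd with the same identity and mech as testsaslauthd did.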