[Date Prev][Date Next] [Chronological] [Thread] [Top]

Trying to get passthrough auth working with OpenLDAP and Kerberos

To: openldap-technical@openldap.org
Subject: Trying to get passthrough auth working with OpenLDAP and Kerberos
From: Chastity Blackwell <chas@aggregateknowledge.com>
Date: Wed, 25 Jan 2012 12:14:44 -0800

For the last two weeks I have been on a sojourn through the wonderful
world of LDAP, Kerberos, and SASL, which has had me banging my head
against the desk more often than not. Today I'm finally crying uncle and
asking for some help.

We're running Centos 5.4, currently with OpenLDAP for user info and
Kerberos for authentication, but we want to be able to use LDAP for
authentication on a bunch of devices that can't use Kerberos natively.
So I've been trying to get the passthrough auth working. So far, I think
I've made a lot of progress, but I've run into a wall. Kerberos and LDAP
are working in my testbed, and I can kinit and do an ldapwhoami no
problem. testsaslauthd also gives me a success when I run it. However,
when try to do a simple bind:

[chas@ldapsandbox]$ ldapwhoami -x -D
'uid=chas,ou=People,dc=test,dc=domain' -W
Enter LDAP Password: 
ldap_bind: Invalid credentials (49)
[chas@ldapsandbox]$ 

syslog shows this:

2012-01-25T12:04:55-08:00 ldapsandbox slapd[14363]: conn=6 fd=15 ACCEPT
from IP=10.17.136.50:55923 (IP=0.0.0.0:389)
2012-01-25T12:04:55-08:00 ldapsandbox slapd[14363]: conn=6 op=0 BIND
dn="uid=chas,ou=People,dc=test,dc=domain" method=128
2012-01-25T12:04:55-08:00 ldapsandbox slapd[14363]: SASL [conn=6]
Failure: cannot connect to saslauthd server: No such file or directory
2012-01-25T12:04:55-08:00 ldapsandbox slapd[14363]: conn=6 op=0 RESULT
tag=97 err=49 text=
2012-01-25T12:04:55-08:00 ldapsandbox slapd[14363]: conn=6 fd=15 closed
(connection lost)

Meanwhile, the saslauthd I'm running with /usr/sbin/saslauthd -a
kerberos5 -d doesn't even show a connection or anything to the console.
Any idea why it can't connect to the saslauthd server?

Here's my OpenLDAP slapd.conf:

include		/etc/openldap/schema/core.schema
include		/etc/openldap/schema/cosine.schema
include		/etc/openldap/schema/inetorgperson.schema
include		/etc/openldap/schema/nis.schema
allow bind_v2
pidfile		/var/run/openldap/slapd.pid
argsfile	/var/run/openldap/slapd.args

TLSCACertificateFile /etc/openldap/cacert.crt
TLSCertificateFile /etc/openldap/ldapsandbox.crt
TLSCertificateKeyFile /etc/openldap/ldapsandbox.key

authz-regexp uid=([^/]*),cn=gssapi,cn=auth uid=
$1,ou=People,dc=test,dc=domain

access to *
	by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write
	by * read

database	bdb
suffix		"dc=test,dc=domain"

directory	/var/lib/ldap

index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

And here's my /etc/sasl2/slapd.conf:

pwcheck_method: saslauthd
saslauthd_path: /var/run/sasl2/mux

Any ideas?

Follow-Ups:
- Re: Trying to get passthrough auth working with OpenLDAP and Kerberos
  - From: Dan White <dwhite@olp.net>
- Re: Trying to get passthrough auth working with OpenLDAP and Kerberos
  - From: Dan White <dwhite@olp.net>

Prev by Date: Re: How to enable monitoring in OpenLdap with cn=config Backend
Next by Date: Re: How to enable monitoring in OpenLdap with cn=config Backend
Index(es):
- Chronological
- Thread