
Re: Trying to get passthrough auth working with OpenLDAP and Kerberos



Raffael Sahli wrote:
On 26.01.2012 22:53, Chastity Blackwell wrote:
On Thu, 2012-01-26 at 15:23 -0500, Dan White wrote:
That indicates a mistake in your /etc/sasl2/slapd.conf, which should have:

saslauthd_path: /var/run/saslauthd/mux

not /var/run/sasl2/mux
Well, now I just feel like an idiot. :) That did move things along a
bit, though now I'm getting this error:

2012-01-26T13:48:28-08:00 ldapsandbox10-1-qa-sjc saslauthd[15889]:
do_auth         : auth failure: [user=chas@test.com] [service=ldap]
[realm=test.com] [mech=kerberos5] [reason=saslauthd internal error]

I'm guessing the problem here is that the realm should match my Kerberos
realm, which is called "KRBTEST", not test.com -- is this something that
needs to be fixed with an authz-regexp?
No, authz-regexp is to map a sasl dn to a real user account in your ldap
directory.

But your user is chas@test.com with a realm named test.com, your
userPassword should be {SASL}chas@KRBTEST

What the heck are you talking about? If the username is chas@test.com then that is what goes in the password:

  userpassword: {SASL}chas@test.com

If the realm is actually KRBTEST then the username should be chas@KRBTEST.

and also exists as a principal on your kerberos db ;)

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
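Added example, not part of the thread or of OpenLDAP itself: a small POSIX sh check for the two mistakes discussed above, the wrong saslauthd_path in /etc/sasl2/slapd.conf and a {SASL} userPassword carrying the mail-style domain instead of the Kerberos realm. The config path, the mux path and the "run" convention are assumptions; testsaslauthd is the Cyrus SASL tool.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the two things that went
# wrong above. Paths and names are assumptions: adjust for your system.
SLAPD_SASL_CONF="${SLAPD_SASL_CONF:-/etc/sasl2/slapd.conf}"
EXPECTED_MUX="${EXPECTED_MUX:-/var/run/saslauthd/mux}"

# Print the saslauthd_path value from a slapd.conf-style file ("key: value").
saslauthd_path_in() {
    awk -F': *' '$1 == "saslauthd_path" { print $2; exit }' "$1"
}

# Return 0 if the configured socket path matches the one saslauthd listens on.
check_mux_path() {
    configured=$(saslauthd_path_in "$1")
    [ "$configured" = "$2" ]
}

# Strip a domain suffix a user typed (chas@test.com -> chas) so the realm
# supplied separately is the only realm in the value.
bare_user() {
    printf '%s\n' "${1%%@*}"
}

# Build the userPassword value for SASL pass-through: {SASL}user@REALM.
# The realm is the Kerberos realm the principal lives in (KRBTEST in the
# thread), not the DNS-style domain part of a mail-like user name.
sasl_userpassword() {
    printf '{SASL}%s@%s\n' "$1" "$2"
}

# Only when invoked as "script run <user> <REALM>": report on the live system
# and, if testsaslauthd is installed, exercise saslauthd end to end.
if [ "${1:-}" = "run" ]; then
    user=$(bare_user "$2"); realm=$3
    if check_mux_path "$SLAPD_SASL_CONF" "$EXPECTED_MUX"; then
        echo "ok: saslauthd_path is $EXPECTED_MUX"
    else
        echo "mismatch: saslauthd_path=$(saslauthd_path_in "$SLAPD_SASL_CONF"), expected $EXPECTED_MUX"
    fi
    [ -S "$EXPECTED_MUX" ] || echo "warning: no socket at $EXPECTED_MUX (is saslauthd running?)"
    if command -v testsaslauthd >/dev/null 2>&1; then
        printf 'password for %s@%s: ' "$user" "$realm"; stty -echo; read -r pw; stty echo; echo
        # -u user, -r realm, -p password, -s service, -f socket path
        testsaslauthd -u "$user" -r "$realm" -p "$pw" -s ldap -f "$EXPECTED_MUX"
    fi
    echo "userPassword: $(sasl_userpassword "$user" "$realm")"
fi
```

A failing testsaslauthd here, with the socket path already correct, points at the principal or realm rather than at slapd, which is the situation the thread ends up in.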