
Re: sasl Kerberos authentication with subordinate



On 01/02/13 11:43 -0800, Wu, James C. wrote:
> The getent passwd returns all the users defined in both the internal and
> the external ldap servers.  When I turned on the debug for pam_ldap, I saw
>
> su: pam_ldap: could not open secret file /etc/pam_ldap.secret (No such file or directory)
> su: pam_ldap: error trying to bind as user "uid=peter,ou=People,ou=sub,dc=example,dc=com" (Invalid credentials)

The first error would be generated when searching for the user's DN, which
succeeded (because you're using anonymous binds?). The second error means
that the responding server believes you've provided a bad password for
peter.

Can you tell which LDAP server is returning "Invalid Credentials"?

> But interestingly enough, if I use 'su james' where james is a user in the
> external ldap, then I did not see any warning or error logs.  So I am
> wondering why for users in external ldap, it does not require the secret
> file. In the /etc/pam_ldap.conf, I did not specify the bindpw value.

I presume that in your pam_ldap configuration, you're specifying only the
external LDAP servers, and that you have configured the external
servers to refer queries for the ou=sub,dc=example,dc=com tree to the
internal servers.

Try these to narrow down the problem:

ldapsearch -d -1 -x -H ldap://external_server -b "<base>" -D "<binddn>" -w "<bindpw>" "uid=peter" dn
ldapsearch -d -1 -x -H ldap://internal_server -b "<base>" -D "<binddn>" -w "<bindpw>" "uid=peter" dn

ldapwhoami -d -1 -x -H ldap://external_server -D "uid=peter,ou=People,ou=sub,dc=example,dc=com" -W
ldapwhoami -d -1 -x -H ldap://internal_server -D "uid=peter,ou=People,ou=sub,dc=example,dc=com" -W

Another approach is to proxy queries and binds, with the ldap backend
and/or pbind overlay. See slapd-ldap(5) and slapo-pbind(5).

--
Dan White
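To pin down which of the two servers is the one answering "Invalid credentials", here is an added example (not from this thread and not OpenLDAP code) that does what the ldapwhoami runs above do, with nothing but the Python standard library: it sends one LDAPv3 simple bind to a single named server, does not chase referrals, and decodes the BindResponse so you see the exact resultCode (invalidCredentials, referral, success, ...), the server's diagnostic message and any referral URLs it hands back. The host names, port and the DN/password given on the command line are placeholders; run it once against external_server and once against internal_server with peter's DN and compare the verdicts.

```python
"""LDAP simple-bind probe: ask each server directly what it says about a bind.
Added example (stdlib only); server names, DN and password are placeholders."""
import socket
import ssl

# LDAP resultCode values (RFC 4511) that matter for the failing bind
RESULT_NAMES = {0: "success", 10: "referral", 32: "noSuchObject",
                49: "invalidCredentials", 53: "unwillingToPerform"}


def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(n: int) -> bytes:
    """BER INTEGER (two's complement, minimal length)."""
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))


def read_tlv(buf: bytes, pos: int):
    """Decode the element at buf[pos]; return (tag, value, next position)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def message_complete(buf: bytes) -> bool:
    """True once buf holds a whole outer SEQUENCE, i.e. we can stop reading."""
    try:
        _, _, end = read_tlv(buf, 0)
    except IndexError:
        return False
    return len(buf) >= end


def build_simple_bind(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple [0] } }."""
    bind_req = tlv(0x60,                             # [APPLICATION 0] BindRequest
                   ber_int(3)                        # LDAP version 3
                   + tlv(0x04, bind_dn.encode())     # name
                   + tlv(0x80, password.encode()))   # [0] simple authentication
    return tlv(0x30, ber_int(message_id) + bind_req)


def parse_bind_response(data: bytes) -> dict:
    """Extract resultCode, matchedDN, diagnosticMessage and referral URLs."""
    tag, msg, _ = read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(msg, 0)
    op_tag, op, _ = read_tlv(msg, pos)
    if op_tag != 0x61:                               # [APPLICATION 1] BindResponse
        raise ValueError("expected BindResponse, got tag 0x%02x" % op_tag)
    _, code, pos = read_tlv(op, 0)
    _, matched, pos = read_tlv(op, pos)
    _, diag, pos = read_tlv(op, pos)
    referrals = []
    if pos < len(op):
        ref_tag, refs, _ = read_tlv(op, pos)
        if ref_tag == 0xA3:                          # [3] Referral ::= SEQUENCE OF LDAPURL
            rpos = 0
            while rpos < len(refs):
                _, url, rpos = read_tlv(refs, rpos)
                referrals.append(url.decode())
    result_code = int.from_bytes(code, "big")
    return {"message_id": int.from_bytes(mid, "big"),
            "result_code": result_code,
            "result_name": RESULT_NAMES.get(result_code, "other"),
            "matched_dn": matched.decode(), "diagnostic": diag.decode(),
            "referrals": referrals}


def check_bind(host: str, bind_dn: str, password: str, port: int = 389,
               use_tls: bool = False, timeout: float = 5.0) -> dict:
    """Send one simple bind to one server (no referral chasing); return its verdict."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:                                      # ldaps://, normally port 636
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(build_simple_bind(1, bind_dn, password))
        data = b""
        while not message_complete(data):
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError(f"{host} closed the connection before answering")
            data += chunk
    return parse_bind_response(data)


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 4:
        sys.exit("usage: ldap_bind_probe.py BIND_DN PASSWORD HOST [HOST ...]")
    bind_dn, password, hosts = sys.argv[1], sys.argv[2], sys.argv[3:]
    for host in hosts:                               # e.g. external_server internal_server
        v = check_bind(host, bind_dn, password)
        print(f"{host}: {v['result_name']} ({v['result_code']}) "
              f"diag={v['diagnostic']!r} referrals={v['referrals']}")
```

Like ldapwhoami -x without TLS, the plain-port variant sends the password in the clear, so use use_tls=True (port 636) or run it on the server itself. A server that answers referral (10) with the internal server's URL, while the other answers invalidCredentials (49), tells you the bind is being judged by the wrong side of the referral; two invalidCredentials answers point at the password or the entry itself.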