OpenLDAP Faq-O-Matic : OpenLDAP Software FAQ : Configuration : SLAPD Configuration : Passwords :
Is there an alternative to {KERBEROS} passwords in current versions of slapd(8)?I tried to do this and ran into a number of minor issues, which I will try to document here. The main symptom was that simple binds returned a "Invalid credentials (49)" message.
Assuming you've already built Cyrus SASL you should have saslauthd. It may live in /usr/[local]/sbin/saslauthd, depending on your local environment. You need to be sure that the socket path (/usr/state/saslauthd/ was the default in my installation, but may be different for you) exists. The user that slapd runs as needs to have read/write access to this path. Start saslauthd like:
/usr/local/sbin/saslauthd -a kerberos5There are other options, including credential caching options (see the man page) that you may want to use.
You can test your saslauthd using the testsaslauthd program. This can be built by going to the saslauthd/ directory in the Cyrus SASL source distribution and running "make testsaslauthd". Run it like:
testsaslauthd -u username -p passwordYou may also need to provide the -r realm option if you're not using your default realm.
If you get a response like:
size read failedAnd your syslog has messages like:
saslauthd[30397]: auth_krb5: krb5_get_init_creds_password
saslauthd[30397]: do_auth: auth failure: [user=username]
[realm=MY.KERBEROS.REALM] [mech=kerberos5]
[reason=saslauthd internal error]
Then you may need a host service principal in your /etc/krb5.keytab. E.g. host/my.server.fqdn@MY.KERBEROS.REALM). In my case I only had the ldap service principal. Use ktutil to install this (back up your keytab file first).Otherwise you should get a response like:
0: OK "Success."If you get this far, but are still getting invalid credential messages from slapd, be sure you have a /usr/[local]/lib/sasl2/slapd.conf file. At minimum, this should contain:
pwcheck_method: saslauthdIf you're not using the default saslauthd socket path, it may also need something a line like:
saslauthd_path: /var/state/saslauthd/muxSee also the doc/options.html document that comes with Cyrus SASL.
At this point, I could do simple binds where I previously had a {KERBEROS} userPassword by changing that to {SASL}.
Hope this helps -- please use this info at your own risk; I do not warrant that it will work for you. ALSO NOTE THAT ALL OF THIS IS IN GENERAL DISCOURAGED AND SHOULD BE USED ONLY WHEN THE CLIENT DOES NOT SUPPORT A MORE SECURE AUTHENTICATION CAPABILITY, AND YOUR'RE STUCK DOING SIMPLE BINDS, AND WANT TO BE ABLE TO USE KERBEROS AUTHENTICATION OF CREDENTIALS. See the openldap-software list archives for much discussion of this.
Finally I would *strongly* suggest that you configure your ldap server to allow simple binds only for SSL/TLS protected connections.
I had one on my 'saslauthd_path:' line and spent the better part of the day wondering why things had stopped working
For example, my server had an entry in /etc/hosts like: x.x.x.x myserver.example.com.example.com
It should have read: x.x.x.x myserver.example.com
jeff@jeffrodriguez.com
once I figured that out, making this work was trivial.
danpritts@yahoo.com
Also, Francis Swasey notes on openldap-software mailing lists that he had to put the files in /usr/lib64/sasl. I'm guessing either the /usr/lib or /etc/sasl2 location will work.
danpritts@yahoo.com