Re: LDAP + Kerberos not allowing simple binds

"Jose Gonzalez Gomez" <jgonzalez@opentechnet.com> wrote in message
> Robert wrote:
> >
>     Then you should make that work before trying to use the {SASL} in
> userPassword. Have you taken a look at log files? I think you may run
> saslauthd with some verbose flag (-v?) so you may see the result of the
> authentication attempt. You may also look at the log files generated by
> sasl to see the cause of failed authentications.

The message generated by saslauthd looks like:

saslauthd[816]: do_auth         : auth failure: [user=user] [service=ldap] [realm=DOMAIN.REALM] [mech=kerberos5] [reason=saslauthd internal error]

I have added the host/fully.qualified.domain-name and
ldap/fully.qualified.domain-name to both the system keytab, /etc/krb5.keytab
and the /etc/openldap/ldap.keytab files.  There is a file
/usr/local/lib/sasl2/slapd.conf which contains:

pwcheck_method: saslauthd
keytab: /etc/openldap/ldap.keytab
saslauthd_path: /var/run/saslauthd/mux

The strange thing is that if I supply the wrong password, testsaslauthd or
simple binding to the ldap directory fails immediately.  If I supply the
correct password for the principal, the verification process stalls for a
couple seconds, then it returns failure.  Another thing is that when I
supply the correct dn and password, there is a credentials cache
/ ticket file in the temp directory.  The kdc log also shows that it issued
a ticket for the user but the authentication still fails.

I have googled away and found this exact issue and it was solved.  I can't
seem to get it solved on my end.  Anything that I missed?