
Re: LDAP + Kerberos not allowing simple binds



Robert wrote:

"Jose Gonzalez Gomez" <jgonzalez@opentechnet.com> wrote in message
news:411E7C85.2090002@opentechnet.com...

Robert wrote:

   Then you should make that work before trying to use the {SASL} in
userPassword. Have you taken a look at log files? I think you may run
saslauthd with some verbose flag (-v?) so you may see the result of the
authentication attempt. You may also look at the log files generated by
sasl to see the cause of failed authentications.




The message generated by saslauthd looks like:

saslauthd[816]: do_auth         : auth failure: [user=user] [service=ldap]
[realm=DOMAIN.REALM] [mech=kerberos5] [reason=saslauthd internal error]

I have added the host/fully.qualified.domain-name and
ldap/fully.qualified.domain-name to both the system keytab, /etc/krb5.keytab
and the /etc/openldap/ldap.keytab files.  There is a file
/usr/local/lib/sasl2/slapd.conf which contains:

pwcheck_method: saslauthd
keytab: /etc/openldap/ldap.keytab
saslauthd_path: /var/run/saslauthd/mux

The strange thing is that if I supply the wrong password, testsaslauthd or
simple binding to the ldap directory fails immediately.  If I supply the
correct password for the principal, the verification process stalls for a
couple seconds, then it returns failure.  Another thing is that when I
supply the correct dn and password, there is a credentials cache
/ ticket file in the temp directory.  The kdc log also shows that it issued
a ticket for the user but the authentication still fails.

I have googled away and found this exact issue and it was solved.  I can't
seem to get it solved on my end.  Anything that I missed?

Thanks.
Robert
There should be something more in the logs indicating the cause of the errors... a few things that may cause this... not using the canonical name of the machine, slapd not having access to the keytabs...
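An added checklist script for the two causes named above (non-canonical host name, keytab not readable by the daemons); it is not code from this thread or from the Cyrus SASL or OpenLDAP projects. It assumes the placeholder host name, realm, keytab paths and saslauthd socket path quoted in Robert's message; the `klist -k` listing used in the comments is constructed.

```shell
#!/bin/sh
# Troubleshooting helper for the saslauthd/kerberos5 failure in this thread.
# Assumed values (placeholders taken from the message, adjust for a real host).
FQDN="fully.qualified.domain-name"
REALM="DOMAIN.REALM"
KEYTABS="/etc/krb5.keytab /etc/openldap/ldap.keytab"
MUX="/var/run/saslauthd/mux"

# keytab_has_principals LISTING PRINCIPAL...
# LISTING is the text of `klist -k KEYTAB` (e.g. "   2 host/fqdn@REALM" lines).
# Succeeds only if every PRINCIPAL is present; each missing one goes to stderr.
keytab_has_principals() {
    listing=$1; shift
    rc=0
    for p in "$@"; do
        printf '%s\n' "$listing" | grep -q -F " $p" || { echo "missing: $p" >&2; rc=1; }
    done
    return $rc
}

# canonical_name_ok CONFIGURED RESOLVED
# The host part of host/ and ldap/ principals must equal the machine's canonical
# name; compare case-insensitively and ignore a trailing dot.
canonical_name_ok() {
    a=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    b=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# mux_present PATH: the saslauthd listening socket that slapd's
# saslauthd_path setting points at must exist.
mux_present() { [ -S "$1" ]; }

# Live checks: run on the affected host as the account saslauthd/slapd run as,
# so that the readability test below reflects their access, not yours.
run_checks() {
    canonical_name_ok "$FQDN" "$(hostname -f 2>/dev/null)" \
        || echo "hostname -f does not return $FQDN (non-canonical name?)"
    for kt in $KEYTABS; do
        [ -r "$kt" ] || { echo "$kt is not readable by $(id -un)"; continue; }
        keytab_has_principals "$(klist -k "$kt" 2>/dev/null)" \
            "host/$FQDN@$REALM" "ldap/$FQDN@$REALM" || echo "  (checked $kt)"
    done
    mux_present "$MUX" || echo "no saslauthd socket at $MUX"
}

if [ "${1:-}" = "--run" ]; then run_checks; fi
```

Run it with `--run` on the LDAP host; each printed line names one condition that would make saslauthd reject a password even though the KDC issued a ticket.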