Re: SASL auth not working

[Dan White <dwhite@olp.net>]

On 23/06/10 10:27 -0300, Diego Lima wrote:
> I'm trying to set up openldap to authenticate using my kerberos
> service, but I'm not having success so far. I've already set up MIT
> Kerberos V and I can successfully get tickets from it:
>
> root@filesystem:~# kinit diego.lima
> Password for diego.lima@USERS:
> root@filesystem:~# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: diego.lima@USERS
>
> Valid starting     Expires            Service principal
> 06/23/10 09:44:49  06/23/10 19:44:49  krbtgt/USERS@USERS
> 	renew until 06/24/10 09:44:46
>
>
> I've also set up SASL to use the kerberos5 auth mechanism and it seems to work:
>
> root@filesystem:~# testsaslauthd -u diego.lima@USERS -p 123456
> 0: OK "Success."
 
> The userPassword value translates to {SASL}diego.lima@USERS
>
> When I try to do an authenticated search on LDAP I see the following:
>
> # ldapsearch -D
> krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br -b
> dc=domain,dc=com,dc=br '(objectClass=*)' -W
> Enter LDAP Password:
> ldap_bind: Invalid credentials (49)

When doing a SASL bind, you should specify the same username that you are
authentication with, for saslauthd. Use a '-U diego.lima@USERS' instead of
a -D option:

ldapwhoami -U diego.lima@USERS

> I see nothing on the saslauthd output when I try to log in. Did I miss
> anything? Please note that I'm trying to use the same kerberos
> principal as my user, and this is intended. I did try adding another
> user (account and posixAccount objectClasses) with a separate kerberos
> principal and that did not work either.

By default, the cyrus sasl library will not use saslauthd. You'll need to
create a /usr/lib/sasl2/slapd.conf file with:

pwcheck_method: saslauthd

--
Dan White