[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SASL auth not working

On 23/06/10 10:27 -0300, Diego Lima wrote:
I'm trying to set up openldap to authenticate using my kerberos
service, but I'm not having success so far. I've already set up MIT
Kerberos V and I can successfully get tickets from it:

root@filesystem:~# kinit diego.lima
Password for diego.lima@USERS:
root@filesystem:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: diego.lima@USERS

Valid starting     Expires            Service principal
06/23/10 09:44:49  06/23/10 19:44:49  krbtgt/USERS@USERS
	renew until 06/24/10 09:44:46

I've also set up SASL to use the kerberos5 auth mechanism and it seems to work:

root@filesystem:~# testsaslauthd -u diego.lima@USERS -p 123456
0: OK "Success."
The userPassword value translates to {SASL}diego.lima@USERS

When I try to do an authenticated search on LDAP I see the following:

# ldapsearch -D
krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br -b
dc=domain,dc=com,dc=br '(objectClass=*)' -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

When doing a SASL bind, you should specify the same username that you are
authentication with, for saslauthd. Use a '-U diego.lima@USERS' instead of
a -D option:

ldapwhoami -U diego.lima@USERS

I see nothing on the saslauthd output when I try to log in. Did I miss
anything? Please note that I'm trying to use the same kerberos
principal as my user, and this is intended. I did try adding another
user (account and posixAccount objectClasses) with a separate kerberos
principal and that did not work either.

By default, the cyrus sasl library will not use saslauthd. You'll need to
create a /usr/lib/sasl2/slapd.conf file with:

pwcheck_method: saslauthd

Dan White