Re: can't get slapd to do pass-through authentication

Brent Bice <bbice@sgi.com> writes:

>    I've been trying to get Pass-Through authentication to work using a
> userPassword attribute of the form {SASL}username@realm. At this point
> I'm guessing but is there a way to tell slapd what pathspec to use to
> talk to saslauthd? (I'm guessing maybe it's using one path but
> saslauthd is using a different one for the socket file)
>    I've got saslauthd running ok and can authenticate using
> testsaslauthd so I'm fairly sure I'm ok there. And I've got openldap
> compiled with --enable-spasswd option so it ought to support the SASL
> pass-through option, right?
>    I ran saslauthd with debugging on so I can see every auth request
> and whether it succeeds or fails and I can see it when testsaslauthd
> connects and succeeds.  But when I try to bind to slapd using the DN
> whose userPassword is {SASL}bbice@ldap the authentication to slapd
> fails and saslauthd doesn't show any authentication attempt at
> all. It's as if it's not even trying (or can't find) saslauthd.
>    I ran slapd with the -d 255 option and saved the output to a
> file. Here's all the lines containing the string sasl:
> >>> dnPretty: <cn=SASL>
> => ldap_bv2dn(cn=SASL,0)
> <= ldap_bv2dn(cn=SASL)=0
> <= ldap_dn2bv(cn=SASL)=0
> <<< dnPretty: <cn=SASL>
> >>> dnNormalize: <cn=SASL>
> <<< dnNormalize: <cn=sasl>
> ldap_sasl_bind_s
> ldap_sasl_bind
> SASL Canonicalize [conn=1000]: authcid="bbice@ldap"
> SASL Canonicalize [conn=1000]: authcid="bbice@ldap"
> SASL Canonicalize [conn=1001]: authcid="bbice@ldap"
> SASL Canonicalize [conn=1001]: authcid="bbice@ldap"
>    So if I'm reading that right, slapd does see that it's supposed to
> hand off the authentication to saslauthd and it has picked out the
> username and realm. But it doesn't seem to be connecting to or using
> saslauthd.
>    Any ideas?  What am I missing here?

Did you create a lib/sasl2/slapd.conf, or wherever your sasl
configuration files are located?
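As an added illustration of that check (example script, not part of the thread and not OpenLDAP's or Cyrus SASL's own code): libsasl2 reads a per-application file named after the application, and slapd's application name is "slapd", so without a slapd.conf in the SASL config directory there is no pwcheck_method and slapd never opens the saslauthd socket, which matches the trace above (canonicalization happens, no connection follows). The script writes the minimal file and checks that the socket path it names is the one saslauthd is listening on. Assumptions: the config directory (/usr/lib/sasl2 or /etc/sasl2 depending on the build), the socket path /var/run/saslauthd/mux, and that saslauthd_path takes the full socket path (check options.html for your libsasl2 version).

```shell
#!/bin/sh
# Added example, not from the thread. Writes and checks the Cyrus SASL
# per-application config that slapd reads for {SASL} pass-through binds.
# Assumption: saslauthd_path is the full path of saslauthd's "mux" socket.

# Write the minimal slapd.conf that routes {SASL} password checks to saslauthd.
# $1 = destination file (e.g. /usr/lib/sasl2/slapd.conf, per your build)
# $2 = socket path saslauthd was started with (e.g. /var/run/saslauthd/mux)
write_sasl_slapd_conf() {
    cat > "$1" <<EOF
# SASL configuration read by slapd (application name "slapd")
pwcheck_method: saslauthd
saslauthd_path: $2
EOF
}

# Return the last value of "key: value" from a SASL config file.
# $1 = config file, $2 = option name
sasl_opt() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | tail -n 1
}

# Sanity-check the pass-through setup. Returns 0 when the config names
# saslauthd and its socket exists; a distinct non-zero code per failure mode,
# each of which leaves saslauthd with no auth attempt to log.
# $1 = slapd.conf path, $2 = socket path saslauthd actually listens on
check_sasl_passthrough() {
    cfg=$1; sock=$2
    if [ ! -f "$cfg" ]; then
        echo "no SASL config at $cfg: slapd has no pwcheck_method, so it never contacts saslauthd"
        return 1
    fi
    method=$(sasl_opt "$cfg" pwcheck_method)
    if [ "$method" != "saslauthd" ]; then
        echo "pwcheck_method is '${method:-unset}', expected saslauthd"
        return 2
    fi
    path=$(sasl_opt "$cfg" saslauthd_path)
    if [ -n "$path" ] && [ "$path" != "$sock" ]; then
        echo "saslauthd_path '$path' does not match saslauthd's socket '$sock'"
        return 3
    fi
    if [ ! -S "$sock" ]; then
        echo "'$sock' is not a listening socket: is saslauthd running with that path?"
        return 4
    fi
    echo "ok: slapd will send {SASL} binds to saslauthd via $sock"
    return 0
}
```

After the file is in place, repeat the bind with saslauthd still in debug mode; the attempt should now appear there. The userPassword value {SASL}bbice@ldap splits into user bbice and realm ldap, and slapd presents itself to SASL under the service name ldap, so testsaslauthd with -u bbice -r ldap -s ldap exercises the same request saslauthd will see from slapd.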