[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: pass-through authentication

To: Brent Bice <bbice@sgi.com>
Subject: Re: pass-through authentication
From: Jonathan Clarke <jonathan@phillipoux.net>
Date: Fri, 20 Aug 2010 15:26:03 +0200
Cc: openldap-technical@openldap.org
In-reply-to: <4C5343FE.5000501@sgi.com>
References: <4C5343FE.5000501@sgi.com>
User-agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.9.2.8) Gecko/20100802 Lightning/1.0b2 Thunderbird/3.1.2

On 30/07/2010 23:28, Brent Bice wrote:

  I tried to send this yesterday but didn't see it come back from the
list (and didn't see any replies). So I'll try once more. Apologies if
anyone gets this twice.

I've been trying to get Pass-Through authentication to work using a
userPassword attribute of the form {SASL}username@realm. Is there a way
to tell slapd what pathspec to use to talk to saslauthd? (I'm guessing
maybe it's using one path but saslauthd is using a different one for the
socket file)

I've got saslauthd running ok and can authenticate using testsaslauthd
so I'm fairly sure saslauthd is configured right and working. And I've
got openldap compiled with --enable-spasswd option so it ought to
support the SASL pass-through option, right?

I ran saslauthd with debugging on so I can see every auth request and
whether it succeeds or fails and I can see it when testsaslauth connects
and succeeds. But when I try to bind to slapd using the DN whose
userPassword is {SASL}bbice@ldap the authentication to slapd fails and
saslauthd doesn't show any authentication attempt at all. It's as if
it's not even trying (or can't find) saslauthd.

I ran slapd with the -d 255 option and saved the output to a file.
Here's all the lines containing the string sasl:
 >>> dnPretty: <cn=SASL>
=> ldap_bv2dn(cn=SASL,0)
<= ldap_bv2dn(cn=SASL)=0
<= ldap_dn2bv(cn=SASL)=0
<<< dnPretty: <cn=SASL>
 >>> dnNormalize: <cn=SASL>
<<< dnNormalize: <cn=sasl>
ldap_sasl_bind_s
ldap_sasl_bind
SASL Canonicalize [conn=1000]: authcid="bbice@ldap"
SASL Canonicalize [conn=1000]: authcid="bbice@ldap"
SASL Canonicalize [conn=1001]: authcid="bbice@ldap"
SASL Canonicalize [conn=1001]: authcid="bbice@ldap"

So if I'm reading that right, slapd does see that it's supposed to hand
off the authentication to saslauthd and it has picked out the username
and realm. But it doesn't seem to be connecting to or using saslauthd.

Any ideas? What am I missing here?

slapd reads a SASL configuration file, named slapd.conf, to figure outhow to communicate with saslauthd.

The default path for this file (by SASL standards) is/usr/lib/sasl2/slapd.conf, but some distributions may use other paths(Debian uses /etc/ldap/sasl/slapd.conf).

This file should contain at least "pwcheck_method: saslauthd", and bereadable by slapd.


Hope this helps,
Jonathan
--
--------------------------------------------------------------
Jonathan Clarke - jonathan@phillipoux.net
--------------------------------------------------------------
Ldap Synchronization Connector (LSC) - http://lsc-project.org
--------------------------------------------------------------

References:
- pass-through authentication
  - From: Brent Bice <bbice@sgi.com>

Prev by Date: Re: OpenLDAP as a proxy for Active Directory (missing attributes)
Next by Date: Re: Syncrepl: Reliable method to ask a server for its own URL
Index(es):
- Chronological
- Thread