
Re: Authenticate to ldap using Kerberos

On Wed, 2010-09-08 at 21:34 -0500, Dan White wrote: 
> On 09/09/10 10:21 +0800, Wouter van Marle wrote:
> >> That requires pass-through authentication.
> >
> >I see.
> >Well with the above instructions nothing seems to have changed.
> >I have restarted saslauthd and slapd after making the changes, and when
> >now accessing the ldap addressbook using Evolution, I still have to use
> >the ldap stored password, not the krb password.
> >
> >Wouter.
> To be a little more explicit, to enable pass-through authentication, you
> will need to replace the password (userPassword attribute) with:
> userPassword: {SASL}username@realm

When I get it working I am considering writing a tutorial - maybe
useful. I haven't been able to find anything like it on the internet.
The above I have never seen; just once a suggestion to change the
password to {KERBEROS}username, but that also didn't work :)

It's much harder to get working than I ever expected, really. And I'm
even more surprised that openldap doesn't support this "out of the
box", or with some minor settings.

Anyway I have changed my userPassword field (using GQ) to
It still doesn't work, of course.
Nor does it work when I set it to {SASL}wouter

In syslog I found the following error related to my attempt to open the
address book in evolution:
Sep  9 12:15:32 acorn slapd[15925]: conn=14 op=43 SEARCH RESULT tag=101
err=0 nentries=59 text=
Sep  9 12:15:39 acorn slapd[15925]: conn=135 fd=54 ACCEPT from
IP= (IP=
Sep  9 12:15:39 acorn slapd[15925]: conn=135 op=0 BIND
dn="uid=wouter,ou=People,dc=squirrel" method=128
Sep  9 12:15:39 acorn slapd[15925]: SASL [conn=135] Failure: cannot
connect to saslauthd server: Permission denied
Sep  9 12:15:39 acorn slapd[15925]: conn=135 op=0 RESULT tag=97 err=49

So there is something in saslauthd that does not accept connections from
slapd. Now the big question is: why? I have no idea where to start
searching for this.


> for instance:
> dn: uid=jsmith,dc=example,dc=com
> ...
> userPassword: {SASL}jsmith
> In this case, the user will have no valid password defined in LDAP (or at
> least not in the userPassword attribute).
> When attempting to perform a non-sasl bind, slapd will use saslauthd to
> authenticate, by taking the username (from the userPassword field), and the
> password that was submitted.
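As an added example (not part of this thread, and not OpenLDAP code), here is a small Python checker that correlates slapd's conn/op log lines the way the syslog excerpt above is laid out, so a simple bind (method=128) ending in err=49 is tagged with the "cannot connect to saslauthd server: Permission denied" failure on the same connection instead of being read as a plain wrong password. The sample log is constructed from the quoted lines; the IP values are my placeholders, and the remediation hint assumes the usual cause, that the slapd process lacks write access to the saslauthd mux socket or search access to its directory.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the slapd syslog lines quoted in this thread.
# The IP fields are placeholders (they were stripped in the original message).
SAMPLE_LOG = """\
Sep  9 12:15:39 acorn slapd[15925]: conn=135 fd=54 ACCEPT from IP=127.0.0.1:40001 (IP=0.0.0.0:389)
Sep  9 12:15:39 acorn slapd[15925]: conn=135 op=0 BIND dn="uid=wouter,ou=People,dc=squirrel" method=128
Sep  9 12:15:39 acorn slapd[15925]: SASL [conn=135] Failure: cannot connect to saslauthd server: Permission denied
Sep  9 12:15:39 acorn slapd[15925]: conn=135 op=0 RESULT tag=97 err=49
Sep  9 12:16:02 acorn slapd[15925]: conn=136 op=0 BIND dn="uid=alice,ou=People,dc=squirrel" method=128
Sep  9 12:16:02 acorn slapd[15925]: conn=136 op=0 RESULT tag=97 err=0
"""

# method=128 is LDAP_AUTH_SIMPLE; tag=97 is a bind response; err=49 is invalidCredentials.
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
SASL_RE = re.compile(r'SASL \[conn=(\d+)\] Failure: (.*)')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=(\d+) err=(\d+)')


def classify(info):
    """Explain a bind outcome using the SASL failure (if any) seen on the same conn."""
    if info["err"] == 0:
        return "ok"
    for msg in info["sasl_failure"]:
        if "saslauthd" in msg and "Permission denied" in msg:
            # connect() on a unix socket needs write permission on the socket file
            # and search (x) permission on every directory leading to it.
            return ("slapd cannot open the saslauthd mux socket: check the socket "
                    "directory permissions and the slapd user's group membership")
    if info["err"] == 49:
        return "invalid credentials (password rejected)"
    return "bind failed with err=%d" % info["err"]


def analyse_binds(log_text):
    """Pair each BIND with its RESULT and attach SASL failures logged for that conn."""
    pending = {}                      # conn -> bind awaiting its RESULT
    sasl_failures = defaultdict(list)  # conn -> failure messages seen so far
    results = []
    for line in log_text.splitlines():
        if m := BIND_RE.search(line):
            pending[m.group(1)] = {"conn": m.group(1), "dn": m.group(3),
                                   "method": int(m.group(4))}
        elif m := SASL_RE.search(line):
            sasl_failures[m.group(1)].append(m.group(2))
        elif (m := RESULT_RE.search(line)) and m.group(1) in pending:
            info = pending.pop(m.group(1))
            info["err"] = int(m.group(4))
            info["sasl_failure"] = sasl_failures.pop(m.group(1), [])
            info["cause"] = classify(info)
            results.append(info)
    return results
```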