Re: Authenticate to ldap using Kerberos

[Dan White <dwhite@olp.net>]

On 09/09/10 12:17 +0800, Wouter van Marle wrote:
> Anyway I have changed my userPassword field (using GQ) to
> {SASL}wouter@SQUIRREL
> It still doesn't work of course.
> Also not when I set it to {SASL}wouter
>
> In syslog I found the following error related to my attempt to open the
> address book in evolution:
> Sep  9 12:15:32 acorn slapd[15925]: conn=14 op=43 SEARCH RESULT tag=101
> err=0 nentries=59 text=
> Sep  9 12:15:39 acorn slapd[15925]: conn=135 fd=54 ACCEPT from
> IP=192.168.2.4:39863 (IP=0.0.0.0:389)
> Sep  9 12:15:39 acorn slapd[15925]: conn=135 op=0 BIND
> dn="uid=wouter,ou=People,dc=squirrel" method=128
> Sep  9 12:15:39 acorn slapd[15925]: SASL [conn=135] Failure: cannot
> connect to saslauthd server: Permission denied
> Sep  9 12:15:39 acorn slapd[15925]: conn=135 op=0 RESULT tag=97 err=49
> text=
>
> So there is something in saslauthd that does not accept connections from
> slapd. Now the big question is why? As I have no idea where to start
> searching for this.
>
> Wouter.

You're close.

On Debian/Ubuntu, do:

adduser openldap sasl

The issue is that the /var/run/saslauthd directory, where the
saslauthd unix socket is located, is only accessible by group 'sasl' (and
root).

--
Dan White