
Re: Authenticate to ldap using Kerberos



On Wed, 2010-09-08 at 23:38 -0500, Dan White wrote:
> On 09/09/10 12:17 +0800, Wouter van Marle wrote:
> >Anyway I have changed my userPassword field (using GQ) to
> >{SASL}wouter@SQUIRREL
> >It still doesn't work of course.
> >Also not when I set it to {SASL}wouter
> >
> >In syslog I found the following error related to my attempt to open the
> >address book in evolution:
> >Sep  9 12:15:32 acorn slapd[15925]: conn=14 op=43 SEARCH RESULT tag=101
> >err=0 nentries=59 text=
> >Sep  9 12:15:39 acorn slapd[15925]: conn=135 fd=54 ACCEPT from
> >IP=192.168.2.4:39863 (IP=0.0.0.0:389)
> >Sep  9 12:15:39 acorn slapd[15925]: conn=135 op=0 BIND
> >dn="uid=wouter,ou=People,dc=squirrel" method=128
> >Sep  9 12:15:39 acorn slapd[15925]: SASL [conn=135] Failure: cannot
> >connect to saslauthd server: Permission denied
> >Sep  9 12:15:39 acorn slapd[15925]: conn=135 op=0 RESULT tag=97 err=49
> >text=
> >
> >So there is something in saslauthd that does not accept connections from
> >slapd. Now the big question is why? As I have no idea where to start
> >searching for this.
> >
> >Wouter.
> 
> You're close.
> 
> On Debian/Ubuntu, do:
> 
> adduser openldap sasl
# adduser openldap sasl
Adding user `openldap' to group `sasl' ...
Adding user openldap to group sasl
Done.

> The issue is that the /var/run/saslauthd directory, where the
> saslauthd unix socket is located, is only accessible by group 'sasl' (and
> root).

True:
drwx--x--- 2 root       sasl       4096 2010-09-09 10:14 saslauthd

Still the same permission denied error message in syslog!

Wouter.
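Editor's note (not part of the thread): the reply above stops at "still the same permission denied". One detail worth checking in this situation is that `adduser openldap sasl` only changes the account's group list; a daemon that was already running keeps the supplementary groups it had at exec time and will not see the new membership until it is restarted. The script below is an added example, not from the thread or from the OpenLDAP/Cyrus projects. It assumes a Debian/Ubuntu layout (slapd running as `openldap`, socket directory `/var/run/saslauthd`, socket `mux`, group `sasl`); the file name `check-saslauthd.sh` and the sample `/proc` fragment are made up for illustration.

```shell
#!/bin/sh
# Added diagnostic for slapd -> saslauthd "cannot connect ... Permission denied".
# Not code from the thread. Assumptions: Debian/Ubuntu layout, slapd runs as
# user 'openldap', saslauthd listens on /var/run/saslauthd/mux, group 'sasl'.

SASL_DIR=/var/run/saslauthd
SLAPD_USER=openldap
SASL_GROUP=sasl

# proc_has_gid STATUS_TEXT GID
# Print "yes" if the "Groups:" line of a /proc/<pid>/status dump lists GID.
# Takes the text as an argument so it can also be run on a saved dump.
proc_has_gid() {
    printf '%s\n' "$1" | awk -v gid="$2" '
        $1 == "Groups:" { for (i = 2; i <= NF; i++) if ($i == gid) found = 1 }
        END { print (found ? "yes" : "no") }'
}

# dir_group_searchable MODE_STRING
# Print "yes" if the group search (x) bit is set in an "ls -ld" mode string
# such as "drwx--x---". Without it group members cannot open the socket inside.
dir_group_searchable() {
    case "$1" in
        ??????[xs]*) echo yes ;;
        *)           echo no ;;
    esac
}

# Constructed sample of a /proc/<pid>/status fragment (spaces instead of the
# real tabs; awk splits on either). GID 45 stands in for 'sasl' here;
# on a real system take the number from getent.
SAMPLE_STATUS='Name: slapd
Uid: 108 108 108 108
Gid: 113 113 113 113
Groups: 45 113'

# check_live: run the same checks against the running system (needs root).
check_live() {
    pid=$(pgrep -o -x slapd) || { echo "slapd is not running"; return 1; }
    sasl_gid=$(getent group "$SASL_GROUP" | cut -d: -f3)
    mode=$(ls -ld "$SASL_DIR" | cut -c1-10)

    echo "socket dir:        $(ls -ld "$SASL_DIR")"
    echo "account view:      $(id "$SLAPD_USER")"
    echo "running slapd $pid: $(grep '^Groups:' /proc/"$pid"/status)"

    [ "$(dir_group_searchable "$mode")" = yes ] ||
        echo "PROBLEM: group '$SASL_GROUP' cannot search $SASL_DIR"
    if [ "$(proc_has_gid "$(cat /proc/"$pid"/status)" "$sasl_gid")" = no ]; then
        echo "PROBLEM: running slapd lacks gid $sasl_gid ($SASL_GROUP);" \
             "supplementary groups are fixed at exec time, restart slapd"
    fi

    # Talk to the socket as the slapd user with a deliberately wrong password:
    # 'NO "authentication failed"' proves the socket is reachable, while a
    # 'connect() : Permission denied' line means the filesystem still blocks it.
    su -s /bin/sh "$SLAPD_USER" -c \
        "testsaslauthd -u wouter -p not-the-real-password -f $SASL_DIR/mux"
}

if [ "${1:-}" = "--live" ]; then
    check_live
fi
```

Run as `sh check-saslauthd.sh --live` as root. The interesting line is the one read from `/proc/<pid>/status`: `id openldap` reports what the account *would* get at next login, whereas the `Groups:` line reports what the slapd process actually holds right now, and it is the latter that the kernel consults when slapd tries to open the socket.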