[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Simple Bind pass-through to SASL/PLAIN

I'm using openldap-2.3.32, loglevel = -1 (log grows at 2MB/minute), and neither of those tests work. I've even tried with and without the @REALM.

Zach Schimke
Mars Space Flight Facility

On 3/4/2011 1:48 PM, Dan White wrote:
On 04/03/11 13:22 -0700, Zach Schimke wrote:
It was complied with '--enable-spasswd', defined properly in portable.h, and I confirm that an ldd of the slapd binary show that it is linked to sasl.

   /* define to support SASL passwords */
   #define SLAPD_SPASSWD 1

BUT, the logs say nothing about SASL when a simple bind is performed to my account with a {SASL} userPassword.

What log level are you capturing at? What version of OpenLDAP are you

You said you were able to get a SASL PLAIN bind working, so I don't
believe you have a problem with your /etc/sasl2/slapd.conf config.

What happens if you provide the '{SASL}username@REALM' (or the value in
your userPassword attribute) as the password? Does it succeed?

On 3/4/2011 7:54 AM, Dan White wrote:
On 03/03/11 17:07 -0700, Zach Schimke wrote:
Is there any trick to this?

I am able to get SASL/PLAIN and SASL/GSSAPI binds to work perfectly with my ldap server. What I want to get working is the authentication pass-through.

From what I can gather, it appears that LDAP should be able to authenticate a simple bind, take a look at the userPassword attribute (which contains '{SASL}username@REALM) and perform a SASL/PLAIN from there.

We want to avoid maintaining two separate passwords (LDAP and Kerberos V) although some applications (like phpLDAPAdmin, Drupal, etc) do not allow the use of Kerberos natively.

/etc/sasl2/slapd.conf (using CentOS):
  pwcheck_method: saslauthd

Here's a snippet of my openldap.log during a simple bind:
Mar 3 16:45:49 kdc1 slapd[28132]: conn=2009 fd=39 ACCEPT from IP= (IP= Mar 3 16:45:49 kdc1 slapd[28132]: conn=2009 fd=39 TLS established tls_ssf=256 ssf=256 Mar 3 16:45:49 kdc1 slapd[28132]: conn=2009 op=0 BIND dn="cn=test account,ou=people,o=mars" method=128 Mar 3 16:45:49 kdc1 slapd[28132]: send_ldap_result: conn=2009 op=0 p=3 Mar 3 16:45:49 kdc1 slapd[28132]: conn=2009 op=0 RESULT tag=97 err=49 text= Mar 3 16:45:49 kdc1 slapd[28132]: connection_closing: readying conn=2009 sd=39 for close
  Mar  3 16:45:49 kdc1 slapd[28132]: connection_close: conn=2009 sd=-1
Mar 3 16:45:49 kdc1 slapd[28132]: conn=2009 fd=39 closed (connection lost)

Anything I should double-check, modify, etc?

Verify that your openldap installation was compiled with

Try running saslauthd in debug mode to see if slapd is passing an
authentication attempt.