
Re: OpenLDAP SASL Passthrough

On 15/11/11 12:00 +0100, Raffael Sahli wrote:
Date: Fri, 11 Nov 2011 08:41:21 -0600
From: dwhite@olp.net
To: raffi.sahli@hotmail.com
CC: openldap-technical@openldap.org
Subject: Re: OpenLDAP SASL Passthrough

On 11/11/11 12:48 +0100, Raffael Sahli wrote:
>testsaslauthd works well:
>[root@ldap-master001 /]#---> testsaslauthd -u test -p MYPASSWORD -r MY_REALM -s ldap
>0: OK "Success."
>sasl debug log:
>saslauthd[26077] :do_auth : auth success: [user=test] [service=ldap]
>[realm=MY_REALM] [mech=kerberos5]
>saslauthd[26077] :do_request : response: OK

>And the sasl debug log shows:
>saslauthd[26076] :do_auth : auth failure: [user=test] [service=ldap]
>[realm=MY_REALM] [mech=kerberos5] [reason=saslauthd internal error]

For a more apples to apples comparison, try running testsaslauthd as the
same user that your slapd process is running under. I can't see how this
would be a permissions problem though.

Nope, same problem (or same success message ^^) with the slapd running
user "openldap". saslauthd works with sasl user "test" running as user
openldap or root, and ldapsearch with user "test" doesn't.

For mech=kerberos5, there are several possible reasons for 'saslauthd
internal error'. Each of them should log an explanation to syslog (to
auth.err). You should see one of:

auth_krb5: could not generate ccache name
auth_krb5: krb5_cc_resolve
auth_krb5: krb5_kt_resolve
auth_krb5: NULL password or username?
auth_krb5: krb5_init_context
auth_krb5: krb5_parse_name
auth_krb5: could not generate ticket file name
auth_krb5: krb5_cc_resolve
auth_krb5: krb5_cc_initialize
auth_krb5: krb5_get_init_creds_password: %d
auth_krb5: krb5_cc_store_cred
auth_krb5: k5support_verify_tgt

Dan White
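The list above is what a practitioner has to dig out of auth.err by hand, and saslauthd runs several worker processes, so the "auth failure" line and the auth_krb5 explanation for it are only linked by the worker pid. The following added example (my own code, not part of the thread or of saslauthd) scans syslog text for the messages Dan lists, groups each one under the stage of the Kerberos exchange it names, and pairs every "saslauthd internal error" failure with the explanation logged by the same pid. The stage labels and the sample log lines are constructed for the example; the numeric code after krb5_get_init_creds_password stands in for the `%d` in the format string.

```python
import re
from collections import Counter

# Explanations Dan White lists for "saslauthd internal error" with
# mech=kerberos5; saslauthd's auth_krb5 backend logs them to syslog (auth.err).
# The stage label on the right is this example's own grouping, derived from the
# Kerberos API call named in the message; saslauthd itself prints no such label.
KNOWN_MESSAGES = {
    "could not generate ccache name": "credential cache setup",
    "krb5_cc_resolve": "credential cache setup",
    "krb5_kt_resolve": "keytab lookup",
    "NULL password or username?": "missing input",
    "krb5_init_context": "Kerberos library initialisation",
    "krb5_parse_name": "principal name parsing",
    "could not generate ticket file name": "credential cache setup",
    "krb5_cc_initialize": "credential cache setup",
    "krb5_get_init_creds_password": "password authentication against the KDC",
    "krb5_cc_store_cred": "credential cache setup",
    "k5support_verify_tgt": "TGT verification against the keytab",
}

# Tolerant of the "saslauthd[pid] :func : text" spacing seen in the thread
# as well as the usual "saslauthd[pid]: func: text" syslog form.
KRB5_RE = re.compile(r"saslauthd\[(?P<pid>\d+)\]\s*:\s*auth_krb5\s*:\s*(?P<msg>.+?)\s*$")
FAIL_RE = re.compile(
    r"saslauthd\[(?P<pid>\d+)\]\s*:\s*do_auth\s*:\s*auth failure:"
    r"(?P<fields>.*)\[reason=saslauthd internal error\]")
FIELD_RE = re.compile(r"\[(\w+)=([^\]]*)\]")

# Constructed sample log (host, user and realm taken from the thread; timestamps
# and the error code 42 are placeholders, not real output).
SAMPLE_LOG = """\
Nov 11 08:41:21 ldap-master001 saslauthd[26076] :auth_krb5: krb5_get_init_creds_password: 42
Nov 11 08:41:21 ldap-master001 saslauthd[26076] :do_auth : auth failure: [user=test] [service=ldap] [realm=MY_REALM] [mech=kerberos5] [reason=saslauthd internal error]
Nov 11 08:41:22 ldap-master001 saslauthd[26077] :do_auth : auth success: [user=test] [service=ldap] [realm=MY_REALM] [mech=kerberos5]
Nov 11 08:41:23 ldap-master001 saslauthd[26076] :auth_krb5: krb5_kt_resolve
Nov 11 08:41:23 ldap-master001 saslauthd[26076] :do_auth : auth failure: [user=test] [service=ldap] [realm=MY_REALM] [mech=kerberos5] [reason=saslauthd internal error]
Nov 11 08:41:24 ldap-master001 saslauthd[26078] :auth_krb5: NULL password or username?
"""


def parse_auth_krb5(line):
    """Return {pid, message, stage, code} for an auth_krb5 syslog line, else None."""
    m = KRB5_RE.search(line)
    if not m:
        return None
    pid, msg = int(m.group("pid")), m.group("msg")
    for key, stage in KNOWN_MESSAGES.items():
        if msg.startswith(key):
            # krb5_get_init_creds_password appends a krb5 error code (the %d).
            rest = msg[len(key):].strip(" :")
            code = int(rest) if re.fullmatch(r"-?\d+", rest) else None
            return {"pid": pid, "message": key, "stage": stage, "code": code}
    return {"pid": pid, "message": msg, "stage": "unknown", "code": None}


def stage_counts(log_text):
    """Count how often each failure stage appears in the log."""
    return Counter(e["stage"] for e in map(parse_auth_krb5, log_text.splitlines()) if e)


def triage(log_text):
    """Pair each 'saslauthd internal error' failure with the auth_krb5 line
    logged by the same worker pid that lies nearest to it in the log
    (preceding lines win ties, since the backend logs before do_auth does)."""
    lines = log_text.splitlines()
    krb5 = []
    for i, line in enumerate(lines):
        entry = parse_auth_krb5(line)
        if entry:
            krb5.append((i, entry))
    results = []
    for i, line in enumerate(lines):
        f = FAIL_RE.search(line)
        if not f:
            continue
        pid = int(f.group("pid"))
        fields = dict(FIELD_RE.findall(f.group("fields")))
        candidates = [(abs(j - i), j > i, e) for j, e in krb5 if e["pid"] == pid]
        explanation = min(candidates, key=lambda c: (c[0], c[1]))[2] if candidates else None
        results.append({"pid": pid, "user": fields.get("user"),
                        "realm": fields.get("realm"), "explanation": explanation})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        e = r["explanation"] or {}
        print(f"pid={r['pid']} user={r['user']} realm={r['realm']} -> "
              f"{e.get('message')} [{e.get('stage')}] code={e.get('code')}")
    print(stage_counts(SAMPLE_LOG))
```

Feed it the relevant part of auth.err (for example `triage(open("/var/log/auth.log").read())`; the path varies by distribution) and it reports, per failed request, which of the listed calls failed, which narrows the problem to the credential cache, the keytab, the password check at the KDC, or the TGT verification step before any configuration is touched.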