[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Pass-though Authentication with Saslauthd and Kerberos
- To: openldap-technical@openldap.org
- Subject: Pass-though Authentication with Saslauthd and Kerberos
- From: Jeff B <jeffb.list@gmail.com>
- Date: Mon, 19 Dec 2011 23:08:41 -0500
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type; bh=sizBVR3aQPLkghMjMaKsqZ3FvWVjp6N3yOODx1e/JIg=; b=CYHCEUIN1HpXQ+rzQlAKf4zwdMUfxPE/3DbZyftQfRx9E9/jEhzjab/mrYXWB4x3BD 4+jbdJLCwIo/xGXjq7a0sgVkfcEZvOJkjcgZCIbz9XRu5p/NGUf8T1VItazXxk+V1PCe P7OlljIVR8zuHt6YiBJUL31l6ADRSyN1qfXco=
I'm attempting to get pass-though auth to work against saslauthd and
kerberos and while the problem seems to be in sasl I think it's most
likely to be seen in this type of configuration with opendap which I
why I chose this mailing list.
When I run testsaslauthd it works but when I run ldapsearch it fails.
But the curious thing is where it is failing. in doing straces of
saslauthd and packet traces I've found that when ldapsearch calls
salsauthd, and not when I run saslauthd kerberos does not deliver the
AS-REP packets till just after saslauthd times out.
I can't find any difference in how I'm invoking saslauthd with
testdaslauthd and how ldapsearch is invoking saslauthd. However the
packet traces are quite different as you will see below.
I've seen these kind of errors here and there on google but no
resolutions that I can find.
(http://www.openldap.org/lists/openldap-software/200602/msg00278.html)
Centos 6
openldap-2.4.23-15.el6_1.3.x86_64
openldap-clients-2.4.23-15.el6_1.3.x86_64
openldap-servers-2.4.23-15.el6_1.3.x86_64
openldap-devel-2.4.23-15.el6_1.3.x86_64
krb5-server-1.9-9.el6_1.2.x86_64
krb5-server-ldap-1.9-9.el6_1.2.x86_64
krb5-workstation-1.9-9.el6_1.2.x86_64
krb5-libs-1.9-9.el6_1.2.x86_64
cyrus-sasl-2.1.23-8.el6.x86_64
cyrus-sasl-lib-2.1.23-8.el6.x86_64
cyrus-sasl-gssapi-2.1.23-8.el6.x86_64
cyrus-sasl-plain-2.1.23-8.el6.x86_64
cyrus-sasl-devel-2.1.23-8.el6.x86_64
My slapd.conf contains nothing regarding kerberos / sasl /
pass-through authentication. I'm using a slapd.conf file for the time
being till i get it all worked out and plan on converting it to a
cn=config configuration.
In my DIT the userPassword field contains: {SASL}myuser@MYREALM where
myuser and my realm are replaced with the proper values.
/etc/sasl2/slapd.conf:
mech_list: plain
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
/etc/sysconfig/saslauthd
KRB5_KTNAME=/etc/krb5.keytab
SOCKETDIR=/var/run/saslauthd
MECH=kerberos5
Which builds a daemon command line of:
/usr/sbin/saslauthd -m /var/run/saslauthd -a kerberos5
My system keytab is:
/etc/krb5.keytab (root.ldap 0640)
host/my.hostname@realm
ldap/my.hostname@realm
My socket parent dir is:
/var/run/saslauthd (root.ldap 0770)
When I run testsaslauthd I get a packet trace between saslauthd and
kerberos is all UDP and works:
> AS-REQ
< KRB5KDC_ERR_PREAUTH_REQUIRED (25)
> AS-REQ
< AS-REP
> TGS-REQ
< TGS-REP
When I run ldapsearch the packet trace between saslauthd and kerberos
is UDP and TCP communication. None of the kerberos replies come back
for 18 seconds, the time it takes saslauthd to time out.
> AS-REQ
< KRB5KDC_ERR_PREAUTH_REQUIRED (25)
> AS-REQ
> TCP SYN
< TCP SYN, ACK
> TCP ACK
> TCP AS-REQ
< TCP ACK
> AS-REQ
> AS-REQ
> TCP FIN, ACK <-- saslauthd times out and the AS-REPS all come back at once.
< AS-REP
< AS-REP
< AS-REP
< TCP AS-REP
> TCP RST
an strace of saslauthd supports this timeout theory as it shows the
the timeouts and backoffs.
I can't find any info regarding saslauthd and TCP or UDP or timeouts
like this. Any ideas?