
Re: Pass-through Authentication with Saslauthd and Kerberos



In regard to: Pass-through Authentication with Saslauthd and Kerberos, Jeff...:

> I'm attempting to get pass-through auth to work against saslauthd and
> Kerberos

I have this exact configuration working, thanks in great measure to
people on this list and a lot of tinkering.

I note a few differences between your config and mine; I'm not certain
which, if any, of the differences are important, but I'll point them out.

> CentOS 6
> openldap-2.4.23-15.el6_1.3.x86_64
> openldap-clients-2.4.23-15.el6_1.3.x86_64
> openldap-servers-2.4.23-15.el6_1.3.x86_64
> openldap-devel-2.4.23-15.el6_1.3.x86_64
> krb5-server-1.9-9.el6_1.2.x86_64
> krb5-server-ldap-1.9-9.el6_1.2.x86_64
> krb5-workstation-1.9-9.el6_1.2.x86_64
> krb5-libs-1.9-9.el6_1.2.x86_64
> cyrus-sasl-2.1.23-8.el6.x86_64
> cyrus-sasl-lib-2.1.23-8.el6.x86_64
> cyrus-sasl-gssapi-2.1.23-8.el6.x86_64
> cyrus-sasl-plain-2.1.23-8.el6.x86_64
> cyrus-sasl-devel-2.1.23-8.el6.x86_64

I'm using locally-built openldap RPMs on RHEL 5, and have openldap 2.4.25
installed currently.

> /etc/sasl2/slapd.conf:
> mech_list: plain
> pwcheck_method: saslauthd
> saslauthd_path: /var/run/saslauthd/mux

I have two differences in my /etc/sasl2/slapd.conf from yours.

1) my mech_list is

	mech_list: kerberos5 external

2) I specify

	sasl-host: my-ldap-server-fqdn-here


> /etc/sysconfig/saslauthd
> KRB5_KTNAME=/etc/krb5.keytab
> SOCKETDIR=/var/run/saslauthd
> MECH=kerberos5

Mine is similar, though I'm not specifying the krb5.keytab file for
saslauthd.

For as useful as SASL is, it takes a while to come up to speed on how to
configure it.  I wish it were as well documented as openldap is.

Tim
--
Tim Mooney                                             Tim.Mooney@ndsu.edu
Enterprise Computing & Infrastructure                  701-231-1076 (Voice)
Room 242-J6, IACC Building                             701-231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164
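
The settings quoted in this thread have to agree with each other in three places: slapd's /etc/sasl2/slapd.conf must use pwcheck_method saslauthd and offer a cleartext mechanism (PLAIN) so there is a password to forward, saslauthd_path must point at the mux socket under saslauthd's SOCKETDIR, and saslauthd itself must run with MECH=kerberos5. The script below is an added example (not Tim's or Jeff's configuration, and not part of the original message) that checks those three points from the config files alone, without contacting slapd, saslauthd or a KDC. The sample config files it writes are constructed for the demo; the function names (check_passthrough, sasl_value, sysconfig_value, sasl_userpassword, write_samples) and the user "jdoe" in realm EXAMPLE.COM are my own, and the /var/run/saslauthd fallback for an unset SOCKETDIR is taken from the sysconfig file quoted above, not from any distribution default.

```shell
# Added example, not from the original thread: a POSIX sh consistency check for
# slapd -> saslauthd -> Kerberos pass-through. Reads config files only.

# sasl_value FILE KEY: print the value of "KEY: value" from a sasl2 config file.
sasl_value() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# sysconfig_value FILE KEY: print the value of KEY=value (surrounding quotes stripped).
sysconfig_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# sasl_userpassword USER REALM: the userPassword value an entry needs so that
# slapd defers the simple bind to saslauthd instead of comparing a stored hash.
sasl_userpassword() {
    printf '{SASL}%s@%s\n' "$1" "$2"
}

# check_passthrough SLAPD_SASL_CONF SASLAUTHD_SYSCONFIG
# Returns 0 if the two files describe a coherent pass-through setup, 1 otherwise,
# printing one line per problem found.
check_passthrough() {
    conf=$1 sysconf=$2 rc=0
    pwcheck=$(sasl_value "$conf" pwcheck_method)
    mechs=$(sasl_value "$conf" mech_list)
    sockpath=$(sasl_value "$conf" saslauthd_path)
    sockdir=$(sysconfig_value "$sysconf" SOCKETDIR)
    mech=$(sysconfig_value "$sysconf" MECH)
    # Assumption: fall back to the SOCKETDIR used in the thread when it is unset.
    [ -n "$sockdir" ] || sockdir=/var/run/saslauthd

    # slapd only forwards the cleartext password when pwcheck_method is saslauthd.
    [ "$pwcheck" = saslauthd ] ||
        { echo "pwcheck_method is '${pwcheck:-unset}', expected saslauthd"; rc=1; }

    # Only a cleartext mechanism carries a password that can be forwarded: PLAIN
    # (or the legacy LOGIN). GSSAPI never gives slapd the password, so a mech_list
    # without plain/login cannot pass anything through to saslauthd.
    case " $(echo "$mechs" | tr 'A-Z' 'a-z') " in
        *" plain "*|*" login "*) ;;
        *) echo "mech_list '${mechs:-unset}' has no plain/login mechanism"; rc=1 ;;
    esac

    # saslauthd listens on $SOCKETDIR/mux; slapd must be pointed at that socket.
    [ "$sockpath" = "$sockdir/mux" ] ||
        { echo "saslauthd_path '${sockpath:-unset}' does not match $sockdir/mux"; rc=1; }

    # Verification must be done by saslauthd's kerberos5 backend, not pam/shadow.
    [ "$mech" = kerberos5 ] ||
        { echo "saslauthd MECH is '${mech:-unset}', expected kerberos5"; rc=1; }
    return $rc
}

# write_samples DIR: constructed copies of the settings quoted in the thread
# (the "good" pair) plus a broken pair that offers only GSSAPI, points slapd at
# the wrong socket directory and runs saslauthd against PAM.
write_samples() {
    cat > "$1/good-slapd.conf" <<'EOF'
mech_list: plain
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
EOF
    cat > "$1/good-saslauthd" <<'EOF'
KRB5_KTNAME=/etc/krb5.keytab
SOCKETDIR=/var/run/saslauthd
MECH=kerberos5
EOF
    cat > "$1/bad-slapd.conf" <<'EOF'
mech_list: gssapi external
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
EOF
    cat > "$1/bad-saslauthd" <<'EOF'
SOCKETDIR=/var/state/saslauthd
MECH=pam
EOF
}

# demo: run the check over both constructed pairs and show the userPassword form.
demo() {
    d=$(mktemp -d) && write_samples "$d"
    for pair in good bad; do
        if check_passthrough "$d/$pair-slapd.conf" "$d/$pair-saslauthd"; then
            echo "$pair: consistent"
        else
            echo "$pair: NOT consistent (see above)"
        fi
    done
    echo "userPassword for jdoe: $(sasl_userpassword jdoe EXAMPLE.COM)"
    rm -rf "$d"
}
demo
```

On a real server the same check can be run as `check_passthrough /etc/sasl2/slapd.conf /etc/sysconfig/saslauthd`; it says nothing about whether the keytab or the KDC are right, which is what `testsaslauthd -u user -p password` against the running saslauthd answers.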