[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Pass-though Authentication with Saslauthd and Kerberos

I have narrowed this down the problem described below to what I think
is a lock in the bdb database.

Against the same slapd I have an ldapbind that is waiting from the
client to complete but kerberos is trying to do an ldapmodify to the
same slapd before sending the AS-REP back to LDAP Passthough kerberos
client that will complete the bind.

It seems  that a ldapbind in flight blocks ldapmodify, but not
ldapsearches. And this configuration requires to complete an
ldapmodify before it completes the bind.

So how do I get the ldapbind to not block the modify, by using more
threads, or finer grained locking?  I've done some searching but don't
see a solution.

On Mon, Dec 19, 2011 at 11:08 PM, Jeff B <jeffb.list@gmail.com> wrote:
> I'm attempting to get pass-though auth to work against saslauthd and
> kerberos and while the problem seems to be in sasl I think it's most
> likely to be seen in this type of configuration with opendap which I
> why I chose this mailing list.
> When I run testsaslauthd it works but when I run ldapsearch it fails.
> But the curious thing is where it is failing.  in doing straces of
> saslauthd and packet traces I've found that when ldapsearch calls
> salsauthd, and not when I run saslauthd kerberos does not deliver the
> AS-REP packets till just after saslauthd times out.
> I can't find any difference in how I'm invoking saslauthd with
> testdaslauthd and how ldapsearch is invoking saslauthd. However the
> packet traces are quite different as you will see below.
> I've seen these kind of errors here and there on google but no
> resolutions that I can find.
> (http://www.openldap.org/lists/openldap-software/200602/msg00278.html)
> Centos 6
> openldap-2.4.23-15.el6_1.3.x86_64
> openldap-clients-2.4.23-15.el6_1.3.x86_64
> openldap-servers-2.4.23-15.el6_1.3.x86_64
> openldap-devel-2.4.23-15.el6_1.3.x86_64
> krb5-server-1.9-9.el6_1.2.x86_64
> krb5-server-ldap-1.9-9.el6_1.2.x86_64
> krb5-workstation-1.9-9.el6_1.2.x86_64
> krb5-libs-1.9-9.el6_1.2.x86_64
> cyrus-sasl-2.1.23-8.el6.x86_64
> cyrus-sasl-lib-2.1.23-8.el6.x86_64
> cyrus-sasl-gssapi-2.1.23-8.el6.x86_64
> cyrus-sasl-plain-2.1.23-8.el6.x86_64
> cyrus-sasl-devel-2.1.23-8.el6.x86_64
> My slapd.conf contains nothing regarding kerberos / sasl /
> pass-through authentication.  I'm using a slapd.conf file for the time
> being till i get it all worked out and plan on converting it to a
> cn=config configuration.
> In my DIT the userPassword field contains:  {SASL}myuser@MYREALM where
> myuser and my realm are replaced with the proper values.
> /etc/sasl2/slapd.conf:
> mech_list: plain
> pwcheck_method: saslauthd
> saslauthd_path: /var/run/saslauthd/mux
> /etc/sysconfig/saslauthd
> KRB5_KTNAME=/etc/krb5.keytab
> SOCKETDIR=/var/run/saslauthd
> MECH=kerberos5
> Which builds a daemon command line of:
> /usr/sbin/saslauthd -m /var/run/saslauthd -a kerberos5
> My system keytab is:
> /etc/krb5.keytab   (root.ldap 0640)
> host/my.hostname@realm
> ldap/my.hostname@realm
> My socket parent dir is:
> /var/run/saslauthd  (root.ldap 0770)
> When I run testsaslauthd I get a packet trace between saslauthd and
> kerberos is all UDP and works:
> < AS-REP
> When I run ldapsearch the packet trace between saslauthd and kerberos
> is UDP and TCP communication.  None of the kerberos replies come back
> for 18 seconds, the time it takes saslauthd to time out.
>> TCP FIN, ACK   <-- saslauthd times out and the AS-REPS all come back at once.
> < AS-REP
> < AS-REP
> < AS-REP
> an strace of saslauthd supports this timeout theory as it shows the
> the timeouts and backoffs.
> I can't find any info regarding saslauthd and TCP or UDP or timeouts
> like this.  Any ideas?