[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Pass-though Authentication with Saslauthd and Kerberos

On Mon Jan 09 2012 at 19:38:05 CET, Andreas Ntaflos wrote:

> On 2012-01-06 22:10, Jeff B wrote:
> > Upon more reflection It appears to be a row locking problem in BDB.
> > In the example where I found the SASL pass though example their
> > kerberos principal data was not stored in the user's ldap record.
> > and the example where you could store your kerberos principal in the
> > same record as the user wasn't using pass though auth.   Combining the
> > two options got me here.

> For what it's worth, I can confirm that this problem only occurs whith
> the kdb5-ldap backend when the Kerberos principal is stored in the same
> DN as the user, i.e. using
> addprinc -x dn="uid=foo,ou=people,dc=example,dc=com" foo
> to create the principal. Separating the principal data from the user's
> DN makes SASL pass-through authentication work again.

I'm running OpenLDAP 2.4.31 in Multi-Master Replication mode with BDB
4.7.25.NC (with 4 patches) and am experiencing the same issue. (Have
tried with BDB 5.1.29 which doesn't change anything.) I have one slapd
running on Centos 6.2 (2.6.32-220.13.1.el6.x86_64 SMP x86_64) and the
other on OS/X 10.6.8. Kerberos is MIT krb5-1.10.1 on both.

If I launch saslsauthd with a KRB5_CONFIG pointing to a second KDC which
access a slapd mirror, all works fine.

When both KDC (with kldap back-end) and slapd run on the same machine,
and krb5.conf points to that KDC, saslauthd fails if the Kerberos
principal objects are in the user's DN:

        # /usr/sbin/saslauthd -d -a kerberos5  -m  /var/run/openldap

        saslauthd[96294] :main            : num_procs  : 5
        saslauthd[96294] :main            : mech_option: NULL
        saslauthd[96294] :main            : run_path   : /var/run/openldap
        saslauthd[96294] :main            : auth_mech  : kerberos5
        saslauthd[96294] :ipc_init        : using accept lock file: /var/run/openldap/mux.accept
        saslauthd[96294] :detach_tty      : master pid is: 0
        saslauthd[96294] :ipc_init        : listening on socket: /var/run/openldap/mux
        saslauthd[96294] :main            : using process model
        saslauthd[96294] :have_baby       : forked child: 96295
        saslauthd[96294] :have_baby       : forked child: 96296
        saslauthd[96295] :get_accept_lock : acquired accept lock
        saslauthd[96294] :have_baby       : forked child: 96297
        saslauthd[96294] :have_baby       : forked child: 96298

        saslauthd[96295] :rel_accept_lock : released accept lock
        saslauthd[96297] :get_accept_lock : acquired accept lock
        saslauthd[96295] :do_auth         : auth failure: [user=jpm] [service=ldap] [realm=MENS.DE] [mech=kerberos5] [reason=saslauthd internal error]

If, on the other hand, the kerberos principal data in LDAP is separate
from the user's entry, authentication works:

        saslauthd[96298] :rel_accept_lock : released accept lock
        saslauthd[96294] :get_accept_lock : acquired accept lock
        saslauthd[96298] :do_auth         : auth success: [user=f5] [service=ldap] [realm=MENS.DE] [mech=kerberos5]
        saslauthd[96298] :do_request      : response: OK 

Has anybody found a solution? I want to keep Kerberos principal data in
the users' entries.