[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: sasl Kerberos authentication with subordinate

To: Dan White <dwhite@olp.net>
Subject: Re: sasl Kerberos authentication with subordinate
From: "Wu, James C." <James.C.Wu@disney.com>
Date: Tue, 1 Jan 2013 20:49:44 -0800
Accept-language: en-US
Acceptlanguage: en-US
Cc: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Content-language: en-US
In-reply-to: <20121231224423.GA6804@dan.olp.net>
Thread-index: Ac3opLHUQ0USTGGdRMeDzwnza6rLCw==
Thread-topic: sasl Kerberos authentication with subordinate
User-agent: Microsoft-MacOutlook/14.13.0.110805

Hi,

I did not run the 'su - james' as root user. So I am expecting it to ask
me for the password and trigger the authentication against ldap which
delegates the authentication to Kerberos via saslauthd.

The problem is that I can not get it to work for users in the subordinate
tree. 

I read the man page of pam-ldap and it mentioned that there is a referral
option, but after setting it to referral = yes, it still does not work.

Regards,


james

On 12/31/12 2:44 PM, "Dan White" <dwhite@olp.net> wrote:

>On 12/31/12 11:19 -0800, Wu, James C. wrote:
>>I am trying to set up an OpenLDAP and Kerberos authentication for testing
>>purpose. The setup contains a pair of internal ldap server and Kerberos
>>server and the pair of external ldap server and Kerberos server.
>>
>>I made the tree of the internal ldap server to be a subordinate of the
>>external server and enabled the saslauthd for authentication on both the
>>internal and the external ldap server to the respective Kerberos server.
>>
>>I have tested that the LDAP authentication through saslauthd using
>>Kerberos works well on both the internal ldap and Kerberos pair and the
>>external ldap Kerberos pair.
>>
>>However, when I point the client machine to the external ldap server and
>>the add the subordinate relationship, I could not get the authentication
>>for the uses in the internal ldap directory to work.
>>
>>For example, when I used "su - peter" where peter is a user in the
>>external ldap server and the password is
>>{SASL}peter@EXAMPLE.COM<mailto:%7bSASL%7dpeter@EXAMPLE.COM>. The
>>authentication works. However, when I use "su - James" where james is a
>>user defined in the internal ldap server with password
>>{SASL}james@SUB.EXAMPLE.COM<mailto:%7bSASL%7djames@SUB.EXAMPLE.COM>, then
>>the authentication failed. I check the log file, the internal server did
>>get the search request forwarded from the external ldap server and
>>returned the correct information back. However, I did not see the
>>saslauthd process on either the external or the internal ldap server get
>>any inquiry for the authentication.
>>
>>I tried to modify the /etc/krb5.conf and added the realms for both
>>EXAMPLE.COM and SUB.EXAMPLE.COM. Still, the authentication does not work
>>for users defined in the internal ldap server.
>>
>>Could anyone give me some hints for this issue?
>
>Assuming that you are running 'su - <user>' as the root user, that command
>should not trigger an authentication against saslauthd, or kerberos. Nor
>should is even consult your userPassword entry.
>
>Check the configuration of your nss ldap module, on the server you're
>running 'su' on. Use 'getent passwd <user>' to trouble shoot.
>
>-- 
>Dan White

Follow-Ups:
- Re: sasl Kerberos authentication with subordinate
  - From: Dan White <dwhite@olp.net>

Prev by Date: Re: olcToolthreads and slapadd -n0
Next by Date: Re: sasl Kerberos authentication with subordinate
Index(es):
- Chronological
- Thread