Re: GSSAPI vs GSS-SPNEGO

[Dan White <dwhite@cafedemocracy.org>]

On 12/30/14 10:32 -0500, Brendan Kearney wrote:
> On Mon, 2014-12-29 at 10:49 -0600, Dan White wrote:
> > http://www.openldap.org/doc/admin24/security.html#Pass-Through%20authentication
> >
> > Add 'pwcheck_method: saslauthd' to your libsasl slapd.conf file, and should
> > need nothing else unless you're using a non standard location for your
> > saslauthd mux.
> >
> > Verify that your slapd user has permissions to access the saslauthd mux,
> > and verify your saslauthd config with testsaslauthd.
>
> i had the pwcheck_method directive in there, along with the path to one
> of two saslauthd mux's.  /var/run/saslauthd/mux and /run/saslauthd/mux,
> which both show up as "srwxrwxrwx" and are owned by root:root.  testing

Typically for the saslauthd mux, it's the parents' directory permissions
that restrict access.

> using testsaslauthd works with my id, but i am not sure how to have
> authentication work when the other process is binding with
> "cn=user,dc=domain,dc=tld" and not a username.

dn: cn=user,dc=domain,dc=tld
userPassword: {SASL}username@realm

--
Dan White