
Re: GSSAPI vs GSS-SPNEGO



On Tue, 2014-12-30 at 09:37 -0600, Dan White wrote:
> On 12/30/14 10:32 -0500, Brendan Kearney wrote:
> >On Mon, 2014-12-29 at 10:49 -0600, Dan White wrote:
> >> http://www.openldap.org/doc/admin24/security.html#Pass-Through%20authentication
> >>
> >> Add 'pwcheck_method: saslauthd' to your libsasl slapd.conf file, and should
> >> need nothing else unless you're using a non standard location for your
> >> saslauthd mux.
> >>
> >> Verify that your slapd user has permissions to access the saslauthd mux,
> >> and verify your saslauthd config with testsaslauthd.
> >>
> >
> >I had the pwcheck_method directive in there, along with the path to one
> >of two saslauthd muxes, /var/run/saslauthd/mux and /run/saslauthd/mux,
> >which both show up as "srwxrwxrwx" and are owned by root:root.  Testing
> 
> Typically for the saslauthd mux, it's the parent directory's permissions
> that restrict access.
> 
> >using testsaslauthd works with my id, but I am not sure how to have
> >authentication work when the other process is binding with
> >"cn=user,dc=domain,dc=tld" and not a username.
> 
> dn: cn=user,dc=domain,dc=tld
> userPassword: {SASL}username@realm
> 

/run:
drwxr-xr-x  2 root    root     100 Dec 30 10:26 saslauthd

/var/run:
lrwxrwxrwx. 1 root root 6 Dec 10 21:46 /var/run -> ../run

So the ldap user would have read and execute permissions.  Should I
change anything?

I do have a user for dhcpd set up in that way (dn:
uid=dhcpd,dc=bpk2,dc=com and userPassword: {SASL}dhcpd@BPK2.COM).  The
Kerberos object does exist as well.
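An added example, not written by anyone in this thread: a small POSIX shell script that walks the path to the saslauthd mux and reports, from the permission bits alone, whether a given user (the account slapd runs as, assumed here to be `ldap`) can search every parent directory and write to the socket, which is what connect(2) on a Unix socket requires. It assumes GNU coreutils (`stat -c`, `readlink -f`) and `id -Gn`, and it ignores ACLs and SELinux, so a clean result is necessary but not sufficient.

```shell
#!/bin/sh
# Added example, not from this thread: report whether USER can reach the
# saslauthd mux the way connect(2) needs it: search (x) permission on every
# directory leading to it and write (w) permission on the socket itself.
# Assumes GNU coreutils (stat -c, readlink -f) and `id -Gn`; judges from
# permission bits only (no ACLs, no SELinux).

# perm_allows MODE OWNER GROUP USER BIT
# MODE is the 10-character string from `stat -c %A`; BIT is r, w or x.
perm_allows() {
    mode=$1; owner=$2; group=$3; user=$4; bit=$5
    [ "$user" = root ] && return 0
    if [ "$user" = "$owner" ]; then
        triad=$(printf '%s' "$mode" | cut -c2-4)
    elif id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then
        triad=$(printf '%s' "$mode" | cut -c5-7)
    else
        triad=$(printf '%s' "$mode" | cut -c8-10)
    fi
    case "$bit" in
        r) c=$(printf '%s' "$triad" | cut -c1); [ "$c" = r ] ;;
        w) c=$(printf '%s' "$triad" | cut -c2); [ "$c" = w ] ;;
        # s and t (setgid/sticky combined with execute) still grant search
        x) c=$(printf '%s' "$triad" | cut -c3)
           case "$c" in x|s|t) return 0 ;; *) return 1 ;; esac ;;
    esac
}

# check_mux_access MUX USER
# Returns 0 if every directory is searchable and the mux is writable by USER,
# 1 on a permission problem, 2 if the path does not exist.
check_mux_access() {
    mux=$1; user=$2
    # resolve symlinks such as /var/run -> ../run before walking the tree
    dir=$(readlink -f "$(dirname "$mux")") || return 2
    [ -d "$dir" ] || { echo "MISSING: directory $dir"; return 2; }
    d=$dir
    while :; do
        info=$(stat -c '%A %U %G' "$d") || return 2
        set -- $info
        if ! perm_allows "$1" "$2" "$3" "$user" x; then
            echo "DENIED: $user cannot search $d ($1 $2:$3)"
            return 1
        fi
        [ "$d" = / ] && break
        d=$(dirname "$d")
    done
    [ -e "$mux" ] || { echo "MISSING: $mux (is saslauthd running?)"; return 2; }
    [ -S "$mux" ] || echo "WARNING: $mux is not a socket"
    info=$(stat -c '%A %U %G' "$mux") || return 2
    set -- $info
    if ! perm_allows "$1" "$2" "$3" "$user" w; then
        echo "DENIED: $user cannot write to $mux ($1 $2:$3)"
        return 1
    fi
    echo "OK: $user can connect to $mux"
    return 0
}

# Usage as a script: ./check_mux.sh /run/saslauthd/mux ldap
if [ "$#" -eq 2 ]; then
    check_mux_access "$1" "$2"
fi
```

For the tree shown above (/run/saslauthd at 0755 owned by root, the mux at 0777, /var/run a symlink to ../run) the check passes for any user, since search needs only the execute bit and the socket is world-writable; because the script resolves the symlink, both mux paths give the same answer. A "DENIED" line names the first directory or file that blocks the slapd user, which is the component to fix.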