
Re: [OpenLDAP][Authentication] SASL



Also, if you're authenticating against AD, there are a few other things
that can be simplified in that tutorial. First, add the "-r" option to the
list of saslauthd(8) options so the username becomes foo@REALM.

After that you can have the following settings in your saslauthd.conf(5)
file:

    ldap_servers: ldaps://adldap1.ad.example.com ldaps://adldap2.ad.example.com
    ldap_tls_check_peer: no
    ldap_use_sasl: no
    ldap_auth_method: fastbind
    ldap_filter: %u

The "fastbind" skips the search of the directory, and simply tries to bind
as username@REALM (which should map to users' AD principal because of
"-r"). This also removes the need for a service account to do the initial
bind-and-search.

On Sun, January 31, 2016 22:14, David Magda wrote:
> Try editing your system-wide ldap.conf(5) file to have:
>
> 	TLS_REQCERT	never
>
> “allow” should also work. Also make sure you have a valid setting for
> TLS_CACERT (and that the file actually exists and has some contents): if
> you tell LDAP software not to check validity, the cert path has to be
> there to be ignored.
>
>> On Jan 27, 2016, at 15:18, Timothy Keith <timothy.g.keith@gmail.com>
>> wrote:
>>
>> I am using this tutorial: Pass-Through authentication with SASL
>> http://ltb-project.org/wiki/documentation/general/sasl_delegation
>>
>> Tim
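The fastbind configuration discussed above, as an added example that is not part of this thread: a small Python checker that parses a saslauthd.conf(5) fragment, shows what `%u` in `ldap_filter` becomes once saslauthd's `-r` turns the login into `user@REALM`, and flags `ldap_tls_check_peer: no` (which stops the server certificate being validated). The option names are those of saslauthd.conf(5); the sample fragment, host names and helper names are constructed.

```python
"""Parse a saslauthd.conf(5) fragment and sanity-check AD fastbind settings."""

# Constructed sample mirroring the settings in the thread (not a real site).
SAMPLE_CONF = """\
# two AD domain controllers, space separated
ldap_servers: ldaps://adldap1.ad.example.com ldaps://adldap2.ad.example.com
ldap_tls_check_peer: no
ldap_use_sasl: no
ldap_auth_method: fastbind
ldap_filter: %u
"""

def parse_saslauthd_conf(text):
    """Return {option: value}; the file is 'option: value' per line, '#' comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed saslauthd.conf line: {raw!r}")
        conf[key.strip()] = value.strip()
    return conf

def bind_identity(conf, user, realm=None):
    """The name fastbind binds as: ldap_filter with %u expanded.
    With 'saslauthd -r', the LDAP module receives user@REALM as the username."""
    name = f"{user}@{realm}" if realm else user
    return conf.get("ldap_filter", "%u").replace("%u", name)

def check_fastbind(conf):
    """Return a list of findings; an empty list means the fragment is consistent."""
    findings = []
    if conf.get("ldap_auth_method") != "fastbind":
        findings.append("ldap_auth_method is not fastbind")
    if "%u" not in conf.get("ldap_filter", ""):
        findings.append("ldap_filter lacks %u, so fastbind has no name to bind as")
    servers = conf.get("ldap_servers", "").split()
    if not servers:
        findings.append("ldap_servers is empty")
    for server in servers:
        # a simple bind sends the password; without ldaps:// or STARTTLS it is cleartext
        if not server.startswith("ldaps://") and conf.get("ldap_start_tls") != "yes":
            findings.append(f"{server}: bind password would cross the wire unprotected")
    if conf.get("ldap_tls_check_peer", "").lower() == "no":
        findings.append("ldap_tls_check_peer: no disables server certificate validation")
    return findings
```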