Re: [OpenLDAP][Authentication] SASL
- Subject: Re: [OpenLDAP][Authentication] SASL
- From: Timothy Keith <timothy.g.keith@gmail.com>
- Date: Sat, 6 Feb 2016 17:46:15 -0600
- Cc: openldap-technical@openldap.org
- In-reply-to: <0fb65f5c3399d1a2e36f2ed8e5d238c2.squirrel@webmail.ee.ryerson.ca>
- References: <CAGraDoF0w4dpTqs4nmL3x5-1UY+zTYAfrY8t+Zavkz2S9rNc9A@mail.gmail.com> <CAGraDoGieaSmjqLJy_AZDLb71XoGRMYXqnhN245B7hq_LJoNjw@mail.gmail.com> <CAGraDoG0dj=LpoTWxLUWz1xUBQ8683GNvFSf48BTNkzUxpDZXg@mail.gmail.com> <CAGraDoHDJ_=uo3swgyna1evP7Z_nRQVi5dsG_hVb0SCPLOj6qw@mail.gmail.com> <20160108203428.GE3710@dan.olp.net> <CAGraDoHjmdv_3b-50GSZj7+fAHu5G6r4HnMF7hZt=vEHs5dsCw@mail.gmail.com> <20160121203127.GH3666@dan.olp.net> <DUB126-W296DD26EC509970DBC7C8ECCC40@phx.gbl> <CAGraDoFsCxwzRAzAYhR9waGLxpe-zoeTDnha0za=ozEAeEfXrw@mail.gmail.com> <DUB126-W957A963A373AE40CB94470CCC40@phx.gbl> <CAGraDoGxGkat-V5mNhZg6R45WoyrtVs5zDp4WhP-ZeVh15iKGw@mail.gmail.com> <800DD943824F8BB3D2E8CA8B@192.168.1.9> <DUB126-W533C4343A0B19C298FBDFECCC40@phx.gbl> <CAGraDoFO2eHPfPW7kDiPC=JchxWfNyx+U6txBLxL4pZj6FnB_Q@mail.gmail.com> <2757FE21-16A6-488F-86BA-0668FB1EFDE5@ee.ryerson.ca> <0fb65f5c3399d1a2e36f2ed8e5d238c2.squirrel@webmail.ee.ryerson.ca>
I found this comment in the documentation:
The server must be built with the --enable-spasswd configuration
option to enable pass-through authentication.
I ran slapd with this option; it listed:
slapd -VVV
@(#) $OpenLDAP: slapd 2.4.40 (Sep 30 2015 06:51:51) $
mockbuild@x86-028.build.eng.bos.redhat.com:/builddir/build/BUILD/openldap-2.4.40/openldap-2.4.40/build-servers/servers/slapd
Included static backends:
config
ldif
monitor
bdb
hdb
ldap
mdb
meta
null
passwd
relay
shell
sock
How can I know that slapd was built with --enable-spasswd?
Tim
On Mon, Feb 1, 2016 at 2:02 PM, David Magda <dmagda@ee.ryerson.ca> wrote:
> Also, if you're authenticating against AD, there are a few other things
> that can be simplified in that tutorial. First, add the "-r" option to the
> list of saslauthd(8) options so the username becomes foo@REALM.
>
> After that you can have the following settings in your saslauthd.conf(5)
> file:
>
> ldap_servers: ldaps://adldap1.ad.example.com
> ldaps://adldap2.ad.example.com
> ldap_tls_check_peer: no
> ldap_use_sasl: no
> ldap_auth_method: fastbind
> ldap_filter: %u
>
> The "fastbind" skips the search of the directory, and simply tries to bind
> as username@REALM (which should map to users' AD principal because of
> "-r"). This also removes the need for a service account to do the initial
> bind-and-search.
>
> On Sun, January 31, 2016 22:14, David Magda wrote:
>> Try editing your system-wide ldap.conf(5) file to have:
>>
>> TLS_REQCERT never
>>
>> “allow” should also work. Also make sure you have a valid setting for
>> TLS_CACERT (and that the file actually exists and has some contents): if
>> you tell LDAP software not to check validity, the cert path has to be
>> there to be ignored.
>>
>>> On Jan 27, 2016, at 15:18, Timothy Keith <timothy.g.keith@gmail.com>
>>> wrote:
>>>
>>> I am using this tutorial : Pass-Through authentication with SASL
>>> http://ltb-project.org/wiki/documentation/general/sasl_delegation
>>>
>>> Tim
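The build-option question in the thread is not answered by `slapd -VVV`, which lists only the compiled-in backends and overlays; `--enable-spasswd` does not add a backend but the `{SASL}` userPassword scheme, which hands the password to Cyrus SASL (and from there to saslauthd). The POSIX shell script below is an added example, not code from the thread or from the OpenLDAP project. It assumes that, when slapd is built with that option, liblutil registers the literal scheme name `{SASL}` in its password-scheme table and the string is therefore embedded in the binary (absent otherwise), and it reads the binary path from `$SLAPD_BIN`, defaulting to the assumed location /usr/sbin/slapd.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenLDAP project).
# Heuristic check for --enable-spasswd: with SLAPD_SPASSWD defined,
# liblutil's password-scheme table includes "{SASL}", so that literal
# is embedded in the slapd binary; without the option it is absent.
# "slapd -VVV" cannot answer this: it lists backends/overlays only.

SLAPD_BIN="${SLAPD_BIN:-/usr/sbin/slapd}"   # assumed default location

# Exit 0 if FILE contains the "{SASL}" scheme name, 1 otherwise.
# grep -a treats the binary as text, so strings(1) is not required.
has_sasl_scheme() {
    grep -a -q -F '{SASL}' "$1"
}

# Exit 0 if FILE is dynamically linked against libsasl2, 1 if not,
# 2 if ldd is unavailable.  A static link shows nothing here, so a
# "no" from this check is only supporting evidence, never a verdict.
links_libsasl2() {
    command -v ldd >/dev/null 2>&1 || return 2
    ldd "$1" 2>/dev/null | grep -q 'libsasl2'
}

# Print one verdict word for BIN (always exits 0 so it is safe under set -e):
#   spasswd      {SASL} scheme present  -> built with --enable-spasswd
#   no-spasswd   {SASL} scheme absent   -> built without it
#   missing      BIN does not exist
verdict() {
    bin="$1"
    if [ ! -f "$bin" ]; then
        echo missing
    elif has_sasl_scheme "$bin"; then
        echo spasswd
    else
        echo no-spasswd
    fi
    return 0
}

# Stand-alone run: report on the configured binary if it is present.
if [ -f "$SLAPD_BIN" ]; then
    echo "$SLAPD_BIN: $(verdict "$SLAPD_BIN")"
    if links_libsasl2 "$SLAPD_BIN"; then
        echo "$SLAPD_BIN: dynamically linked against libsasl2"
    fi
fi
```

If the scheme name is present, the definitive check is functional rather than static: give a test entry `userPassword: {SASL}user@REALM` (with `-r` on saslauthd so the bare username becomes user@REALM, as suggested above), set `pwcheck_method: saslauthd` in slapd's Cyrus SASL application config (the file location is distribution-dependent), and run `ldapwhoami -x -D <dn> -W` against the directory; a failed bind with the string present points at the saslauthd side, not at the build. Note also that `ldap_tls_check_peer: no` and `TLS_REQCERT never`, as quoted in the thread, disable certificate verification of the AD servers, and with fastbind the user's plaintext password is sent in a simple bind over that channel; that is acceptable while debugging the chain, not as the final configuration.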