
Re: Preauth Issue with SASL-Passthrough and Kerberos Backend



On Fri, 6 Oct 2017 13:43:34 +0200,
Ulrich Tehrani <u_tehrani@yahoo.de> wrote:

> Hi all,
> 
> I set up an OpenLDAP server which is used as MIT Kerberos backend.
> 
> User principals have, besides the Kerberos attributes, appropriate
> objectClasses (e.g. simpleSecurityObject, organizationalRole) to make
> also a simple authentication with the attribute userPassword possible.
> 
> To consolidate both credentials I made a setup of SASL passthrough with
> backend Kerberos. So I set the value of the userPassword attribute to
> 
> {SASL}<user>@<realm> and made the required configurations for the
> saslauthd.
> 
> With this configuration all kinds of authentication will use the
> Kerberos password.
> 
> I made various tests but there seems to be an issue with
> preauthentication in OpenLDAP.
> 
> 
> I got the following result:
> 
> => testsaslauthd is always working if the preauth flag is on or off
> 
> => ldapsearch -x is only working with the preauth flag disabled.
>
> => It makes no difference if MIT Kerberos uses its normal backend
> 
> 
> Keep in mind: for clear testing conditions saslauthd caching has to
> be disabled!
> 
> Don't use the -c option in saslauthd, otherwise it could happen that
> your ldapsearch -x is working because you had success with a former
> testsaslauthd command!
> 
> Does someone have a similar setup which is working with preauth enabled?
> 
> Or does someone know if this is supported or not?
> 
> I use LDAP 2.4.44 with cyrus-sasl-2.1.23.

I had set up such an environment, but in the end a kerberized
environment is easier to handle than a multitude of authentication
services. For security reasons you should not mix user data and Kerberos
data. I would recommend setting up two different databases.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
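
For reference, the passthrough setup the question describes, written out as an added example (this is not configuration posted by either participant): the {SASL} userPassword value, the slapd-side Cyrus SASL config that hands simple binds to saslauthd, a saslauthd invocation with the kerberos5 backend and caching left off, and the two checks the poster compares. The DN, user name, realm, password and file paths are placeholders; the SASL config path differs between distributions.

```text
# 1. LDIF for ldapmodify: replace the entry's userPassword with a {SASL}
#    reference so slapd verifies simple binds through saslauthd
#    (assumed DN, user and realm)
dn: uid=alice,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {SASL}alice@EXAMPLE.COM

# 2. Cyrus SASL config read by slapd, e.g. /etc/sasl2/slapd.conf or
#    /usr/lib/sasl2/slapd.conf depending on the build:
#    route password checks to the saslauthd socket (assumed socket path)
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux

# 3. saslauthd with the Kerberos backend. No -c: with the cache on, a
#    successful testsaslauthd would let a later ldapsearch -x pass from
#    the cache instead of being verified against the KDC again.
saslauthd -a kerberos5

# 4. Checks. The first talks to saslauthd directly and bypasses slapd;
#    the second goes through slapd's {SASL} passthrough, so a difference
#    between the two isolates the slapd side of the path.
testsaslauthd -u alice -r EXAMPLE.COM -p 'secret'
ldapsearch -x -H ldap://localhost \
  -D uid=alice,ou=people,dc=example,dc=com -w 'secret' \
  -b dc=example,dc=com '(uid=alice)' dn
```

When comparing the two checks, run each against a fresh saslauthd process or after restarting it, since step 3 is the only place where a leftover cache would otherwise mask a failing bind.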