[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Authenticate to ldap using Kerberos

To: Dan White <dwhite@olp.net>
Subject: Re: Authenticate to ldap using Kerberos
From: Wouter van Marle <wouter@squirrel-systems.com>
Date: Thu, 09 Sep 2010 12:17:28 +0800
Cc: openldap <openldap-technical@openldap.org>
In-reply-to: <20100909023432.GC2687@dan.olp.net>
References: <207bd0ddd5679c08fda7f7b3a0c606e5@squirrel-systems.com> <20100908171543.GD3297@dan.olp.net> <1283998880.31888.2.camel@cashew.squirrel> <20100909023432.GC2687@dan.olp.net>

On Wed, 2010-09-08 at 21:34 -0500, Dan White wrote: 
> On 09/09/10 10:21 +0800, Wouter van Marle wrote:
> >> That requires pass-through authentication.
> >
> >I see.
> >Well with the above instructions nothing seems to have changed.
> >I have restarted saslauthd and slapd after making the changes, and when
> >now accessing the ldap addressbook using Evolution, I still have to use
> >the ldap stored password, not the krb password.
> >
> >Wouter.
> 
> To be a little more explicit, to enable pass-through authentication, you
> will need to replace the password (userPassword attribute) with:
> 
> userPassword: {SASL}username@realm

When I got it working I am considering to write some tutorial - maybe
useful. I haven't been able to find anything like it on the internet.
The above I have never seen; just once a suggestion to change the
password to {KERBEROS}username but well that also didn't work :)

It's much harder to get working than I ever expected, really. And even
more so I'm surprised that openldap doesn't support this "out of the
box", or with some minor settings.

Anyway I have changed my userPassword field (using GQ) to
{SASL}wouter@SQUIRREL 
It still doesn't work of course. 
Also not when I set it to {SASL}wouter

In syslog I found the following error related to my attempt to open the
address book in evolution:
Sep  9 12:15:32 acorn slapd[15925]: conn=14 op=43 SEARCH RESULT tag=101
err=0 nentries=59 text=
Sep  9 12:15:39 acorn slapd[15925]: conn=135 fd=54 ACCEPT from
IP=192.168.2.4:39863 (IP=0.0.0.0:389)
Sep  9 12:15:39 acorn slapd[15925]: conn=135 op=0 BIND
dn="uid=wouter,ou=People,dc=squirrel" method=128
Sep  9 12:15:39 acorn slapd[15925]: SASL [conn=135] Failure: cannot
connect to saslauthd server: Permission denied
Sep  9 12:15:39 acorn slapd[15925]: conn=135 op=0 RESULT tag=97 err=49
text=

So there is something in saslauthd that does not accept connections from
slapd. Now the big question is why? As I have no idea where to start
searching for this.

Wouter.

> 
> for instance:
> 
> dn: uid=jsmith,dc=example,dc=com
> ...
> userPassword: {SASL}jsmith
> 
> In this case, the user will have no valid password defined in LDAP (or at
> least not in the userPassword attribute).
> 
> When attempting to perform a non-sasl bind, slapd will use saslauthd to
> authenticate, by taking the username (from the userPassword field), and the
> password that was submitted.
>

Follow-Ups:
- Re: Authenticate to ldap using Kerberos
  - From: Dan White <dwhite@olp.net>
- Re: Authenticate to ldap using Kerberos
  - From: Howard Chu <hyc@symas.com>

References:
- Authenticate to ldap using Kerberos
  - From: Wouter van Marle <wouter@squirrel-systems.com>
- Re: Authenticate to ldap using Kerberos
  - From: Dan White <dwhite@olp.net>
- Re: Authenticate to ldap using Kerberos
  - From: Dan White <dwhite@olp.net>

Prev by Date: GSSAPI Bind across trusted realms
Next by Date: Re: Authenticate to ldap using Kerberos
Index(es):
- Chronological
- Thread