Re: OpenLDAP SASL Passthrough

[Andreas Ntaflos <daff@pseudoterminal.org>]

On 18/11/11 12:03, Raffael Sahli wrote:
> I'm pretty sure the problem is not kerberos!

Hi,

I just had virtually the same problem with virtually the same error
messages and symptoms on an authentication server based on MIT Kerberos,
OpenLDAP and SASL. I was banging my head against the wall because
everything was configured exactly right, identical to two other systems
I set up recently that work just fine.

Keytab entries were correct, DNS resolution worked forwards and reverse,
permissions and group memberships were correct as well, testsaslauth
never complained, etc. There was no reason for SASL pass-through not to
work.

Turns out the problem was DNS-related after all. When creating the
realm, various internal principals are added, one of those is (or should
be) "kadmin/auth01.example.com@REALM" (auth01.example.com being the FQDN
of the Kerberos server). For some reason--probably a rogue entry in
/etc/hosts--this principal was created as "kadmin/auth01@REALM", i.e.
containing only the hostname, not the FQDN. Took me a whole week to
figure that out.

You might want to check your Kerberos principal names and see if you
might have ran into a similar problem.

HTH

Andreas