
Re: Trying to get passthrough auth working with OpenLDAP and Kerberos



On Fri, 2012-01-27 at 14:56 -0500, Dan White wrote:
> On 01/27/12 10:43 -0800, Chastity Blackwell wrote:
> >Huh...well, what do you know, that works. Why is that though? I thought
> >you had to specify a realm for it to work?
> 
> Whether or not you use a realm is up to you. If you have multiple kerberos
> realms, then you're going to need to specify one.
> 
> However, the reason this works is that:
> 
> >[chas@ldapsandbox ~]$ /usr/sbin/testsaslauthd -u chas -p test -s ldap
> >0: OK "Success."
> 
> is simply passing a username to saslauthd, with no realm or domain.  The
> kerberos backend, via your kerberos libraries, is using the default realm
> to authenticate you.
> 
> To further troubleshoot why '{SASL}user@realm' does not work, you should
> first verify that it works with testsaslauthd (-u chas@REALM), and if it
> doesn't, bring the problem over to the cyrus-sasl@lists.andrew.cmu.edu
> list.
> 

All right, that makes a lot of sense. I think actually I must have had
something bad in the LDAP entry for me; replacing it with
{SASL}chas@KRBTEST works as intended now. So, it looks like most of my
problem was a lot of little errors that were tripping me up. I feel a
bit stupid, but on the other hand, it's good to know I was at least on
the right track. Thanks for all your help!
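As an added example (not code from the thread or from either poster), a small POSIX shell helper that checks a userPassword value of the form {SASL}user or {SASL}user@REALM the way the quoted reply suggests: it validates and splits the value, then builds the matching testsaslauthd invocation. It assumes only the testsaslauthd flags already shown in the quoted session (-u, -p, -s); the entry values used in the comments are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: validate an OpenLDAP userPassword value
# of the form {SASL}user or {SASL}user@REALM and build the testsaslauthd check the
# reply recommends. Assumes the -u/-p/-s flags used in the thread's session.

# Strip the {SASL} prefix and reject malformed values (spaces, empty user, bad '@').
sasl_principal() {
    prefix='{SASL}'
    case "$1" in
        "$prefix"*) principal=${1#"$prefix"} ;;
        *) echo "not a {SASL} value: $1" >&2; return 1 ;;
    esac
    case "$principal" in
        ''|*[[:space:]]*|'@'*|*'@'|*'@'*'@'*)
            echo "malformed principal: '$principal'" >&2; return 1 ;;
    esac
    printf '%s\n' "$principal"
}

# User part: everything before '@' (the whole value when no realm is given).
sasl_user() {
    p=$(sasl_principal "$1") || return 1
    printf '%s\n' "${p%@*}"
}

# Realm part; empty when absent, in which case the kerberos backend uses its default realm.
sasl_realm() {
    p=$(sasl_principal "$1") || return 1
    case "$p" in
        *@*) printf '%s\n' "${p#*@}" ;;
        *)   printf '\n' ;;
    esac
}

# Print the testsaslauthd command (without -p) matching the entry: "-u user@REALM"
# when a realm is present, a bare "-u user" otherwise, as in the thread's working case.
testsaslauthd_cmd() {
    user=$(sasl_user "$1") || return 1
    realm=$(sasl_realm "$1")
    if [ -n "$realm" ]; then
        printf 'testsaslauthd -u %s@%s -s %s\n' "$user" "$realm" "${2:-ldap}"
    else
        printf 'testsaslauthd -u %s -s %s\n' "$user" "${2:-ldap}"
    fi
}

# Run the check when testsaslauthd is installed; "0: OK" is its success reply.
check_entry() {
    cmd=$(testsaslauthd_cmd "$1" "${3:-ldap}") || return 1
    command -v testsaslauthd >/dev/null 2>&1 || { echo "would run: $cmd -p <password>"; return 0; }
    $cmd -p "$2" | grep -q '^0: OK'
}
```

Run it as `check_entry '{SASL}chas@KRBTEST' 'test'` on the host where saslauthd listens; a realm-less entry such as '{SASL}chas' produces the bare `-u chas` call that the quoted session showed succeeding against the default realm.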