On Wed, 2010-09-08 at 21:34 -0500, Dan White wrote:
On 09/09/10 10:21 +0800, Wouter van Marle wrote:
That requires pass-through authentication.
I see. Well with the above instructions nothing seems to have changed. I have restarted saslauthd and slapd after making the changes, and when now accessing the ldap addressbook using Evolution, I still have to use the ldap stored password, not the krb password.
Wouter.
To be a little more explicit, to enable pass-through authentication, you will need to replace the password (userPassword attribute) with:
userPassword: {SASL}username@realm
When I get it working I am considering writing some tutorial - maybe useful. I haven't been able to find anything like it on the internet. The above I have never seen; just once a suggestion to change the password to {KERBEROS}username, but well, that also didn't work :)
It's much harder to get working than I ever expected, really. And even more so I'm surprised that openldap doesn't support this "out of the box", or with some minor settings.
Anyway I have changed my userPassword field (using GQ) to {SASL}wouter@SQUIRREL. It still doesn't work, of course. Also not when I set it to {SASL}wouter.
In syslog I found the following error related to my attempt to open the address book in evolution:

    Sep 9 12:15:32 acorn slapd[15925]: conn=14 op=43 SEARCH RESULT tag=101 err=0 nentries=59 text=
    Sep 9 12:15:39 acorn slapd[15925]: conn=135 fd=54 ACCEPT from IP=192.168.2.4:39863 (IP=0.0.0.0:389)
    Sep 9 12:15:39 acorn slapd[15925]: conn=135 op=0 BIND dn="uid=wouter,ou=People,dc=squirrel" method=128
    Sep 9 12:15:39 acorn slapd[15925]: SASL [conn=135] Failure: cannot connect to saslauthd server: Permission denied
    Sep 9 12:15:39 acorn slapd[15925]: conn=135 op=0 RESULT tag=97 err=49 text=
So there is something in saslauthd that does not accept connections from slapd. Now the big question is why, as I have no idea where to start searching for this.
Wouter.
for instance:
    dn: uid=jsmith,dc=example,dc=com
    ...
    userPassword: {SASL}jsmith
In this case, the user will have no valid password defined in LDAP (or at least not in the userPassword attribute).
When attempting to perform a non-SASL (simple) bind, slapd will use saslauthd to authenticate, by taking the username (from the userPassword field) and the password that was submitted.
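As an added example that is not part of this thread: the log lines Wouter quoted show the pitfall of pass-through authentication, namely that a failure to reach saslauthd is reported to the client as plain err=49 (invalidCredentials), indistinguishable from a wrong password. The small triage script below correlates the BIND, "SASL [conn=N] Failure" and RESULT lines per connection so that a backend problem is labelled as such; the sample log is constructed from the lines quoted above and the function name is my own.

```python
import re
from typing import Dict, List

# Constructed sample: the slapd log lines quoted in the thread, one per line.
SAMPLE_LOG = """\
Sep 9 12:15:32 acorn slapd[15925]: conn=14 op=43 SEARCH RESULT tag=101 err=0 nentries=59 text=
Sep 9 12:15:39 acorn slapd[15925]: conn=135 fd=54 ACCEPT from IP=192.168.2.4:39863 (IP=0.0.0.0:389)
Sep 9 12:15:39 acorn slapd[15925]: conn=135 op=0 BIND dn="uid=wouter,ou=People,dc=squirrel" method=128
Sep 9 12:15:39 acorn slapd[15925]: SASL [conn=135] Failure: cannot connect to saslauthd server: Permission denied
Sep 9 12:15:39 acorn slapd[15925]: conn=135 op=0 RESULT tag=97 err=49 text=
"""

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
SASL_RE = re.compile(r'SASL \[conn=(\d+)\] Failure: (.*)$')
# tag=97 is the bindResponse; other RESULT lines (e.g. SEARCH, tag=101) are ignored
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')


def triage_binds(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per bind that ended in err=49 (invalidCredentials).

    Each finding carries the SASL failure text seen on the same connection,
    so an unreachable saslauthd socket is not mistaken for a bad password.
    """
    pending: Dict[str, Dict[str, str]] = {}
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            conn, _op, dn, method = m.groups()
            # method=128 is a simple bind, the path that pass-through auth takes
            pending[conn] = {"conn": conn, "dn": dn,
                             "bind": "simple" if method == "128" else "sasl",
                             "sasl_failure": ""}
            continue
        m = SASL_RE.search(line)
        if m and m.group(1) in pending:
            pending[m.group(1)]["sasl_failure"] = m.group(2).strip()
            continue
        m = RESULT_RE.search(line)
        if m and m.group(1) in pending and m.group(3) == "49":
            finding = pending.pop(m.group(1))
            finding["cause"] = ("backend unreachable: " + finding["sasl_failure"]
                                if finding["sasl_failure"] else "credentials rejected")
            findings.append(finding)
    return findings
```

Run over a real slapd log at loglevel stats, a run of "backend unreachable" findings points at the saslauthd socket (its path or permissions for the slapd user) rather than at the users' passwords.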