Hi,
Actually 'peter' is not the right user to test against because its password in the internal ldap server is defined as {SASL}peter@EXAMPLE.COM. It should be {SASL}peter@SUB.EXAMPLE.COM.
I tested against another user mark whose password is {SASL}mark@SUB.EXAMPLE.COM. Both the ldapsearch and ldapwhoami worked well if I use the internal ldap server. This is what I expected.
When I test against the external server, using ldapwhoami -d -1 -x -H ldap://externalldapserver -D "uid=mark,ou=People,ou=sub,dc=example,dc=com" -w password
the ldap log shows this error message:
50e4f948 >>> dnPrettyNormal: <uid=mark,ou=People,ou=sub,dc=example,dc=com>
=> ldap_bv2dn(uid=mark,ou=People,ou=sub,dc=example,dc=com,0)
<= ldap_bv2dn(uid=mark,ou=People,ou=sub,dc=example,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=mark,ou=People,ou=sub,dc=example,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=mark,ou=people,ou=sub,dc=example,dc=com)=0
50e4f948 <<< dnPrettyNormal: <uid=mark,ou=People,ou=sub,dc=example,dc=com>, <uid=mark,ou=people,ou=sub,dc=example,dc=com>
50e4f948 conn=1034 op=0 BIND dn="uid=mark,ou=People,ou=sub,dc=example,dc=com" method=128
50e4f948 do_bind: version=3 dn="uid=mark,ou=People,ou=sub,dc=example,dc=com" method=128
50e4f948 ==> bdb_bind: dn: uid=mark,ou=People,ou=sub,dc=example,dc=com
50e4f948 bdb_dn2entry("uid=mark,ou=people,ou=sub,dc=example,dc=com")
50e4f948 => bdb_dn2id("ou=people,ou=sub,dc=example,dc=com")
50e4f948 <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30988)
50e4f948 send_ldap_result: conn=1034 op=0 p=3
50e4f948 send_ldap_result: err=49 matched="" text=""
50e4f948 send_ldap_response: msgid=1 tag=97 err=49
A similar message is also shown when I run the ldapsearch command.
James
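The slapd trace quoted in the message above ends in LDAP result 49 (invalidCredentials), which is the same code a wrong password produces, so the trace alone has to be read to tell the two apart. The following is an added example, not code from the OpenLDAP project or from either participant: a small triage script that walks a `slapd -d -1` bind trace, pulls out the BIND request, any `bdb_dn2id` lookups that returned DB_NOTFOUND, and the final `send_ldap_result`, and reports whether the backend never resolved the bind DN (as in the quoted trace, where the parent `ou=people,ou=sub,dc=example,dc=com` is missing from that server's bdb database) or whether an entry was found and the credential check itself failed. The first sample is the trace from the post with its line breaks restored; the second is a constructed contrast case and is not from the thread. The method and result-code tables cover only the values used here.

```python
"""Triage a simple-bind failure from an OpenLDAP slapd debug trace (-d -1).

Added example, not OpenLDAP code. It distinguishes a bind that failed
because the backend could not resolve the bind DN (bdb_dn2id DB_NOTFOUND,
no password comparison took place) from a bind whose entry was found and
whose credential check failed. Both report err=49 to the client.
"""
import re

# Sample 1: the trace from the post, one log record per line.
POST_TRACE = """\
50e4f948 conn=1034 op=0 BIND dn="uid=mark,ou=People,ou=sub,dc=example,dc=com" method=128
50e4f948 do_bind: version=3 dn="uid=mark,ou=People,ou=sub,dc=example,dc=com" method=128
50e4f948 ==> bdb_bind: dn: uid=mark,ou=People,ou=sub,dc=example,dc=com
50e4f948 bdb_dn2entry("uid=mark,ou=people,ou=sub,dc=example,dc=com")
50e4f948 => bdb_dn2id("ou=people,ou=sub,dc=example,dc=com")
50e4f948 <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30988)
50e4f948 send_ldap_result: conn=1034 op=0 p=3
50e4f948 send_ldap_result: err=49 matched="" text=""
50e4f948 send_ldap_response: msgid=1 tag=97 err=49
"""

# Sample 2: constructed contrast case (not from the thread). The entry is
# resolved, no DB_NOTFOUND appears, and the bind still returns err=49,
# so here the credential check itself failed.
BAD_PASSWORD_TRACE = """\
50e4f9a0 conn=1035 op=0 BIND dn="uid=mark,ou=People,ou=sub,dc=example,dc=com" method=128
50e4f9a0 do_bind: version=3 dn="uid=mark,ou=People,ou=sub,dc=example,dc=com" method=128
50e4f9a0 ==> bdb_bind: dn: uid=mark,ou=People,ou=sub,dc=example,dc=com
50e4f9a0 send_ldap_result: conn=1035 op=0 p=3
50e4f9a0 send_ldap_result: err=49 matched="" text=""
"""

# BindRequest authentication choice tags: simple is [0] (0x80), sasl is [3] (0xa3).
BIND_METHODS = {128: "simple", 163: "sasl"}
# LDAP result codes this script interprets.
RESULT_NAMES = {0: "success", 32: "noSuchObject", 49: "invalidCredentials"}

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
DN2ID_LOOKUP_RE = re.compile(r'=> bdb_dn2id\("([^"]*)"\)')
DN2ID_NOTFOUND_RE = re.compile(r'<= bdb_dn2id: get failed: DB_NOTFOUND')
RESULT_RE = re.compile(r'send_ldap_result: err=(\d+) matched="([^"]*)" text="([^"]*)"')


def triage_bind(trace):
    """Parse one bind operation out of a slapd trace and return a summary dict."""
    bind = None          # first BIND request seen
    pending_key = None   # key of the most recent bdb_dn2id lookup
    missing = []         # dn2id keys that came back DB_NOTFOUND
    result = None        # final err/matched/text sent to the client
    for line in trace.splitlines():
        m = BIND_RE.search(line)
        if m and bind is None:
            conn, op, dn, method = m.groups()
            bind = {"conn": int(conn), "op": int(op), "dn": dn,
                    "method": int(method),
                    "method_name": BIND_METHODS.get(int(method), "unknown")}
            continue
        m = DN2ID_LOOKUP_RE.search(line)
        if m:
            pending_key = m.group(1)
            continue
        if DN2ID_NOTFOUND_RE.search(line) and pending_key is not None:
            missing.append(pending_key)
            pending_key = None
            continue
        m = RESULT_RE.search(line)
        if m:
            result = {"err": int(m.group(1)), "matched": m.group(2), "text": m.group(3)}
    if bind is None:
        return {"diagnosis": "no BIND request found in trace"}
    err = result["err"] if result else None
    if err == 49 and missing:
        diagnosis = ("bind DN not resolved in this backend, missing key(s): "
                     + ", ".join(missing) + "; no password comparison took place")
    elif err == 49:
        diagnosis = "entry resolved; credential check failed for " + bind["dn"]
    elif err == 0:
        diagnosis = "bind succeeded"
    else:
        diagnosis = "bind ended with result %s" % err
    return {**bind, "missing_keys": missing, "err": err,
            "err_name": RESULT_NAMES.get(err, "unknown"), "diagnosis": diagnosis}


if __name__ == "__main__":
    for name, trace in (("post", POST_TRACE), ("bad-password", BAD_PASSWORD_TRACE)):
        print(name, triage_bind(trace)["diagnosis"])
```

The useful output is the `missing_keys` list: when it names the parent of the bind DN, the server that answered the bind is looking for the entry in its own database rather than in wherever the subordinate data actually lives, so changing the password would not change the result. Run it against a saved trace with `python3 triage.py` or import `triage_bind` from another script.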
-----Original Message-----
From: Dan White [mailto:dwhite@olp.net]
Sent: Wednesday, January 02, 2013 7:18 PM
To: Wu, James C.
Cc: openldap-technical@openldap.org
Subject: Re: sasl Kerberos authentication with subordinate
On 12/31/12 11:19 -0800, Wu, James C. wrote:
I have tested that the LDAP authentication through saslauthd using Kerberos works well on both the internal ldap and Kerberos pair and the external ldap Kerberos pair.
How did you verify authentication was working with your internal server?
For example, when I used "su - peter" where peter is a user in the external ldap server and the password is {SASL}peter@EXAMPLE.COM, the authentication works. However, when I use "su - james" where james is a user defined in the internal ldap server with password {SASL}james@SUB.EXAMPLE.COM, then the authentication fails. I checked the log file; the internal server did get the search request forwarded from the external ldap server and returned the correct information back. However, I did not see the saslauthd process on either the external or the internal ldap server get any inquiry for the authentication.
On 01/02/13 14:52 -0800, Wu, James C. wrote:
When I add uid to the -D flag in the ldapwhoami, then it failed on both the external and internal ldap servers.
ldapwhoami -x -H ldap://internalldap -D "uid=peter,ou=People,ou=sub,dc=example,dc=com" -w password
ldapwhoami -x -H ldap://externalldap -D "uid=peter,ou=People,ou=sub,dc=example,dc=com" -w password
How does this second command (against your internal server) differ from the above verification?
-- Dan White