Hi,
Hopefully someone can help.
I'm trying to get SASL passthrough working in OpenLDAP to Active Directory. AD is the primary directory but I need Linux users to be able to authenticate to AD (via OpenLDAP) such that they don't have to manage multiple passwords.
However, I've set things up as per various guidance (herehttps://www.openldap.com/doc/admin21/sasl.html, herehttps://archive.camratus.com/2017/01/24/openldap-lsc-active-directory-sync-and-login-pass-through/, herehttps://www.ltb-project.org/documentation/sasl_delegation.html and herehttps://www.hellovinoth.com/pass-through-openldap-authentication-using-sasl-to-active-directory-on-centos/) and it doesn't seem to work for me on Debian 10.
After configuring everything I can run the following successfully:
ldapsearch -x -H ldap://server.company.com:389 -D cn=ldapbind,cn=Users,DC=company,DC=com -w examplebindpassword -b '' -s base
ldapsearch -x -H ldap://server.company.com:389 -D cn=ldapbind,cn=Users,DC=company,DC=com -w examplebindpassword -b "OU=Users,OU=IT,OU=Departments,OU=Group,DC=company,DC=com" "(userPrincipalName=testuser@company.com)"
ldapsearch -x -H ldap://server.company.com:389 -D "CN=Test User,OU=Users,OU=IT,OU=Departments,OU=Group,DC=company,DC=com" -w exampleuserpassword -b "CN=Test User,OU=Users,OU=IT,OU=Departments,OU=Group,DC=company,DC=com" -s base "(objectclass=*)"
These all return the correct results from Active Directory, so this works fine.
Finally, I can run:
sudo testsaslauthd -u testuser@company.commailto:grahambrooke@thomas-march.com -p exampleuserpassword
and I get:
0: OK "Success."
So finally I create the same user in local OpenLDAP as Test User and add the password as {SASL}testuser@company.commailto:{SASL}testuser@thomas-march.com and try to test pass-through authentication to AD:
ldapsearch -x -H ldap://localhost -b dc=testing-prod,dc=com -D uid=testuser,ou=users,dc=testing-prod,dc=com -w exampleuserpassword
But this doesn't work. I get the error:
ldap_bind: Invalid credentials (49)
So SASL passthrough just isn't working and it isn't reading the password attribute as such because if I do:
ldapsearch -x -H ldap://localhost -b dc=testing-prod,dc=com -D uid=testuser,ou=users,dc=testing-prod,dc=com -w {SASL}testuser@company.com
This returns the local LDAP user. So it's reading the password literally as a password instead of interpreting it as SASL passthrough to AD.
Have I missed some steps here? What am I missing?
I have checked that --enable-spasswd has been compiled in by running ldd /usr/sbin/slapd:
linux-vdso.so.1 (0x00007ffcbd7b8000) libldap_r-2.4.so.2 => /lib/x86_64-linux-gnu/libldap_r-2.4.so.2 (0x00007f3e72bc2000) liblber-2.4.so.2 => /lib/x86_64-linux-gnu/liblber-2.4.so.2 (0x00007f3e72bb1000) libdb-5.3.so => /lib/x86_64-linux-gnu/libdb-5.3.so (0x00007f3e729f5000) libodbc.so.2 => /lib/x86_64-linux-gnu/libodbc.so.2 (0x00007f3e72785000) libsasl2.so.2 => /lib/x86_64-linux-gnu/libsasl2.so.2 (0x00007f3e72768000) libgnutls.so.30 => /lib/x86_64-linux-gnu/libgnutls.so.30 (0x00007f3e725bb000) libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007f3e7257f000) libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007f3e72565000) libslapi-2.4.so.2 => /lib/x86_64-linux-gnu/libslapi-2.4.so.2 (0x00007f3e72543000) libltdl.so.7 => /lib/x86_64-linux-gnu/libltdl.so.7 (0x00007f3e72538000) libwrap.so.0 => /lib/x86_64-linux-gnu/libwrap.so.0 (0x00007f3e7252c000) libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f3e7250b000) libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3e72349000) libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f3e72344000) libp11-kit.so.0 => /lib/x86_64-linux-gnu/libp11-kit.so.0 (0x00007f3e72215000) libidn2.so.0 => /lib/x86_64-linux-gnu/libidn2.so.0 (0x00007f3e721f6000) libunistring.so.2 => /lib/x86_64-linux-gnu/libunistring.so.2 (0x00007f3e72072000) libtasn1.so.6 => /lib/x86_64-linux-gnu/libtasn1.so.6 (0x00007f3e71e5f000) libnettle.so.6 => /lib/x86_64-linux-gnu/libnettle.so.6 (0x00007f3e71e25000) libhogweed.so.4 => /lib/x86_64-linux-gnu/libhogweed.so.4 (0x00007f3e71dec000) libgmp.so.10 => /lib/x86_64-linux-gnu/libgmp.so.10 (0x00007f3e71d69000) /lib64/ld-linux-x86-64.so.2 (0x00007f3e72dac000) libnsl.so.1 => /lib/x86_64-linux-gnu/libnsl.so.1 (0x00007f3e71d50000) libffi.so.6 => /lib/x86_64-linux-gnu/libffi.so.6 (0x00007f3e71d46000)
I can see libsasl2.so.2 there so I think that's fine.
And, I've also run both saslauthd and slapd in debug mode but I get no useful output that I can see. It looks like saslauthd and slapd just aren't talking.
Any help or pointers are really appreciated.
t04s
/---