Hopefully someone can help.
However, I've set things up as per various guidance (here, here, here and here) and it doesn't seem to work for me on Debian 10.
After configuring everything I can run the following successfully:
ldapsearch -x -H ldap://server.company.com:389 -D cn=ldapbind,cn=Users,DC=company,DC=com -w examplebindpassword -b '' -s base
ldapsearch -x -H ldap://server.company.com:389 -D cn=ldapbind,cn=Users,DC=company,DC=com -w examplebindpassword -b "OU=Users,OU=IT,OU=Departments,OU=Group,DC=company,DC=com" "(userPrincipalName=testuser@company.com)"
ldapsearch -x -H ldap://server.company.com:389 -D "CN=Test User,OU=Users,OU=IT,OU=Departments,OU=Group,DC=company,DC=com" -w exampleuserpassword -b "CN=Test User,OU=Users,OU=IT,OU=Departments,OU=Group,DC=company,DC=com" -s base "(objectclass=*)"
These all return the correct results from Active Directory, so this works fine.
Finally, I can run:
and I get:
0: OK "Success."
So finally I create the same user in local OpenLDAP as Test User and add the password as {SASL}testuser@company.com and try to test pass-through authentication to AD:
ldapsearch -x -H ldap://localhost -b dc=testing-prod,dc=com -D uid=testuser,ou=users,dc=testing-prod,dc=com -w exampleuserpassword
But this doesn't work. I get the error:
ldap_bind: Invalid credentials (49)
So SASL passthrough just isn't working, and it isn't reading the password attribute as such, because if I do:
ldapsearch -x -H ldap://localhost -b dc=testing-prod,dc=com -D uid=testuser,ou=users,dc=testing-prod,dc=com -w {SASL}testuser@company.com
This returns the local LDAP user. So it's reading the password literally as a password instead of interpreting it as SASL passthrough to AD.
Have I missed some steps here? What am I missing?
I have checked that --enable-spasswd has been compiled in by running ldd /usr/sbin/slapd:
linux-vdso.so.1 (0x00007ffcbd7b8000)
libldap_r-2.4.so.2 => /lib/x86_64-linux-gnu/libldap_r-2.4.so.2 (0x00007f3e72bc2000)
liblber-2.4.so.2 => /lib/x86_64-linux-gnu/liblber-2.4.so.2 (0x00007f3e72bb1000)
libdb-5.3.so => /lib/x86_64-linux-gnu/libdb-5.3.so (0x00007f3e729f5000)
libodbc.so.2 => /lib/x86_64-linux-gnu/libodbc.so.2 (0x00007f3e72785000)
libsasl2.so.2 => /lib/x86_64-linux-gnu/libsasl2.so.2 (0x00007f3e72768000)
libgnutls.so.30 => /lib/x86_64-linux-gnu/libgnutls.so.30 (0x00007f3e725bb000)
libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007f3e7257f000)
libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007f3e72565000)
libslapi-2.4.so.2 => /lib/x86_64-linux-gnu/libslapi-2.4.so.2 (0x00007f3e72543000)
libltdl.so.7 => /lib/x86_64-linux-gnu/libltdl.so.7 (0x00007f3e72538000)
libwrap.so.0 => /lib/x86_64-linux-gnu/libwrap.so.0 (0x00007f3e7252c000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f3e7250b000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3e72349000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f3e72344000)
libp11-kit.so.0 => /lib/x86_64-linux-gnu/libp11-kit.so.0 (0x00007f3e72215000)
libidn2.so.0 => /lib/x86_64-linux-gnu/libidn2.so.0 (0x00007f3e721f6000)
libunistring.so.2 => /lib/x86_64-linux-gnu/libunistring.so.2 (0x00007f3e72072000)
libtasn1.so.6 => /lib/x86_64-linux-gnu/libtasn1.so.6 (0x00007f3e71e5f000)
libnettle.so.6 => /lib/x86_64-linux-gnu/libnettle.so.6 (0x00007f3e71e25000)
libhogweed.so.4 => /lib/x86_64-linux-gnu/libhogweed.so.4 (0x00007f3e71dec000)
libgmp.so.10 => /lib/x86_64-linux-gnu/libgmp.so.10 (0x00007f3e71d69000)
/lib64/ld-linux-x86-64.so.2 (0x00007f3e72dac000)
libnsl.so.1 => /lib/x86_64-linux-gnu/libnsl.so.1 (0x00007f3e71d50000)
libffi.so.6 => /lib/x86_64-linux-gnu/libffi.so.6 (0x00007f3e71d46000)
I can see libsasl2.so.2 there so I think that's fine.
And, I've also run both saslauthd and slapd in debug mode but I get no useful output that I can see. It looks like saslauthd and slapd just aren't talking.
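Added example (not code from the question above, nor from OpenLDAP or Cyrus SASL): a small client for the saslauthd mux socket, which is the same wire protocol testsaslauthd speaks, so the saslauthd leg can be exercised with exactly the user, realm and service fields slapd would send, independently of slapd. It assumes the Debian default socket path /var/run/saslauthd/mux, assumes the SASL service name slapd uses is "ldap", and assumes the identity after {SASL} is split at the last "@" into user and realm; all three are assumptions to check against your config. The FakeSaslauthd class and the testuser credential are constructed for offline use only, so the module runs without a real saslauthd. Against the fake, the real password gets OK "Success." and the literal string {SASL}testuser@company.com gets NO, which is the distinction the local slapd bind in the question is failing to make.

```python
import os
import socket
import struct
import tempfile
import threading

# Assumed socket path: Debian's sasl2-bin default. slapd's sasl2 config
# (saslauthd_path in /usr/lib/sasl2/slapd.conf) must name the same socket.
DEFAULT_MUX = "/var/run/saslauthd/mux"


def pack_fields(*fields):
    """Encode strings as the saslauthd mux protocol carries them:
    each field is a 16-bit big-endian length followed by the raw bytes."""
    out = b""
    for field in fields:
        data = field.encode("utf-8")
        if len(data) > 0xFFFF:
            raise ValueError("field too long for the saslauthd protocol")
        out += struct.pack("!H", len(data)) + data
    return out


def recv_exact(sock, n):
    """Read exactly n bytes, or raise if the peer hangs up early."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the socket early")
        buf += chunk
    return buf


def read_field(sock):
    """Read one length-prefixed field; requests and replies share this form."""
    (length,) = struct.unpack("!H", recv_exact(sock, 2))
    return recv_exact(sock, length).decode("utf-8", "replace")


def split_sasl_identity(userpassword):
    """Turn a '{SASL}user@realm' userPassword value into (user, realm).
    Assumption for this example: the text after '{SASL}' is the identity
    handed to SASL and the realm is whatever follows the last '@'."""
    if not userpassword.startswith("{SASL}"):
        raise ValueError("not a {SASL} userPassword value")
    identity = userpassword[len("{SASL}"):]
    user, at, realm = identity.rpartition("@")
    return (user, realm) if at else (identity, "")


def check_password(user, password, service="ldap", realm="", mux=DEFAULT_MUX):
    """Ask saslauthd directly, as testsaslauthd does. Returns (ok, reply_text),
    where reply_text is what testsaslauthd prints after the '0: '."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(mux)
        sock.sendall(pack_fields(user, password, service, realm))
        reply = read_field(sock)
    return reply.startswith("OK"), reply


class FakeSaslauthd:
    """Stand-in speaking the same wire protocol so the client can run offline.
    It knows only the constructed credentials it is given ({"user@realm": pw})."""

    def __init__(self, credentials):
        self.credentials = credentials
        self.requests = []            # (user, service, realm) seen; password not kept
        self.stopped = False
        self.dir = tempfile.mkdtemp()
        self.path = os.path.join(self.dir, "mux")
        self.server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.server.bind(self.path)
        self.server.listen(1)
        self.server.settimeout(0.2)   # lets the accept loop notice stop()
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    def _serve(self):
        while not self.stopped:
            try:
                conn, _ = self.server.accept()
            except socket.timeout:
                continue
            except OSError:
                return
            with conn:
                conn.settimeout(5)
                user, password, service, realm = (read_field(conn) for _ in range(4))
                self.requests.append((user, service, realm))
                key = f"{user}@{realm}" if realm else user
                ok = self.credentials.get(key) == password
                conn.sendall(pack_fields('OK "Success."' if ok else 'NO "authentication failed"'))

    def stop(self):
        self.stopped = True
        self.thread.join()
        self.server.close()
        os.unlink(self.path)
        os.rmdir(self.dir)


def demo():
    """Replay the question's {SASL} value against a FakeSaslauthd holding one
    constructed credential. Returns the verdict for the real password and the
    verdict for the literal attribute value used as a password."""
    fake = FakeSaslauthd({"testuser@company.com": "exampleuserpassword"})
    try:
        user, realm = split_sasl_identity("{SASL}testuser@company.com")
        good = check_password(user, "exampleuserpassword", realm=realm, mux=fake.path)
        bad = check_password(user, "{SASL}testuser@company.com", realm=realm, mux=fake.path)
        return good, bad
    finally:
        fake.stop()


if __name__ == "__main__":
    print(demo())
```

To point it at a live daemon instead of the fake, call check_password("testuser", "exampleuserpassword", realm="company.com") as the same Unix user slapd runs as (openldap on Debian), since the socket's permissions apply to the connecting user; the reply text is the same string testsaslauthd would print.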