For the last two weeks I have been on a sojourn through the wonderful world of LDAP, Kerberos, and SASL, which has had me banging my head against the desk more often than not. Today I'm finally crying uncle and asking for some help.
We're running CentOS 5.4, currently with OpenLDAP for user info and Kerberos for authentication, but we want to be able to use LDAP for authentication on a bunch of devices that can't use Kerberos natively. So I've been trying to get the passthrough auth working. So far, I think I've made a lot of progress, but I've run into a wall. Kerberos and LDAP are working in my testbed, and I can kinit and do an ldapwhoami no problem. testsaslauthd also gives me a success when I run it. However, when I try to do a simple bind:
[chas@ldapsandbox]$ ldapwhoami -x -D 'uid=chas,ou=People,dc=test,dc=domain' -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
[chas@ldapsandbox]$
syslog shows this:
2012-01-25T12:04:55-08:00 ldapsandbox slapd[14363]: conn=6 fd=15 ACCEPT from IP=10.17.136.50:55923 (IP=0.0.0.0:389)
2012-01-25T12:04:55-08:00 ldapsandbox slapd[14363]: conn=6 op=0 BIND dn="uid=chas,ou=People,dc=test,dc=domain" method=128
2012-01-25T12:04:55-08:00 ldapsandbox slapd[14363]: SASL [conn=6] Failure: cannot connect to saslauthd server: No such file or directory
2012-01-25T12:04:55-08:00 ldapsandbox slapd[14363]: conn=6 op=0 RESULT tag=97 err=49 text=
2012-01-25T12:04:55-08:00 ldapsandbox slapd[14363]: conn=6 fd=15 closed (connection lost)
Meanwhile, the saslauthd I'm running with /usr/sbin/saslauthd -a kerberos5 -d doesn't even show a connection or anything to the console. Any idea why it can't connect to the saslauthd server?
Here's my OpenLDAP slapd.conf:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema

allow bind_v2

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

TLSCACertificateFile /etc/openldap/cacert.crt
TLSCertificateFile /etc/openldap/ldapsandbox.crt
TLSCertificateKeyFile /etc/openldap/ldapsandbox.key
authz-regexp uid=([^/]*),cn=gssapi,cn=auth uid= $1,ou=People,dc=test,dc=domain
access to * by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write by * read
database bdb
suffix "dc=test,dc=domain"
directory /var/lib/ldap

index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
And here's my /etc/sasl2/slapd.conf:
pwcheck_method: saslauthd
saslauthd_path: /var/run/sasl2/mux
Any ideas?
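The "No such file or directory" in the slapd log is the error from connect() on the saslauthd UNIX socket, so the first thing to verify is that the path in saslauthd_path actually has a socket behind it. The script below is an added diagnostic, not part of the post above and not code from OpenLDAP or cyrus-sasl: it reads saslauthd_path from a SASL application config, checks whether a socket exists there, and reports which of the common mux locations does have one. The sample config it writes is constructed to mirror the post; the candidate path /var/run/saslauthd/mux is the compiled-in default on RHEL/CentOS builds of saslauthd when no -m option is given, and /var/run/sasl2/mux is the path the post's config names.

```shell
#!/bin/sh
# Added diagnostic for saslauthd socket wiring (not from the original post).
# Usage: check_saslauthd_wiring /path/to/sasl2/slapd.conf

# Extract the value of "saslauthd_path:" from a SASL application config.
# Assumption: one "key: value" pair per line, as in the post's config.
sasl_mux_path() {
    sed -n 's/^[[:space:]]*saslauthd_path:[[:space:]]*//p' "$1" | head -n 1
}

# Return 0 if a UNIX socket exists at $1, 1 otherwise. slapd logging
# "No such file or directory" means this check fails for the configured path.
mux_socket_exists() {
    [ -S "$1" ]
}

# List the usual mux locations that currently have a listening socket.
# /var/run/saslauthd/mux: RHEL/CentOS default for saslauthd without -m.
# /var/run/sasl2/mux:     the path configured in the post.
find_mux_candidates() {
    found=""
    for p in /var/run/saslauthd/mux /var/run/sasl2/mux; do
        if mux_socket_exists "$p"; then
            found="$found $p"
        fi
    done
    echo "$found"
}

# Exit status: 0 = configured path has a socket, 1 = mismatch, 2 = key absent.
check_saslauthd_wiring() {
    conf="$1"
    configured=$(sasl_mux_path "$conf")
    if [ -z "$configured" ]; then
        echo "no saslauthd_path in $conf (library default will be used)"
        return 2
    fi
    if mux_socket_exists "$configured"; then
        echo "ok: socket present at $configured"
        return 0
    fi
    echo "mismatch: $conf points at $configured but no socket is there"
    cands=$(find_mux_candidates)
    if [ -n "$cands" ]; then
        echo "sockets found at:$cands (start saslauthd with -m <dir> or fix saslauthd_path)"
    fi
    return 1
}

# Constructed sample config mirroring the post, so the script runs stand-alone.
SAMPLE_CONF=$(mktemp)
printf 'pwcheck_method: saslauthd\nsaslauthd_path: /var/run/sasl2/mux\n' > "$SAMPLE_CONF"

check_saslauthd_wiring "$SAMPLE_CONF" || :
```

Run it against the SASL config slapd actually reads; on a box where saslauthd was started without -m, expect the mismatch branch naming /var/run/saslauthd/mux, at which point either the saslauthd_path line or the saslauthd command line needs to change so both agree (and the directory must be searchable by the user slapd runs as).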