On 15/11/11 12:00 +0100, Raffael Sahli wrote:
Date: Fri, 11 Nov 2011 08:41:21 -0600
From: dwhite@olp.net
To: raffi.sahli@hotmail.com
CC: openldap-technical@openldap.org
Subject: Re: OpenLDAP SASL Passthrough
On 11/11/11 12:48 +0100, Raffael Sahli wrote:
testsaslauthd works well:
[root@ldap-master001 /]# testsaslauthd -u test -p MYPASSWORD -r MY_REALM -s ldap
0: OK "Success."
sasl debug log: saslauthd[26077] :do_auth : auth success: [user=test] [service=ldap] [realm=MY_REALM] [mech=kerberos5]
saslauthd[26077] :do_request : response: OK
And the sasl debug log shows:
saslauthd[26076] :do_auth : auth failure: [user=test] [service=ldap] [realm=MY_REALM] [mech=kerberos5] [reason=saslauthd internal error]
For a more apples to apples comparison, try running testsaslauthd as the same user that your slapd process is running under. I can't see how this would be a permissions problem though.
Nope, same problem (or same success message ^^) with the slapd running user "openldap". saslauthd works with SASL user "test" when running as user openldap or root, and ldapsearch with user "test" doesn't.....
For mech=kerberos5, there are several possible reasons for 'saslauthd internal error'. Each of them should log an explanation to syslog (to auth.err). You should see one of:
auth_krb5: could not generate ccache name
auth_krb5: krb5_cc_resolve
auth_krb5: krb5_kt_resolve
auth_krb5: NULL password or username?
auth_krb5: krb5_init_context
auth_krb5: krb5_parse_name
auth_krb5: could not generate ticket file name
auth_krb5: krb5_cc_resolve
auth_krb5: krb5_cc_initialize
auth_krb5: krb5_get_init_creds_password: %d
auth_krb5: krb5_cc_store_cred
auth_krb5: k5support_verify_tgt
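As an added example (not code from this thread or from saslauthd), here is a small Python parser for saslauthd log lines in the shape shown above. It attaches the preceding auth_krb5 explanation to each "saslauthd internal error" failure; the sample lines are constructed, and it assumes the explanation is logged by the same saslauthd pid just before the do_auth line.

```python
import re

# Constructed sample syslog excerpt in the shape this thread shows; the position of
# the auth_krb5 line (same pid, logged just before the do_auth failure) is an assumption.
SAMPLE_LOG = """\
saslauthd[26077] :do_auth : auth success: [user=test] [service=ldap] [realm=MY_REALM] [mech=kerberos5]
saslauthd[26077] :do_request : response: OK
saslauthd[26076] :auth_krb5: krb5_cc_resolve
saslauthd[26076] :do_auth : auth failure: [user=test] [service=ldap] [realm=MY_REALM] [mech=kerberos5] [reason=saslauthd internal error]
saslauthd[26076] :do_request : response: NO
"""

# Explanations the kerberos5 module logs before reporting 'saslauthd internal error'
# (the %d in krb5_get_init_creds_password is replaced by a numeric error code at runtime).
KRB5_INTERNAL_CAUSES = (
    "could not generate ccache name", "krb5_cc_resolve", "krb5_kt_resolve",
    "NULL password or username?", "krb5_init_context", "krb5_parse_name",
    "could not generate ticket file name", "krb5_cc_initialize",
    "krb5_get_init_creds_password", "krb5_cc_store_cred", "k5support_verify_tgt",
)

RESULT_RE = re.compile(r"saslauthd\[(?P<pid>\d+)\] :do_auth : auth (?P<outcome>success|failure): (?P<fields>.*)")
FIELD_RE = re.compile(r"\[(\w+)=([^\]]*)\]")  # [key=value] pairs, value may contain spaces
KRB5_RE = re.compile(r"saslauthd\[(?P<pid>\d+)\] :auth_krb5: (?P<detail>.+)")

def parse_auth_events(log_text):
    """Return one dict per do_auth result line; internal-error failures get the
    last auth_krb5 detail logged by the same saslauthd pid attached."""
    pending = {}   # pid -> most recent auth_krb5 detail not yet attached to a result
    events = []
    for line in log_text.splitlines():
        m = KRB5_RE.search(line)
        if m:
            pending[m.group("pid")] = m.group("detail").strip()
            continue
        m = RESULT_RE.search(line)
        if not m:
            continue
        event = dict(FIELD_RE.findall(m.group("fields")))
        event["pid"] = m.group("pid")
        event["outcome"] = m.group("outcome")
        if event["outcome"] == "failure" and event.get("reason") == "saslauthd internal error":
            detail = pending.pop(event["pid"], None)
            event["krb5_detail"] = detail           # None when no explanation was logged
            event["known_krb5_cause"] = detail is not None and detail.startswith(KRB5_INTERNAL_CAUSES)
        events.append(event)
    return events

if __name__ == "__main__":
    print(parse_auth_events(SAMPLE_LOG))
```

Feed it the auth.err lines from the slapd host; a failure with krb5_detail set to None means the explanation is missing from the log you are reading, not that saslauthd did not log one.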