On Fri, 2012-01-27 at 14:56 -0500, Dan White wrote:
On 01/27/12 10:43 -0800, Chastity Blackwell wrote:
Huh...well, what do you know, that works. Why is that though? I thought you had to specify a realm for it to work?
Whether or not you use a realm is up to you. If you have multiple Kerberos realms, then you're going to need to specify one.
However, the reason this works is that:
[chas@ldapsandbox ~]$ /usr/sbin/testsaslauthd -u chas -p test -s ldap
0: OK "Success."
is simply passing a username to saslauthd, with no realm or domain. The Kerberos backend, via your Kerberos libraries, is using the default realm to authenticate you.
To further troubleshoot why '{SASL}user@realm' does not work, you should first verify that it works with testsaslauthd (-u chas@REALM), and if it doesn't, bring the problem over to the cyrus-sasl@lists.andrew.cmu.edu list.
All right, that makes a lot of sense. I think actually I must have had something bad in the LDAP entry for me; replacing it with {SASL}chas@KRBTEST works as intended now. So, it looks like most of my problem was a lot of little errors that were tripping me up. I feel a bit stupid, but on the other hand, it's good to know I was at least on the right track. Thanks for all your help!
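A small script that walks through the verification step Dan describes (read the default realm, test the bare user, then test user@REALM), added here as an example and not part of the original thread; the /etc/krb5.conf path, the KRBTEST realm and the script name are assumptions:

```shell
#!/bin/sh
# Added example, not from the thread. Runs Dan's troubleshooting order:
# 1. find default_realm in krb5.conf (what the bare-user form relies on),
# 2. ask saslauthd about the bare user, 3. ask about user@REALM.
# The krb5.conf path and the realm value are assumptions.

# Print the default_realm from a krb5.conf-style file (first match wins).
default_realm_from_krb5conf() {
    sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 when a testsaslauthd result line reports success ('0: OK ...'),
# 1 for anything else (e.g. '0: NO "authentication failed"').
saslauthd_ok() {
    case "$1" in
        "0: OK"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run testsaslauthd with the same flags as in the thread (-u user -p pass -s service)
# and say which {SASL} value in userPassword that result supports.
check_user() {
    user=$1; pass=$2; service=${3:-ldap}
    out=$(/usr/sbin/testsaslauthd -u "$user" -p "$pass" -s "$service" 2>&1)
    if saslauthd_ok "$out"; then
        echo "saslauthd accepts '$user' -> userPassword: {SASL}$user"
    else
        echo "saslauthd rejects '$user': $out"
    fi
}

# Usage (assumed): sh check_sasl_passthrough.sh chas test
if [ $# -ge 2 ]; then
    realm=$(default_realm_from_krb5conf /etc/krb5.conf)
    echo "default_realm in /etc/krb5.conf: ${realm:-<none>}"
    check_user "$1" "$2"                 # bare user: Kerberos backend applies default realm
    if [ -n "$realm" ]; then
        check_user "$1@$realm" "$2"      # explicit realm form, e.g. chas@KRBTEST
    fi
fi
```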