On Mon, 2014-12-29 at 10:49 -0600, Dan White wrote:
On 12/28/14 11:24 -0500, Brendan Kearney wrote:
On Sun, 2014-12-28 at 02:50 +0000, Howard Chu wrote:
Brendan Kearney wrote:
I want to use the "pass-through" auth mechanism with SASL, so that I validate credentials against the Kerberos database and do not have to maintain passwords in multiple places.
OK, then I have misunderstood PLAIN vs. SIMPLE, it seems. I will back up and explain what I am trying to do.
Apache, DHCP and FreeRADIUS can all use LDAP for various functionality. They all use what I now believe to be SIMPLE auth, where they are using "cn=user,dc=domain,dc=tld" as LDAP usernames. These processes are using LDAP for authentication, whereas I have only Kerberos authentication set up in my environment (and LDAP authorization). My hope was that SASL could allow me to push the LDAP authN request through to Kerberos and, in essence, proxy the authentication.
This is a valid use of pass-through in my opinion, but you'll want to protect the authentication, as Howard mentioned: over ldapi:/// ideally, or TLS otherwise.
Pass-through does not require that you advertise any other SASL mechanisms, such as PLAIN, since it does not involve SASL over the wire. To use it, see:
http://www.openldap.org/doc/admin24/security.html#Pass-Through%20authenticat...
Add 'pwcheck_method: saslauthd' to your libsasl slapd.conf file, and you should need nothing else unless you're using a non-standard location for your saslauthd mux.
Verify that your slapd user has permissions to access the saslauthd mux, and verify your saslauthd config with testsaslauthd.
I had the pwcheck_method directive in there, along with the path to one of two saslauthd muxes, /var/run/saslauthd/mux and /run/saslauthd/mux, which both show up as "srwxrwxrwx" and are owned by root:root. Testing using testsaslauthd works with my ID, but I am not sure how to have authentication work when the other process is binding with "cn=user,dc=domain,dc=tld" and not a username.
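As an added illustration, not config posted by anyone in this thread, here are the pieces the OpenLDAP admin guide section linked above (Pass-Through authentication) describes, written out as fragments: the libsasl file slapd reads, the saslauthd mechanism setting, the userPassword value that ties a DN to a Kerberos principal, and the two checks to run. The {SASL} userPassword syntax is from the admin guide; the file paths, the realm DOMAIN.TLD, the test password and the service account name are assumptions.

```conf
# Added example: pass-through wiring as described in the OpenLDAP admin guide,
# not config from this thread. Paths, realm DOMAIN.TLD and password are assumed.

# 1. libsasl config read by slapd (commonly /usr/lib/sasl2/slapd.conf or
#    /etc/sasl2/slapd.conf; the "slapd" basename is what libsasl looks up).
#    This advertises no SASL mechanism to clients; it only tells libsasl how
#    to verify a plaintext password that slapd hands it from a simple bind.
pwcheck_method: saslauthd
# Only needed when the mux is not at the default /var/run/saslauthd/mux.
saslauthd_path: /var/run/saslauthd/mux

# 2. saslauthd itself must check against the KDC. The variable name is
#    distro-specific: MECHANISMS="kerberos5" in /etc/default/saslauthd
#    (Debian/Ubuntu) or MECH=kerberos5 in /etc/sysconfig/saslauthd (RHEL).

# 3. The entry the service binds as. With this value a simple bind to the DN
#    makes slapd pass the bound password to libsasl as user "user" in realm
#    "DOMAIN.TLD" instead of comparing it against a stored hash. (LDIF for
#    ldapmodify; the DN follows the cn=...,dc=domain,dc=tld form used above.)
dn: cn=user,dc=domain,dc=tld
changetype: modify
replace: userPassword
userPassword: {SASL}user@DOMAIN.TLD

# 4. Checks, outside-in: first saslauthd alone, with the same user/realm split
#    the {SASL} value encodes, then a simple bind over ldapi:///.
#    testsaslauthd -u user -r DOMAIN.TLD -p 'secret' -f /var/run/saslauthd/mux
#    ldapwhoami -x -H ldapi:/// -D cn=user,dc=domain,dc=tld -W
```

Two caveats a practitioner would check before blaming the config. The {SASL} password scheme is only available when slapd was built with SASL password verification enabled (the --enable-spasswd configure option), so a bind that fails with the directive in place is worth checking against the build first. And a world-writable mux socket is not the whole access story: on Debian-derived systems the directory holding it, /var/run/saslauthd, is normally mode 0710 and owned by root:sasl, so the slapd service user must be in the sasl group to reach the socket at all; other distributions differ, which is why running testsaslauthd as the slapd user rather than as yourself is the more faithful test.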