On Mon, 2014-12-29 at 10:49 -0600, Dan White wrote:
On 12/28/14 11:24 -0500, Brendan Kearney wrote:
>On Sun, 2014-12-28 at 02:50 +0000, Howard Chu wrote:
>> Brendan Kearney wrote:
>> > i want to use the "pass-through" auth mechanism with sasl, so
that i
>> > validate credentials against the kerberos database, and not have to
>> > maintain passwords in multiple places.
>
>ok, then i have misunderstood PLAIN vs SIMPLE, it seems. i will back up
>and explain what i am trying to do.
>
>apache, dhcp and freeradius can all use ldap for various functionality.
>they all use what i now believe to be SIMPLE auth, where they are using
>"cn=user,dc=domain,dc=tld" as ldap usernames. these processes are using
>ldap for authentication, whereas i have only kerberos authentication
>setup in my environment (and ldap authorization). my hope was that sasl
>could allow me to push the ldap authN request through to kerberos, and
>in essence proxy the authentication.
This is a valid use of pass-through in my opinion, but you'll want to
protect the authentication as Howard mentioned over ldapi:/// ideally, or
tls otherwise.
pass-through does not require that you advertise any other sasl mechanisms,
such as plain, since it does not involve sasl over the wire. To use, see:
http://www.openldap.org/doc/admin24/security.html#Pass-Through%20authenti...
Add 'pwcheck_method: saslauthd' to your libsasl slapd.conf file, and should
need nothing else unless you're using a non standard location for your
saslauthd mux.
Verify that your slapd user has permissions to access the saslauthd mux,
and verify your saslauthd config with testsaslauthd.
i had the pwcheck_method directive in there, along with the path to one
of two saslauthd mux's. /var/run/saslauthd/mux and /run/saslauthd/mux,
which both show up as "srwxrwxrwx" and are owned by root:root. testing
using testsaslauthd works with my id, but i am not sure how to have
authentication work when the other process is binding with
"cn=user,dc=domain,dc=tld" and not a username.