Quanah Gibson-Mount wrote:
--On Thursday, August 05, 2010 2:00 PM -0700 Brent Bice bbice@sgi.com wrote:
I also notice when I export this record as an LDIF file the userPassword attribute has been hashed: userPassword:: e1NBU0x9YmJpY2VAbGRhcA==
This is not a hash. This is base64 encoding, as has been discussed a few thousand times on this list. ;) You simply need to decode it to see the actual value. This is per RFC.
(slaps forehead) I realized that a bit after I sent the email. I was thinking perhaps I didn't have the userPassword set right to convince slapd to use SASL pass-through authentication, but... it is set right so I still don't know why it's not contacting saslauthd. Hmph.
Dan White wrote:
See if you can find out what --with-configdir option was passed to your cyrus sasl ./configure when it was compiled, which defaults to /usr/lib/sasl2 (regardless of where the libraries are actually installed).
I built all the sasl, openldap, openssl, zlib, etc from source. On all of them I set a --prefix to the same place (a directory containing this version of our LDAP server binaries). So I didn't specify a --with-configdir option but I'd expect it'd default to the prefix_dir/lib/sasl2/.
Aha! The config.status file contains this, however: s,@configdir@,/usr/lib/sasl2:/etc/sasl2,;t t
So perhaps it's not using my prefix_dir/lib/sasl2/slapd.conf file. I'll drop something in /usr/lib/sasl2 just to see if this is the case or I'll rebuild using an explicit --with-configdir.
If you were not creating it in the correct location, then libsasl would default to using sasldb auxprop for authentication. You could create a test user:
saslpasswd -c bbice
to see if sasldb is being used.
I don't think testsaslauthd uses libsasl itself, so if none of that works, you may still need to verify your libsasl is installed and linked correctly. sample-server and sample-client might help (create a /usr/lib/sasl2/sample.conf).
You might also try a direct SASL bind against the server to see if that works. Add 'sasl-secprops none' to your slapd.conf, then do:
ldapwhoami -Y PLAIN -U bbice ...
which should also use saslauthd to authenticate, with pwcheck_method: saslauthd.
Thanks for the tips! I'll try these out too.
Brent
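As an added example (not code from this thread, from Cyrus SASL, or from OpenLDAP), here is a POSIX shell script that reproduces the diagnosis Dan describes: read the @configdir@ substitution out of cyrus-sasl's config.status, walk that colon-separated list looking for slapd.conf, and report which pwcheck_method the file that libsasl will actually consult selects. Every path below is constructed under a temporary directory; the config.status line mirrors the one Brent quoted, and the slapd.conf placed under a --prefix tree is an assumption used to show that a file outside the compiled-in configdir is never read.

```shell
#!/bin/sh
# Added example: locate the SASL config directory libsasl was built with and
# check the slapd.conf it will read.  Not part of the original thread.

# Extract the colon-separated configdir list from a cyrus-sasl config.status.
# The substitution line looks like:  s,@configdir@,/usr/lib/sasl2:/etc/sasl2,;t t
sasl_configdir_from_status() {
    sed -n 's/^s,@configdir@,\([^,]*\),.*/\1/p' "$1" | head -n 1
}

# Given the configdir list and an application name (slapd), print the first
# <dir>/<app>.conf that exists.  Print nothing and return 1 if none exists,
# which is the case where libsasl silently falls back to the sasldb auxprop.
find_sasl_app_conf() {
    dirs=$1; app=$2
    oldifs=$IFS; IFS=:
    for d in $dirs; do
        if [ -f "$d/$app.conf" ]; then
            IFS=$oldifs
            printf '%s\n' "$d/$app.conf"
            return 0
        fi
    done
    IFS=$oldifs
    return 1
}

# Print the pwcheck_method set in a SASL application config (empty if unset).
sasl_pwcheck_method() {
    sed -n 's/^[[:space:]]*pwcheck_method:[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# ---- constructed sandbox (assumed layout, created only for this example) ----
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The config.status line as quoted in the thread, rooted under $WORK.
printf 's,@configdir@,%s,;t t\n' "$WORK/usr/lib/sasl2:$WORK/etc/sasl2" > "$WORK/config.status"

mkdir -p "$WORK/usr/lib/sasl2" "$WORK/etc/sasl2" "$WORK/prefix/lib/sasl2"

# The file libsasl will actually read: second directory in the configdir list.
cat > "$WORK/etc/sasl2/slapd.conf" <<'EOF'
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
EOF

# A slapd.conf that only lives under the --prefix tree (assumed path) is never
# consulted, because that tree is not in the compiled-in configdir.
printf 'pwcheck_method: saslauthd\n' > "$WORK/prefix/lib/sasl2/slapd.conf"

CONFIGDIR=$(sasl_configdir_from_status "$WORK/config.status")
echo "compiled-in configdir: $CONFIGDIR"

if CONF=$(find_sasl_app_conf "$CONFIGDIR" slapd); then
    echo "libsasl will read $CONF (pwcheck_method: $(sasl_pwcheck_method "$CONF"))"
else
    echo "no slapd.conf in $CONFIGDIR: libsasl will fall back to sasldb"
fi
```

Run it against a real build by pointing sasl_configdir_from_status at the config.status in your cyrus-sasl source tree; if find_sasl_app_conf prints nothing, that is the situation Dan describes, and the saslpasswd / ldapwhoami -Y PLAIN checks from the thread will tell you whether sasldb or saslauthd is answering.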