Hello,
I need help with the following problem.
Our password authentication should use SASL, but we don't see any requests in our logs or with tcpdump.
The password authentication should work as follows:
- userPassword attribute: {SASL}User@Domain
- saslauthd -> uses PAM
- PAM -> uses Kerberos
- Kerberos -> sends the request to the Active Directory server
RPM list:
---------------------
lshxx0693:~ # rpm -qa | grep sasl
cyrus-sasl-gssapi-32bit-2.1.22-182.20.1
cyrus-sasl-gssapi-2.1.22-182.20.1
cyrus-sasl-2.1.22-182.20.1
cyrus-sasl-32bit-2.1.22-182.20.1
cyrus-sasl-digestmd5-2.1.22-182.20.1
cyrus-sasl-digestmd5-32bit-2.1.22-182.20.1
cyrus-sasl-devel-2.1.22-182.20.1
cyrus-sasl-saslauthd-2.1.22-182.19
lshxx0693:~ # rpm -qa | grep krb
krb5-1.6.3-133.49.64.1
krb5-32bit-1.6.3-133.49.64.1
pam_krb5-2.3.1-47.12.1
pam_krb5-32bit-2.3.1-47.12.1
krb5-doc-1.6.3-133.49.64.1
krb5-plugin-kdb-ldap-1.6.3-133.49.64.1
krb5-server-1.6.3-133.49.64.1
krb5-client-1.6.3-133.49.64.1
lshxx0693:~ # rpm -qa | grep ldap
openldap2-2.4.26-0.28.5
openldap2-client-2.4.26-0.28.5
openldap2-devel-2.4.26-0.28.5
pam_ldap-184-147.20
pam_ldap-32bit-184-147.20
nss_ldap-262-11.32.39.1
nss_ldap-32bit-262-11.32.39.1
libldap-2_4-2-2.4.26-0.28.5
libldap-2_4-2-32bit-2.4.26-0.28.5
libldapcpp1-0.3.0-0.9.29
libevoldap-2_4-2-2.4.12-4.19
yast2-ldap-2.17.8-0.7.61
yast2-ldap-client-2.17.38-0.7.2
yast2-ldap-server-2.17.44-0.5.1
lshxx0693:~ # rpm -qa | grep cyrus
cyrus-sasl-gssapi-2.1.22-182.20.1
cyrus-sasl-gssapi-32bit-2.1.22-182.20.1
cyrus-sasl-saslauthd-2.1.22-182.19
cyrus-sasl-devel-2.1.22-182.20.1
cyrus-sasl-2.1.22-182.20.1
cyrus-sasl-32bit-2.1.22-182.20.1
cyrus-sasl-digestmd5-2.1.22-182.20.1
cyrus-sasl-digestmd5-32bit-2.1.22-182.20.1
Configuration files:
----------------------------
lshxx0693:~ # cat /etc/sasl2/slapd.conf
mech_list: plain login
pwcheck_method: saslauthd
lshxx0693:~ # cat /etc/sysconfig/saslauthd
SASLAUTHD_AUTHMECH=pam
SASLAUTHD_THREADS=5
SASLAUTHD_PARAMS="-r"
lshxx0693:~ # cat /etc/pam.d/ldap
auth required pam_krb5.so no_user_check
account required pam_permit.so
lshxx0693:/etc/pam.d/ # cat common-account | egrep -v "^#"
account requisite pam_unix2.so
account sufficient pam_localuser.so
account required pam_ldap.so use_first_pass
lshxx0693:/etc/pam.d/ # cat common-account-pc | egrep -v "^#"
account requisite pam_unix2.so
account sufficient pam_localuser.so
account required pam_ldap.so use_first_pass
lshxx0693:/etc/pam.d/ # cat common-auth | egrep -v "^#"
auth required pam_env.so
auth sufficient pam_unix2.so
auth required pam_ldap.so use_first_pass
lshxx0693:/etc/pam.d/ # cat common-auth-pc | egrep -v "^#"
auth required pam_env.so
auth sufficient pam_unix2.so
auth required pam_ldap.so use_first_pass
lshxx0693:/etc/pam.d/ # cat common-password | egrep -v "^#"
password requisite pam_pwcheck.so nullok cracklib
password sufficient pam_unix2.so use_authtok nullok
password required pam_ldap.so try_first_pass use_authtok
lshxx0693:/etc/pam.d/ # cat common-session | egrep -v "^#"
session optional pam_mkhomedir.so
session required pam_limits.so
session required pam_unix2.so
session optional pam_ldap.so
session optional pam_umask.so
lshxx0693:/etc/pam.d/ # cat common-session-pc | egrep -v "^#"
session optional pam_mkhomedir.so
session required pam_limits.so
session required pam_unix2.so
session optional pam_ldap.so
session optional pam_umask.so
lshxx0693:/etc/pam.d/ # cat common-password-pc | egrep -v "^#"
password requisite pam_pwcheck.so nullok cracklib
password sufficient pam_unix2.so use_authtok nullok
password required pam_ldap.so try_first_pass use_authtok
lshxx0693:~ # pam-config --verify
lshxx0693:~ #
lshxx0693:~ # cat /etc/krb5.conf
[libdefaults]
default_realm = INT.IT.DPP
dns_lookup_kdc = true
[realms]
INT.IT.DPP = {
kdc = 10.150.10.10
kdc = 10.150.10.10
}
[logging]
default = SYSLOG:NOTICE:DAEMON
lshxx0693:~ # cat /etc/nsswitch.conf | egrep -v "#"
passwd: compat
group: files ldap
hosts: files dns
networks: files dns
services: files ldap
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files ldap
publickey: files
bootparams: files
automount: files nis
aliases: files ldap
passwd_compat: ldap
Please tell me if you need more information.
I would like to thank you in advance for your help.
Best wishes
S. Kuechler
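The following diagnostic script is an added example and is not part of the post above; it exercises the chain the poster describes (slapd simple bind -> {SASL} userPassword -> saslauthd -> PAM -> pam_krb5 -> Active Directory) one hop at a time, from the bottom up, so the silent hop can be isolated. The test entry's userPassword value, the saslauthd socket path /var/run/sasl2/mux, the LDAP URI, the bind DN and the SASL_TEST_PW variable are all assumptions made for the example. It relies on two facts worth knowing when reading the config above: slapd hands saslauthd the SASL service name "ldap", which `saslauthd -a pam` turns into the PAM service /etc/pam.d/ldap, and `saslauthd -r` glues the user and realm that slapd split at the '@' back together as user@realm before calling PAM.

```shell
#!/bin/sh
# Added diagnostic (not from the original post) for the chain
#   slapd simple bind -> {SASL} userPassword -> saslauthd -> PAM (/etc/pam.d/ldap)
#   -> pam_krb5 -> KDC (Active Directory)
# Everything below the comment is an assumption for the example.
TEST_USERPASSWORD='{SASL}testuser@INT.IT.DPP'       # constructed sample value
MUX=/var/run/sasl2/mux                               # assumed saslauthd socket path
LDAP_URI=ldap://localhost                            # assumed
BIND_DN='uid=testuser,ou=People,dc=example,dc=com'   # assumed DN of the test entry

# slapd splits a {SASL}user@realm value at the '@' into a SASL user and a
# realm; saslauthd started with -r glues them back to user@realm before
# pam_start(). These helpers reproduce the split so testsaslauthd can be
# driven with exactly the values slapd would send.
sasl_user() {
    v=${1#"{SASL}"}
    printf '%s\n' "${v%%@*}"
}
sasl_realm() {
    v=${1#"{SASL}"}
    case "$v" in
        *@*) printf '%s\n' "${v#*@}" ;;
        *)   printf '\n' ;;
    esac
}

# Step 0: is saslauthd running with -a pam, and is its socket where slapd looks?
check_saslauthd() {
    args=$(ps -o args= -C saslauthd | head -n 1)
    echo "saslauthd: ${args:-NOT RUNNING}"
    case "$args" in
        *-a\ pam*) ;;
        *) echo "saslauthd is not running with -a pam"; return 1 ;;
    esac
    [ -S "$MUX" ] || { echo "no socket at $MUX; slapd cannot reach saslauthd"; return 1; }
}

# Step 1: exercise saslauthd -> PAM -> pam_krb5 -> AD without slapd.
# -s ldap selects the same PAM service (/etc/pam.d/ldap) that slapd would.
check_chain() {
    u=$(sasl_user "$TEST_USERPASSWORD")
    r=$(sasl_realm "$TEST_USERPASSWORD")
    if testsaslauthd -f "$MUX" -s ldap -u "$u" -r "$r" -p "$SASL_TEST_PW"; then
        echo "saslauthd->PAM->krb5->AD works; the gap is between slapd and saslauthd"
        return 0
    fi
    echo "saslauthd chain fails; checking Kerberos alone (watch port 88 with tcpdump)"
    kinit "$u@$r" && klist && kdestroy
    return 1
}

# Step 2: the simple bind through slapd itself. Run slapd with -d 256 (stats)
# in the foreground to confirm the BIND actually reaches this server.
# -w puts the password in the process list; use -W interactively instead.
check_bind() {
    ldapwhoami -x -H "$LDAP_URI" -D "$BIND_DN" -w "$SASL_TEST_PW"
}

main() {
    : "${SASL_TEST_PW:?set SASL_TEST_PW to the AD password of the test account}"
    check_saslauthd && check_chain && check_bind
}

# Only run the checks when explicitly asked, so the helpers can be sourced alone.
if [ "${SASL_DIAG_RUN:-0}" = 1 ]; then
    main
fi
```

Run it as `SASL_DIAG_RUN=1 SASL_TEST_PW='...' sh sasl-diag.sh`. If step 1 passes and step 2 still shows no saslauthd traffic, the bind is not reaching an entry whose userPassword carries the {SASL} prefix, or slapd is looking for the mux socket under a different path than saslauthd created; if step 1 fails but kinit succeeds, the problem sits in saslauthd or /etc/pam.d/ldap rather than in Kerberos or AD.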