Re: Simple Bind pass-through to SASL/PLAIN

On 04/03/11 13:22 -0700, Zach Schimke wrote: > It was complied with '--enable-spasswd', defined properly in > portable.h, and I confirm that an ldd of the slapd binary show that > it is linked to sasl. > > include/portable.h: > /* define to support SASL passwords */ > #define SLAPD_SPASSWD 1 > > BUT, the logs say nothing about SASL when a simple bind is performed > to my account with a {SASL} userPassword. What log level are you capturing at? What version of OpenLDAP are you using? You said you were able to get a SASL PLAIN bind working, so I don't believe you have a problem with your /etc/sasl2/slapd.conf config. What happens if you provide the '{SASL}username@REALM' (or the value in your userPassword attribute) as the password? Does it succeed? > On 3/4/2011 7:54 AM, Dan White wrote: >> On 03/03/11 17:07 -0700, Zach Schimke wrote: >>> Is there any trick to this? >>> >>> I am able to get SASL/PLAIN and SASL/GSSAPI binds to work perfectly >>> with my ldap server. What I want to get working is the >>> authentication pass-through. >>> >>> From what I can gather, it appears that LDAP should be able to >>> authenticate a simple bind, take a look at the userPassword >>> attribute (which contains '{SASL}username@REALM) and perform a >>> SASL/PLAIN from there. >>> >>> We want to avoid maintaining two separate passwords (LDAP and >>> Kerberos V) although some applications (like phpLDAPAdmin, Drupal, >>> etc) do not allow the use of Kerberos natively. >>> >>> /etc/sasl2/slapd.conf (using CentOS): >>> pwcheck_method: saslauthd >>> >>> Here's a snippet of my openldap.log during a simple bind: >>> Mar 3 16:45:49 kdc1 slapd[28132]: conn=2009 fd=39 ACCEPT from >>> IP=149.169.147.254:56106 (IP=0.0.0.0:636) >>> Mar 3 16:45:49 kdc1 slapd[28132]: conn=2009 fd=39 TLS >>> established tls_ssf=256 ssf=256 >>> Mar 3 16:45:49 kdc1 slapd[28132]: conn=2009 op=0 BIND >>> dn="cn=test account,ou=people,o=mars" method=128 >>> Mar 3 16:45:49 kdc1 slapd[28132]: send_ldap_result: conn=2009 >>> op=0 p=3 >>> Mar 3 16:45:49 kdc1 slapd[28132]: conn=2009 op=0 RESULT tag=97 >>> err=49 text= >>> Mar 3 16:45:49 kdc1 slapd[28132]: connection_closing: readying >>> conn=2009 sd=39 for close >>> Mar 3 16:45:49 kdc1 slapd[28132]: connection_close: conn=2009 sd=-1 >>> Mar 3 16:45:49 kdc1 slapd[28132]: conn=2009 fd=39 closed >>> (connection lost) >>> >>> Anything I should double-check, modify, etc? >> >> Verify that your openldap installation was compiled with >> '--enable-spasswd'. >> >> Try running saslauthd in debug mode to see if slapd is passing an >> authentication attempt. >> >