I'm having a difficult time setting up pass-through authentication. I've set it up before but can't seem to get it to work this time. I've done the following:
- Created the slapd.conf for SASL.
- Started and ensured saslauthd is running.
- Added the openldap user to the sasl group.
- Verified with testsaslauthd that SASL is working.
- Restarted slapd and the server just to make sure all settings/permissions are updated properly.
However I always get a permission denied error message when slapd tries to contact saslauthd:
Feb 5 12:13:56 bllldap01 slapd[477]: SASL [conn=2866] Failure: cannot connect to saslauthd server: Permission denied
I've even temporarily enabled the shell on the openldap user and tested testsaslauthd, which returned a successful result. I feel like I'm missing something obvious and maybe a fresh set of eyes can point that out. Below are all the relevant details of my system:
########################
# SASL & LDAP SETTINGS #
########################

jschaeffer@bllldap01:~$ ls -l /etc/ldap/sasl2/slapd.conf
-rw-r--r-- 1 root root 65 Feb 5 12:45 /etc/ldap/sasl2/slapd.conf

jschaeffer@bllldap01:~$ cat /etc/ldap/sasl2/slapd.conf
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux

jschaeffer@bllldap01:~$ groups openldap
openldap : openldap sasl ssl-cert

jschaeffer@bllldap01:~$ ls -ld /var/run/saslauthd/
drwx--x--- 2 root sasl 140 Feb 5 12:16 /var/run/saslauthd/

jschaeffer@bllldap01:~$ sudo ls -l /var/run/saslauthd/
total 968
-rw------- 1 root root      0 Feb 5 12:16 cache.flock
-rw------- 1 root root 986112 Feb 5 12:16 cache.mmap
srwxrwxrwx 1 root root      0 Feb 5 12:16 mux
-rw------- 1 root root      0 Feb 5 12:16 mux.accept
-rw------- 1 root root      4 Feb 5 12:16 saslauthd.pid

jschaeffer@bllldap01:~$ cat /etc/default/saslauthd | grep -E -v '(#|^$)'
START=yes
DESC="SASL Authentication Daemon"
NAME="saslauthd"
MECHANISMS="kerberos5"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-c -m /var/run/saslauthd"
export KRB5_KTNAME=/etc/krb5.keytab

jschaeffer@bllldap01:~$ ps aux | grep [s]asl
root       472  0.0  0.0 100980  2956 ?        Ss   12:16   0:00 /usr/sbin/saslauthd -a kerberos5 -c -m /var/run/saslauthd -n 5
root       473  0.0  0.0 109392  6516 ?        S    12:16   0:00 /usr/sbin/saslauthd -a kerberos5 -c -m /var/run/saslauthd -n 5
root       474  0.0  0.0 100980  1056 ?        S    12:16   0:00 /usr/sbin/saslauthd -a kerberos5 -c -m /var/run/saslauthd -n 5
root       475  0.0  0.0 100980  1056 ?        S    12:16   0:00 /usr/sbin/saslauthd -a kerberos5 -c -m /var/run/saslauthd -n 5
root       476  0.0  0.0 100980  1056 ?        S    12:16   0:00 /usr/sbin/saslauthd -a kerberos5 -c -m /var/run/saslauthd -n 5

jschaeffer@bllldap01:~$ ps aux | grep [s]lapd
openldap  1236  0.0  4.7 2344672 737116 ?      Ssl  13:19   0:00 /usr/sbin/slapd -h ldap:/// ldaps:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d

jschaeffer@bllldap01:~$ sudo testsaslauthd -u jschaeffer@HARMONYWAVE.CLOUD -p ************
0: OK "Success."

jschaeffer@bllldap01:~$ cat /etc/passwd | grep 'openldap'
openldap:x:111:115:OpenLDAP Server Account,,,:/var/lib/ldap:/bin/bash
jschaeffer@bllldap01:~$ sudo su - openldap
openldap@bllldap01:~$ testsaslauthd -u jschaeffer@HARMONYWAVE.CLOUD -p ************
0: OK "Success."
################
# DEBUG OUTPUT #
################

Feb 5 12:13:53 bllldap01 slapd[477]: conn=2866 fd=40 ACCEPT from IP=[fd83:172:16:44::1000]:44920 (IP=[::]:389)
Feb 5 12:13:53 bllldap01 slapd[477]: conn=2866 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Feb 5 12:13:53 bllldap01 slapd[477]: conn=2866 op=0 STARTTLS
Feb 5 12:13:53 bllldap01 slapd[477]: conn=2866 op=0 RESULT oid= err=0 text=
Feb 5 12:13:53 bllldap01 slapd[477]: conn=2866 fd=40 TLS established tls_ssf=256 ssf=256
Feb 5 12:13:55 bllldap01 slapd[477]: conn=2846 op=69 SRCH base="ou=People,dc=harmonywave,dc=cloud" scope=2 deref=0 filter="(&(uid=radiomail)(objectClass$
Feb 5 12:13:55 bllldap01 slapd[477]: conn=2846 op=69 SRCH attr=objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrinci$
Feb 5 12:13:55 bllldap01 slapd[477]: conn=2846 op=69 SEARCH RESULT tag=101 err=0 nentries=0 text=
Feb 5 12:13:55 bllldap01 slapd[477]: conn=2787 op=637 SRCH base="cn=HARMONYWAVE.CLOUD,cn=krbContainer,dc=harmonywave,dc=cloud" scope=2 deref=0 filter="($
Feb 5 12:13:55 bllldap01 slapd[477]: conn=2787 op=637 SRCH attr=krbprincipalname krbcanonicalname objectclass krbprincipalkey krbmaxrenewableage krbmaxt$
Feb 5 12:13:55 bllldap01 slapd[477]: conn=2787 op=637 SEARCH RESULT tag=101 err=0 nentries=0 text=
Feb 5 12:13:55 bllldap01 slapd[477]: conn=2846 op=70 SRCH base="ou=People,dc=harmonywave,dc=cloud" scope=2 deref=0 filter="(&(uid=radiomail)(objectClass$
Feb 5 12:13:55 bllldap01 slapd[477]: conn=2846 op=70 SRCH attr=objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrinci$
Feb 5 12:13:55 bllldap01 slapd[477]: conn=2846 op=70 SEARCH RESULT tag=101 err=0 nentries=0 text=
Feb 5 12:13:56 bllldap01 slapd[477]: conn=2866 op=1 BIND dn="uid=jschaeffer,ou=End Users,ou=People,dc=harmonywave,dc=cloud" method=128
Feb 5 12:13:56 bllldap01 slapd[477]: SASL [conn=2866] Failure: cannot connect to saslauthd server: Permission denied
Feb 5 12:13:56 bllldap01 slapd[477]: conn=2866 op=1 RESULT tag=97 err=49 text=
Feb 5 12:13:56 bllldap01 slapd[477]: conn=2866 op=2 UNBIND
Feb 5 12:13:56 bllldap01 slapd[477]: conn=2866 fd=40 closed
jschaeffer@bllldap01:~$ sudo strace -f -p 1236
...
[{EPOLLIN, {u32=1975476364, u64=140507535597708}}], 1048576, 1409000) = 1
[pid 1237] epoll_ctl(7, EPOLL_CTL_MOD, 31, {0, {u32=1975476364, u64=140507535597708}}) = 0
[pid 1237] futex(0x5567c5bf4978, FUTEX_WAKE_PRIVATE, 1) = 1
[pid 1237] epoll_wait(7, <unfinished ...>
[pid 1265] <... futex resumed> ) = 0
[pid 1265] futex(0x5567c5bf4928, FUTEX_WAKE_PRIVATE, 1) = 0
[pid 1265] read(31, "\27\3\3\0m", 5) = 5
[pid 1265] read(31, "\0\0\0\0\0\0\0\1*\215C]\226R#c(\250!j\255\254r\226'|\226y\0365\334\231"..., 109) = 109
[pid 1265] read(31, 0x7fc9f015e053, 5) = -1 EAGAIN (Resource temporarily unavailable)
[pid 1265] epoll_ctl(7, EPOLL_CTL_MOD, 31, {EPOLLIN, {u32=1975476364, u64=140507535597708}}) = 0
[pid 1265] write(6, "0", 1) = 1
[pid 1237] <... epoll_wait resumed> [{EPOLLIN, {u32=1975476260, u64=140507535597604}}], 1048576, 1402000) = 1
[pid 1265] getpid( <unfinished ...>
[pid 1237] read(5, <unfinished ...>
[pid 1265] <... getpid resumed> ) = 1236
[pid 1237] <... read resumed> "0", 8192) = 1
[pid 1265] sendto(4, "<167>Feb 5 13:26:30 slapd[1236]"..., 132, MSG_NOSIGNAL, NULL, 0 <unfinished ...>
[pid 1237] epoll_wait(7, <unfinished ...>
[pid 1265] <... sendto resumed> ) = 132
[pid 1265] socket(AF_UNIX, SOCK_STREAM, 0) = 32
[pid 1265] connect(32, {sa_family=AF_UNIX, sun_path="/var/run/saslauthd/mux"}, 110) = -1 EACCES (Permission denied)
[pid 1265] close(32) = 0
[pid 1265] getpid() = 1236
[pid 1265] sendto(4, "<167>Feb 5 13:26:30 slapd[1236]"..., 114, MSG_NOSIGNAL, NULL, 0) = 114
[pid 1265] write(31, "\27\3\3\0&\0\0\0\0\0\0\0\1\270\22\25\347\316\323\6\3721\375\200{\300\350\337E\371\221\206"..., 43) = 43
[pid 1265] getpid() = 1236
[pid 1265] sendto(4, "<167>Feb 5 13:26:30 slapd[1236]"..., 76, MSG_NOSIGNAL, NULL, 0) = 76
[pid 1265] futex(0x5567c5bf497c, FUTEX_WAIT_PRIVATE, 0, NULL <unfinished ...>
[pid 1237] <... epoll_wait resumed> [{EPOLLIN, {u32=1975476364, u64=140507535597708}}], 1048576, 1402000) = 1
[pid 1237] epoll_ctl(7, EPOLL_CTL_MOD, 31, {0, {u32=1975476364, u64=140507535597708}}) = 0
[pid 1237] futex(0x5567c5bf4978, FUTEX_WAKE_PRIVATE, 1) = 1
[pid 1237] epoll_wait(7, <unfinished ...>
[pid 1238] <... futex resumed> ) = 0
[pid 1238] futex(0x5567c5bf4928, FUTEX_WAKE_PRIVATE, 1) = 0
[pid 1238] read(31, "\27\3\3\0\37", 5) = 5
[pid 1238] read(31, "\0\0\0\0\0\0\0\2L6Z\337[:\364z\331\361\277\350\31\33\354\316\20IP\375EI\0", 31) = 31
[pid 1238] read(31, "\25\3\3\0\32", 5) = 5
[pid 1238] read(31, "\0\0\0\0\0\0\0\3z\277}k\22\1775dS)BR\377\344\277\271\323\221", 26) = 26
[pid 1238] write(6, "0", 1) = 1
[pid 1237] <... epoll_wait resumed> [{EPOLLIN, {u32=1975476260, u64=140507535597604}}], 1048576, 1402000) = 1
[pid 1238] getpid( <unfinished ...>
[pid 1237] read(5, <unfinished ...>
[pid 1238] <... getpid resumed> ) = 1236
[pid 1237] <... read resumed> "0", 8192) = 1
[pid 1238] sendto(4, "<167>Feb 5 13:26:30 slapd[1236]"..., 56, MSG_NOSIGNAL, NULL, 0 <unfinished ...>
[pid 1237] epoll_wait(7, <unfinished ...>
[pid 1238] <... sendto resumed> ) = 56
[pid 1238] epoll_ctl(7, EPOLL_CTL_DEL, 31, 0x7fca743f60f4) = 0
[pid 1238] write(31, "\25\3\3\0\32\0\0\0\0\0\0\0\2\2431\246\345i\2013\31\0\f\t2\367: \270)\202", 31) = 31
[pid 1238] shutdown(31, SHUT_RDWR) = 0
[pid 1238] close(31) = 0
[pid 1238] getpid() = 1236
[pid 1238] sendto(4, "<167>Feb 5 13:26:30 slapd[1236]"..., 57, MSG_NOSIGNAL, NULL, 0) = 57
[pid 1238] futex(0x5567c5bf497c, FUTEX_WAIT_PRIVATE, 0, NULL^Cstrace: Process 1236 detached
5e3b2a11 connection_get(19): got connid=1003
5e3b2a11 connection_read(19): checking for input on id=1003
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
5e3b2a11 op tag 0x77, time 1580935697
ber_get_next
5e3b2a11 conn=1003 op=0 do_extended
ber_scanf fmt ({m) ber:
5e3b2a11 send_ldap_extended: err=0 oid= len=0
5e3b2a11 send_ldap_response: msgid=1 tag=120 err=0
ber_flush2: 14 bytes to sd 19
5e3b2a11 connection_get(19): got connid=1003
5e3b2a11 connection_read(19): checking for input on id=1003
5e3b2a11 connection_read(19): unable to get TLS client DN, error=49 id=1003
5e3b2a19 connection_get(19): got connid=1003
5e3b2a19 connection_read(19): checking for input on id=1003
ber_get_next
ber_get_next: tag 0x30 len 83 contents:
5e3b2a19 op tag 0x60, time 1580935705
ber_get_next
5e3b2a19 conn=1003 op=1 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
5e3b2a19 >>> dnPrettyNormal: <uid=jschaeffer,ou=End Users,ou=People,dc=harmonywave,dc=cloud>
5e3b2a19 <<< dnPrettyNormal: <uid=jschaeffer,ou=End Users,ou=People,dc=harmonywave,dc=cloud>, <uid=jschaeffer,ou=end users,ou=people,dc=harmonywave,dc=cloud>
5e3b2a19 do_bind: version=3 dn="uid=jschaeffer,ou=End Users,ou=People,dc=harmonywave,dc=cloud" method=128
5e3b2a19 mdb_dn2entry("uid=jschaeffer,ou=end users,ou=people,dc=harmonywave,dc=cloud")
5e3b2a19 => mdb_dn2id("uid=jschaeffer,ou=end users,ou=people,dc=harmonywave,dc=cloud")
5e3b2a19 <= mdb_dn2id: got id=0x26
5e3b2a19 => mdb_entry_decode:
5e3b2a19 <= mdb_entry_decode
5e3b2a19 SASL [conn=1003] Failure: cannot connect to saslauthd server: Permission denied
5e3b2a19 send_ldap_result: conn=1003 op=1 p=3
5e3b2a19 send_ldap_response: msgid=2 tag=97 err=49
ber_flush2: 14 bytes to sd 19
5e3b2a19 connection_get(19): got connid=1003
5e3b2a19 connection_read(19): checking for input on id=1003
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
5e3b2a19 op tag 0x42, time 1580935705
ber_get_next
5e3b2a19 ber_get_next on fd 19 failed errno=0 (Success)
5e3b2a19 conn=1003 op=2 do_unbind
5e3b2a19 connection_close: conn=1003 sd=19
###########
# OS INFO #
###########

jschaeffer@bllldap01:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 18.04.3 LTS
Release:        18.04
Codename:       bionic
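The strace output above pins the failure to a single syscall: connect() on the AF_UNIX socket /var/run/saslauthd/mux returns EACCES while slapd runs as uid openldap. The following added example (not part of the question) models the discretionary checks the kernel applies to that call, using the ownership and mode bits shown in the ls output: search (x) on every directory leading to the socket and write (w) on the socket inode itself. Numeric ids for the sasl and ssl-cert groups (45 and 112) and the 0755 root:root modes of /var and /var/run are assumptions; openldap's 111:115 comes from the /etc/passwd line in the post. Running it reproduces what the testsaslauthd run as openldap already showed: plain mode bits grant the access, so an EACCES at this point must come from a layer above DAC (a mandatory access control profile confining slapd is the usual source of that on Ubuntu), which is where the search should continue.

```python
"""Model of the POSIX DAC checks behind connect(2) on a UNIX-domain socket.
Constructed example; permission data is taken from the question's ls output,
numeric group ids and the /var, /var/run modes are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Inode:
    path: str
    mode: int   # permission bits only (no file-type bits), e.g. 0o710
    uid: int
    gid: int


@dataclass(frozen=True)
class Proc:
    uid: int
    gids: frozenset  # primary gid plus supplementary groups, as `groups <user>` prints them


# openldap 111:115 is from the post's /etc/passwd; sasl=45 and ssl-cert=112 are constructed ids.
ROOT, SASL, SSL_CERT = 0, 45, 112
OPENLDAP_UID, OPENLDAP_GID = 111, 115

# Every directory between / and the socket. /var and /var/run are assumed 0755 root:root;
# /var/run/saslauthd is drwx--x--- root sasl as shown by `ls -ld` in the post.
PATH_DIRS = (
    Inode("/var", 0o755, ROOT, ROOT),
    Inode("/var/run", 0o755, ROOT, ROOT),
    Inode("/var/run/saslauthd", 0o710, ROOT, SASL),
)
# srwxrwxrwx root root, as shown by `sudo ls -l /var/run/saslauthd/`.
MUX = Inode("/var/run/saslauthd/mux", 0o777, ROOT, ROOT)


def applicable_bits(inode: Inode, proc: Proc) -> int:
    """Return the rwx triple DAC applies to this process: owner, else group, else other.
    uid 0 is treated as allowed everywhere (CAP_DAC_OVERRIDE / CAP_DAC_READ_SEARCH)."""
    if proc.uid == 0:
        return 0o7
    if proc.uid == inode.uid:
        return (inode.mode >> 6) & 0o7
    if inode.gid in proc.gids:
        return (inode.mode >> 3) & 0o7
    return inode.mode & 0o7


def explain_connect(dirs, sock: Inode, proc: Proc):
    """connect(2) on an AF_UNIX socket needs search (x) on each directory in the path and
    write (w) on the socket inode. Returns (allowed, reason) naming the first failing step."""
    for d in dirs:
        if not applicable_bits(d, proc) & 0o1:
            return False, f"no search permission on {d.path} (mode {d.mode:o}, owner {d.uid}:{d.gid})"
    if not applicable_bits(sock, proc) & 0o2:
        return False, f"no write permission on socket {sock.path} (mode {sock.mode:o})"
    return True, "DAC permits connect(); an EACCES here comes from a layer above mode bits"


def diagnose(groups: frozenset):
    """Run the check as the slapd service user (uid 111) with the given group set."""
    return explain_connect(PATH_DIRS, MUX, Proc(OPENLDAP_UID, groups))


if __name__ == "__main__":
    # Groups exactly as `groups openldap` reports them in the post.
    print(diagnose(frozenset({OPENLDAP_GID, SASL, SSL_CERT})))
    # Same service user without the sasl group: the 0710 directory blocks the walk.
    print(diagnose(frozenset({OPENLDAP_GID, SSL_CERT})))
```

The two calls at the bottom contrast the posted configuration (access granted) with the most common genuine DAC mistake, a service user missing from the sasl group, which the model flags at /var/run/saslauthd because the directory has no "other" search bit.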