On 04/03/11 13:22 -0700, Zach Schimke wrote:
>It was compiled with '--enable-spasswd', defined properly in
>portable.h, and I confirm that an ldd of the slapd binary shows that
>it is linked to sasl.
>include/portable.h:
>/* define to support SASL passwords */
>#define SLAPD_SPASSWD 1
>BUT, the logs say nothing about SASL when a simple bind is performed
>to my account with a {SASL} userPassword.
What log level are you capturing at? What version of OpenLDAP are you
using?
You said you were able to get a SASL PLAIN bind working, so I don't
believe you have a problem with your /etc/sasl2/slapd.conf config.
What happens if you provide the '{SASL}username@REALM' (or the value in
your userPassword attribute) as the password? Does it succeed?
>On 3/4/2011 7:54 AM, Dan White wrote:
>>On 03/03/11 17:07 -0700, Zach Schimke wrote:
>>>Is there any trick to this?
>>>
>>>I am able to get SASL/PLAIN and SASL/GSSAPI binds to work
>>>perfectly with my ldap server. What I want to get working is the
>>>authentication pass-through.
>>>
>>>From what I can gather, it appears that LDAP should be able to
>>>authenticate a simple bind, take a look at the userPassword
>>>attribute (which contains '{SASL}username@REALM') and perform a
>>>SASL/PLAIN from there.
>>>
>>>We want to avoid maintaining two separate passwords (LDAP and
>>>Kerberos V) although some applications (like phpLDAPAdmin,
>>>Drupal, etc) do not allow the use of Kerberos natively.
>>>
>>>/etc/sasl2/slapd.conf (using CentOS):
>>> pwcheck_method: saslauthd
>>>
>>>Here's a snippet of my openldap.log during a simple bind:
>>> Mar 3 16:45:49 kdc1 slapd[28132]: conn=2009 fd=39 ACCEPT from IP=149.169.147.254:56106 (IP=0.0.0.0:636)
>>> Mar 3 16:45:49 kdc1 slapd[28132]: conn=2009 fd=39 TLS established tls_ssf=256 ssf=256
>>> Mar 3 16:45:49 kdc1 slapd[28132]: conn=2009 op=0 BIND dn="cn=test account,ou=people,o=mars" method=128
>>> Mar 3 16:45:49 kdc1 slapd[28132]: send_ldap_result: conn=2009 op=0 p=3
>>> Mar 3 16:45:49 kdc1 slapd[28132]: conn=2009 op=0 RESULT tag=97 err=49 text=
>>> Mar 3 16:45:49 kdc1 slapd[28132]: connection_closing: readying conn=2009 sd=39 for close
>>> Mar 3 16:45:49 kdc1 slapd[28132]: connection_close: conn=2009 sd=-1
>>> Mar 3 16:45:49 kdc1 slapd[28132]: conn=2009 fd=39 closed (connection lost)
>>>
>>>Anything I should double-check, modify, etc?
>>
>>Verify that your openldap installation was compiled with
>>'--enable-spasswd'.
>>
>>Try running saslauthd in debug mode to see if slapd is passing an
>>authentication attempt.
>>
--
Dan White
BTC Broadband
Ph 918.366.0248 (direct) main: (918)366-8000
Fax 918.366.6610 email: dwhite(a)olp.net
http://www.btcbroadband.com
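The checks Dan asks for (build flags, log level, saslauthd on its own, the bind itself) collected into one script, as an added example that is not part of the thread and not code from OpenLDAP or Cyrus SASL. It assumes `testsaslauthd` and the `ldap*` client tools are installed, that the SASL service name is `slapd` (matching `/etc/sasl2/slapd.conf`), and that `cn=config` is reachable over `ldapi:///`; the log summary runs offline on a sample built from the excerpt above, so the interpretation of `method=128` and `err=49` can be seen without a server.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenLDAP/Cyrus SASL:
# a checklist for debugging a failing {SASL} pass-through simple bind.
# Assumed: testsaslauthd and the ldap* client tools are installed, the
# SASL service name is "slapd" (matching /etc/sasl2/slapd.conf), and
# cn=config is reachable over ldapi:///. The log parser runs offline.

# Constructed sample, taken from the log excerpt in the thread (wrapped
# lines rejoined).
SAMPLE_LOG='Mar 3 16:45:49 kdc1 slapd[28132]: conn=2009 fd=39 ACCEPT from IP=149.169.147.254:56106 (IP=0.0.0.0:636)
Mar 3 16:45:49 kdc1 slapd[28132]: conn=2009 op=0 BIND dn="cn=test account,ou=people,o=mars" method=128
Mar 3 16:45:49 kdc1 slapd[28132]: send_ldap_result: conn=2009 op=0 p=3
Mar 3 16:45:49 kdc1 slapd[28132]: conn=2009 op=0 RESULT tag=97 err=49 text='

# BindRequest authentication choice tags as slapd logs them (RFC 4511).
bind_method_name() {
  case "$1" in
    128) echo simple ;;          # 0x80: simple bind, the case in the thread
    163) echo sasl ;;            # 0xA3: SASL bind (PLAIN, GSSAPI, ...)
    *)   echo "unknown($1)" ;;
  esac
}

# LDAP result codes commonly returned for a bind (RFC 4511 section 4.1.9).
ldap_result_name() {
  case "$1" in
    0)  echo success ;;
    7)  echo authMethodNotSupported ;;
    8)  echo strongerAuthRequired ;;
    13) echo confidentialityRequired ;;
    48) echo inappropriateAuthentication ;;
    49) echo invalidCredentials ;;
    53) echo unwillingToPerform ;;
    *)  echo "other($1)" ;;
  esac
}

# Read slapd "stats" log text on stdin, pair each BIND with its RESULT by
# conn/op, and print "conn=N op=M bind=<method> result=<name>(<code>)".
summarize_binds() {
  awk '
    / BIND dn=/ || / RESULT / {
      is_result = ($0 ~ / RESULT /)
      c = ""; o = ""
      for (i = 1; i <= NF; i++) {
        if      ($i ~ /^conn=/)   c = $i
        else if ($i ~ /^op=/)     o = $i
        else if ($i ~ /^method=/) method[c " " o] = substr($i, 8)
        else if ($i ~ /^err=/)    err[c " " o] = substr($i, 5)
      }
      k = c " " o
      if (is_result && (k in method)) print k, method[k], err[k]
    }' |
  while read -r conn op method code; do
    printf '%s %s bind=%s result=%s(%s)\n' "$conn" "$op" \
      "$(bind_method_name "$method")" "$(ldap_result_name "$code")" "$code"
  done
}

# 1. Was this build configured with --enable-spasswd? $1 is the path to
#    the include/portable.h of the tree the running slapd was built from.
check_spasswd_build() {
  grep -q '^#define SLAPD_SPASSWD 1' "$1"
}

# 2. Is the "stats" log level (256) on? Without it, BIND/RESULT lines
#    never reach the log, which is the log-level question in the thread.
check_loglevel() {
  ldapsearch -LLL -Q -Y EXTERNAL -H ldapi:/// -b cn=config -s base olcLogLevel
}

# 3. Does saslauthd accept the Kerberos credentials on its own? This
#    isolates the SASL side from slapd: $1=user $2=realm $3=password.
check_saslauthd() {
  testsaslauthd -s slapd -u "$1" -r "$2" -p "$3"
}

# 4. The simple bind itself, with the password the user would type.
#    $1=URI (e.g. ldaps://kdc1) $2=bind DN $3=password.
check_simple_bind() {
  ldapwhoami -x -H "$1" -D "$2" -w "$3"
}

# Offline demonstration of the log summary on the sample above.
printf '%s\n' "$SAMPLE_LOG" | summarize_binds
```

On the sample the summary prints `conn=2009 op=0 bind=simple result=invalidCredentials(49)`: the client did send a plain simple bind, and slapd rejected the credentials itself. When pass-through is working, running `saslauthd -d` while repeating `check_simple_bind` should show the attempt arriving at saslauthd, which is the observation Dan's debug-mode suggestion is after; if nothing arrives there while `check_saslauthd` succeeds with the same credentials, the problem sits in the slapd build or its `{SASL}` handling rather than in Cyrus SASL or Kerberos. Dan's last question is a cheap way to tell those apart: a bind that succeeds when the literal `{SASL}username@REALM` string is supplied as the password suggests the server is comparing the stored value as cleartext instead of treating it as a pass-through scheme.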