-----Original Message----- From: Dan White [mailto:dwhite@olp.net] Sent: Wednesday, January 02, 2013 7:18 PM To: Wu, James C. Cc: openldap-technical@openldap.org Subject: Re: sasl Kerberos authentication with subordinate
On 12/31/12 11:19 -0800, Wu, James C. wrote:
I have tested that the LDAP authentication through saslauthd using Kerberos works well on both the internal ldap and Kerberos pair and the external ldap Kerberos pair.
How did you verify authentication was working with your internal server?
I verified the authentication by pointing the ldap server that the client uses to the internal ldap server and check the logs messages of slapd and saslauthd and the result of 'su - user'
For example, when I used "su - peter" where peter is a user in the external ldap server and the password is {SASL}peter@EXAMPLE.COMmailto:%7bSASL%7dpeter@EXAMPLE.COM. The authentication works. However, when I use "su - James" where james is a user defined in the internal ldap server with password {SASL}james@SUB.EXAMPLE.COMmailto:%7bSASL%7djames@SUB.EXAMPLE.COM, then the authentication failed. I check the log file, the internal server did get the search request forwarded from the external ldap server and returned the correct information back. However, I did not see the saslauthd process on either the external or the internal ldap server get any inquiry for the authentication.
On 01/02/13 14:52 -0800, Wu, James C. wrote:
When I add uid to the -D flag in the ldapwhoami, then it failed on both the external and internal ldap servers.
ldapwhoami -x -H ldap://internalldap -D "uid=peter,ou=People,ou=sub,dc=example,dc=com" -w password ldapwhoami -x -H ldap://externalldap -D "uid=peter,ou=People,ou=sub,dc=example,dc=com" -w password
How does this second command (against your internal server) differ from the above verification?
-- Dan White