-----Original Message-----
From: Dan White [mailto:dwhite@olp.net]
Sent: Wednesday, January 02, 2013 7:18 PM
To: Wu, James C.
Cc: openldap-technical@openldap.org
Subject: Re: sasl Kerberos authentication with subordinate
On 12/31/12 11:19 -0800, Wu, James C. wrote:
> I have tested that the LDAP authentication through saslauthd using
> Kerberos works well on both the internal ldap and Kerberos pair and the
> external ldap Kerberos pair.
How did you verify authentication was working with your internal server?
I verified the authentication by pointing the ldap server that the client uses to the
internal ldap server and checking the log messages of slapd and saslauthd and the result of
'su - user'.
> For example, when I used "su - peter" where peter is a user in the
> external ldap server and the password is {SASL}peter@EXAMPLE.COM, the
> authentication works. However, when I use "su - James" where james is a
> user defined in the internal ldap server with password
> {SASL}james@SUB.EXAMPLE.COM, then the authentication failed. I checked
> the log file; the internal server did get the search request forwarded
> from the external ldap server and returned the correct information back.
> However, I did not see the saslauthd process on either the external or
> the internal ldap server get any inquiry for the authentication.
On 01/02/13 14:52 -0800, Wu, James C. wrote:
> When I add uid to the -D flag in the ldapwhoami, then it failed on both
> the external and internal ldap servers.
>
> ldapwhoami -x -H ldap://internalldap -D "uid=peter,ou=People,ou=sub,dc=example,dc=com" -w password
> ldapwhoami -x -H ldap://externalldap -D "uid=peter,ou=People,ou=sub,dc=example,dc=com" -w password
How does this second command (against your internal server) differ from the above verification?
--
Dan White