Re: [OpenLDAP][Authentication] SASL
I found this comment in the documentation :
The server must be built with the --enable-spasswd configuration
option to enable pass-through authentication.
I ran slapd with this option, it listed :
slapd -VVV
@(#) $OpenLDAP: slapd 2.4.40 (Sep 30 2015 06:51:51) $
mockbuild@x86-028.build.eng.bos.redhat.com:/builddir/build/BUILD/openldap-2.4.40/openldap-2.4.40/build-servers/servers/slapd
Included static backends:
config
ldif
monitor
bdb
hdb
ldap
mdb
meta
null
passwd
relay
shell
sock
How can I know that slapd was built with -enable-spasswd ?
Tim
On Mon, Feb 1, 2016 at 2:02 PM, David Magda <dmagda(a)ee.ryerson.ca> wrote:
Also, if you're authenticating against AD, there are a few other
things
that can be simplified in that tutorial. First, add the "-r" option to the
list of saslauthd(8) options so the username becomes foo@REALM.
After that you can have the following settings in your saslauthd.conf(5)
file:
ldap_servers: ldaps://adldap1.ad.example.com
ldaps://adldap2.ad.example.com
ldap_tls_check_peer: no
ldap_use_sasl: no
ldap_auth_method: fastbind
ldap_filter: %u
The "fastbind" skips the search of the directory, and simply tries to bind
as username@REALM (which should map to users' AD principal because of
"-r"). This also removes the need for a service account to do the initial
bind-and-search.
On Sun, January 31, 2016 22:14, David Magda wrote:
> Try editing your system-wide ldap.conf(5) file to have:
>
> TLS_REQCERT never
>
> “allow” should also work. Also make sure you have a valid setting for
> TLS_CACERT (and that the file actually exists and has some contents): if
> you tell LDAP software not to check validity, the cert path has to be
> there to be ignored.
>
>> On Jan 27, 2016, at 15:18, Timothy Keith <timothy.g.keith(a)gmail.com>
>> wrote:
>>
>> I am using this tutorial : Pass-Trough authentication with SASL
>> http://ltb-project.org/wiki/documentation/general/sasl_delegation
>>
>> Tim