Hi,
I'm so confused with the sasl passthrough implementation.
I set for the user test in my ldap tree the password {SASL}test@MY_REALM
Keytab: [test@ldap-master001 /]#--> ls /etc/krb5.keytab -l
-rw-r----- 1 root openldap 1078 2011-11-11 11:56 /etc/krb5.keytab
SASL GSSAPI Auth: works well
[test@ldap-master001 /]#--> ldapwhoami
SASL/GSSAPI authentication started
SASL username: test@MY_REALM SASL SSF: 56
SASL data security layer installed.
dn:uid=test,cn=mycomany.net,cn=gssapi,cn=auth
SASL SLAPD Config: [root@ldap-master001 /]#---> cat /usr/lib/sasl2/slapd.conf
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
keytab: /etc/krb5.keytab
testsaslauthd works well: [root@ldap-master001 /]#---> testsaslauthd -u test -p MYPASSWORD -r MY_REALM -s ldap
0: OK "Success."
sasl debug log: saslauthd[26077] :do_auth : auth success: [user=test] [service=ldap] [realm=MY_REALM] [mech=kerberos5]
saslauthd[26077] :do_request : response: OK
But the ldapsearch simplebind command takes 7-10s...
[test@ldap-master001 /]#--> ldapsearch -D uid=test,ou=users,dc=my,dc=company -w MYPASSWORD -s base -b '' -x ldap_bind: Invalid credentials (49)
And the sasl debug log shows:
saslauthd[26076] :do_auth : auth failure: [user=test] [service=ldap] [realm=MY_REALM] [mech=kerberos5] [reason=saslauthd internal error]
WTF, why works testsaslauthd well but failed with ldap auth? The kerberos server works well in both commands.....
root@ldap-master001:/usr/local/etc/openldap# /usr/local/libexec/slapd -V @(#) $OpenLDAP: slapd 2.4.21 (Nov 10 2011 11:20:35) $ root@ldap-master001:/usr/local/src/openldap-2.4.21/servers/slapd
root@ldap-master001:/usr/local/etc/openldap# saslauthd -v saslauthd: /usr/local/lib/liblber-2.4.so.2: no version information available (required by saslauthd) saslauthd: /usr/local/lib/libldap_r-2.4.so.2: no version information available (required by saslauthd) saslauthd 2.1.23 authentication mechanisms: sasldb getpwent kerberos5 pam rimap shadow ldap
Thank you