Hi,

I'm so confused with the sasl passthrough implementation.

I set for the user test in my ldap tree the password {SASL}test@MY_REALM

Keytab:

[test@ldap-master001 /]#--> ls /etc/krb5.keytab  -l
-rw-r----- 1 root openldap 1078 2011-11-11 11:56 /etc/krb5.keytab


SASL GSSAPI Auth: works well
[test@ldap-master001 /]#--> ldapwhoami
SASL/GSSAPI authentication started
SASL username: test@MY_REALM
SASL SSF: 56
SASL data security layer installed.
dn:uid=test,cn=mycomany.net,cn=gssapi,cn=auth


SASL SLAPD Config:
[root@ldap-master001 /]#---> cat /usr/lib/sasl2/slapd.conf
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
keytab: /etc/krb5.keytab


testsaslauthd works well:
[root@ldap-master001 /]#---> testsaslauthd -u test -p MYPASSWORD -r MY_REALM -s ldap
0: OK "Success."

sasl debug log:
saslauthd[26077] :do_auth : auth success: [user=test] [service=ldap] [realm=MY_REALM] [mech=kerberos5]
saslauthd[26077] :do_request : response: OK




But the ldapsearch simplebind command takes 7-10s...

[test@ldap-master001 /]#--> ldapsearch -D uid=test,ou=users,dc=my,dc=company -w MYPASSWORD -s base -b ''  -x
ldap_bind: Invalid credentials (49)


And the sasl debug log shows:

saslauthd[26076] :do_auth : auth failure: [user=test] [service=ldap] [realm=MY_REALM] [mech=kerberos5] [reason=saslauthd internal error]


WTF, why works testsaslauthd well but failed with ldap auth?
The kerberos server works well in both commands.....


root@ldap-master001:/usr/local/etc/openldap# /usr/local/libexec/slapd -V
@(#) $OpenLDAP: slapd 2.4.21 (Nov 10 2011 11:20:35) $
    root@ldap-master001:/usr/local/src/openldap-2.4.21/servers/slapd

root@ldap-master001:/usr/local/etc/openldap# saslauthd -v
saslauthd: /usr/local/lib/liblber-2.4.so.2: no version information available (required by saslauthd)
saslauthd: /usr/local/lib/libldap_r-2.4.so.2: no version information available (required by saslauthd)
saslauthd 2.1.23
authentication mechanisms: sasldb getpwent kerberos5 pam rimap shadow ldap



Thank you