On Tue, 2014-12-30 at 09:37 -0600, Dan White wrote:
On 12/30/14 10:32 -0500, Brendan Kearney wrote:
On Mon, 2014-12-29 at 10:49 -0600, Dan White wrote:
http://www.openldap.org/doc/admin24/security.html#Pass-Through%20authenticat...
Add 'pwcheck_method: saslauthd' to your libsasl slapd.conf file, and you should need nothing else unless you're using a non-standard location for your saslauthd mux.
Verify that your slapd user has permissions to access the saslauthd mux, and verify your saslauthd config with testsaslauthd.
i had the pwcheck_method directive in there, along with the path to one of two saslauthd muxes, /var/run/saslauthd/mux and /run/saslauthd/mux, which both show up as "srwxrwxrwx" and are owned by root:root. testing
Typically for the saslauthd mux, it's the parents' directory permissions that restrict access.
using testsaslauthd works with my id, but i am not sure how to have authentication work when the other process is binding with "cn=user,dc=domain,dc=tld" and not a username.
dn: cn=user,dc=domain,dc=tld
userPassword: {SASL}username@realm
/run: drwxr-xr-x 2 root root 100 Dec 30 10:26 saslauthd
/var/run: lrwxrwxrwx. 1 root root 6 Dec 10 21:46 /var/run -> ../run
so the ldap user would have read and execute permissions. should i change anything?
i do have a user for dhcpd set up in that way (dn: uid=dhcpd,dc=bpk2,dc=com and userPassword: {SASL}dhcpd@BPK2.COM). the Kerberos object does exist as well.
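As an added illustration (not code from either poster), the following Python script does what testsaslauthd does over the mux: it encodes the four length-prefixed fields saslauthd expects, checks that the calling user can reach the socket (the directory-permission point raised above), and reports OK/NO for a {SASL}user@realm value. It assumes the mux path from the thread, that slapd presents the service name "ldap", and that the realm is whatever follows the last "@".

```python
import os
import socket
import struct

MUX_PATH = "/run/saslauthd/mux"  # socket path discussed in the thread (assumption)

def split_sasl_user(sasl_value):
    """Split a {SASL}user@realm value. Assumption: realm is everything after
    the last '@'; with no '@' the realm is empty."""
    user, sep, realm = sasl_value.rpartition("@")
    return (user, realm) if sep else (sasl_value, "")

def encode_request(user, password, service="ldap", realm=""):
    """saslauthd mux request: user, password, service, realm, each prefixed
    with a 16-bit big-endian length."""
    out = b""
    for field in (user, password, service, realm):
        data = field.encode()
        out += struct.pack("!H", len(data)) + data
    return out

def parse_reply(data):
    """Reply: 16-bit length, then text beginning with 'OK' or 'NO'."""
    if len(data) < 2:
        raise ValueError("short saslauthd reply")
    (length,) = struct.unpack("!H", data[:2])
    text = data[2:2 + length].decode(errors="replace")
    return text.startswith("OK"), text

def mux_reachable(mux_path=MUX_PATH):
    """connect() needs search (x) on the socket's directory and write on the
    socket itself; run this as the slapd user to check the permissions."""
    parent = os.path.dirname(mux_path)
    return os.access(parent, os.X_OK) and os.access(mux_path, os.W_OK)

def check_password(sasl_value, password, service="ldap", mux_path=MUX_PATH):
    """Ask saslauthd whether password is valid for a {SASL}user@realm value."""
    user, realm = split_sasl_user(sasl_value)
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(mux_path)
        sock.sendall(encode_request(user, password, service, realm))
        reply = sock.recv(1024)
    return parse_reply(reply)

if __name__ == "__main__":
    if mux_reachable():  # constructed password; use a real one interactively
        print(check_password("dhcpd@BPK2.COM", "constructed-password"))
    else:
        print("cannot reach", MUX_PATH, "as this user; check directory perms")
```

Run it as the slapd user (for example via sudo -u) to test the same path slapd takes, rather than as your own id.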