> Date: Fri, 11 Nov 2011 08:41:21 -0600
> From: dwhite@olp.net
> To: raffi.sahli@hotmail.com
> CC: openldap-technical@openldap.org
> Subject: Re: OpenLDAP SASL Passthrough
>
> On 11/11/11 12:48 +0100, Raffael Sahli wrote:
> >
> >Hi,
> >
> >I'm so confused with the sasl passthrough implementation.
> >
> >I set for the user test in my ldap tree the password {SASL}test@MY_REALM
> >
> >Keytab:
> >[test@ldap-master001 /]#--> ls /etc/krb5.keytab -l
> >
> >-rw-r----- 1 root openldap 1078 2011-11-11 11:56 /etc/krb5.keytab
>
> Happy 11-11-11 day.
^^
>
> >SASL GSSAPI Auth: works well
> >
> >[test@ldap-master001 /]#--> ldapwhoami
> >
> >SASL/GSSAPI authentication started
> >
> >SASL username: test@MY_REALM
> >SASL SSF: 56
> >
> >SASL data security layer installed.
> >
> >dn:uid=test,cn=mycomany.net,cn=gssapi,cn=auth
> >
> >
> >
> >
> >SASL SLAPD Config:
> >[root@ldap-master001 /]#---> cat /usr/lib/sasl2/slapd.conf
> >
> >pwcheck_method: saslauthd
> >
> >saslauthd_path: /var/run/saslauthd/mux
> >
> >keytab: /etc/krb5.keytab
> >
> >
> >
> >testsaslauthd works well:
> >[root@ldap-master001 /]#---> testsaslauthd -u test -p MYPASSWORD -r MY_REALM -s ldap
> >
> >0: OK "Success."
> >
> >
> >
> >sasl debug log:
> >saslauthd[26077] :do_auth : auth success: [user=test] [service=ldap]
> >[realm=MY_REALM] [mech=kerberos5]
> >
> >saslauthd[26077] :do_request : response: OK
> >
> >
> >
> >
> >
> >But the ldapsearch simplebind command takes 7-10s...
> >
> >[test@ldap-master001 /]#--> ldapsearch -D
> >uid=test,ou=users,dc=my,dc=company -w MYPASSWORD
> >-s base -b ''
> >-x
> >ldap_bind: Invalid credentials (49)
> >
> >
> >
> >
> >And the sasl debug log shows:
> >
> >saslauthd[26076] :do_auth : auth failure: [user=test] [service=ldap]
> >[realm=MY_REALM] [mech=kerberos5] [reason=saslauthd internal error]
>
> For a more apples to apples comparison, try running testsaslauthd as the
> same user that your slapd process is running under. I can't see how this
> would be a permissions problem though.
Nop, same problem (or same success message ^^ ) with the slapd running user "openldap".
saslauthd works with sasl user "test" running with user openldap or root, and ldapsearch with user "test" doesn't.....
> Try running saslauthd in debug mode to see if you get any additional
> errors.
Nop, just a success message with testsaslauthd:
> >saslauthd[26077] :do_auth : auth success: [user=test] [service=ldap]
> >[realm=MY_REALM] [mech=kerberos5]
> >
> >saslauthd[26077] :do_request : response: OK
> >
and with ldap simple auth an error:
> >saslauthd[26076] :do_auth : auth failure: [user=test] [service=ldap]
> >[realm=MY_REALM] [mech=kerberos5] [reason=saslauthd internal error]
> Do you see anything useful in your kdc logs?
Yes, but I think everything is fine...
I became this message on the kdc syslog with ldapsearch (simple bind + sasl pass..)
Nov 15 11:48:03 kerberos001 krb5kdc[25110]: AS_REQ (4 etypes {18 17 16 23}) 192.168.20.54: ISSUE: authtime 1321354083, etypes {rep=18 tkt=18 ses=18}, test@REALM for krbtgt/REALM@REALM
Nov 15 11:48:20 kerberos001 krb5kdc[25110]: DISPATCH: repeated (retransmitted?) request from 192.168.20.54, resending previous response
And with testsaslauthd (success), there are no no syslog entries on the kdc master..