On 12/30/15 08:40 +0000, Küchler, Simon wrote:
Our password authentication should use SASL but we don't see any requests in our logs or by tcpdump.
The password authentication should work as follows:
- userPassword-Attribute: {SASL}User@Domain
- saslauthd -> use PAM
- PAM -> use kerberos
- kerberos -> send request to Active-Directory Server
Configuration files:
lshxx0693:~ # cat /etc/sasl2/slapd.conf
mech_list: plain login
pwcheck_method: saslauthd

lshxx0693:~ # cat /etc/sysconfig/saslauthd
SASLAUTHD_AUTHMECH=pam
SASLAUTHD_THREADS=5
SASLAUTHD_PARAMS="-r"

lshxx0693:~ # cat /etc/pam.d/ldap
auth required pam_krb5.so no_user_check
account required pam_permit.so

lshxx0693:~ # cat /etc/krb5.conf
[libdefaults]
    default_realm = INT.IT.DPP
    dns_lookup_kdc = true
[realms]
    INT.IT.DPP = {
        kdc = 10.150.10.10
        kdc = 10.150.10.10
    }
[logging]
    default = SYSLOG:NOTICE:DAEMON

Is testsaslauthd successful? If not, address that first (on the cyrus sasl mailing list).
If you're still having issues, run saslauthd in debug mode, and verify your slapd process is communicating with the saslauthd mux. Verify it is writable by the slapd process.
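
The mux check suggested in the reply can be run directly with the added example below. It is not part of the original thread and is not Cyrus SASL or OpenLDAP code. It checks that the mux socket is writable and then sends the same length-prefixed request that testsaslauthd sends. The mux path is an argument you supply, and the default service name "ldap" is an assumption chosen to match the /etc/pam.d/ldap file quoted above.

```python
import os
import socket
import stat
import struct

def build_request(user, password, service, realm=""):
    """Frame login, password, service, realm: 2-byte big-endian length + bytes."""
    out = b""
    for field in (user, password, service, realm):
        data = field.encode()
        out += struct.pack("!H", len(data)) + data
    return out

def read_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("saslauthd closed the connection early")
        buf += chunk
    return buf

def parse_reply(sock):
    """The reply is one length-prefixed string that starts with OK or NO."""
    (length,) = struct.unpack("!H", read_exact(sock, 2))
    reply = read_exact(sock, length).decode(errors="replace")
    return reply.startswith("OK"), reply

def check_mux(path):
    """Return None if path is a socket this uid may write to, else the reason."""
    try:
        st = os.stat(path)
    except OSError as exc:
        return f"cannot stat {path}: {exc.strerror}"
    if not stat.S_ISSOCK(st.st_mode):
        return f"{path} is not a socket"
    if not os.access(path, os.W_OK):
        return f"{path} is not writable by uid {os.getuid()}"
    return None

def authenticate(mux_path, user, password, service="ldap", realm=""):
    # service="ldap" is an assumption; it selects the PAM file saslauthd uses.
    problem = check_mux(mux_path)
    if problem:
        raise PermissionError(problem)
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(mux_path)
        s.sendall(build_request(user, password, service, realm))
        return parse_reply(s)
```

Run it as the account slapd runs under, so that the permission check reflects what slapd itself sees. A request that reaches saslauthd this way should also appear in its debug output.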