Hi all,

i setup an  openldap server which is used as MIT-Kerebros backend.

User-Principals have - besides the kerberos attributes - appropriate objectclasses (e.g. simplesecurityObject, organizationalRole) to make also a  simple authentication with the attribut userpassword possible.

To consolidate both credentials i made a setup of SASL-Pasthrough with backend Kerberos. So i set  the value of the userpassword attribut to.

{SASL}<user>@<realm> and made the required configurations for the saslauthd.

With this configuration all kind of authentications will use  the kerberos-password.

I made various tests but there seems to be an issue with preauthentication in openldap.

I got the follwoing result:

 =>testsaslauthd is always working if the preauth flag is on or off

=>ldapsearch -x is only working with preauth-flag disabled.

=> It makes no difference if MIT Kerberos use its normal backend

Keep in mind: For clear  testing condtions  saslauthd-caching has to be disabled !

Don't use the -c Option in saslauthd - otherwise it could happen that your ldapsearch -x  is working because you had success with a former testsaslauthd-command !

Has someone a similar setup which is working with enabled preauth ?

Or does someone know if this is supported or not ?

I use LDAP 2.4.44 with cyrus-sasl-2.1.23.

Thanks in advance.

Kind regards


Ulrich Tehrani
Am Ulrichshof 19
79189 Bad Krozingen