I'm still having trouble with pass-through SASL on RHEL.
testsaslauthd produces this message: 0: NO "authentication failed"
With this in the system log: saslauthd logs reason=Unknown
When saslauthd is launched in verbose mode and followed by testsaslauthd, it prints:
connect() : No such file or directory
Tim
On Thu, Dec 24, 2015 at 1:46 PM, Timothy Keith timothy.g.keith@gmail.com wrote:
As per my ongoing LDAP SASL design question, can anyone recommend a good tutorial for pass-through authentication?
Tim
On Tue, Dec 22, 2015 at 2:47 PM, Timothy Keith timothy.g.keith@gmail.com wrote:
Uwe, your assistance could be very helpful. I followed OpenLDAP tutorials but could not determine why the SASL requests fail. I am a newcomer to LDAP.
Tim
On Mon, Dec 21, 2015 at 12:04 PM, Hering, Uwe uwe.hering@cgi.com wrote:
Hello Tim,
We have set up such a configuration, where one can authenticate against OpenLDAP, which redirects the request via saslauthd/Kerberos to an AD server. Within the AD, a service account with a corresponding keytab will be necessary.
If you are interested I can try to get the pieces of information together again.
Regards,
Uwe
-----Original Message----- From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On behalf of Timothy Keith Sent: Friday, 18 December 2015 01:33 To: openldap-technical@openldap.org Subject: pass-through authentication
We are attempting to set up an LDAP server which will answer queries from an application. The database will contain metadata on a set of users in the application. The application will also query the server to authenticate the user’s password, however, this server will not house the password. That resides on another server, which our server will query. We do not have administrative rights to the other server.
The difficulty we are having now is setting up the pass-through authentication for the passwords. Any pointers in how to proceed with this would be greatly appreciated.
Regards,
Tim
Sorry, I had started the saslauthd incorrectly which is why I got the socket error.
This is the tail of the latest saslauthd debug output:
ldap_sasl_interactive_bind: user selected: DIGEST-MD5
ldap_int_sasl_bind: DIGEST-MD5
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 182.19.136.42:389
ldap_new_socket: 10
ldap_prepare_socket: 10
ldap_connect_to_host: Trying 182.19.136.42:389
ldap_pvt_connect: fd: 10 tm: 10 async: 0
ldap_ndelay_on: 10
attempting to connect:
connect errno: 115
ldap_int_poll: fd: 10 tm: 10
ldap_is_sock_ready: 10
ldap_ndelay_off: 10
ldap_pvt_connect: 0
ldap_int_sasl_open: host=182.19.136.42
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ldap_msgfree
ldap_result ld 0x7f9f426f2990 msgid 1
wait4msg ld 0x7f9f426f2990 msgid 1 (timeout 10000000 usec)
wait4msg continue ld 0x7f9f426f2990 msgid 1 all 1
** ld 0x7f9f426f2990 Connections:
* host: 182.19.136.42  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Wed Dec 30 18:50:38 2015

** ld 0x7f9f426f2990 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x7f9f426f2990 request count 1 (abandoned 0)
** ld 0x7f9f426f2990 Response Queue:
   Empty
  ld 0x7f9f426f2990 response count 0
ldap_chkResponseList ld 0x7f9f426f2990 msgid 1 all 1
ldap_chkResponseList returns ld 0x7f9f426f2990 NULL
ldap_int_select
read1msg: ld 0x7f9f426f2990 msgid 1 all 1
read1msg: ld 0x7f9f426f2990 msgid 1 message type bind
read1msg: ld 0x7f9f426f2990 0 new referrals
read1msg:  mark request completed, ld 0x7f9f426f2990 msgid 1
request done: ld 0x7f9f426f2990 msgid 1
res_errno: 7, res_error: <SASL(-4): no mechanism available: >, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_int_sasl_bind: DIGEST-MD5
ldap_parse_sasl_bind_result
ldap_parse_result
ldap_msgfree
ldap_err2string
Tim
On 12/30/15 18:51 -0600, Timothy Keith wrote:
This is the tail of the latest saslauthd debug output:
ldap_sasl_interactive_bind: user selected: DIGEST-MD5
res_errno: 7, res_error: <SASL(-4): no mechanism available: >, res_matched: <> ldap_free_request (origid 1, msgid 1) ldap_int_sasl_bind: DIGEST-MD5 ldap_parse_sasl_bind_result ldap_parse_result ldap_msgfree ldap_err2string
Is DIGEST-MD5 available on your ldap server? Try:
ldapsearch -LLL -x -H ldap://1.2.3.4 -s "base" -b "" supportedSASLMechanisms
which should list the advertised SASL mechanisms.
Verify the digest-md5 mechanism is installed with saslpluginviewer/pluginviewer.
On 12/30/15 18:29 -0600, Timothy Keith wrote:
I'm still having troubles with pass-through SASL on RHEL
testsaslauthd produces this message : 0: NO "authentication failed"
Consult the Cyrus SASL documentation, which for saslauthd is under the saslauthd directory within the source, as well as the man page.
With this in the system log : saslauthd logs reason=Unknown
When saslauthd is launched in verbose mode and followed by testsaslauthd it prints :
connect() : No such file or directory
When running in debug mode, verify you're including the exact options with which saslauthd is normally running, with the -d option added. In this case the mux location compiled into testsaslauthd does not match where saslauthd's mux is listening, or the mux isn't listening at all.
On Thu, Dec 24, 2015 at 1:46 PM, Timothy Keith timothy.g.keith@gmail.com wrote:
As per my ongoing LDAP SASL design question, can anyone recommend a good tutorial for pass-through authentication ?
See section 14.5 of the Administrator's Guide, and read through the documentation at cyrussasl.org.
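Illustration added by the editor; this is not code from the thread, from OpenLDAP or from Cyrus SASL. The two checks recommended above (the root DSE query for supportedSASLMechanisms and pluginviewer -c on the client) answer one question: is the mechanism the client insists on both installed locally and advertised by the server? SASL(-4) is SASL_NOMECH, which is what the client library reports when that answer is no. The script below encodes that check. Its two inputs are constructed samples of what those commands print, chosen so that the server does not offer DIGEST-MD5; whether the server at 182.19.136.42 really behaves like the sample is an assumption. The pinned argument models a client fixed to one mechanism, which is what the ldap_mech setting in saslauthd.conf does for saslauthd's LDAP backend.

```python
"""Added example: reason about a SASL(-4) "no mechanism available" bind failure.

Cyrus SASL returns SASL_NOMECH (-4) on the client side when no usable mechanism
is found: either the mechanism the client was pinned to is not advertised by
the server (or has no client plugin installed), or nothing the server
advertises is installed on the client.  Both inputs below are constructed
samples, not captures from the thread.
"""
from __future__ import annotations

import base64
import re

# Constructed: plausible output of
#   ldapsearch -LLL -x -H ldap://<server> -s base -b "" supportedSASLMechanisms
# from a server that offers GSSAPI but not DIGEST-MD5.
ROOT_DSE_LDIF = """\
dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
"""

# Constructed: approximates the "List of client plugins" part of `pluginviewer -c`
# (saslpluginviewer on RHEL) on a host where the digestmd5 plugin is installed.
PLUGINVIEWER_CLIENT = """\
Installed and properly configured SASL (client side) mechanisms are:
  GSSAPI DIGEST-MD5 PLAIN
List of client plugins follows
Plugin "gssapiv2" [loaded],     API version: 4
        SASL mechanism: GSSAPI, best SSF: 56, supports setpass: no
Plugin "digestmd5" [loaded],    API version: 4
        SASL mechanism: DIGEST-MD5, best SSF: 128, supports setpass: no
Plugin "plain" [loaded],        API version: 4
        SASL mechanism: PLAIN, best SSF: 0, supports setpass: no
"""


def server_mechanisms(ldif: str) -> set[str]:
    """Collect supportedSASLMechanisms values from LDIF (plain 'attr:' or base64 'attr::')."""
    mechs = set()
    for line in ldif.splitlines():
        attr, sep, value = line.partition(":")
        if not sep or attr.strip().lower() != "supportedsaslmechanisms":
            continue
        value = value.strip()
        if value.startswith(":"):  # LDIF base64 form: attr:: <b64>
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        mechs.add(value.upper())
    return mechs


def client_mechanisms(viewer_output: str) -> set[str]:
    """Mechanism names from the per-plugin 'SASL mechanism:' lines of pluginviewer -c."""
    return {
        m.group(1).upper()
        for m in re.finditer(r"SASL mechanism:\s*([A-Za-z0-9_-]+)", viewer_output)
    }


def diagnose(server: set[str], client: set[str], pinned: str | None = None) -> dict:
    """Explain whether a SASL bind can proceed.

    `pinned` models a client forced onto one mechanism (e.g. saslauthd.conf
    `ldap_mech: DIGEST-MD5`); None means the library may pick any common one.
    """
    usable = server & client
    verdict = {"usable": sorted(usable), "fails": False, "reason": ""}
    if pinned is not None:
        pinned = pinned.upper()
        if pinned not in client:
            verdict.update(fails=True, reason=f"no client plugin for {pinned}")
        elif pinned not in server:
            verdict.update(fails=True, reason=f"server does not advertise {pinned}")
    elif not usable:
        verdict.update(fails=True, reason="no mechanism common to server and client")
    return verdict


if __name__ == "__main__":
    srv = server_mechanisms(ROOT_DSE_LDIF)
    cli = client_mechanisms(PLUGINVIEWER_CLIENT)
    print("server advertises:", sorted(srv))
    print("client has plugins for:", sorted(cli))
    print("pinned to DIGEST-MD5:", diagnose(srv, cli, pinned="DIGEST-MD5"))
    print("unpinned:", diagnose(srv, cli))
```

Run it against real output by pasting the two command results into the sample strings. With the constructed inputs the pinned case fails with "server does not advertise DIGEST-MD5", while the unpinned case finds GSSAPI usable, which is the situation Uwe described (saslauthd going to AD via Kerberos).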