I'm having a difficult time setting up pass-through authentication. I've set it up before but can't seem to get it to work this time. I've done the following:
- Created the slapd.conf for SASL.
- Started and ensured saslauthd is running.
- Added the openldap user to the sasl group.
- Verified with testsaslauthd that SASL is working.
- Restarted slapd and the server just to make sure all settings/permissions are updated properly.
However I always get a permission denied error message when slapd tries to contact saslauthd:
Feb 5 12:13:56 bllldap01 slapd[477]: SASL [conn=2866] Failure: cannot connect to saslauthd server: Permission denied
I've even temporarily enabled the shell on the openldap user and tested testsaslauthd, which returned a successful result. I feel like I'm missing something obvious and maybe a fresh set of eyes can point that out. Below are all the relevant details of my system:
########################
# SASL & LDAP SETTINGS #
########################

jschaeffer@bllldap01:~$ ls -l /etc/ldap/sasl2/slapd.conf
-rw-r--r-- 1 root root 65 Feb 5 12:45 /etc/ldap/sasl2/slapd.conf

jschaeffer@bllldap01:~$ cat /etc/ldap/sasl2/slapd.conf
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux

jschaeffer@bllldap01:~$ groups openldap
openldap : openldap sasl ssl-cert

jschaeffer@bllldap01:~$ ls -ld /var/run/saslauthd/
drwx--x--- 2 root sasl 140 Feb 5 12:16 /var/run/saslauthd/

jschaeffer@bllldap01:~$ sudo ls -l /var/run/saslauthd/
total 968
-rw------- 1 root root      0 Feb 5 12:16 cache.flock
-rw------- 1 root root 986112 Feb 5 12:16 cache.mmap
srwxrwxrwx 1 root root      0 Feb 5 12:16 mux
-rw------- 1 root root      0 Feb 5 12:16 mux.accept
-rw------- 1 root root      4 Feb 5 12:16 saslauthd.pid

jschaeffer@bllldap01:~$ cat /etc/default/saslauthd | grep -E -v '(#|^$)'
START=yes
DESC="SASL Authentication Daemon"
NAME="saslauthd"
MECHANISMS="kerberos5"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-c -m /var/run/saslauthd"
export KRB5_KTNAME=/etc/krb5.keytab

jschaeffer@bllldap01:~$ ps aux | grep [s]asl
root 472 0.0 0.0 100980 2956 ? Ss 12:16 0:00 /usr/sbin/saslauthd -a kerberos5 -c -m /var/run/saslauthd -n 5
root 473 0.0 0.0 109392 6516 ? S  12:16 0:00 /usr/sbin/saslauthd -a kerberos5 -c -m /var/run/saslauthd -n 5
root 474 0.0 0.0 100980 1056 ? S  12:16 0:00 /usr/sbin/saslauthd -a kerberos5 -c -m /var/run/saslauthd -n 5
root 475 0.0 0.0 100980 1056 ? S  12:16 0:00 /usr/sbin/saslauthd -a kerberos5 -c -m /var/run/saslauthd -n 5
root 476 0.0 0.0 100980 1056 ? S  12:16 0:00 /usr/sbin/saslauthd -a kerberos5 -c -m /var/run/saslauthd -n 5

jschaeffer@bllldap01:~$ ps aux | grep [s]lapd
openldap 1236 0.0 4.7 2344672 737116 ? Ssl 13:19 0:00 /usr/sbin/slapd -h ldap:/// ldaps:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d

jschaeffer@bllldap01:~$ sudo testsaslauthd -u jschaeffer@HARMONYWAVE.CLOUD -p ************
0: OK "Success."

jschaeffer@bllldap01:~$ cat /etc/passwd | grep 'openldap'
openldap:x:111:115:OpenLDAP Server Account,,,:/var/lib/ldap:/bin/bash
jschaeffer@bllldap01:~$ sudo su - openldap
openldap@bllldap01:~$ testsaslauthd -u jschaeffer@HARMONYWAVE.CLOUD -p ************
0: OK "Success."
################
# DEBUG OUTPUT #
################

Feb 5 12:13:53 bllldap01 slapd[477]: conn=2866 fd=40 ACCEPT from IP=[fd83:172:16:44::1000]:44920 (IP=[::]:389)
Feb 5 12:13:53 bllldap01 slapd[477]: conn=2866 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Feb 5 12:13:53 bllldap01 slapd[477]: conn=2866 op=0 STARTTLS
Feb 5 12:13:53 bllldap01 slapd[477]: conn=2866 op=0 RESULT oid= err=0 text=
Feb 5 12:13:53 bllldap01 slapd[477]: conn=2866 fd=40 TLS established tls_ssf=256 ssf=256
Feb 5 12:13:55 bllldap01 slapd[477]: conn=2846 op=69 SRCH base="ou=People,dc=harmonywave,dc=cloud" scope=2 deref=0 filter="(&(uid=radiomail)(objectClass$
Feb 5 12:13:55 bllldap01 slapd[477]: conn=2846 op=69 SRCH attr=objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrinci$
Feb 5 12:13:55 bllldap01 slapd[477]: conn=2846 op=69 SEARCH RESULT tag=101 err=0 nentries=0 text=
Feb 5 12:13:55 bllldap01 slapd[477]: conn=2787 op=637 SRCH base="cn=HARMONYWAVE.CLOUD,cn=krbContainer,dc=harmonywave,dc=cloud" scope=2 deref=0 filter="($
Feb 5 12:13:55 bllldap01 slapd[477]: conn=2787 op=637 SRCH attr=krbprincipalname krbcanonicalname objectclass krbprincipalkey krbmaxrenewableage krbmaxt$
Feb 5 12:13:55 bllldap01 slapd[477]: conn=2787 op=637 SEARCH RESULT tag=101 err=0 nentries=0 text=
Feb 5 12:13:55 bllldap01 slapd[477]: conn=2846 op=70 SRCH base="ou=People,dc=harmonywave,dc=cloud" scope=2 deref=0 filter="(&(uid=radiomail)(objectClass$
Feb 5 12:13:55 bllldap01 slapd[477]: conn=2846 op=70 SRCH attr=objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrinci$
Feb 5 12:13:55 bllldap01 slapd[477]: conn=2846 op=70 SEARCH RESULT tag=101 err=0 nentries=0 text=
Feb 5 12:13:56 bllldap01 slapd[477]: conn=2866 op=1 BIND dn="uid=jschaeffer,ou=End Users,ou=People,dc=harmonywave,dc=cloud" method=128
Feb 5 12:13:56 bllldap01 slapd[477]: SASL [conn=2866] Failure: cannot connect to saslauthd server: Permission denied
Feb 5 12:13:56 bllldap01 slapd[477]: conn=2866 op=1 RESULT tag=97 err=49 text=
Feb 5 12:13:56 bllldap01 slapd[477]: conn=2866 op=2 UNBIND
Feb 5 12:13:56 bllldap01 slapd[477]: conn=2866 fd=40 closed
jschaeffer@bllldap01:~$ sudo strace -f -p 1236
...
[{EPOLLIN, {u32=1975476364, u64=140507535597708}}], 1048576, 1409000) = 1
[pid 1237] epoll_ctl(7, EPOLL_CTL_MOD, 31, {0, {u32=1975476364, u64=140507535597708}}) = 0
[pid 1237] futex(0x5567c5bf4978, FUTEX_WAKE_PRIVATE, 1) = 1
[pid 1237] epoll_wait(7, <unfinished ...>
[pid 1265] <... futex resumed> ) = 0
[pid 1265] futex(0x5567c5bf4928, FUTEX_WAKE_PRIVATE, 1) = 0
[pid 1265] read(31, "\27\3\3\0m", 5) = 5
[pid 1265] read(31, "\0\0\0\0\0\0\0\1*\215C]\226R#c(\250!j\255\254r\226'|\226y\0365\334\231"..., 109) = 109
[pid 1265] read(31, 0x7fc9f015e053, 5) = -1 EAGAIN (Resource temporarily unavailable)
[pid 1265] epoll_ctl(7, EPOLL_CTL_MOD, 31, {EPOLLIN, {u32=1975476364, u64=140507535597708}}) = 0
[pid 1265] write(6, "0", 1) = 1
[pid 1237] <... epoll_wait resumed> [{EPOLLIN, {u32=1975476260, u64=140507535597604}}], 1048576, 1402000) = 1
[pid 1265] getpid( <unfinished ...>
[pid 1237] read(5, <unfinished ...>
[pid 1265] <... getpid resumed> ) = 1236
[pid 1237] <... read resumed> "0", 8192) = 1
[pid 1265] sendto(4, "<167>Feb 5 13:26:30 slapd[1236]"..., 132, MSG_NOSIGNAL, NULL, 0 <unfinished ...>
[pid 1237] epoll_wait(7, <unfinished ...>
[pid 1265] <... sendto resumed> ) = 132
[pid 1265] socket(AF_UNIX, SOCK_STREAM, 0) = 32
[pid 1265] connect(32, {sa_family=AF_UNIX, sun_path="/var/run/saslauthd/mux"}, 110) = -1 EACCES (Permission denied)
[pid 1265] close(32) = 0
[pid 1265] getpid() = 1236
[pid 1265] sendto(4, "<167>Feb 5 13:26:30 slapd[1236]"..., 114, MSG_NOSIGNAL, NULL, 0) = 114
[pid 1265] write(31, "\27\3\3\0&\0\0\0\0\0\0\0\1\270\22\25\347\316\323\6\3721\375\200{\300\350\337E\371\221\206"..., 43) = 43
[pid 1265] getpid() = 1236
[pid 1265] sendto(4, "<167>Feb 5 13:26:30 slapd[1236]"..., 76, MSG_NOSIGNAL, NULL, 0) = 76
[pid 1265] futex(0x5567c5bf497c, FUTEX_WAIT_PRIVATE, 0, NULL <unfinished ...>
[pid 1237] <... epoll_wait resumed> [{EPOLLIN, {u32=1975476364, u64=140507535597708}}], 1048576, 1402000) = 1
[pid 1237] epoll_ctl(7, EPOLL_CTL_MOD, 31, {0, {u32=1975476364, u64=140507535597708}}) = 0
[pid 1237] futex(0x5567c5bf4978, FUTEX_WAKE_PRIVATE, 1) = 1
[pid 1237] epoll_wait(7, <unfinished ...>
[pid 1238] <... futex resumed> ) = 0
[pid 1238] futex(0x5567c5bf4928, FUTEX_WAKE_PRIVATE, 1) = 0
[pid 1238] read(31, "\27\3\3\0\37", 5) = 5
[pid 1238] read(31, "\0\0\0\0\0\0\0\2L6Z\337[:\364z\331\361\277\350\31\33\354\316\20IP\375EI\0", 31) = 31
[pid 1238] read(31, "\25\3\3\0\32", 5) = 5
[pid 1238] read(31, "\0\0\0\0\0\0\0\3z\277}k\22\1775dS)BR\377\344\277\271\323\221", 26) = 26
[pid 1238] write(6, "0", 1) = 1
[pid 1237] <... epoll_wait resumed> [{EPOLLIN, {u32=1975476260, u64=140507535597604}}], 1048576, 1402000) = 1
[pid 1238] getpid( <unfinished ...>
[pid 1237] read(5, <unfinished ...>
[pid 1238] <... getpid resumed> ) = 1236
[pid 1237] <... read resumed> "0", 8192) = 1
[pid 1238] sendto(4, "<167>Feb 5 13:26:30 slapd[1236]"..., 56, MSG_NOSIGNAL, NULL, 0 <unfinished ...>
[pid 1237] epoll_wait(7, <unfinished ...>
[pid 1238] <... sendto resumed> ) = 56
[pid 1238] epoll_ctl(7, EPOLL_CTL_DEL, 31, 0x7fca743f60f4) = 0
[pid 1238] write(31, "\25\3\3\0\32\0\0\0\0\0\0\0\2\2431\246\345i\2013\31\0\f\t2\367: \270)\202", 31) = 31
[pid 1238] shutdown(31, SHUT_RDWR) = 0
[pid 1238] close(31) = 0
[pid 1238] getpid() = 1236
[pid 1238] sendto(4, "<167>Feb 5 13:26:30 slapd[1236]"..., 57, MSG_NOSIGNAL, NULL, 0) = 57
[pid 1238] futex(0x5567c5bf497c, FUTEX_WAIT_PRIVATE, 0, NULL^Cstrace: Process 1236 detached
5e3b2a11 connection_get(19): got connid=1003
5e3b2a11 connection_read(19): checking for input on id=1003
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
5e3b2a11 op tag 0x77, time 1580935697
ber_get_next
5e3b2a11 conn=1003 op=0 do_extended
ber_scanf fmt ({m) ber:
5e3b2a11 send_ldap_extended: err=0 oid= len=0
5e3b2a11 send_ldap_response: msgid=1 tag=120 err=0
ber_flush2: 14 bytes to sd 19
5e3b2a11 connection_get(19): got connid=1003
5e3b2a11 connection_read(19): checking for input on id=1003
5e3b2a11 connection_read(19): unable to get TLS client DN, error=49 id=1003
5e3b2a19 connection_get(19): got connid=1003
5e3b2a19 connection_read(19): checking for input on id=1003
ber_get_next
ber_get_next: tag 0x30 len 83 contents:
5e3b2a19 op tag 0x60, time 1580935705
ber_get_next
5e3b2a19 conn=1003 op=1 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
5e3b2a19 >>> dnPrettyNormal: <uid=jschaeffer,ou=End Users,ou=People,dc=harmonywave,dc=cloud>
5e3b2a19 <<< dnPrettyNormal: <uid=jschaeffer,ou=End Users,ou=People,dc=harmonywave,dc=cloud>, <uid=jschaeffer,ou=end users,ou=people,dc=harmonywave,dc=cloud>
5e3b2a19 do_bind: version=3 dn="uid=jschaeffer,ou=End Users,ou=People,dc=harmonywave,dc=cloud" method=128
5e3b2a19 mdb_dn2entry("uid=jschaeffer,ou=end users,ou=people,dc=harmonywave,dc=cloud")
5e3b2a19 => mdb_dn2id("uid=jschaeffer,ou=end users,ou=people,dc=harmonywave,dc=cloud")
5e3b2a19 <= mdb_dn2id: got id=0x26
5e3b2a19 => mdb_entry_decode:
5e3b2a19 <= mdb_entry_decode
5e3b2a19 SASL [conn=1003] Failure: cannot connect to saslauthd server: Permission denied
5e3b2a19 send_ldap_result: conn=1003 op=1 p=3
5e3b2a19 send_ldap_response: msgid=2 tag=97 err=49
ber_flush2: 14 bytes to sd 19
5e3b2a19 connection_get(19): got connid=1003
5e3b2a19 connection_read(19): checking for input on id=1003
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
5e3b2a19 op tag 0x42, time 1580935705
ber_get_next
5e3b2a19 ber_get_next on fd 19 failed errno=0 (Success)
5e3b2a19 conn=1003 op=2 do_unbind
5e3b2a19 connection_close: conn=1003 sd=19
###########
# OS INFO #
###########

jschaeffer@bllldap01:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 18.04.3 LTS
Release:        18.04
Codename:       bionic
Hi Josh, thanks for including plenty of details in your post.
Have you checked (via e.g. dmesg) whether it's AppArmor getting in your way? The apparmor profile for slapd might need saslauthd socket added. Please file a bug in Launchpad if that turns out to be the case.
On 2/7/20 14:18, Ryan Tandy wrote:
> Have you checked (via e.g. dmesg) whether it's AppArmor getting in your way? The apparmor profile for slapd might need saslauthd socket added.
Thanks for pointing this out, I had a feeling I was just missing something simple and it does look like it is AppArmor related:
[3286126.294693] audit: type=1400 audit(1581111901.079:31863): apparmor="DENIED" operation="connect" namespace="root//lxd-bllldap01_<var-lib-lxd>" profile="/usr/sbin/slapd" name="/run/saslauthd/mux" pid=37876 comm="slapd" requested_mask="wr" denied_mask="wr" fsuid=100111 ouid=100000
Note that I have deployed slapd inside an LXD container so I'm not sure if this affects if/how AppArmor needs to be modified. I'm currently playing around with my container settings to try and give slapd the proper permissions.
> Please file a bug in Launchpad if that turns out to be the case.
I went to https://launchpad.net/openldap but the "Report a bug" link is grayed out. I've not submitted anything before so any guidance would be appreciated.
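Added here as an illustration of reading that dmesg line, not code from the thread or from OpenLDAP: the script parses an AppArmor DENIED audit record, reports whether the profile lives on the host or inside a container policy namespace (LXD names these root//lxd-<name>_<path>, so the profile to change is the one inside the container), and derives the file rule the denial implies. The sample line is constructed from the one above; where the rule belongs (on Ubuntu, the local override /etc/apparmor.d/local/usr.sbin.slapd) is my assumption, not something the thread states.

```python
import re
from typing import Dict, Optional

# Constructed sample, modelled on the AppArmor denial Joshua found in dmesg.
SAMPLE_DENIAL = (
    'audit: type=1400 audit(1581111901.079:31863): apparmor="DENIED" '
    'operation="connect" namespace="root//lxd-bllldap01_<var-lib-lxd>" '
    'profile="/usr/sbin/slapd" name="/run/saslauthd/mux" pid=37876 '
    'comm="slapd" requested_mask="wr" denied_mask="wr" fsuid=100111 ouid=100000'
)

# key="quoted value" or key=bareword, as the audit subsystem prints them
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_apparmor_denial(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of an AppArmor DENIED audit line, or None for any other line."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _FIELD.finditer(line)}


def policy_scope(fields: Dict[str, str]) -> str:
    """'container' when the profile was loaded in a child policy namespace, else 'host'."""
    return "container" if fields.get("namespace", "root") != "root" else "host"


def suggest_file_rule(fields: Dict[str, str]) -> Optional[str]:
    """Build the profile rule that would permit the denied access.

    AppArmor mediates connect() to a filesystem-bound UNIX socket as a file
    access, so the fix is a path rule carrying the denied permission letters.
    """
    if "name" not in fields or not fields.get("denied_mask"):
        return None
    perms = "".join(c for c in "rwk" if c in fields["denied_mask"])  # canonical order
    return f"{fields['name']} {perms},"


def diagnose(line: str) -> Optional[Dict[str, str]]:
    """Summarise one dmesg/auditd line: which profile, where it lives, what rule to add."""
    fields = parse_apparmor_denial(line)
    if fields is None:
        return None
    return {
        "profile": fields.get("profile", "?"),
        "scope": policy_scope(fields),
        "rule": suggest_file_rule(fields) or "(no file rule derivable)",
    }
```

Run it over `dmesg` or `journalctl -k` output line by line; a slapd "Permission denied" with DAC permissions that check out, as in the first post, is exactly the case where this catches the MAC layer.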
On Fri, Feb 07, 2020 at 04:31:01PM -0700, Joshua Schaeffer wrote:
> I went to https://launchpad.net/openldap but the "Report a bug" link is grayed out. I've not submitted anything before so any guidance would be appreciated.
Run "ubuntu-bug slapd" on the system where you're having the problem. Or, go to https://launchpad.net/ubuntu/+source/openldap and use the Report a Bug link there.
(This is the page for the package; your link was the page for the upstream project, which does not use Launchpad for bug tracking.)
--On Thursday, February 6, 2020 4:58 PM -0700 Joshua Schaeffer jschaeffer@harmonywave.com wrote:
> Feb 5 12:13:56 bllldap01 slapd[477]: SASL [conn=2866] Failure: cannot connect to saslauthd server: Permission denied
slapd is being denied access, as reported:
> [pid 1265] connect(32, {sa_family=AF_UNIX, sun_path="/var/run/saslauthd/mux"}, 110) = -1 EACCES (Permission denied)
Could be SELinux or file permissions, etc. This is what you need to resolve.
Regards,
Quanah

--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com