Hi, I've been running OpenLDAP with GSSAPI authentication for quite a while now and everything has been running quite fine. The last days I tried enabling SASL password auth as described in [1]. Now password authentication works fine, but it seems that GSS somehow has been disabled:

root@ldap1 ~ # ldapsearch -x -H ldap:// -b '' -s base -LLL supportedSASLMechanisms
dn:
While without SASL enabled I get:
root@ldap1 ~ # ldapsearch -x -H ldap:// -b '' -s base -LLL supportedSASLMechanisms
dn:
supportedSASLMechanisms: GSSAPI
Is it possible to enable both, GSS and SASL pass-through auth? I checked the documentation and couldn't find a clue if it is or not.
OpenLDAP version is 2.4.11 on Debian Lenny, Kerberos is MIT version 1.6 also on Lenny. Slapd config can be found here [2]
tia, Jörg Herzinger
[1] http://www.openldap.org/doc/admin24/security.html#Pass-Through authentication
[2] https://github.com/joerg/global2000-puppet/blob/master/modules/ldapserver/te...
On 22/12/2010, at 20:30, Jörg Herzinger wrote:
> Hi, I've been running OpenLDAP with GSSAPI authentication for quite a while now and everything has been running quite fine. The last days I tried enabling SASL password auth as described in [1]. Now password authentication works fine, but it seems that GSS somehow has been disabled:
>
> root@ldap1 ~ # ldapsearch -x -H ldap:// -b '' -s base -LLL supportedSASLMechanisms
> dn:
>
> While without SASL enabled I get:
>
> root@ldap1 ~ # ldapsearch -x -H ldap:// -b '' -s base -LLL supportedSASLMechanisms
> dn:
> supportedSASLMechanisms: GSSAPI
>
> Is it possible to enable both, GSS and SASL pass-through auth? I checked the documentation and couldn't find a clue if it is or not.
It is. I do it. Just follow both setups and they don't interfere with each other.
To clarify this means SASL passthrough (aka userPassword: {SASL}user@realm ) and GSSAPI you want, correct?
> OpenLDAP version is 2.4.11 on Debian Lenny, Kerberos is MIT version 1.6 also on Lenny. Slapd config can be found here [2]
>
> tia, Jörg Herzinger
>
> [1] http://www.openldap.org/doc/admin24/security.html#Pass-Through authentication
> [2] https://github.com/joerg/global2000-puppet/blob/master/modules/ldapserver/te...
William Brown
pgp.mit.edu
Hi,
On 2010-12-22 13:04, Indexer wrote:
> To clarify this means SASL passthrough (aka userPassword: {SASL}user@realm ) and GSSAPI you want, correct?
Yes, thanks, I figured it out. I didn't get that using SASL means that all authentication is forwarded to SASL and thus you have to configure it to use plain and gssapi auth. Before I used LDAP which seemed to be using the GSS libraries directly and I didn't have to use saslauthd at all. And to document it, my /usr/lib/sasl2/slapd.conf now looks like this:

mech_list: plain gssapi
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
On 22/12/10 15:43 +0100, Jörg Herzinger wrote:
> Hi,
> On 2010-12-22 13:04, Indexer wrote:
>> To clarify this means SASL passthrough (aka userPassword: {SASL}user@realm ) and GSSAPI you want, correct?
> Yes, thanks, I figured it out. I didn't get that using SASL means that all authentication is forwarded to SASL and thus you have to configure it to use plain and gssapi auth. Before I used LDAP which seemed to be using the GSS libraries directly and I didn't have to use saslauthd at all. And to document it, my /usr/lib/sasl2/slapd.conf now looks like this:
>
> mech_list: plain gssapi
> pwcheck_method: saslauthd
> saslauthd_path: /var/run/saslauthd/mux
In the absence of this file, libsasl will offer all mechanisms that it can find and initialize, and that match your 'sasl-secprops noanonymous,noplain,noactive' configuration in /etc/ldap/slapd.conf. saslauthd is not necessary for direct GSSAPI authentication, which is why you didn't need this file in that case.
In fact, 'plain' is probably not necessary, and this config for /usr/lib/sasl2/slapd.conf should suffice:
pwcheck_method: saslauthd
On 22/12/10 11:00 +0100, Jörg Herzinger wrote:
> Hi, I've been running OpenLDAP with GSSAPI authentication for quite a while now and everything has been running quite fine. The last days I tried enabling SASL password auth as described in [1]. Now password authentication works fine, but it seems that GSS somehow has been disabled:
>
> root@ldap1 ~ # ldapsearch -x -H ldap:// -b '' -s base -LLL supportedSASLMechanisms
> dn:
>
> While without SASL enabled I get:
>
> root@ldap1 ~ # ldapsearch -x -H ldap:// -b '' -s base -LLL supportedSASLMechanisms
> dn:
> supportedSASLMechanisms: GSSAPI
>
> Is it possible to enable both, GSS and SASL pass-through auth? I checked the documentation and couldn't find a clue if it is or not.
> OpenLDAP version is 2.4.11 on Debian Lenny, Kerberos is MIT version 1.6 also on Lenny. Slapd config can be found here [2]
If you've strictly followed the pass-through section of the admin guide, you may have run into a problem with this example sasl configuration:

mech_list: plain
pwcheck_method: saslauthd
saslauthd_path: /var/run/sasl2/mux
If that's what you've used, you should either comment out the mech_list line or add 'gssapi' to it.
If that's not the case, can you post your sasl slapd.conf? Are there any other changes involved in your configuration, other than modifying the userPassword attribute in your user entries?
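A small lint for the Cyrus SASL application config discussed in this thread, added here as an example and not code from any of the posters. It parses the key: value format of /usr/lib/sasl2/slapd.conf, flags a mech_list that drops gssapi, an unnecessary plain, and a saslauthd_path that does not match the socket the daemon listens on; the embedded sample config and the expected socket path /var/run/saslauthd/mux are assumptions.

```python
"""Lint a Cyrus SASL application config such as /usr/lib/sasl2/slapd.conf."""

# Constructed sample in the admin-guide style that drops GSSAPI (assumption).
SAMPLE_CONF = """\
# slapd SASL config (constructed sample)
mech_list: plain
pwcheck_method: saslauthd
saslauthd_path: /var/run/sasl2/mux
"""


def parse_sasl_conf(text):
    """Parse 'key: value' lines; blank lines and '#' comments are ignored.
    Keys are lower-cased; mech_list becomes a lower-cased list of mechanisms."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue  # not a key: value line, skip it
        key, value = key.strip().lower(), value.strip()
        conf[key] = value.lower().split() if key == "mech_list" else value
    return conf


def lint_sasl_conf(conf, required=("gssapi",), expected_mux="/var/run/saslauthd/mux"):
    """Return a list of findings. No mech_list at all is fine: libsasl then
    offers every mechanism it can initialise, filtered by slapd's sasl-secprops.
    expected_mux is the socket saslauthd is assumed to listen on."""
    findings = []
    mechs = conf.get("mech_list")
    if mechs is not None:
        for mech in required:
            if mech not in mechs:
                findings.append(f"mech_list is set but omits '{mech}': "
                                f"slapd will no longer advertise it")
        if "plain" in mechs:
            findings.append("'plain' listed: not needed for {SASL} pass-through, "
                            "and sasl-secprops noplain filters it anyway")
    if conf.get("pwcheck_method") == "saslauthd":
        path = conf.get("saslauthd_path")
        if path and path != expected_mux:
            findings.append(f"saslauthd_path {path} differs from the daemon's socket "
                            f"{expected_mux}: pass-through binds will fail")
    return findings


if __name__ == "__main__":
    for finding in lint_sasl_conf(parse_sasl_conf(SAMPLE_CONF)):
        print("WARNING:", finding)
```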
openldap-technical@openldap.org