Hi,
In my home network, I have a MIT Kerberos installation backed by OpenLDAP. Because some of my apps do not work using GSSAPI, I would like to be able to log into them directly using LDAP.
So I tried to set up pass-through, but with no success. Here is what I did:
* compiled OpenLDAP with --enable-spasswd (actually, it's a Gentoo installation with use flag sasl),
* set up Cyrus SASL to use Kerberos,
* configured /usr/lib64/sasl2/slapd.conf to use saslauthd,
* configured OpenLDAP with SASL host and secprops,
* updated my user to have "userPassword:: e1NBU0x9c3RlcGhhbmVASE9NRS5MQU4=",
* restarted.
SASL seems to be working correctly:
testsaslauthd -u stephane -p mypassword
0: OK "Success."
But not LDAP:
ldapwhoami -x -D "uid=stephane,ou=user,dc=home,dc=lan" -Z -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
It seems to not even try to contact Cyrus SASL…
I searched for hours across the Internet but could not find any clue. So if someone here could help me, I would really appreciate it.
My LDAP config:
# config
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /run/openldap/slapd.args
olcLocalSSF: 256
olcLogLevel: stats
olcPidFile: /run/openldap/slapd.pid
olcSaslHost: localhost
olcSaslSecProps: none
cat /usr/lib64/sasl2/slapd.conf
pwcheck_method: saslauthd
mech_list: plain
saslauthd_path: /var/run/saslauthd/mux
Here is an extract of the log I could get while attempting to bind:
--On Saturday, July 9, 2022 8:01 PM +0200 Stéphane Veyret sveyret@gmail.com wrote:
Hi,
In my home network, I have a MIT Kerberos installation backed by OpenLDAP. Because some of my apps do not work using GSSAPI, I would like to be able to log into them directly using LDAP.
The way that SASL passthrough works is that you put the value {SASL} for the userPassword. This tells slapd to pass the user authentication to SASL to handle. You don't set an actual password value in the userPassword attribute.
So it should be:
userPassword: {SASL}
set via an ldapmodify operation (not an ldap v3 password modify operation).
Regards, Quanah
openldap-technical@openldap.org
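As an added example (not code from the thread or from OpenLDAP): a small Python audit that parses an LDIF export, decodes the base64 "userPassword::" form shown in the question, and reports which entries use {SASL} pass-through, a hashed scheme, or a cleartext value; it also builds the ldapmodify LDIF Quanah describes. The sample LDIF, its DNs and the hashed/cleartext values are constructed placeholders.

```python
import base64

# Constructed sample export: the first entry carries the exact base64 value
# from the question; the other two are placeholders for comparison.
SAMPLE_LDIF = """\
dn: uid=stephane,ou=user,dc=home,dc=lan
uid: stephane
userPassword:: e1NBU0x9c3RlcGhhbmVASE9NRS5MQU4=

dn: uid=alice,ou=user,dc=home,dc=lan
uid: alice
userPassword: {SASL}

dn: uid=svc,ou=service,dc=home,dc=lan
uid: svc
userPassword: {SSHA}placeholder-not-a-real-hash==

dn: uid=legacy,ou=service,dc=home,dc=lan
uid: legacy
userPassword: placeholder-cleartext-secret
"""

def parse_ldif(text):
    """Minimal LDIF parser: unfolds continuation lines, decodes '::' base64 values,
    returns a list of (dn, {attr: [values]}). Enough for exports and modify records."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded line continues the previous one
        else:
            lines.append(raw)
    entries, cur = [], None
    for line in lines:
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = None
            continue
        if line.startswith("#"):
            continue
        attr, _, val = line.partition(":")
        if val.startswith(":"):           # 'attr:: <base64>' form
            val = base64.b64decode(val[1:].strip()).decode()
        else:
            val = val.strip()
        if attr == "dn":
            cur = (val, {})
        elif cur is not None:
            cur[1].setdefault(attr, []).append(val)
    if cur:
        entries.append(cur)
    return entries

def classify_password(value):
    """Split a userPassword value into (SCHEME, payload); no {scheme} prefix means cleartext."""
    if value.startswith("{") and "}" in value:
        end = value.index("}")
        return value[1:end].upper(), value[end + 1:]
    return "CLEARTEXT", value

def audit(text):
    """Map each DN to ('passthrough', authcid) | ('hashed', scheme) | ('cleartext', '')."""
    report = {}
    for dn, attrs in parse_ldif(text):
        for pw in attrs.get("userPassword", []):
            scheme, payload = classify_password(pw)
            if scheme == "SASL":
                report[dn] = ("passthrough", payload)   # empty payload = bare {SASL}
            elif scheme == "CLEARTEXT":
                report[dn] = ("cleartext", "")          # stored secret: a risk finding
            else:
                report[dn] = ("hashed", scheme)
    return report

def passthrough_modify_ldif(dn, authcid=""):
    """ldapmodify record replacing userPassword with a {SASL} reference (the route
    Quanah recommends rather than the LDAPv3 Password Modify extended operation)."""
    return f"dn: {dn}\nchangetype: modify\nreplace: userPassword\nuserPassword: {{SASL}}{authcid}\n"
```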