Hi,
I'm so confused with the sasl passthrough implementation.
I set for the user test in my ldap tree the password {SASL}test@MY_REALM
Keytab:
[test@ldap-master001 /]#--> ls /etc/krb5.keytab -l
-rw-r----- 1 root openldap 1078 2011-11-11 11:56 /etc/krb5.keytab
SASL GSSAPI Auth: works well
[test@ldap-master001 /]#--> ldapwhoami
SASL/GSSAPI authentication started
SASL username: test@MY_REALM
SASL SSF: 56
SASL data security layer installed.
dn:uid=test,cn=mycomany.net,cn=gssapi,cn=auth
SASL SLAPD Config:
[root@ldap-master001 /]#---> cat /usr/lib/sasl2/slapd.conf
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
keytab: /etc/krb5.keytab
testsaslauthd works well:
[root@ldap-master001 /]#---> testsaslauthd -u test -p MYPASSWORD -r MY_REALM -s
ldap
0: OK "Success."
sasl debug log:
saslauthd[26077] :do_auth : auth success: [user=test] [service=ldap]
[realm=MY_REALM] [mech=kerberos5]
saslauthd[26077] :do_request : response: OK
But the ldapsearch simplebind command takes 7-10s...
[test@ldap-master001 /]#--> ldapsearch -D
uid=test,ou=users,dc=my,dc=company -w MYPASSWORD
-s base -b ''
-x
ldap_bind: Invalid credentials (49)
And the sasl debug log shows:
saslauthd[26076] :do_auth : auth failure: [user=test] [service=ldap]
[realm=MY_REALM] [mech=kerberos5] [reason=saslauthd internal error]
WTF, why works testsaslauthd well but failed with ldap auth?
The kerberos server works well in both commands.....
root@ldap-master001:/usr/local/etc/openldap# /usr/local/libexec/slapd -V
@(#) $OpenLDAP: slapd 2.4.21 (Nov 10 2011 11:20:35) $
root@ldap-master001:/usr/local/src/openldap-2.4.21/servers/slapd
root@ldap-master001:/usr/local/etc/openldap# saslauthd -v
saslauthd: /usr/local/lib/liblber-2.4.so.2: no version information available
(required by saslauthd)
saslauthd: /usr/local/lib/libldap_r-2.4.so.2: no version information available
(required by saslauthd)
saslauthd 2.1.23
authentication mechanisms: sasldb getpwent kerberos5 pam rimap shadow ldap
Thank you
