Hi,

In my home network, I have an MIT Kerberos installation backed by
OpenLDAP. Because some of my apps do not work using GSSAPI, I would
like to be able to log into them directly using LDAP.

So I tried to set up pass-through, but with no success. Here is what I did:
* compiled OpenLDAP with --enable-spasswd (actually, it's a Gentoo
installation with USE flag sasl),
* set up Cyrus SASL to use Kerberos,
* configured /usr/lib64/sasl2/slapd.conf to use saslauthd,
* configured OpenLDAP with SASL host and secprops,
* updated my user to have "userPassword:: e1NBU0x9c3RlcGhhbmVASE9NRS5MQU4=",
* restarted.

SASL seems to be working correctly:
> testsaslauthd -u stephane -p mypassword
0: OK "Success."

But not LDAP:
> ldapwhoami -x -D "uid=stephane,ou=user,dc=home,dc=lan" -Z -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

It seems to not even try to contact Cyrus SASL...

I searched for hours across the Internet but could not find any clue.
So if someone here could help me, I would really appreciate it.

My LDAP config:
# config
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /run/openldap/slapd.args
olcLocalSSF: 256
olcLogLevel: stats
olcPidFile: /run/openldap/slapd.pid
olcSaslHost: localhost
olcSaslSecProps: none

> cat /usr/lib64/sasl2/slapd.conf
pwcheck_method: saslauthd
mech_list: plain
saslauthd_path: /var/run/saslauthd/mux

Here is an extract of the log I could get while attempting to bind:

TLS trace: SSL_accept:SSLv3/TLS write session ticket
62af4376 connection_read(17): unable to get TLS client DN, error=49 id=1012
62af4376 conn=1012 fd=17 TLS established tls_ssf=256 ssf=256
62af4376 daemon: activity on 1 descriptor
62af4376 daemon: activity on:
62af4376 daemon: epoll: listen=7 active_threads=0 tvp=NULL
62af4376 daemon: epoll: listen=8 active_threads=0 tvp=NULL
62af4376 daemon: epoll: listen=9 active_threads=0 tvp=NULL
62af437b daemon: activity on 1 descriptor
62af437b daemon: activity on: 17r
62af437b daemon: read active on 17
62af437b daemon: epoll: listen=7 active_threads=0 tvp=NULL
62af437b daemon: epoll: listen=8 active_threads=0 tvp=NULL
62af437b daemon: epoll: listen=9 active_threads=0 tvp=NULL
62af437b connection_get(17)
62af437b connection_get(17): got connid=1012
62af437b connection_read(17): checking for input on id=1012
ber_get_next
tls_read: want=5, got=5
tls_read: want=97, got=97
ldap_read: want=8, got=8
ldap_read: want=72, got=72
ber_get_next: tag 0x30 len 78 contents:
ber_dump: buf=0x7f6df81074e0 ptr=0x7f6df81074e0 end=0x7f6df810752e len=78
62af437b op tag 0x60, time 1655653243
ber_get_next
tls_read: want=5 error=Resource temporarily unavailable
ldap_read: want=8 error=Resource temporarily unavailable
62af437b conn=1012 op=1 do_bind
62af437b daemon: activity on 1 descriptor
62af437b daemon: activity on:
ber_scanf fmt ({imt) ber:
62af437b daemon: epoll: listen=7 active_threads=0 tvp=NULL
62af437b daemon: epoll: listen=8 active_threads=0 tvp=NULL
ber_dump: buf=0x7f6df81074e0 ptr=0x7f6df81074e3 end=0x7f6df810752e len=75
ber_scanf fmt (m}) ber:
ber_dump: buf=0x7f6df81074e0 ptr=0x7f6df810751a end=0x7f6df810752e len=20
62af437b daemon: epoll: listen=9 active_threads=0 tvp=NULL
62af437b >>> dnPrettyNormal: <uid=stephane,ou=user,dc=home,dc=lan>
=> ldap_bv2dn(uid=stephane,ou=user,dc=home,dc=lan,0)
<= ldap_bv2dn(uid=stephane,ou=user,dc=home,dc=lan)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=stephane,ou=user,dc=home,dc=lan)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=stephane,ou=user,dc=home,dc=lan)=0
62af437b <<< dnPrettyNormal: <uid=stephane,ou=user,dc=home,dc=lan>, <uid=stephane,ou=user,dc=home,dc=lan>
62af437b conn=1012 op=1 BIND dn="uid=stephane,ou=user,dc=home,dc=lan" method=128
62af437b do_bind: version=3 dn="uid=stephane,ou=user,dc=home,dc=lan" method=128
62af437b ==> mdb_bind: dn: uid=stephane,ou=user,dc=home,dc=lan
62af437b mdb_dn2entry("uid=stephane,ou=user,dc=home,dc=lan")
62af437b => mdb_dn2id("uid=stephane,ou=user,dc=home,dc=lan")
62af437b <= mdb_dn2id: got id=0xb
62af437b => mdb_entry_decode:
62af437b <= mdb_entry_decode
62af437b => access_allowed: result not in cache (userPassword)
62af437b => access_allowed: auth access to "uid=stephane,ou=user,dc=home,dc=lan" "userPassword" requested
62af437b => acl_get: [1] attr userPassword
62af437b => acl_mask: access to entry "uid=stephane,ou=user,dc=home,dc=lan", attr "userPassword" requested
62af437b => acl_mask: to value by "", (=0)
62af437b <= check a_dn_pat: cn=kerberos,ou=service,dc=home,dc=lan
62af437b <= check a_dn_pat: self
62af437b <= check a_dn_pat: anonymous
62af437b <= acl_mask: [3] applying auth(=xd) (stop)
62af437b <= acl_mask: [3] mask: auth(=xd)
62af437b => slap_access_allowed: auth access granted by auth(=xd)
62af437b => access_allowed: auth access granted by auth(=xd)
62af437b SASL Canonicalize [conn=1012]: authcid="[email protected]"
62af437b SASL Canonicalize [conn=1012]: authcid="[email protected]"
62af437b send_ldap_result: conn=1012 op=1 p=3
62af437b send_ldap_result: err=49 matched="" text=""
62af437b send_ldap_response: msgid=2 tag=97 err=49
ber_flush2: 14 bytes to sd 17
tls_write: want=36, written=36
ldap_write: want=14, written=14
62af437b conn=1012 op=1 RESULT tag=97 err=49 text=
62af437b daemon: activity on 1 descriptor
62af437b daemon: activity on: 17r
62af437b daemon: read active on 17
62af437b daemon: epoll: listen=7 active_threads=0 tvp=NULL
62af437b daemon: epoll: listen=8 active_threads=0 tvp=NULL
62af437b daemon: epoll: listen=9 active_threads=0 tvp=NULL
62af437b connection_get(17)
62af437b connection_get(17): got connid=1012
62af437b connection_read(17): checking for input on id=1012
ber_get_next
tls_read: want=5, got=5
tls_read: want=24, got=24
ldap_read: want=8, got=7
ber_get_next: tag 0x30 len 5 contents:
ber_dump: buf=0x7f6e081065d0 ptr=0x7f6e081065d0 end=0x7f6e081065d5 len=5
62af437b op tag 0x42, time 1655653243
ber_get_next
tls_read: want=5, got=5
tls_read: want=19, got=19
TLS trace: SSL3 alert read:warning:close notify
ldap_read: want=8, got=0

62af437b ber_get_next on fd 17 failed errno=0 (Success)
62af437b connection_read(17): input error=-2 id=1012, closing.
62af437b connection_closing: readying conn=1012 sd=17 for close
62af437b connection_close: deferring conn=1012 sd=17
62af437b conn=1012 op=2 do_unbind
62af437b conn=1012 op=2 UNBIND
62af437b connection_resched: attempting closing conn=1012 sd=17
62af437b connection_close: conn=1012 sd=17
62af437b daemon: removing 17
tls_write: want=24, written=24
TLS trace: SSL3 alert write:warning:close notify
62af437b conn=1012 fd=17 closed
62af437b daemon: activity on 1 descriptor
62af437b daemon: activity on:
62af437b daemon: epoll: listen=7 active_threads=0 tvp=NULL
62af437b daemon: epoll: listen=8 active_threads=0 tvp=NULL
62af437b daemon: epoll: listen=9 active_threads=0 tvp=NULL


-- 
Bien cordialement, / Plej kore,

Stéphane Veyret
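The following is an added example, not code from the post or from the OpenLDAP project. It cross-checks the two artefacts a reader of this thread has in hand: the base64 userPassword value (the {SASL} scheme is what makes slapd hand a simple bind to libsasl instead of comparing the password locally) and the slapd trace (the BIND line with method=128, the "SASL Canonicalize" line carrying the authcid that was passed to SASL, and the RESULT err code). The sample log lines are constructed in the format of the trace above; the authcid in them is the value the posted base64 decodes to, which the post's archive rendering obscures.

```python
import base64
import re
from typing import Dict, List, Optional, Tuple

# The userPassword value quoted in the post, exactly as stored (LDIF "::" = base64).
USERPASSWORD_B64 = "e1NBU0x9c3RlcGhhbmVASE9NRS5MQU4="

# Constructed sample trace, modelled on the slapd log in the post (loglevel stats/trace).
SAMPLE_LOG = """\
62af437b conn=1012 op=1 BIND dn="uid=stephane,ou=user,dc=home,dc=lan" method=128
62af437b do_bind: version=3 dn="uid=stephane,ou=user,dc=home,dc=lan" method=128
62af437b => access_allowed: auth access granted by auth(=xd)
62af437b SASL Canonicalize [conn=1012]: authcid="stephane@HOME.LAN"
62af437b send_ldap_result: err=49 matched="" text=""
62af437b conn=1012 op=1 RESULT tag=97 err=49 text=
"""

BIND_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')
CANON_RE = re.compile(r'SASL Canonicalize \[conn=(?P<conn>\d+)\]: authcid="(?P<authcid>[^"]*)"')
RESULT_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT tag=97 err=(?P<err>\d+)')


def decode_sasl_userpassword(value_b64: str) -> Tuple[str, Optional[str]]:
    """Decode a base64 userPassword and split a {SASL}user@realm value into (user, realm).

    Raises ValueError for any other scheme ({SSHA}, cleartext, ...): such values are
    verified by slapd itself and never reach saslauthd, so pass-through cannot apply.
    """
    raw = base64.b64decode(value_b64).decode("utf-8")
    if not raw.startswith("{SASL}"):
        raise ValueError("userPassword does not use the {SASL} scheme: %r" % raw[: raw.find("}") + 1])
    ident = raw[len("{SASL}"):]
    if "@" in ident:
        user, realm = ident.split("@", 1)
        return user, realm
    return ident, None


def summarize_bind(log_text: str) -> Dict[str, object]:
    """Collect, for the last simple bind in a slapd trace, the DN, the bind method,
    the authcid slapd handed to libsasl (only present on the {SASL} path) and the result."""
    summary: Dict[str, object] = {}
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            summary = {"conn": m["conn"], "op": m["op"], "dn": m["dn"],
                       "method": int(m["method"]), "authcid": None, "err": None}
            continue
        m = CANON_RE.search(line)
        if m and summary.get("conn") == m["conn"]:
            summary["authcid"] = m["authcid"]
            continue
        m = RESULT_RE.search(line)
        if m and summary.get("conn") == m["conn"] and summary.get("op") == m["op"]:
            summary["err"] = int(m["err"])
    return summary


def check_passthrough(value_b64: str, log_text: str) -> List[str]:
    """Compare the identity stored in userPassword with what the trace shows slapd sent to SASL."""
    findings: List[str] = []
    user, realm = decode_sasl_userpassword(value_b64)
    expected = f"{user}@{realm}" if realm else user
    s = summarize_bind(log_text)
    if s.get("method") != 128:  # 128 = LDAP simple bind; {SASL} pass-through only applies there
        findings.append("no simple bind (method=128) found in the trace")
    if s.get("authcid") is None:
        findings.append("no 'SASL Canonicalize' line: slapd never handed the bind to libsasl")
    elif s["authcid"] != expected:
        findings.append(f"authcid {s['authcid']!r} sent to SASL differs from stored {expected!r}")
    if s.get("err") == 49:
        findings.append(f"err=49 after SASL was called: re-test saslauthd with user {user!r} and realm {realm!r}")
    return findings


if __name__ == "__main__":
    print(decode_sasl_userpassword(USERPASSWORD_B64))
    for finding in check_passthrough(USERPASSWORD_B64, SAMPLE_LOG):
        print("-", finding)
```

Run against the constructed trace, the script reports that the bind did reach libsasl with the authcid and realm taken from the {SASL} value, and that the rejection (err=49) therefore came back from the SASL side; that narrows the next check to saslauthd with the same user and realm rather than to slapd's ACLs or the userPassword attribute.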
