Hi all,
I am standing up a new OpenLDAP directory to serve as an SSSD authn/authz point
for an HPC lab environment. This directory should delegate user/password
authentication to a second LDAP directory via SASL. Following the directions
from the LTB project
<https://ltb-project.org/documentation/sasl_delegation.html#pass-through-authentication-on-one-ldap-directory>,
as well as the standard OpenLDAP documentation
<https://www.openldap.org/doc/admin26/security.html#SASL%20method>, I have set
up a SASL daemon which I've confirmed works correctly. A few following
questions:
Is there anything one needs to do beyond
  - editing /usr/lib/sasl2/slapd.conf to include the "mech_list: plain",
    "pwcheck_method: saslauthd" and "saslauthd_path: /var/run/sasl2/mux" lines
  - configuring saslauthd.conf to point to the directory server for delegation
    (already working)
  - editing the userPassword attribute of the user in question to be
    {SASL}user@domain?
It does not seem to be trying to delegate to SASL according to logs. And if I
look in ApacheDirectoryStudio, while it looks like {SASL}user@domain there if I
do an ldapsearch on the user it shows me a hash. So I'm not sure it's being
stored correctly.
There are some attributes missing from the default schema if one wants to use
LDAP for UNIX/POSIX information. So I included
/usr/local/openldap/etc/openldap/schema/nis.schema in order to add things like
uidNumber and gidNumber to the schema, which adds posixAccount as a possible
object type. But if I try to add a posixAccount user, or include a user's home
directory with the homeDirectory attribute, I get "[LDAP result code 17 -
undefinedAttributeType] homeDirectory: attribute type undefined." This seems to
imply there's something else I need to do to add these attributes to the
schema. I tried looking through the schema documentation
<https://www.openldap.org/doc/admin26/schema.html> but none of it seems to
apply to "here is how you add all the things that are missing by default."
Because I noticed there were items missing from the inetOrgPerson definition
(which was how I originally created my first user), I deleted that user, did
the include and tried again. Now I cannot create a new user because of this
homeDirectory attribute problem.
Thanks in advance!
--
Jarett T. DeAngelis, MS
Scientific Systems Engineer
Email: [email protected] <mailto:[email protected]>
M: +1.646.417.2165
bioteam.net <https://www.bioteam.net/>
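One check worth having when comparing what a GUI browser shows against what ldapsearch prints: ldapsearch writes userPassword in LDIF's base64 form (the `userPassword::` double-colon line), so a stored `{SASL}user@domain` string comes out looking like an opaque blob rather than readable text. The script below is an added example, not part of the post above and not OpenLDAP or LTB project code; it parses ldapsearch-style LDIF, decodes the `::` values, and reports the storage scheme of each entry's userPassword (delegated `{SASL}`, a local hash such as `{SSHA}`, or cleartext). The sample LDIF and the entry names alice, bob and carol are constructed for the example.

```python
import base64
import re

# Constructed sample of what "ldapsearch -LLL ... uid userPassword" prints.
# The base64 values decode to "{SASL}alice@example.org", "{SSHA}" followed by
# a placeholder 32-byte blob of "A"s, and the cleartext word "secret".
SAMPLE_LDIF = """dn: uid=alice,ou=people,dc=example,dc=org
uid: alice
userPassword:: e1NBU0x9YWxpY2VAZXhhbXBsZS5vcmc=

dn: uid=bob,ou=people,dc=example,dc=org
uid: bob
userPassword:: e1NTSEF9QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE=

dn: uid=carol,ou=people,dc=example,dc=org
uid: carol
userPassword:: c2VjcmV0
"""


def parse_ldif(text):
    """Parse minimal LDIF (as ldapsearch prints it) into a list of dicts that
    map attribute name -> list of decoded string values. Handles '::' base64
    values, '#' comments and wrapped continuation lines (leading space)."""
    entries = []
    current = {}
    unfolded = re.sub(r"\n ", "", text)  # re-join folded lines
    for line in unfolded.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):
            # "attr:: <base64>" form; userPassword is always written this way
            raw = base64.b64decode(value[1:].strip())
            value = raw.decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def password_scheme(value):
    """Name the storage scheme of a userPassword value: 'SASL' means slapd
    delegates the bind to saslauthd, 'SSHA'/'CRYPT'/... is a local hash, and
    'CLEARTEXT' means no scheme prefix at all."""
    m = re.match(r"\{([A-Za-z0-9-]+)\}", value)
    return m.group(1).upper() if m else "CLEARTEXT"


def audit_password_storage(ldif_text):
    """Return {uid: (scheme, delegation_target_or_None)} for every entry that
    carries a userPassword, so delegated and non-delegated users stand out."""
    report = {}
    for entry in parse_ldif(ldif_text):
        for pw in entry.get("userPassword", []):
            scheme = password_scheme(pw)
            target = pw[len("{SASL}"):] if scheme == "SASL" else None
            report[entry["uid"][0]] = (scheme, target)
    return report


if __name__ == "__main__":
    for uid, (scheme, target) in audit_password_storage(SAMPLE_LDIF).items():
        print(f"{uid:8} {scheme:10} {target or ''}")
```

Feed it the real output with something like `ldapsearch -LLL -b "ou=people,dc=example,dc=org" uid userPassword` saved to a file and passed to `audit_password_storage`; an entry reported as SSHA rather than SASL is one slapd will verify locally and never hand to saslauthd, and a CLEARTEXT row is worth fixing regardless of the delegation question.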