Hi,

I did not run the 'su - james' as the root user. So I am expecting it to ask me for the password and trigger the authentication against LDAP, which delegates the authentication to Kerberos via saslauthd.

The problem is that I cannot get it to work for users in the subordinate tree. I read the man page of pam_ldap and it mentioned that there is a referral option, but after setting it to referral = yes, it still does not work.

Regards,
james

On 12/31/12 2:44 PM, "Dan White" <[email protected]> wrote:

>On 12/31/12 11:19 -0800, Wu, James C. wrote:
>>I am trying to set up an OpenLDAP and Kerberos authentication for testing
>>purposes. The setup contains a pair of internal ldap server and Kerberos
>>server and the pair of external ldap server and Kerberos server.
>>
>>I made the tree of the internal ldap server to be a subordinate of the
>>external server and enabled the saslauthd for authentication on both the
>>internal and the external ldap server to the respective Kerberos server.
>>
>>I have tested that the LDAP authentication through saslauthd using
>>Kerberos works well on both the internal ldap and Kerberos pair and the
>>external ldap Kerberos pair.
>>
>>However, when I point the client machine to the external ldap server and
>>add the subordinate relationship, I could not get the authentication
>>for the users in the internal ldap directory to work.
>>
>>For example, when I used "su - peter" where peter is a user in the
>>external ldap server and the password is
>>{SASL}[email protected], the
>>authentication works. However, when I use "su - james" where james is a
>>user defined in the internal ldap server with password
>>{SASL}[email protected], then
>>the authentication fails. I checked the log file; the internal server did
>>get the search request forwarded from the external ldap server and
>>returned the correct information back. However, I did not see the
>>saslauthd process on either the external or the internal ldap server get
>>any inquiry for the authentication.
>>
>>I tried to modify the /etc/krb5.conf and added the realms for both
>>EXAMPLE.COM and SUB.EXAMPLE.COM. Still, the authentication does not work
>>for users defined in the internal ldap server.
>>
>>Could anyone give me some hints for this issue?
>
>Assuming that you are running 'su - <user>' as the root user, that command
>should not trigger an authentication against saslauthd, or kerberos. Nor
>should it even consult your userPassword entry.
>
>Check the configuration of your nss ldap module, on the server you're
>running 'su' on. Use 'getent passwd <user>' to troubleshoot.
>
>--
>Dan White
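Dan's point that 'su - <user>' run by root never reaches saslauthd or Kerberos comes from the PAM stack for su: on the usual Linux layout the auth section opens with `auth sufficient pam_rootok.so`, which succeeds for uid 0 and ends auth processing before pam_ldap is ever called. The following script is an added example, not part of the thread and not from any of the participants; the PAM stack it parses is a constructed sample that assumes the typical `/etc/pam.d/su` ordering (pam_rootok first, pam_ldap later), and the function names are my own. It lists which auth modules actually execute for a given caller, so a defender can see at a glance whether an LDAP bind (and the saslauthd/Kerberos check behind it) is part of the path being tested.

```shell
#!/bin/sh
# Constructed sample of a typical /etc/pam.d/su auth stack (assumption: this
# ordering, with pam_rootok.so first, is not taken from the thread).
SAMPLE_PAM_SU='auth       sufficient   pam_rootok.so
auth       required     pam_wheel.so use_uid
auth       sufficient   pam_ldap.so
auth       required     pam_unix.so try_first_pass
account    required     pam_unix.so
session    required     pam_unix.so'

# List every auth-type module of a PAM stack, in order, one per line.
pam_auth_modules() {
    printf '%s\n' "$1" | awk '$1 == "auth" { print $3 }'
}

# Print the auth modules that actually execute for a caller.
# For "root", processing stops at the first "sufficient pam_rootok.so" line,
# because that module succeeds for uid 0 and no later auth module runs.
# For any other caller every auth line is evaluated.
pam_auth_path() {
    stack=$1
    caller=$2
    printf '%s\n' "$stack" | awk -v caller="$caller" '
        $1 != "auth" { next }
        { print $3 }
        caller == "root" && $2 == "sufficient" && $3 == "pam_rootok.so" { exit }
    '
}

# Report "yes" if pam_ldap.so is reached for this caller, otherwise "no".
# Only when it is reached can an LDAP bind, and therefore saslauthd and
# Kerberos behind the directory, be exercised by this su invocation.
ldap_consulted() {
    if pam_auth_path "$1" "$2" | grep -qx 'pam_ldap.so'; then
        echo yes
    else
        echo no
    fi
}

# Usage: compare the path root takes with the path an ordinary user takes.
echo "root path:";  pam_auth_path "$SAMPLE_PAM_SU" root
echo "james path:"; pam_auth_path "$SAMPLE_PAM_SU" james
echo "ldap consulted for root:  $(ldap_consulted "$SAMPLE_PAM_SU" root)"
echo "ldap consulted for james: $(ldap_consulted "$SAMPLE_PAM_SU" james)"
```

Running it shows root's auth path consisting of pam_rootok.so alone, so a successful 'su - james' from a root shell proves nothing about the LDAP, saslauthd or Kerberos configuration; only the non-root path, or Dan's 'getent passwd <user>' check of the NSS side, exercises the directory.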
