Hi,

Actually 'peter' is not the right user to test against because its password in 
the internal ldap server is defined as {SASL}[email protected].  It should be 
{SASL}[email protected].

I tested against another user mark whose password is {SASL}[email protected]. 
Both the ldapsearch and ldapwhoami worked well if I use the internal ldap 
server. This is what I expected. 

When I test against the external server, using

ldapwhoami -d -1 -x -H ldap://externalldapserver -D "uid=mark,ou=People,ou=sub,dc=example,dc=com" -w password

the ldap log shows this error message:

50e4f948 >>> dnPrettyNormal: <uid=mark,ou=People,ou=sub,dc=example,dc=com>
=> ldap_bv2dn(uid=mark,ou=People,ou=sub,dc=example,dc=com,0)
<= ldap_bv2dn(uid=mark,ou=People,ou=sub,dc=example,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=mark,ou=People,ou=sub,dc=example,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=mark,ou=people,ou=sub,dc=example,dc=com)=0
50e4f948 <<< dnPrettyNormal: <uid=mark,ou=People,ou=sub,dc=example,dc=com>, <uid=mark,ou=people,ou=sub,dc=example,dc=com>
50e4f948 conn=1034 op=0 BIND dn="uid=mark,ou=People,ou=sub,dc=example,dc=com" method=128
50e4f948 do_bind: version=3 dn="uid=mark,ou=People,ou=sub,dc=example,dc=com" method=128
50e4f948 ==> bdb_bind: dn: uid=mark,ou=People,ou=sub,dc=example,dc=com
50e4f948 bdb_dn2entry("uid=mark,ou=people,ou=sub,dc=example,dc=com")
50e4f948 => bdb_dn2id("ou=people,ou=sub,dc=example,dc=com")
50e4f948 <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30988)
50e4f948 send_ldap_result: conn=1034 op=0 p=3
50e4f948 send_ldap_result: err=49 matched="" text=""
50e4f948 send_ldap_response: msgid=1 tag=97 err=49

A similar message is also shown when I run the ldapsearch command. 

James
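Added example, written for this thread and not code from the list or from OpenLDAP: a small Python triage script that walks a slapd -d -1 excerpt like the one above and pulls out the fields that matter when a BIND returns err=49, namely which backend handled the bind, which DN lookup in that backend returned DB_NOTFOUND, and the final result code. The embedded sample log is constructed from the lines James posted; the result-code and bind-method tables are the standard LDAP values (err=49 is invalidCredentials, method=128 is a simple bind); the simplified DN normalization and the diagnosis wording are this script's own. What the sample shows is that the lookup that failed was for the parent ou=people,ou=sub,dc=example,dc=com inside the bdb backend, which is the detail to check against the database and suffix layout on the external server.

```python
import re

# Constructed sample input: the relevant lines of the slapd -d -1 excerpt from
# the message above, reproduced here so the triage runs offline.
SAMPLE_LOG = """\
50e4f948 conn=1034 op=0 BIND dn="uid=mark,ou=People,ou=sub,dc=example,dc=com" method=128
50e4f948 do_bind: version=3 dn="uid=mark,ou=People,ou=sub,dc=example,dc=com" method=128
50e4f948 ==> bdb_bind: dn: uid=mark,ou=People,ou=sub,dc=example,dc=com
50e4f948 bdb_dn2entry("uid=mark,ou=people,ou=sub,dc=example,dc=com")
50e4f948 => bdb_dn2id("ou=people,ou=sub,dc=example,dc=com")
50e4f948 <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30988)
50e4f948 send_ldap_result: conn=1034 op=0 p=3
50e4f948 send_ldap_result: err=49 matched="" text=""
50e4f948 send_ldap_response: msgid=1 tag=97 err=49
"""

# Standard LDAP result codes (RFC 4511) and OpenLDAP bind method tags.
RESULT_CODES = {0: "success", 32: "noSuchObject", 49: "invalidCredentials",
                50: "insufficientAccessRights", 53: "unwillingToPerform"}
BIND_METHODS = {128: "simple", 163: "sasl"}

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
BACKEND_RE = re.compile(r'==> (\w+)_bind: dn: (.+)$')
DN2ID_RE = re.compile(r'=> \w+_dn2id\("([^"]*)"\)')
NOTFOUND_RE = re.compile(r'_dn2id: get failed: DB_NOTFOUND')
RESULT_RE = re.compile(r'send_ldap_result: err=(\d+)')


def normalize_dn(dn):
    """Simplified stand-in for slapd's dnNormalize: trim whitespace around each
    RDN and lowercase. Real normalization is per-attribute-syntax, but this
    reproduces what the <<< dnPrettyNormal line shows for the DN in the log."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def diagnose(info):
    """Turn the extracted fields into a one-line explanation (this script's own
    wording, not a slapd message)."""
    if info["err"] == 0:
        return "bind succeeded"
    if info["err"] != 49:
        return "bind failed with %s" % info["result"]
    bind_norm = normalize_dn(info["bind_dn"] or "")
    missing = info["missing_dn"]
    if missing is None:
        return ("entry located in backend %s but the credential check failed; "
                "verify the stored userPassword and the SASL/saslauthd path"
                % info["backend"])
    if missing == bind_norm:
        return "backend %s holds no entry for the bind DN itself" % info["backend"]
    return ("parent entry %s is absent from backend %s: the bind DN was resolved "
            "in that backend rather than in a database whose suffix holds it"
            % (missing, info["backend"]))


def triage_bind(log_text):
    """Extract the bind request, the backend that served it, the DN lookup that
    failed in that backend (if any) and the result code from a slapd debug log."""
    info = {"conn": None, "op": None, "bind_dn": None, "method": None,
            "backend": None, "missing_dn": None, "err": None, "result": None}
    last_lookup = None  # most recent *_dn2id("...") argument seen
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            info["conn"], info["op"] = int(m.group(1)), int(m.group(2))
            info["bind_dn"] = m.group(3)
            info["method"] = BIND_METHODS.get(int(m.group(4)), m.group(4))
            continue
        m = BACKEND_RE.search(line)
        if m:
            info["backend"] = m.group(1)
            continue
        m = DN2ID_RE.search(line)
        if m:
            last_lookup = m.group(1)
            continue
        if NOTFOUND_RE.search(line) and last_lookup is not None:
            # The DB_NOTFOUND refers to the lookup issued just before it.
            info["missing_dn"] = last_lookup
            continue
        m = RESULT_RE.search(line)
        if m:
            info["err"] = int(m.group(1))
            info["result"] = RESULT_CODES.get(info["err"], "other")
    info["diagnosis"] = diagnose(info)
    return info


if __name__ == "__main__":
    result = triage_bind(SAMPLE_LOG)
    for key in ("conn", "op", "bind_dn", "method", "backend", "missing_dn", "result"):
        print("%-10s %s" % (key, result[key]))
    print("diagnosis  " + result["diagnosis"])
```

Run it against a saved `slapd -d -1` capture by replacing SAMPLE_LOG with the file contents; for a capture with several binds, split it per conn/op first, since the script reports the last result line it sees.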

-----Original Message-----
From: Dan White [mailto:[email protected]] 
Sent: Wednesday, January 02, 2013 7:18 PM
To: Wu, James C.
Cc: [email protected]
Subject: Re: sasl Kerberos authentication with subordinate

On 12/31/12 11:19 -0800, Wu, James C. wrote:
>I have tested that the LDAP authentication through saslauthd using 
>Kerberos works well on both the internal ldap and Kerberos pair and the 
>external ldap Kerberos pair.

How did you verify authentication was working with your internal server?

>For example, when I used "su - peter" where peter is a user in the 
>external ldap server and the password is 
>{SASL}[email protected]. The 
>authentication works. However, when I use "su - James" where james is a 
>user defined in the internal ldap server with password 
>{SASL}[email protected], 
>then the authentication failed. I check the log file, the internal 
>server did get the search request forwarded from the external ldap 
>server and returned the correct information back. However, I did not 
>see the saslauthd process on either the external or the internal ldap 
>server get any inquiry for the authentication.

On 01/02/13 14:52 -0800, Wu, James C. wrote:
>When I add uid to the -D flag in the ldapwhoami, then it failed on both 
>the external and internal ldap servers.
>
>ldapwhoami -x -H ldap://internalldap -D "uid=peter,ou=People,ou=sub,dc=example,dc=com" -w password
>ldapwhoami -x -H ldap://externalldap -D "uid=peter,ou=People,ou=sub,dc=example,dc=com" -w password

How does this second command (against your internal server) differ from the 
above verification?

--
Dan White
