Hello,

I need help with the following problem.
Our password authentication should use SASL, but we don't see any requests in our
logs or in tcpdump.

The password authentication should work as follows:

- userPassword-Attribute: {SASL}User@Domain
- saslauthd -> use PAM
- PAM -> use kerberos
- kerberos -> send request to Active-Directory Server

RPM list:
---------------------
lshxx0693:~ # rpm -qa | grep sasl
cyrus-sasl-gssapi-32bit-2.1.22-182.20.1
cyrus-sasl-gssapi-2.1.22-182.20.1
cyrus-sasl-2.1.22-182.20.1
cyrus-sasl-32bit-2.1.22-182.20.1
cyrus-sasl-digestmd5-2.1.22-182.20.1
cyrus-sasl-digestmd5-32bit-2.1.22-182.20.1
cyrus-sasl-devel-2.1.22-182.20.1
cyrus-sasl-saslauthd-2.1.22-182.19

lshxx0693:~ # rpm -qa | grep krb
krb5-1.6.3-133.49.64.1
krb5-32bit-1.6.3-133.49.64.1
pam_krb5-2.3.1-47.12.1
pam_krb5-32bit-2.3.1-47.12.1
krb5-doc-1.6.3-133.49.64.1
krb5-plugin-kdb-ldap-1.6.3-133.49.64.1
krb5-server-1.6.3-133.49.64.1
krb5-client-1.6.3-133.49.64.1

lshxx0693:~ # rpm -qa | grep ldap
openldap2-2.4.26-0.28.5
openldap2-client-2.4.26-0.28.5
openldap2-devel-2.4.26-0.28.5
pam_ldap-184-147.20
pam_ldap-32bit-184-147.20
nss_ldap-262-11.32.39.1
nss_ldap-32bit-262-11.32.39.1
libldap-2_4-2-2.4.26-0.28.5
libldap-2_4-2-32bit-2.4.26-0.28.5
libldapcpp1-0.3.0-0.9.29
libevoldap-2_4-2-2.4.12-4.19
yast2-ldap-2.17.8-0.7.61
yast2-ldap-client-2.17.38-0.7.2
yast2-ldap-server-2.17.44-0.5.1

lshxx0693:~ # rpm -qa | grep cyrus
cyrus-sasl-gssapi-2.1.22-182.20.1
cyrus-sasl-gssapi-32bit-2.1.22-182.20.1
cyrus-sasl-saslauthd-2.1.22-182.19
cyrus-sasl-devel-2.1.22-182.20.1
cyrus-sasl-2.1.22-182.20.1
cyrus-sasl-32bit-2.1.22-182.20.1
cyrus-sasl-digestmd5-2.1.22-182.20.1
cyrus-sasl-digestmd5-32bit-2.1.22-182.20.1


Configuration files:
----------------------------
lshxx0693:~ # cat /etc/sasl2/slapd.conf
mech_list: plain login
pwcheck_method: saslauthd

lshxx0693:~ # cat /etc/sysconfig/saslauthd
SASLAUTHD_AUTHMECH=pam
SASLAUTHD_THREADS=5
SASLAUTHD_PARAMS="-r"

lshxx0693:~ # cat /etc/pam.d/ldap
auth     required          pam_krb5.so no_user_check
account required        pam_permit.so

lshxx0693:/etc/pam.d/ # cat common-account | egrep -v "^#"
account           requisite          pam_unix2.so
account           sufficient         pam_localuser.so
account           required          pam_ldap.so   use_first_pass

lshxx0693:/etc/pam.d/ # cat common-account-pc | egrep -v "^#"
account           requisite          pam_unix2.so
account           sufficient         pam_localuser.so
account           required          pam_ldap.so   use_first_pass

lshxx0693:/etc/pam.d/ # cat common-auth | egrep -v "^#"
auth     required          pam_env.so
auth     sufficient         pam_unix2.so
auth     required          pam_ldap.so   use_first_pass

lshxx0693:/etc/pam.d/ # cat common-auth-pc | egrep -v "^#"
auth     required          pam_env.so
auth     sufficient         pam_unix2.so
auth     required          pam_ldap.so   use_first_pass

shxx0693:/etc/pam.d/ # cat common-password | egrep -v "^#"
password        requisite          pam_pwcheck.so       nullok cracklib
password        sufficient         pam_unix2.so use_authtok nullok
password        required          pam_ldap.so   try_first_pass use_authtok

lshxx0693:/etc/pam.d/ # cat common-session | egrep -v "^#"
session  optional         pam_mkhomedir.so
session            required          pam_limits.so
session            required          pam_unix2.so
session            optional           pam_ldap.so
session            optional           pam_umask.so

lshxx0693:/etc/pam.d/ # cat common-session-pc | egrep -v "^#"
session  optional         pam_mkhomedir.so
session            required          pam_limits.so
session            required          pam_unix2.so
session            optional           pam_ldap.so
session            optional           pam_umask.so

lshxx0693:/etc/pam.d/ # cat common-password-pc | egrep -v "^#"
password        requisite          pam_pwcheck.so       nullok cracklib
password        sufficient         pam_unix2.so use_authtok nullok
password        required          pam_ldap.so   try_first_pass use_authtok

lshxx0693:~ # pam-config --verify
lshxx0693:~ #


lshxx0693:~ # cat /etc/krb5.conf

[libdefaults]
            default_realm = INT.IT.DPP
            dns_lookup_kdc = true

[realms]
            INT.IT.DPP = {
                kdc = 10.150.10.10
                kdc = 10.150.10.10
        }

[logging]
    default = SYSLOG:NOTICE:DAEMON


lshxx0693:~ # cat /etc/nsswitch.conf | egrep -v "#"

passwd:          compat
group:  files ldap

hosts:  files dns
networks:        files dns

services:         files ldap
protocols:        files
rpc:      files
ethers: files
netmasks:       files
netgroup:        files ldap
publickey:       files

bootparams:   files
automount:     files nis
aliases:            files ldap
passwd_compat:        ldap



Please tell me if you need more information.
I would like to thank you in advance for your help.


Best wishes
S. Kuechler

