I defined:
ldap_mech: PLAIN
I am new at LDAP, that is obvious I guess. But I've been around Unix for 30 years.
This is the latest output from saslauthd in debug mode:
saslauthd[19271] :main : num_procs : 5
saslauthd[19271] :main : mech_option: NULL
saslauthd[19271] :main : run_path : /var/run/saslauthd
saslauthd[19271] :main : auth_mech : ldap
saslauthd[19271] :ipc_init : using accept lock file: /var/run/saslauthd/mux.accept
saslauthd[19271] :detach_tty : master pid is: 0
saslauthd[19271] :ipc_init : listening on socket: /var/run/saslauthd/mux
saslauthd[19271] :main : using process model
saslauthd[19271] :have_baby : forked child: 19272
saslauthd[19271] :have_baby : forked child: 19273
saslauthd[19271] :have_baby : forked child: 19274
saslauthd[19271] :have_baby : forked child: 19275
saslauthd[19271] :get_accept_lock : acquired accept lock
saslauthd[19271] :rel_accept_lock : released accept lock
saslauthd[19272] :get_accept_lock : acquired accept lock
ldap_sasl_interactive_bind: user selected: PLAIN
ldap_int_sasl_bind: PLAIN
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 182.19.136.42:389
ldap_new_socket: 10
ldap_prepare_socket: 10
ldap_connect_to_host: Trying 182.19.136.42:389
ldap_pvt_connect: fd: 10 tm: 10 async: 0
ldap_ndelay_on: 10
attempting to connect:
connect errno: 115
ldap_int_poll: fd: 10 tm: 10
ldap_is_sock_ready: 10
ldap_ndelay_off: 10
ldap_pvt_connect: 0
ldap_int_sasl_open: host=182.19.136.42
ldap_msgfree
ldap_err2string
ldap_unbind
ldap_free_connection 1 1
ldap_send_unbind
ldap_free_connection: actually freed
ldap_create
ldap_url_parse_ext(ldap:// 182.19.136.42:389)
ldap_sasl_interactive_bind: user selected: PLAIN
ldap_int_sasl_bind: PLAIN
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 182.19.136.42:389
ldap_new_socket: 10
ldap_prepare_socket: 10
ldap_connect_to_host: Trying 182.19.136.42:389
ldap_pvt_connect: fd: 10 tm: 10 async: 0
ldap_ndelay_on: 10
attempting to connect:
connect errno: 115
ldap_int_poll: fd: 10 tm: 10
ldap_is_sock_ready: 10
ldap_ndelay_off: 10
ldap_pvt_connect: 0
ldap_int_sasl_open: host=182.19.136.42
ldap_msgfree
ldap_err2string
saslauthd[19271] :do_auth : auth failure: [user=testuser] [service=slapd] [realm=] [mech=ldap] [reason=Unknown]
saslauthd[19271] :do_request : response: NO
Tim
On Thu, Dec 31, 2015 at 10:29 AM, Dan White <[email protected]> wrote:
> On 12/17/15 18:32 -0600, Timothy Keith wrote:
>
>> We are attempting to set up an LDAP server which will answer queries
>> from an application. The database will contain metadata on a set of
>> users in the application. The application will also query the server
>> to authenticate the user’s password, however, this server will not
>> house the password. That resides on another server, which our server
>> will query. We do not have administrative rights to the other
>> server.
>>
>> The difficulty we are having now is setting up the pass-through
>> authentication for the passwords. Any pointers in how to proceed with
>> this would be greatly appreciated.
>>
>
> On 12/21/15 17:24 -0600, Timothy Keith wrote:
>
>> We have limited access to the servers. Same company, different IT
>> organization. Our LDAP requirement must be transparent to those servers.
>> We want to inherit the LDAP directory information from the Unix servers -
>> mostly the user Id and passwords, and add information that is needed by
>> applications that our servers will manage.
>>
>
> On 12/31/15 09:51 -0600, Timothy Keith wrote:
>
>> On Wed, Dec 30, 2015 at 7:04 PM, Dan White <[email protected]> wrote:
>>
>>> On 12/30/15 18:51 -0600, Timothy Keith wrote:
>>>
>>>> This is tail of the latest saslauthd debug output :
>>>>
>>>> ldap_sasl_interactive_bind: user selected: DIGEST-MD5
>>>> res_errno: 7, res_error: <SASL(-4): no mechanism available: >, res_matched: <>
>>>> ldap_free_request (origid 1, msgid 1)
>>>> ldap_int_sasl_bind: DIGEST-MD5
>>>> ldap_parse_sasl_bind_result
>>>> ldap_parse_result
>>>> ldap_msgfree
>>>> ldap_err2string
>>>>
>>> Is DIGEST-MD5 available on your ldap server? Try:
>>>
>>> ldapsearch -LLL -x -H ldap://1.2.3.4 -s "base" -b "" supportedSASLMechanisms
>>>
>>> Which should list the advertised sasl mechanisms.
>>>
>>> Verify the digest-md5 mechanism is installed with
>>> saslpluginviewer/pluginviewer.
>>>
>>
>> Dan, that ldapsearch returns :
>> dn:
>> supportedSASLMechanisms: PLAIN
>>
>
> The server is only offering the PLAIN mechanism to you. It appears you're
> using saslauthd's ldap backend, and have explicitly configured 'ldap_mech:
> digest-md5' in your corresponding config. If that's correct, you could
> change that to PLAIN instead.
>
> Consider protecting the bind with tls if available.
>
> slapo-pbind may be a simpler alternative (to pass-through sasl
> authentication), depending on the specifics of your setup.
>
> --
> Dan White
>
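The check Dan describes (compare the mechanism configured for saslauthd's ldap backend with what the server's rootDSE advertises, and only use PLAIN inside TLS) can be scripted. The following is an added example, not code from this thread or from Cyrus SASL: it parses `key: value` lines in the saslauthd.conf style and the LDIF that `ldapsearch -LLL -x -s base -b "" supportedSASLMechanisms` prints, then reports whether the configured mechanism will be accepted and whether a PLAIN bind would travel in cleartext. The option names `ldap_mech`, `ldap_servers` and `ldap_start_tls` are the ones documented for the saslauthd LDAP backend; the sample configs and rootDSE output below are constructed for the example (the LDIF mirrors the `supportedSASLMechanisms: PLAIN` answer in the thread).

```python
"""Audit a saslauthd LDAP-backend config against the server's advertised SASL mechanisms.

Added example (not from the thread).  Inputs:
  1. saslauthd.conf-style text with ldap_mech / ldap_servers / ldap_start_tls
  2. the rootDSE LDIF from:
       ldapsearch -LLL -x -H ldap://host -s base -b "" supportedSASLMechanisms
"""
import re


def parse_saslauthd_conf(text):
    """Parse 'key: value' lines; blank lines and '#' comments are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            conf[key.strip().lower()] = value.strip()
    return conf


def parse_root_dse_mechs(ldif):
    """Collect supportedSASLMechanisms values from rootDSE LDIF output.

    LDIF folds long values onto a following line that starts with one space,
    and attribute names are case-insensitive, so unfold first and match
    case-insensitively.  Mechanism names are returned upper-cased.
    """
    unfolded = re.sub(r"\n ", "", ldif)
    mechs = []
    for line in unfolded.splitlines():
        m = re.match(r"(?i)^supportedSASLMechanisms:\s*(.+)$", line)
        if m:
            mechs.append(m.group(1).strip().upper())
    return mechs


def check_bind_config(conf, advertised):
    """Return a list of findings (empty list means the config is consistent).

    - the configured ldap_mech must be one the server advertises
    - PLAIN carries the password itself, so it is only acceptable when the
      connection is protected by StartTLS or an ldaps:// URI
    """
    findings = []
    mech = conf.get("ldap_mech", "").upper()
    if mech and mech not in advertised:
        findings.append(
            f"mechanism {mech} not advertised by server "
            f"(server offers: {', '.join(advertised) or 'none'})"
        )
    servers = conf.get("ldap_servers", "").split()
    start_tls = conf.get("ldap_start_tls", "no").lower() == "yes"
    all_ldaps = bool(servers) and all(u.startswith("ldaps://") for u in servers)
    if mech == "PLAIN" and not (start_tls or all_ldaps):
        findings.append(
            "PLAIN selected without ldap_start_tls or an ldaps:// URI: "
            "credentials would cross the network in cleartext"
        )
    return findings


def audit(conf_text, ldif_text):
    """Convenience wrapper: parse both inputs and run the checks."""
    return check_bind_config(parse_saslauthd_conf(conf_text), parse_root_dse_mechs(ldif_text))


# Constructed sample inputs (hypothetical host; not the thread's real servers).
ROOTDSE_LDIF = """dn:
supportedSASLMechanisms: PLAIN
"""
CONF_DIGEST = """ldap_servers: ldap://ldap.example.test
ldap_mech: DIGEST-MD5
"""
CONF_PLAIN_CLEAR = """ldap_servers: ldap://ldap.example.test
ldap_mech: PLAIN
"""
CONF_PLAIN_TLS = """ldap_servers: ldap://ldap.example.test
ldap_mech: PLAIN
ldap_start_tls: yes
"""

if __name__ == "__main__":
    for name, conf in (("digest-md5", CONF_DIGEST),
                       ("plain, no tls", CONF_PLAIN_CLEAR),
                       ("plain + starttls", CONF_PLAIN_TLS)):
        print(f"{name}: {audit(conf, ROOTDSE_LDIF) or ['ok']}")
```

Run against the thread's situation, the DIGEST-MD5 config produces the "not advertised" finding that matches the `SASL(-4): no mechanism available` error in the earlier debug output; switching to PLAIN clears it, and the cleartext finding stays until `ldap_start_tls: yes` (or an `ldaps://` server URI) is set.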