Joshua Schaeffer wrote:
Hey all,
I've been using OpenLDAP and Kerberos for central authentication for a while
now, but I have a couple of programs that can't use GSSAPI directly and I want to
set up SASL pass-through authentication to allow those services to use my
Kerberos passwords, but I'm having trouble getting saslauthd to work correctly.
I can authenticate as myself using GSSAPI without any issue:
jschaeffer@zipmaster07 ~/Downloads $ ldapwhoami
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 56
SASL data security layer installed.
dn:uid=jschaeffer,ou=end users,ou=people,dc=harmonywave,dc=com
But whenever I run the testsaslauthd command I can't get a successful
authentication:
root@baneling:~# testsaslauthd -u [email protected] -p <password>
0: NO "authentication failed"
When I debug the saslauthd daemon all I get is this:
root@baneling:~# saslauthd -a kerberos5 -m /var/run/saslauthd -n 5 -d
saslauthd[1121] :main : num_procs : 5
saslauthd[1121] :main : mech_option: NULL
saslauthd[1121] :main : run_path : /var/run/saslauthd
saslauthd[1121] :main : auth_mech : kerberos5
saslauthd[1121] :ipc_init : using accept lock file: /var/run/saslauthd/mux.accept
saslauthd[1121] :detach_tty : master pid is: 0
saslauthd[1121] :ipc_init : listening on socket: /var/run/saslauthd/mux
saslauthd[1121] :main : using process model
saslauthd[1121] :have_baby : forked child: 1122
saslauthd[1122] :get_accept_lock : acquired accept lock
saslauthd[1121] :have_baby : forked child: 1123
saslauthd[1121] :have_baby : forked child: 1124
saslauthd[1121] :have_baby : forked child: 1125
saslauthd[1122] :rel_accept_lock : released accept lock
saslauthd[1124] :get_accept_lock : acquired accept lock
saslauthd[1122] :do_auth : auth failure: [[email protected]] [service=imap] [realm=] [mech=kerberos5] [reason=saslauthd internal error]
Kinda at a loss at what else I should look at. Any tips would be appreciated.
Your testsaslauthd is trying to use the imap service. If you don't have an
imap service in your KDC, then of course it will fail.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
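A pre-flight check for the point made in the reply above, added here as an example and not code from either poster: the debug line shows testsaslauthd asking for the default service "imap", so before testing, confirm that the service principal the test will name (service/fqdn@REALM) actually exists in the keytab the kerberos5 mechanism verifies against, and otherwise pass a service you do have with testsaslauthd's -s flag. The host FQDN baneling.harmonywave.com, the realm HARMONYWAVE.COM and the keytab path are assumptions (the thread does not state them), and the klist -kt listing is constructed sample output; in real use substitute `klist -kt /etc/krb5.keytab`.

```shell
#!/bin/sh
# Added example, not from the thread. Checks whether the service principal that
# testsaslauthd will request (default service "imap") is present in the keytab,
# and prints a testsaslauthd invocation using the first service that is.
#
# Assumptions (not stated in the thread): FQDN baneling.harmonywave.com,
# realm HARMONYWAVE.COM, keytab /etc/krb5.keytab. The listing below is
# constructed to look like "klist -kt" output; it is not a real keytab.
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/15/2014 10:22:01 host/baneling.harmonywave.com@HARMONYWAVE.COM
   2 01/15/2014 10:22:01 ldap/baneling.harmonywave.com@HARMONYWAVE.COM'

# service_principal SERVICE FQDN REALM -> prints SERVICE/FQDN@REALM
service_principal() {
    printf '%s/%s@%s\n' "$1" "$2" "$3"
}

# has_service_principal LISTING SERVICE FQDN REALM
# Returns 0 if the klist -kt listing contains SERVICE/FQDN@REALM.
# The principal is the last whitespace-separated field of each entry line;
# the "Keytab name:" and column-header lines never match a real principal.
has_service_principal() {
    _listing=$1
    _princ=$(service_principal "$2" "$3" "$4")
    printf '%s\n' "$_listing" |
        awk -v p="$_princ" '$NF == p { found = 1 } END { exit found ? 0 : 1 }'
}

# suggest_testsaslauthd LISTING FQDN REALM USER SERVICE...
# Prints a testsaslauthd command for the first SERVICE that has a keytab
# entry (testsaslauthd's -s flag selects the service name it sends);
# returns 1 if none of the candidates is present.
suggest_testsaslauthd() {
    _listing=$1; _fqdn=$2; _realm=$3; _user=$4
    shift 4
    for _svc in "$@"; do
        if has_service_principal "$_listing" "$_svc" "$_fqdn" "$_realm"; then
            printf 'testsaslauthd -u %s -s %s -p <password>\n' "$_user" "$_svc"
            return 0
        fi
    done
    printf 'no keytab entry for any of: %s (add one with kadmin ktadd, or test with a service you have)\n' "$*" >&2
    return 1
}

# Demo: "imap" (the testsaslauthd default) is absent from the sample keytab,
# so the first usable candidate is "host".
suggest_testsaslauthd "$SAMPLE_KEYTAB_LISTING" baneling.harmonywave.com HARMONYWAVE.COM jschaeffer imap host ldap
# prints: testsaslauthd -u jschaeffer -s host -p <password>
```

If the check fails for every service you care about, the fix is on the KDC side (create the service principal and `ktadd` it into the keytab saslauthd reads), not in saslauthd; once imap/fqdn@REALM exists, the plain `testsaslauthd -u user -p password` from the original post should succeed.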