Kalle Kivistö
2005-Aug-26 07:44 UTC
[Fedora-directory-users] Problems with sasl authentication
Howdy, I've tried unsuccessfully to get DS to authenticate users with sasl. I have a slapd.conf in /var/lib/sasl2 that looks like this:

pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux

and a sasl-mapping that looks like this:

Regex: .*
Search Base DN: ou=People, dc=my, dc=domain, dc=fi
Search Filter: (uid=&)

It looks like the sasl-mapping is ignored, and saslauthd with debugging on shows no authentication requests. When I run testsaslauthd with valid user information it seems to authenticate just fine. Does anybody have any hints, or an example of a working setup?
David Boreham
2005-Aug-26 12:02 UTC
Re: [Fedora-directory-users] Problems with sasl authentication
FDS supports two SASL authentication mechanisms at present:

EXTERNAL
GSSAPI

It doesn't use the /var/lib/sasl2/slapd.conf configuration style.

Kalle Kivistö wrote:
> Howdy,
>
> I've tried unsuccessfully to get DS to authenticate users with sasl.
> I have a slapd.conf in /var/lib/sasl2 that looks like this:
>
> pwcheck_method: saslauthd
> saslauthd_path: /var/run/saslauthd/mux
>
> and a sasl-mapping that looks like this:
>
> Regex: .*
> Search Base DN: ou=People, dc=my, dc=domain, dc=fi
> Search Filter: (uid=&)
>
> It looks like the sasl-mapping is ignored, and saslauthd with debugging
> on shows no authentication requests. When I run testsaslauthd with valid
> user information it seems to authenticate just fine. Does anybody have
> any hints, or an example of a working setup?
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
Kalle Kivistö
2005-Aug-30 05:37 UTC
Re: [Fedora-directory-users] Problems with sasl authentication
On Fri, 2005-08-26 at 06:02 -0600, David Boreham wrote:
> FDS supports two SASL authentication mechanisms at present:
>
> EXTERNAL
> GSSAPI
>
> It doesn't use the /var/lib/sasl2/slapd.conf configuration style.

Hmm... What I'm trying to accomplish here is a configuration where users authenticate to the ldap server with username/password (no kerberos ticket) and their password is checked from kerberos. Is this possible to do with the standard plugins? I've had a hard time trying to figure out how to do this... =) The idea in this is that we'd like to have a single service for authenticating users, even for services that do not support kerberos. If it's not possible, I'll look into writing a plugin that does this.
David Boreham
2005-Aug-30 12:51 UTC
Re: [Fedora-directory-users] Problems with sasl authentication
> Hmm... What I'm trying to accomplish here is a configuration where users
> authenticate to the ldap server with username/password (no kerberos
> ticket) and their password is checked from kerberos. Is this possible
> to do with the standard plugins? I've had a hard time trying to figure
> out how to do this... =) The idea in this is that we'd like to have
> a single service for authenticating users, even for services that do not
> support kerberos.

This isn't supported in the current code.

> If it's not possible, I'll look into writing a plugin that does this.

Sounds good. First you'd need to figure out how to perform a proxied authentication against kerberos. With the existing SASL/GSSAPI mechanism we don't need to do that because we're simply passing through the authentication payload between GSSAPI and the client. Presumably you'd need to do whatever 'kinit' does, but inside the DS.
Rich Megginson
2005-Aug-30 13:03 UTC
Re: [Fedora-directory-users] Problems with sasl authentication
David Boreham wrote:
>> Hmm... What I'm trying to accomplish here is a configuration where users
>> authenticate to the ldap server with username/password (no kerberos
>> ticket) and their password is checked from kerberos. Is this possible
>> to do with the standard plugins? I've had a hard time trying to figure
>> out how to do this... =) The idea in this is that we'd like to have
>> a single service for authenticating users, even for services that do not
>> support kerberos.
>
> This isn't supported in the current code.

If you just want to do LDAP SIMPLE BINDs with username/password (hopefully over a TLS connection), and use the Kerberos password instead of the userPassword attribute, you can use the PAM passthru bind plugin. You will have to grab the Fedora DS source and build it. What this does is pass the BIND authentication request to PAM, which you can configure to go to Kerberos for authentication.

>> If it's not possible, I'll look into writing a plugin that does this.
>
> Sounds good. First you'd need to figure out how to perform a proxied
> authentication against kerberos. With the existing SASL/GSSAPI mechanism
> we don't need to do that because we're simply passing through the
> authentication payload between GSSAPI and the client. Presumably you'd
> need to do whatever 'kinit' does, but inside the DS.
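The PAM pass-through setup Rich describes, as an added worked example that is not part of the thread and not the Fedora DS project's own code. It generates the two pieces of configuration involved: a PAM service file that delegates to pam_krb5, and an LDIF that enables the plugin for SIMPLE BINDs. The plugin entry DN (cn=PAM Pass Through Auth,cn=plugins,cn=config) and the attribute names (pamService, pamIDMapMethod, pamSecure, pamFallback, pamExcludeSuffix) are assumed from the plugin documentation that shipped with later Fedora/389 Directory Server releases; the 2005 source build Rich mentions may differ, so check the plugin's schema before applying. The suffix and People OU come from Kalle's original post; the PAM service name "ldapserver", the host and port, and the account used in the final test are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or the Fedora DS project).
# Generates and applies the config for the PAM pass-through bind plugin so
# that an LDAP SIMPLE BIND is checked against Kerberos via pam_krb5 instead
# of the entry's userPassword attribute.
#
# Assumptions (verify against your DS version's plugin docs):
#  - plugin entry: cn=PAM Pass Through Auth,cn=plugins,cn=config
#  - attributes pamService, pamIDMapMethod, pamSecure, pamFallback,
#    pamExcludeSuffix as documented for the later 389 DS plugin
#  - pam_krb5.so is installed and /etc/krb5.conf already points at the KDC
#  - suffix dc=my,dc=domain,dc=fi with ou=People, as in the original post

PAM_SERVICE="ldapserver"        # placeholder name for the /etc/pam.d file
SUFFIX="dc=my,dc=domain,dc=fi"

# PAM stack the DS will call. Only pam_krb5 decides; no pam_unix line, so
# a stale local /etc/shadow entry can never satisfy the bind.
pam_service_conf() {
    cat <<EOF
auth    required pam_krb5.so
account required pam_krb5.so
EOF
}

# LDIF enabling the plugin.
#  pamIDMapMethod: RDN  -> the RDN value of the bind DN (uid=kalle) is the
#                          principal name handed to PAM
#  pamSecure: TRUE      -> refuse to forward a password that arrived in the
#                          clear (the "hopefully over TLS" point above)
#  pamFallback: FALSE   -> a KDC rejection is final; do not retry against
#                          userPassword, which would let an old local
#                          password bypass Kerberos
#  pamExcludeSuffix     -> never send cn=config binds (Directory Manager) to PAM
pam_passthru_ldif() {
    cat <<EOF
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
-
replace: pamService
pamService: $PAM_SERVICE
-
replace: pamIDMapMethod
pamIDMapMethod: RDN
-
replace: pamSecure
pamSecure: TRUE
-
replace: pamFallback
pamFallback: FALSE
-
replace: pamExcludeSuffix
pamExcludeSuffix: cn=config
EOF
}

# Pre-flight check: returns 0 only if the generated config keeps the two
# settings that matter for security (no cleartext forwarding, no fallback)
# and the PAM stack actually routes to Kerberos.
check_config() {
    ldif=$(pam_passthru_ldif)
    printf '%s\n' "$ldif" | grep -q '^pamSecure: TRUE$'    || return 1
    printf '%s\n' "$ldif" | grep -q '^pamFallback: FALSE$' || return 1
    pam_service_conf | grep -q 'pam_krb5\.so'             || return 1
    return 0
}

# Apply on the DS host as root: write the PAM service, load the LDIF as
# Directory Manager, then restart the instance. DS_HOST/DS_PORT are
# placeholders for your instance.
apply_config() {
    DS_HOST="${DS_HOST:-localhost}"
    DS_PORT="${DS_PORT:-389}"
    check_config || { echo "generated config failed sanity check" >&2; return 1; }
    pam_service_conf > "/etc/pam.d/$PAM_SERVICE"
    pam_passthru_ldif | ldapmodify -x -H "ldap://$DS_HOST:$DS_PORT" \
        -D "cn=Directory Manager" -W
    echo "restart the DS instance, then test a user bind over StartTLS:"
    echo "  ldapsearch -x -ZZ -H ldap://$DS_HOST:$DS_PORT" \
         "-D uid=kalle,ou=People,$SUFFIX -W -b $SUFFIX '(uid=kalle)'"
}
```

Usage: source the file and run apply_config on the directory server host; check_config can be run anywhere to inspect the generated LDIF and PAM stack first. The test bind uses -ZZ so that it fails rather than silently sending the password in the clear, which is also the only kind of bind pamSecure: TRUE will forward.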