Re: using saslauthd to authenticate against multiple kerberos realms

From: Aleksandar Milivojevic (no email)
Date: Thu Dec 30 2004 - 14:23:40 EST

  • Next message: Philipp Schwab: "Re: saslpasswd2 and sasldblistusers2: error: /etc/sasldb2"

    Jeremy Rumpf wrote:
    > [snip]
    >
    >>Saslauthd is started as "saslauthd -a kerberos5 -r"
    >>
    >>I have host/foobar.domain.com/REALM1 and host/foobar.domain.com/REALM2
    >>keys in krb5.keytab file.
    >>
    >>On the KDC for REALM2, the error that gets logged is:
    >
    >
    > Try saslauthd without the -r switch. This causes it to append the username and
    > realm together for mechs that aren't realm aware.

    I've attempted it without -r (forgot to mention that in my first mail),
    with the same results. Anyhow, I need to have the -r switch, otherwise
    things don't work at all.

    The reason behind the need for the -r switch is that the saslauthd in
    question is used only by the OpenLDAP slapd daemon, through use of
    {SASL}user@REALM as the userPassword attribute (instructing slapd to use
    saslauthd to check the password). That is also the mechanism by which
    the correct Kerberos realm is chosen for the user. For some reason, when
    not using the -r switch, things are not working at all. In the logs I
    can see that the username and realm are correctly passed to saslauthd,
    but password verification fails unless saslauthd is started with the -r
    switch. I would expect that saslauthd would do "the right thing"
    internally when kerberos5 is used for password verification, but it
    doesn't.

    -- 
    Aleksandar Milivojevic <>    Pollard Banknote Limited
    Systems Administrator                           1499 Buffalo Place
    Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
    
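The setup described in the message above (slapd storing `{SASL}user@REALM` in userPassword, saslauthd -a kerberos5 verifying against a keytab that must hold a host key for every realm in play) is easy to get half right. The following is an added example, not code from the thread or from Cyrus SASL or OpenLDAP: it parses `{SASL}` userPassword values out of a constructed LDIF dump, parses a constructed `klist -k` listing of the keytab, and reports which entries reference a realm for which no `host/<fqdn>@REALM` key exists, plus which entries carry no realm at all. The `saslauthd_view` helper models the -r behaviour as Jeremy describes it (login and realm combined into `login@REALM` for the mechanism); how the kerberos5 mechanism treats the realm beyond that is an assumption, not something the thread establishes. The host name `foobar.domain.com`, the realm names, and the sample entries are all constructed.

```python
"""Cross-check {SASL}login@REALM pass-through entries against a multi-realm
krb5.keytab. Added example for the thread; all inputs below are constructed."""
import re

# Constructed LDIF fragment as slapd might store it (not from the thread).
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=domain,dc=com
uid: alice
userPassword: {SASL}alice@REALM1

dn: uid=bob,ou=people,dc=domain,dc=com
uid: bob
userPassword: {SASL}bob@REALM2

dn: uid=carol,ou=people,dc=domain,dc=com
uid: carol
userPassword: {SASL}carol@REALM3

dn: uid=dave,ou=people,dc=domain,dc=com
uid: dave
userPassword: {SASL}dave
"""

# Constructed `klist -k /etc/krb5.keytab` output: host keys for two realms,
# matching the situation in the thread (REALM3 is deliberately absent).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/foobar.domain.com@REALM1
   3 host/foobar.domain.com@REALM1
   2 host/foobar.domain.com@REALM2
"""

SASL_RE = re.compile(r"^\{SASL\}(?P<login>[^@\s]+)(?:@(?P<realm>[^@\s]+))?$")
KEYTAB_LINE_RE = re.compile(r"^\s*\d+\s+(?P<principal>\S+)\s*$")


def parse_sasl_userpassword(value):
    """Split a {SASL}login@REALM value into (login, realm).
    realm is None when no @REALM suffix is present; other password
    schemes ({SSHA}, cleartext, ...) return None."""
    m = SASL_RE.match(value.strip())
    if not m:
        return None
    return m.group("login"), m.group("realm")


def saslauthd_view(login, realm, combine_realm):
    """What the authentication mechanism sees for this user.
    With -r (combine_realm=True) saslauthd hands over 'login@REALM';
    without it login and realm are passed separately. This models the
    behaviour described in the thread; it is an assumption about saslauthd
    internals, not a transcript of its code."""
    if combine_realm and realm:
        return f"{login}@{realm}", realm
    return login, realm or ""


def ldif_sasl_users(ldif_text):
    """Return (dn, login, realm) for every entry whose userPassword uses the
    {SASL} pass-through scheme. Entries using other schemes are ignored."""
    users = []
    for record in re.split(r"\n\s*\n", ldif_text.strip()):
        dn = None
        for line in record.splitlines():
            if line.startswith("dn: "):
                dn = line[4:].strip()
            elif line.startswith("userPassword: ") and dn:
                parsed = parse_sasl_userpassword(line[len("userPassword: "):])
                if parsed:
                    users.append((dn,) + parsed)
    return users


def keytab_realms(klist_text, fqdn):
    """Realms for which the keytab holds a host/<fqdn>@REALM key, parsed
    from `klist -k` output (header and separator lines are skipped)."""
    wanted = f"host/{fqdn}@"
    realms = set()
    for line in klist_text.splitlines():
        m = KEYTAB_LINE_RE.match(line)
        if m and m.group("principal").startswith(wanted):
            realms.add(m.group("principal")[len(wanted):])
    return realms


def check(ldif_text, klist_text, fqdn):
    """Classify each {SASL} entry: ok, no realm given, or realm without a
    matching host key in the keytab (password verification against that
    realm cannot succeed on this host)."""
    available = keytab_realms(klist_text, fqdn)
    report = {"ok": [], "no_realm": [], "missing_keytab": []}
    for dn, login, realm in ldif_sasl_users(ldif_text):
        if realm is None:
            report["no_realm"].append(dn)
        elif realm not in available:
            report["missing_keytab"].append((dn, realm))
        else:
            report["ok"].append((dn, realm))
    return report


if __name__ == "__main__":
    for kind, items in check(SAMPLE_LDIF, SAMPLE_KLIST, "foobar.domain.com").items():
        for item in items:
            print(f"{kind:15} {item}")
```

On a real system, feed it `slapcat` output and `klist -k /etc/krb5.keytab` instead of the constructed samples. The host key per realm matters because the kerberos5 mechanism does not merely obtain a ticket with the user's password; it verifies the obtained credentials against the local host key, so a user in a realm with no `host/<fqdn>@REALM` entry in the keytab will fail verification even with a correct password.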
