From: Aleksandar Milivojevic (no email)
Date: Thu Dec 30 2004 - 14:23:40 EST
Jeremy Rumpf wrote:
> [snip]
>
>>Saslauthd is started as "saslauthd -a kerberos5 -r"
>>
>>I have host/foobar.domain.com/REALM1 and host/foobar.domain.com/REALM2
>>keys in krb5.keytab file.
>>
>>On the KDC for REALM2, the error that gets logged is:
>
>
> Try saslauthd without the -r switch. This causes it to append the username and
> realm together for mechs that aren't realm aware.
I've attempted it without -r (I forgot to mention that in my first mail),
with the same results. Anyhow, I need to have the -r switch, otherwise things
don't work at all.
The reason behind the need for the -r switch is that the saslauthd in question
is used only by the OpenLDAP slapd daemon, through use of {SASL}user@REALM as
the userPassword attribute (instructing slapd to use saslauthd to check the
password). That is also the mechanism by which the correct Kerberos realm is
chosen for the user. For some reason, when not using the -r switch, things
do not work at all. In the logs I can see that the username and realm are
correctly passed to saslauthd, but password verification fails unless
saslauthd is started with the -r switch. I would expect that saslauthd
would do "the right thing" internally when kerberos5 is used for
password verification, but it doesn't.
--
Aleksandar Milivojevic <>        Pollard Banknote Limited
Systems Administrator            1499 Buffalo Place
Tel: (204) 474-2323 ext 276      Winnipeg, MB R3T 1L7