Is there an alternative to {KERBEROS} passwords in current versions of slapd(8)?
Beginning with OpenLDAP 2.1.23, the --enable-kpasswd configuration option has been removed. If you've been using this so that you can have userPassword attributes that look like {KERBEROS}principal@MY.KERBEROS.REALM, the alternative is to use the --enable-spasswd configuration option and saslauthd and the {SASL} password scheme.
I tried to do this and ran into a number of minor issues, which I will try to document here. The main symptom was that simple binds returned an "Invalid credentials (49)" message.
Assuming you've already built Cyrus SASL you should have saslauthd. It may live in /usr/[local]/sbin/saslauthd, depending on your local environment. You need to be sure that the socket path (/usr/state/saslauthd/ was the default in my installation, but may be different for you) exists. The user that slapd runs as needs to have read/write access to this path. Start saslauthd like:
  /usr/local/sbin/saslauthd -a kerberos5
There are other options, including credential caching options (see the man page) that you may want to use.
You can test your saslauthd using the testsaslauthd program. This can be built by going to the saslauthd/ directory in the Cyrus SASL source distribution and running "make testsaslauthd". Run it like:
  testsaslauthd -u username -p password
You may also need to provide the -r realm option if you're not using your default realm.
If you get a response like:
  size read failed
And your syslog has messages like:
  saslauthd[30397]: auth_krb5: krb5_get_init_creds_password
  saslauthd[30397]: do_auth: auth failure: [user=username]
    [realm=MY.KERBEROS.REALM] [mech=kerberos5]
    [reason=saslauthd internal error]
Then you may need a host service principal in your /etc/krb5.keytab (e.g. host/my.server.fqdn@MY.KERBEROS.REALM). In my case I only had the ldap service principal. Use ktutil to install this (back up your keytab file first).
Otherwise you should get a response like:
  0: OK "Success."
If you get this far, but are still getting invalid credential messages from slapd, be sure you have a /usr/[local]/lib/sasl2/slapd.conf file. At minimum, this should contain:
  pwcheck_method: saslauthd
If you're not using the default saslauthd socket path, it may also need a line like:
  saslauthd_path: /var/state/saslauthd/mux
See also the doc/options.html document that comes with Cyrus SASL.
At this point, I could do simple binds where I previously had a {KERBEROS} userPassword by changing that to {SASL}.
Hope this helps -- please use this info at your own risk; I do not warrant that it will work for you. ALSO NOTE THAT ALL OF THIS IS IN GENERAL DISCOURAGED AND SHOULD BE USED ONLY WHEN THE CLIENT DOES NOT SUPPORT A MORE SECURE AUTHENTICATION CAPABILITY, AND YOU'RE STUCK DOING SIMPLE BINDS, AND WANT TO BE ABLE TO USE KERBEROS AUTHENTICATION OF CREDENTIALS. See the openldap-software list archives for much discussion of this.
Finally I would *strongly* suggest that you configure your ldap server to allow simple binds only for SSL/TLS protected connections.
Be careful that you don't have any trailing spaces in your /usr/[local]/lib/sasl2/slapd.conf file.
I had one on my 'saslauthd_path:' line and spent the better part of the day wondering why things had stopped working.
This error can also occur if your hostname is incorrect or if the entry for your host's IP address in /etc/hosts is incorrect.
For example, my server had an entry in /etc/hosts like: x.x.x.x myserver.example.com.example.com
It should have read: x.x.x.x myserver.example.com
jeff@jeffrodriguez.com
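As an added example (not part of the FAQ answer or the comments above), a POSIX shell script that checks for the two silent misconfigurations described here: trailing whitespace or a missing pwcheck_method in the SASL slapd.conf, and an /etc/hosts entry whose name does not match the server's FQDN (such as the doubled-domain form). The config path and FQDN are parameters because they differ per platform; the file names in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not part of the FAQ answer or its comments: pre-flight
# checks for the slapd + saslauthd setup described above. The SASL config
# path is a parameter because it varies (/usr/lib/sasl2, /etc/sasl2, ...).
# Usage: . ./check_slapd_sasl.sh; check_sasl_slapd_conf /etc/sasl2/slapd.conf

# check_sasl_slapd_conf FILE
# Succeeds when FILE hands password checks to saslauthd and carries no
# trailing whitespace, which otherwise breaks option parsing silently.
check_sasl_slapd_conf() {
    conf="$1"
    [ -r "$conf" ] || { echo "missing or unreadable: $conf" >&2; return 1; }
    if grep -n '[[:space:]]$' "$conf" >&2; then
        echo "trailing whitespace in $conf on the line(s) above" >&2
        return 1
    fi
    if ! grep -q '^pwcheck_method:[[:space:]]*saslauthd$' "$conf"; then
        echo "$conf does not set 'pwcheck_method: saslauthd'" >&2
        return 1
    fi
    # If a socket path is configured, saslauthd must actually be listening there.
    sock=$(sed -n 's/^saslauthd_path:[[:space:]]*//p' "$conf")
    if [ -n "$sock" ] && [ ! -S "$sock" ]; then
        echo "no saslauthd socket at $sock; is saslauthd running?" >&2
        return 1
    fi
    return 0
}

# check_hosts_entry HOSTSFILE FQDN
# Succeeds when FQDN is listed as a name for some address in HOSTSFILE.
# The doubled-domain entry (host.example.com.example.com) fails with a hint.
check_hosts_entry() {
    hosts="$1" fqdn="$2"
    awk -v want="$fqdn" '
        /^[[:space:]]*#/ || NF < 2 { next }          # skip comments and blank lines
        { for (i = 2; i <= NF; i++) {
              if ($i == want) { found = 1; exit }
              if (index($i, want ".") == 1) suspect = $i
          } }
        END {
            if (!found && suspect)
                print "hint: " suspect " looks like a doubled domain" > "/dev/stderr"
            exit found ? 0 : 1
        }' "$hosts"
}
```

Both functions return non-zero and print the reason to stderr, so they can be run from a deployment script before restarting slapd.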
Note that Red Hat has relocated the sasl configuration files; look in /etc/sasl2 instead of /usr/lib/sasl2.
Once I figured that out, making this work was trivial.
danpritts@yahoo.com
adding search bait for previous answer: RHEL RHEL5 SASL /usr/lib/sasl.
Also, Francis Swasey notes on openldap-software mailing lists that he had to put the files in /usr/lib64/sasl. I'm guessing either the /usr/lib or /etc/sasl2 location will work.
danpritts@yahoo.com
This document is: http://www.openldap.org/faq/index.cgi?file=944
This is a Faq-O-Matic 2.721.test.
© Copyright 1998-2013, OpenLDAP Foundation, info@OpenLDAP.org