Re: same SASL config that works on CentOS5 & 6 fails on CentOS7

Thanks!  That has got me to a solution

On my C5/C6 boxes running

ldapwhoami -d -1 -H ldaps://ldap.foobar.org -Y DIGEST-MD5 -U per2 -W

worked giving:

SASL/DIGEST-MD5 authentication started
SASL username: per2
SASL SSF: 0
u:FOOBAR\per2

But on my C7 machines I would get

SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: 80090303: LdapErr: DSID-0C090520, comment: The digest-uri does not match any LDAP SPN's registered for this server., data 0, v1db1

Looking at the debug output on the C5/C6 boxes I saw in the dump section
something that said

digest-uri="ldap/dc8.foobar.org"

while in the same section on a C7 box I saw

digest-uri="ldap/ldap.foobar.org"

A "host ldap.partners.org" gives back 4 IP addresses which match
the dc8, dc3, dc12, and dc10 actual host names.

If I run

ldapwhoami -d -1 -H ldaps://dc8.foobar.org -Y DIGEST-MD5 -U per2 -W

on the C7 box it works fine.  If I change /etc/saslauthd.conf to
use dc8.foobar.org it works fine for testsaslauthd too.  The
only issue doing this is I lose high availability.  But I
can actually list them explicitly in the "ldap_servers:" line
so I can get around that.

Any idea why on C7 the DIGEST-MD5 thing going on does not set
digest-uri like it does on C6?  I guess that is really a question
for the openldap devs.

Thanks again



On Fri, 28 Sep 2018 2:36pm, Dan White wrote:

On 09/27/18 16:04 -0400, Paul Raines wrote:
I have a saslauthd server running on a CentOS6 system that I want
to upgrade to CentOS7.  On the CentOS6 system I have /etc/saslauthd.conf
set as (domain changed):

ldap_servers: ldaps://ldap.foobar.org
ldap_use_sasl: yes
ldap_mech: DIGEST-MD5

and saslauthd is run as

/usr/sbin/saslauthd -m /run/saslauthd -a ldap -O /etc/saslauthd.conf

The LDAP server is the LDAP portal of the corporate AD server.

This works fine as 'testsaslauthd -s ldap ...' succeeds.  This
same config worked when it was on a CentOS5 system.

When I set up this identical config on a test CentOS7 system the
testsaslauthd always fails.  Debug output is

Aug 24 11:05:42 hound saslauthd[118834]: DIGEST-MD5 client step 2
Aug 24 11:05:42 hound saslauthd[118834]: DIGEST-MD5 parse_server_challenge()
Aug 24 11:05:42 hound saslauthd[118834]: DIGEST-MD5 ask_user_info()
Aug 24 11:05:42 hound saslauthd[118834]: DIGEST-MD5 client step 2
Aug 24 11:05:42 hound saslauthd[118834]: DIGEST-MD5 ask_user_info()
Aug 24 11:05:42 hound saslauthd[118834]: DIGEST-MD5 make_client_response()
Aug 24 11:05:42 hound saslauthd[118834]: Authentication failed for per2: Bind to ldap server failed (invalid user/password or insufficient access) (-7)
Aug 24 11:05:42 hound saslauthd[118834]: do_auth : auth failure: [user=per2] [service=ldap] [realm=] [mech=ldap] [reason=Unknown]

I have tried ldap_auth_method with 'bind' and 'fastbind' and
ldap_use_sasl set to no, but every combo fails.

It does work to use a /etc/saslauthd.conf with explicit credentials such
as

ldap_servers: ldaps://ldap.foobar.org
ldap_search_base: dc=foobar,dc=org
ldap_filter: (sAMAccountName=%u)
ldap_bind_dn: cn=myuid,cn=users,dc=foobar,dc=org
ldap_password: *********

but I don't like putting my password in a config file and also having to remember to change it every time the password changes in AD

Does anyone have any ideas why the initial setup does not work
in CentOS7?

Check your DNS settings.

Troubleshoot this by using the ldap client utilities directly:

ldapwhoami -d -1 -H ldaps://ldap.foobar.org -Y DIGEST-MD5 -U per2 -W
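An added example (not code from the thread or from Cyrus SASL) that models the diagnosis above: it pulls the digest-uri out of an ldapwhoami -d -1 dump, compares it with the SPNs the domain controllers behind the alias would hold, and builds the explicit ldap_servers line that keeps failover. The DNS data and dump excerpts are constructed inline to stand in for real lookups, and it assumes each controller registers ldap/<its canonical host name>, which is what the working C6 dump implies.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed stand-in for DNS: the round-robin alias from the thread and the
# reverse (PTR) records of the four domain controllers behind it.
ALIAS_TO_IPS: Dict[str, List[str]] = {
    "ldap.foobar.org": ["192.0.2.8", "192.0.2.3", "192.0.2.12", "192.0.2.10"],
}
IP_TO_PTR: Dict[str, str] = {
    "192.0.2.8": "dc8.foobar.org",
    "192.0.2.3": "dc3.foobar.org",
    "192.0.2.12": "dc12.foobar.org",
    "192.0.2.10": "dc10.foobar.org",
}

# Constructed excerpts of the `ldapwhoami -d -1` dump section from each box.
C6_DUMP = 'username="per2",realm="FOOBAR",digest-uri="ldap/dc8.foobar.org"'
C7_DUMP = 'username="per2",realm="FOOBAR",digest-uri="ldap/ldap.foobar.org"'

DIGEST_URI_RE = re.compile(r'digest-uri="([^"]+)"')


def digest_uri_from_dump(dump: str) -> Optional[str]:
    """Pull the digest-uri the client sent out of the debug dump text."""
    m = DIGEST_URI_RE.search(dump)
    return m.group(1) if m else None


def canonical_hosts(alias: str) -> List[str]:
    """Real host names behind the alias: PTR of each address it resolves to."""
    return [IP_TO_PTR[ip] for ip in ALIAS_TO_IPS.get(alias, [])]


def registered_spns(alias: str) -> Set[str]:
    """SPNs the controllers hold, assuming each registers ldap/<own name>."""
    return {f"ldap/{host}" for host in canonical_hosts(alias)}


def digest_uri_matches(dump: str, alias: str) -> bool:
    """True when the client's digest-uri is one the servers behind alias hold."""
    uri = digest_uri_from_dump(dump)
    return uri is not None and uri in registered_spns(alias)


def ldap_servers_line(alias: str, scheme: str = "ldaps") -> str:
    """saslauthd.conf line listing the controllers explicitly (keeps failover)."""
    uris = " ".join(f"{scheme}://{host}" for host in canonical_hosts(alias))
    return f"ldap_servers: {uris}"
```

Feeding the C7 dump through digest_uri_matches reproduces the "digest-uri does not match any LDAP SPN" failure, while the C6 dump passes; ldap_servers_line gives the explicit server list that avoids the alias without giving up the other controllers.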
