Thanks! That has got me to a solution
On my C5/C6 boxes running
ldapwhoami -d -1 -H ldaps://ldap.foobar.org -Y DIGEST-MD5 -U per2 -W
worked giving:
SASL/DIGEST-MD5 authentication started
SASL username: per2
SASL SSF: 0
u:FOOBAR\per2
But on my C7 machines I would get
SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: 80090303: LdapErr: DSID-0C090520, comment: The digest-uri does not match any LDAP SPN's registered for this server., data 0, v1db1
Looking at the debug output on the C5/C6 boxes I saw in the dump section
something that said
digest-uri="ldap/dc8.foobar.org"
while in the same section on a C7 box I saw
digest-uri="ldap/ldap.foobar.org"
A "host ldap.partners.org" gives back 4 IP addresses which match the dc8, dc3, dc12, and dc10 actual host names.
If I run
ldapwhoami -d -1 -H ldaps://dc8.foobar.org -Y DIGEST-MD5 -U per2 -W
on the C7 box it works fine. If I change /etc/saslauthd.conf to
use dc8.foobar.org it works fine for testsaslauthd too. The
only issue doing this is I lose high availability. But I
can actually list them explicitly in the "ldap_servers:" line
so I can get around that.
Any idea why on C7 the DIGEST-MD5 thing going on does not set
digest-uri like it does on C6? I guess that is really a question
for the openldap devs.
Thanks again
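As an added illustration (not code from this thread, nor from cyrus-sasl or OpenLDAP): the two digest-uri values seen in the debug dumps, modelled with a constructed DNS view and checked against a constructed set of registered SPNs, together with the RFC 2831 response computation, which shows that digest-uri is hashed into the client's proof and so cannot be silently ignored by the server. The canonicalizing versus literal-host split is modelled on OpenLDAP's SASL_NOCANON setting in ldap.conf; that this is the actual C6/C7 difference is an assumption, not something the thread establishes.

```python
import hashlib

# Constructed DNS view mirroring the thread: the alias round-robins over
# four domain controllers, each address reverse-resolving to a DC hostname.
A_RECORDS = {
    "ldap.foobar.org": ["192.0.2.8", "192.0.2.3", "192.0.2.12", "192.0.2.10"],
    "dc8.foobar.org": ["192.0.2.8"],
}
PTR_RECORDS = {"192.0.2.8": "dc8.foobar.org", "192.0.2.3": "dc3.foobar.org",
               "192.0.2.12": "dc12.foobar.org", "192.0.2.10": "dc10.foobar.org"}
# SPNs the AD side is assumed to know for these DCs; the alias has none.
REGISTERED_SPNS = {f"ldap/{h}" for h in PTR_RECORDS.values()}


def digest_uri_for(uri_host, canonicalize):
    """digest-uri the client sends: 'ldap/<host>'. With canonicalization
    (assumed SASL_NOCANON off) the host is the reverse-resolved name of the
    address actually connected to; without it the literal URI host is used."""
    if canonicalize:
        uri_host = PTR_RECORDS[A_RECORDS[uri_host][0]]
    return f"ldap/{uri_host}"


def spn_accepted(digest_uri):
    """Server-side check behind the 'does not match any LDAP SPN' error."""
    return digest_uri in REGISTERED_SPNS


def digest_md5_response(user, realm, password, nonce, cnonce, nc, qop, digest_uri):
    """RFC 2831 response-value; digest-uri is part of A2, so the server must
    know which URI to expect in order to verify the client's proof."""
    h = lambda b: hashlib.md5(b).digest()
    hx = lambda b: hashlib.md5(b).hexdigest()
    a1 = h(f"{user}:{realm}:{password}".encode()) + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    if qop in ("auth-int", "auth-conf"):
        a2 += b":" + b"0" * 32
    return hx(f"{hx(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{hx(a2)}".encode())


def compare_clients(uri_host="ldap.foobar.org"):
    """Return {label: (digest_uri, accepted, response)} for both behaviours;
    user, realm, password and nonces are constructed values."""
    out = {}
    for label, canon in (("canonicalizing", True), ("literal-host", False)):
        uri = digest_uri_for(uri_host, canon)
        resp = digest_md5_response("per2", "FOOBAR", "s3cret", "srvnonce",
                                   "clinonce", "00000001", "auth", uri)
        out[label] = (uri, spn_accepted(uri), resp)
    return out
```

`compare_clients()` reproduces the thread's split: the canonicalizing client sends `ldap/dc8.foobar.org` and is accepted, the literal-host client sends `ldap/ldap.foobar.org` and is rejected, and the two response hashes differ.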
On Fri, 28 Sep 2018 2:36pm, Dan White wrote:
On 09/27/18 16:04 -0400, Paul Raines wrote:
I have a saslauthd server running on a CentOS6 system that I want
to upgrade to CentOS7. On the CentOS6 system I have /etc/saslauthd.conf
set as (domain changed):
ldap_servers: ldaps://ldap.foobar.org
ldap_use_sasl: yes
ldap_mech: DIGEST-MD5
and saslauthd is run as
/usr/sbin/saslauthd -m /run/saslauthd -a ldap -O /etc/saslauthd.conf
The LDAP server is the LDAP portal of the corporate AD server.
This works fine as 'testsaslauthd -s ldap ...' succeeds. This
same config worked when it was on a CentOS5 system.
When I set up this identical config on a test CentOS7 system the
testsaslauthd always fails. Debug output is
Aug 24 11:05:42 hound saslauthd[118834]: DIGEST-MD5 client step 2
Aug 24 11:05:42 hound saslauthd[118834]: DIGEST-MD5 parse_server_challenge()
Aug 24 11:05:42 hound saslauthd[118834]: DIGEST-MD5 ask_user_info()
Aug 24 11:05:42 hound saslauthd[118834]: DIGEST-MD5 client step 2
Aug 24 11:05:42 hound saslauthd[118834]: DIGEST-MD5 ask_user_info()
Aug 24 11:05:42 hound saslauthd[118834]: DIGEST-MD5 make_client_response()
Aug 24 11:05:42 hound saslauthd[118834]: Authentication failed for per2: Bind to ldap server failed (invalid user/password or insufficient access) (-7)
Aug 24 11:05:42 hound saslauthd[118834]: do_auth : auth failure: [user=per2] [service=ldap] [realm=] [mech=ldap] [reason=Unknown]
I have tried ldap_auth_method with 'bind' and 'fastbind' and
ldap_use_sasl set to no, but every combo fails.
It does work to use a /etc/saslauthd.conf with explicit credentials such
as
ldap_servers: ldaps://ldap.foobar.org
ldap_search_base: dc=foobar,dc=org
ldap_filter: (sAMAccountName=%u)
ldap_bind_dn: cn=myuid,cn=users,dc=foobar,dc=org
ldap_password: *********
but I don't like putting my password in a config file and also having to
remember to change it every time the password changes in AD.
Does anyone have any ideas why the initial setup does not work
in CentOS7?
Check your DNS settings.
Trouble shoot this by using the ldap client utilities directly:
ldapwhoami -d -1 -H ldaps://ldap.foobar.org -Y DIGEST-MD5 -U per2 -W