saslauthd as LDAP proxy with PLAIN passwords

akarypid at yahoo.gr
Mon Jan 11 04:57:38 EST 2016


NOTE: I am using Cyrus SASL 2.1.26 (self-compiled).

I want to authenticate against an ApacheDS LDAP server using SASL and my 
web searches seem to indicate there are 2 ways to do this:

1) saslauthd
2) ldapdb auxprop plugin

Now (2) seems to be coupled with openldap and some sort of rewriting 
rules on slapd, so I thought I'd go for (1) which to me seemed simpler.

Indeed, I *think* I've got this working. I tested it as follows:

$ testsaslauthd -f /tmp/mysasl/mux -u ldapuser -p secret
0: OK "Success."

$ testsaslauthd -f /tmp/mysasl/mux -u ldapuser -p wrongsecret
0: NO "authentication failed"

As far as I can tell, if something talks to saslauthd via the socket at 
/tmp/mysasl/mux, it will be able to use my ApacheDS.

Now, I am a bit confused as to the SERVER (in my case subversion) 
application talking to saslauthd. For subversion (based on what I've 
read) I created an "/usr/local/etc/svn.conf" as:

pwcheck_method: saslauthd
saslauthd_path: /tmp/mysasl/mux
mech_list: PLAIN

The problem is that when I run my client, I see this:

$ svn co svn://localhost:2008/trunk
svn: E170001: SASL(-4): no mechanism available: Internal Error -4 in 
../../lib/server.c near line 1757

I'm not sure why svnserve doesn't like my config. I'm pretty sure it's 
picked up, because I used strace to run svnserve, (I thought I may be 
editing the wrong config file) and:

$ strace svnserve --listen-port 2008 -r /tmp/testrepo
[...]
open("/usr/local/etc/svn.conf", O_RDONLY) = 3
[...]

So I'm pretty sure svnserve knows that it's supposed to use saslauthd, 
but it seems like it doesn't even *try* to talk to it: I ran saslauthd 
with "-d" to see what happens and nothing is logged!

When I test with testsaslauthd I see stuff like:

[...some local cache lookup...]
saslauthd[2514] :do_auth        : auth success: [user=ldapuser] 
[service=myservice] [realm=myrealm] [mech=ldap]
saslauthd[2514] :do_request      : response: OK

I expected there'd be some messages due to svnserve trying to 
authenticate, but there's nothing there...

Many thanks in advance to anyone who takes the time to respond with 
suggestions/explanations.
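
The exchange that testsaslauthd performs over the mux socket, as an added example that is not part of the original post: a Python client for the saslauthd Unix-socket request format, assuming the Cyrus SASL 2.1.x layout of four length-prefixed strings (login, password, service, realm) answered by one length-prefixed reply starting with OK or NO. fake_saslauthd, demo and the temporary socket path are constructed stand-ins so the block runs without a real daemon or LDAP server.

```python
import os, socket, struct, tempfile, threading

def pack_field(text):
    data = text.encode()
    return struct.pack("!H", len(data)) + data   # 16-bit big-endian length, then the bytes

def build_request(user, password, service, realm=""):
    # Assumed field order (Cyrus SASL 2.1.x): login, password, service, realm
    return b"".join(pack_field(f) for f in (user, password, service, realm))

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the socket early")
        buf += chunk
    return buf

def recv_field(sock):
    (n,) = struct.unpack("!H", recv_exact(sock, 2))
    return recv_exact(sock, n).decode(errors="replace")

def saslauthd_check(mux_path, user, password, service, realm=""):
    """Ask the daemon listening on mux_path to verify one plaintext password."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(mux_path)
        s.sendall(build_request(user, password, service, realm))
        reply = recv_field(s)
    return reply.startswith("OK"), reply

def fake_saslauthd(mux_path, accounts, requests=1):
    """Constructed stand-in for saslauthd: parses the four fields, answers OK or NO."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(mux_path)
    srv.listen(requests)
    def serve():
        for _ in range(requests):
            conn, _addr = srv.accept()
            with conn:
                user, password, _service, _realm = [recv_field(conn) for _i in range(4)]
                conn.sendall(pack_field("OK" if accounts.get(user) == password else "NO"))
        srv.close()
    threading.Thread(target=serve, daemon=True).start()

def demo():
    mux = os.path.join(tempfile.mkdtemp(), "mux")   # constructed path, not /tmp/mysasl/mux
    fake_saslauthd(mux, {"ldapuser": "secret"}, requests=2)   # constructed account
    return [saslauthd_check(mux, "ldapuser", pw, "myservice", "myrealm")
            for pw in ("secret", "wrongsecret")]
```

The password crosses the socket in cleartext and any local process that can open the mux can submit password checks, so the permissions on the directory holding the socket decide who can use it.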