same SASL config that works on CentOS5 & 6 fails on CentOS7
Paul Raines
raines at nmr.mgh.harvard.edu
Fri Sep 28 15:19:33 EDT 2018
Thanks! That has got me to a solution.
On my C5/C6 boxes running
ldapwhoami -d -1 -H ldaps://ldap.foobar.org -Y DIGEST-MD5 -U per2 -W
worked giving:
SASL/DIGEST-MD5 authentication started
SASL username: per2
SASL SSF: 0
u:FOOBAR\per2
But on my C7 machines I would get
SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: 80090303: LdapErr: DSID-0C090520, comment: The digest-uri does not match any LDAP SPN's registered for this server., data 0, v1db1
Looking at the debug output on the C5/C6 boxes I saw in the dump section
something that said
digest-uri="ldap/dc8.foobar.org"
while in the same section on a C7 box I saw
digest-uri="ldap/ldap.foobar.org"
A "host ldap.partners.org" gives back 4 IP addresses which match
the dc8, dc3, dc12, and dc10 actual host names.
If I run
ldapwhoami -d -1 -H ldaps://dc8.foobar.org -Y DIGEST-MD5 -U per2 -W
on the C7 box it works fine. If I change /etc/saslauthd.conf to
use dc8.foobar.org it works fine for testsaslauthd too. The
only issue doing this is I lose high availability. But I
can actually list them explicitly in the "ldap_servers:" line
so I can get around that.
Any idea why on C7 the DIGEST-MD5 thing going on does not set
digest-uri like it does on C6? I guess that is really a question
for the openldap devs.
Thanks again
On Fri, 28 Sep 2018 2:36pm, Dan White wrote:
> On 09/27/18 16:04 -0400, Paul Raines wrote:
>> I have a saslauthd server running on a CentOS6 system that I want
>> to upgrade to CentOS7. On the CentOS6 system I have /etc/saslauthd.conf
>> set as (domain changed):
>>
>> ldap_servers: ldaps://ldap.foobar.org
>> ldap_use_sasl: yes
>> ldap_mech: DIGEST-MD5
>>
>> and saslauthd is run as
>>
>> /usr/sbin/saslauthd -m /run/saslauthd -a ldap -O /etc/saslauthd.conf
>>
>> The LDAP server is the LDAP portal of the corporate AD server.
>>
>> This works fine as 'testsaslauthd -s ldap ...' succeeds. This
>> same config worked when it was on a CentOS5 system.
>>
>> When I set up this identical config on a test CentOS7 system the
>> testsaslauthd always fails. Debug output is
>>
>> Aug 24 11:05:42 hound saslauthd[118834]: DIGEST-MD5 client step 2
>> Aug 24 11:05:42 hound saslauthd[118834]: DIGEST-MD5 parse_server_challenge()
>> Aug 24 11:05:42 hound saslauthd[118834]: DIGEST-MD5 ask_user_info()
>> Aug 24 11:05:42 hound saslauthd[118834]: DIGEST-MD5 client step 2
>> Aug 24 11:05:42 hound saslauthd[118834]: DIGEST-MD5 ask_user_info()
>> Aug 24 11:05:42 hound saslauthd[118834]: DIGEST-MD5 make_client_response()
>> Aug 24 11:05:42 hound saslauthd[118834]: Authentication failed for per2: Bind to ldap server failed (invalid user/password or insufficient access) (-7)
>> Aug 24 11:05:42 hound saslauthd[118834]: do_auth : auth failure: [user=per2] [service=ldap] [realm=] [mech=ldap] [reason=Unknown]
>>
>> I have tried ldap_auth_method with 'bind' and 'fastbind' and
>> ldap_use_sasl set to no, but every combo fails.
>>
>> It does work to use a /etc/saslauthd.conf with explicit credentials such
>> as
>>
>> ldap_servers: ldaps://ldap.foobar.org
>> ldap_search_base: dc=foobar,dc=org
>> ldap_filter: (sAMAccountName=%u)
>> ldap_bind_dn: cn=myuid,cn=users,dc=foobar,dc=org
>> ldap_password: *********
>>
>> but I don't like putting my password in a config file and also having to
>> remember to change it every time the password changes in AD.
>>
>> Does anyone have any ideas why the initial setup does not work
>> in CentOS7?
>
> Check your DNS settings.
>
> Troubleshoot this by using the ldap client utilities directly:
>
> ldapwhoami -d -1 -H ldaps://ldap.foobar.org -Y DIGEST-MD5 -U per2 -W
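Paul's workaround (listing the DC host names explicitly in "ldap_servers:" so each digest-uri names a host with a registered SPN) can be generated from DNS instead of typed by hand. This is an added example, not code from the thread or from cyrus-sasl: expand_alias does a forward lookup of the alias and a PTR lookup of each address, the resolver functions are injectable, and SAMPLE_A/SAMPLE_PTR with their 192.0.2.x addresses are constructed data so the module runs offline.

```python
import socket


def dns_forward(alias):
    """All A records behind a round-robin alias (real DNS lookup)."""
    return socket.gethostbyname_ex(alias)[2]


def dns_reverse(addr):
    """PTR lookup (real DNS); None when the address has no reverse record."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except socket.herror:
        return None


def expand_alias(alias, forward=dns_forward, reverse=dns_reverse):
    """Host names behind `alias`: lower-cased, trailing dot removed, sorted.

    An address without a PTR is kept as a bare IP so the gap stays visible:
    a bare IP would give a digest-uri that matches no registered SPN, so
    resolve it by hand before deploying the line.
    """
    names = set()
    for addr in forward(alias):
        host = reverse(addr)
        names.add(host.rstrip(".").lower() if host else addr)
    return sorted(names)


def ldap_servers_line(alias, scheme="ldaps", **resolvers):
    """The saslauthd.conf 'ldap_servers:' line listing every DC explicitly."""
    hosts = expand_alias(alias, **resolvers)
    return "ldap_servers: " + " ".join(f"{scheme}://{h}" for h in hosts)


# Constructed sample resolvers mirroring the thread: four A records whose
# PTRs are the DC names (documentation-range addresses, not real ones).
# 192.0.2.10 deliberately has no PTR to exercise the failure mode.
SAMPLE_A = {
    "ldap.foobar.org": ["192.0.2.8", "192.0.2.3", "192.0.2.12", "192.0.2.10"],
}
SAMPLE_PTR = {
    "192.0.2.8": "DC8.foobar.org.",  # case and trailing dot get normalised
    "192.0.2.3": "dc3.foobar.org",
    "192.0.2.12": "dc12.foobar.org",
}
sample_forward = SAMPLE_A.__getitem__
sample_reverse = SAMPLE_PTR.get
```

Against real DNS, call ldap_servers_line("ldap.foobar.org") with the default resolvers; check the generated line for bare IPs before putting it in /etc/saslauthd.conf.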