same SASL config that works on CentOS5 & 6 fails on CentOS7

Paul Raines raines at nmr.mgh.harvard.edu
Fri Sep 28 15:19:33 EDT 2018


Thanks!  That has got me to a solution

On my C5/C6 boxes running

ldapwhoami -d -1 -H ldaps://ldap.foobar.org -Y DIGEST-MD5 -U per2 -W

worked giving:

SASL/DIGEST-MD5 authentication started
SASL username: per2
SASL SSF: 0
u:FOOBAR\per2

But on my C7 machines I would get

SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
         additional info: 80090303: LdapErr: DSID-0C090520, comment: The 
digest-uri does not match any LDAP SPN's registered for this server., data 0, 
v1db1

Looking at the debug output on the C5/C6 boxes I saw in the dump section
something that said

digest-uri="ldap/dc8.foobar.org"

while in the same section on a C7 box I saw

digest-uri="ldap/ldap.foobar.org"

A "host ldap.partners.org" gives back 4 IP addresses which match
the dc8, dc3, dc12, and dc10 actual host names.

If I run

ldapwhoami -d -1 -H ldaps://dc8.foobar.org -Y DIGEST-MD5 -U per2 -W

on the C7 box it works fine.  If I change /etc/saslauthd.conf to
use dc8.foobar.org it works fine for testsaslauthd too.  The
only issue doing this is I lose high availability.  But I
can actually list them explicitly in the "ldap_servers:" line,
so I can get around that.

Any idea why on C7 the DIGEST-MD5 thing going on does not set
digest-uri like it does on C6?  I guess that is really a question
for the openldap devs.

Thanks again



On Fri, 28 Sep 2018 2:36pm, Dan White wrote:

> On 09/27/18 16:04 -0400, Paul Raines wrote:
>> I have a saslauthd server running on a CentOS6 system that I want
>> to upgrade to CentOS7.  On the CentOS6 system I have /etc/saslauthd.conf
>> set as (domain changed):
>> 
>> ldap_servers: ldaps://ldap.foobar.org
>> ldap_use_sasl: yes
>> ldap_mech: DIGEST-MD5
>> 
>> and saslauthd is run as
>> 
>> /usr/sbin/saslauthd -m /run/saslauthd -a ldap -O /etc/saslauthd.conf
>> 
>> The LDAP server is the LDAP portal of the corporate AD server.
>> 
>> This works fine as 'testsaslauthd -s ldap ...' succeeds.  This
>> same config worked when it was on a CentOS5 system.
>> 
>> When I set up this identical config on a test CentOS7 system the
>> testsaslauthd always fails.  Debug output is
>> 
>> Aug 24 11:05:42 hound saslauthd[118834]: DIGEST-MD5 client step 2
>> Aug 24 11:05:42 hound saslauthd[118834]: DIGEST-MD5 
>> parse_server_challenge()
>> Aug 24 11:05:42 hound saslauthd[118834]: DIGEST-MD5 ask_user_info()
>> Aug 24 11:05:42 hound saslauthd[118834]: DIGEST-MD5 client step 2
>> Aug 24 11:05:42 hound saslauthd[118834]: DIGEST-MD5 ask_user_info()
>> Aug 24 11:05:42 hound saslauthd[118834]: DIGEST-MD5 make_client_response()
>> Aug 24 11:05:42 hound saslauthd[118834]: Authentication failed for per2: 
>> Bind to ldap server failed (invalid user/password or insufficient access) 
>> (-7)
>> Aug 24 11:05:42 hound saslauthd[118834]: do_auth         : auth failure: 
>> [user=per2] [service=ldap] [realm=] [mech=ldap] [reason=Unknown]
>> 
>> I have tried ldap_auth_method with 'bind' and 'fastbind' and
>> ldap_use_sasl set to no, but every combo fails.
>> 
>> It does work to use a /etc/saslauthd.conf with explicit credentials such
>> as
>> 
>> ldap_servers: ldaps://ldap.foobar.org
>> ldap_search_base: dc=foobar,dc=org
>> ldap_filter: (sAMAccountName=%u)
>> ldap_bind_dn: cn=myuid,cn=users,dc=foobar,dc=org
>> ldap_password: *********
>> 
>> but I don't like putting my password in a config file and also having to 
>> remember to change it every time the password changes in AD
>> 
>> Does anyone have any ideas why the initial setup does not work
>> in CentOS7?
>
> Check your DNS settings.
>
> Troubleshoot this by using the ldap client utilities directly:
>
> ldapwhoami -d -1 -H ldaps://ldap.foobar.org -Y DIGEST-MD5 -U per2 -W
>
>
>
>
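The diagnosis in this thread comes down to one check: the digest-uri the DIGEST-MD5 client puts in its response ("ldap/<hostname>") has to equal an SPN that AD has registered for the domain controller actually answering, and a round-robin alias such as ldap.foobar.org is not such an SPN. The small helper below is an added example, not code from the thread or from Cyrus SASL: it pulls digest-uri out of `ldapwhoami -d -1` style output, compares it against the set of expected SPNs, and builds the explicit `ldap_servers:` line that the workaround above relies on. The debug lines and the list of domain controllers are constructed from the names quoted in the thread and are assumptions, not captured data.

```python
import re
from typing import Iterable, Optional, Set

# Constructed samples of the SASL dump line that `ldapwhoami -d -1` prints;
# the digest-uri values are the ones quoted in the thread, the rest is filler.
DEBUG_C6 = ('username="per2",realm="FOOBAR",nonce="abc",'
            'digest-uri="ldap/dc8.foobar.org",response=0123')
DEBUG_C7 = ('username="per2",realm="FOOBAR",nonce="abc",'
            'digest-uri="ldap/ldap.foobar.org",response=0123')

# Constructed: the domain controllers behind the ldap.foobar.org alias
# (hostnames named in the thread); AD is assumed to register ldap/<fqdn>
# SPNs for each of these, and nothing for the alias itself.
DC_HOSTS = ["dc8.foobar.org", "dc3.foobar.org", "dc12.foobar.org", "dc10.foobar.org"]

DIGEST_URI_RE = re.compile(r'digest-uri="(?P<uri>[^"]+)"')


def extract_digest_uri(debug_output: str) -> Optional[str]:
    """Return the digest-uri the client sent, or None if the dump lacks one."""
    match = DIGEST_URI_RE.search(debug_output)
    return match.group("uri") if match else None


def registered_spns(hosts: Iterable[str]) -> Set[str]:
    """SPNs of the form ldap/<fqdn> for each real server (case-folded)."""
    return {f"ldap/{host.lower()}" for host in hosts}


def digest_uri_matches(debug_output: str, hosts: Iterable[str]) -> bool:
    """True when the client's digest-uri is one of the registered SPNs.

    A False result with a digest-uri naming a DNS alias is exactly the
    'digest-uri does not match any LDAP SPN's' failure seen on CentOS 7.
    """
    uri = extract_digest_uri(debug_output)
    return uri is not None and uri.lower() in registered_spns(hosts)


def explicit_ldap_servers(hosts: Iterable[str]) -> str:
    """Build a saslauthd ldap_servers line that names every DC explicitly.

    saslauthd takes a whitespace-separated list of URIs here, so listing the
    real hostnames keeps failover while giving DIGEST-MD5 a resolvable SPN.
    """
    return "ldap_servers: " + " ".join(f"ldaps://{host}" for host in hosts)


if __name__ == "__main__":
    for label, dump in (("C6", DEBUG_C6), ("C7", DEBUG_C7)):
        print(label, extract_digest_uri(dump),
              "OK" if digest_uri_matches(dump, DC_HOSTS) else "no matching SPN")
    print(explicit_ldap_servers(DC_HOSTS))
```

Run the script against a saved `ldapwhoami -d -1` transcript to see which name the client is actually presenting; if it is the alias rather than a domain controller, either point the client at the real hostnames or make sure the directory side has an SPN for the alias.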

