OpenLDAP SASL身份验证

Question

I'm setting up this authentication through OpenLDAP:

OpenLDAP -> Pass-through (External authentication) -> SASL -> PAM -> RSA Agent

In order to access to an application via a RSA Token.

Starting from the bottom to the top:

This is my PAM configuration:

#%PAM-1.0
auth required pam_securid.so
account      sufficient pam_ldap.so
account    include      password-auth
password      sufficient pam_ldap.so
password   include      password-auth

This test works great:

[root@ldap ~]# testsaslauthd -u goingsolo -p 11111111
0: OK "Success."

OpenLdap is correctly configured to works with the SASL Authenticatino in PLAIN:

[root@ldap /]# ldapsearch -h localhost -b "" -LLL -s base supportedSASLMechanisms -x
dn:
supportedSASLMechanisms: PLAIN

And the userPassword of my goingsolo user is configured with {SASL}goingsolo And if I do a SASL bind it works:

[root@datap-keldap-1-n01 /]# ldapsearch -h localhost -b dc=ldap,dc=com -U "goingsolo" -w 11111111                  
SASL/PLAIN authentication started
0: OK "Success."

The problem is when I perform a simple bind with -D instead of -U, I receive invalid credentials:

[root@datap-keldap-1-n01 /]# ldapsearch -h localhost -b dc=ldap,dc=com -D "cn=goingsolo,ou=People,dc=ldap,dc=com" -w 11111111                  
ldap_bind: Invalid credentials (49)

Also when performing a sasl bind with the full dn, the authentication fails because from the /var/lag/messages:

Mar 27 19:01:00 ldap saslauthd[11777]: do_auth         : auth failure: [user=cn=goingsolo,ou=People,dc=ldap,dc=com] [service=ldap] [realm=] [mech=pam] [reason=PAM auth error]

I guess this is because it does not a translate from the full dn to the simple user (goingsolo).

Any tips on what should I check?

Answer 1

The problem was how OpenLdap was build (I guess wrong compiling). I tryed to reinstall it and then it worked. Be sure the SASL machanism is set to plain.