
We have a scenario where the local LDAP will actually receive all authentication requests and then pass the authentication to the saslauthd module when the password is stored as {SASL}username. Thus, the authentication will be done on the remote OpenLDAP while authorization is done at the local OpenLDAP instance.

We are using the default OpenLDAP distribution that comes with Ubuntu 18 and have not rebuilt the code, as the build configuration in Debian suggests that it is already built with --enable-spasswd --with-cyrus-sasl.

As suggested, we made the change in /etc/saslauthd.conf as follows:

ldap_servers: ldaps://<remote ldap ip>:636
ldap_search_base: ou=Users,dc=example,dc=com
ldap_filter: (uid=%U)
ldap_bind_dn: cn=admin,dc=example,dc=com
ldap_password: <password>
ldap_scope: sub
ldap_use_sasl: no
ldap_start_tls: no
ldap_auth_method: bind
ldap_version: 3
ldap_restart: yes
ldap_deref: never

Then in /usr/lib/sasl2/slapd.conf we added the following:

mech_list: plain
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux

Ensured that PLAIN is in the supported SASL mechanisms:

ldapsearch -h localhost -p 389 -x -b "" -s base -LLL supportedSASLMechanisms
dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: ANONYMOUS

Then, as suggested, we set the user password for the user testuser in the local LDAP for which we want remote (pass-through) authentication, saving the password in plain text (no encryption, not even SSHA) in the form {SASL}username@example.com; as we are not using the domain, we saved it as {SASL}testuser. Checked if SASL authentication works:

root@CS-IDAM-TEST1:~# testsaslauthd -u testuser -p <password in remote ldap>
0: OK "Success."

Still, when I try an ldapsearch of the form:

ldapsearch -H ldap://localhost:389 -b "cn=username,ou=Users,dc=local,dc=com" -D "cn=username,ou=Users,dc=local,dc=com" -W "uid=testuser"

The request never reaches the remote LDAP for authentication through SASL (tried with -x: no difference), while an ldapsearch of the same form pointing to the remote OpenLDAP works perfectly.

bodgit
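As an added example (not part of the original question or of OpenLDAP/Cyrus SASL), a small offline Python checker for the three pieces this pass-through setup depends on: it parses constructed copies of /usr/lib/sasl2/slapd.conf, /etc/saslauthd.conf and the local user's LDIF entry and reports mismatches, so the {SASL} form of userPassword and the saslauthd wiring can be verified before any bind is attempted. The file contents and the host name remote.example.com are constructed sample values.

```python
import base64
import re

# Constructed sample inputs mirroring the question's three configuration pieces.
SLAPD_SASL_CONF = "mech_list: plain\npwcheck_method: saslauthd\nsaslauthd_path: /var/run/saslauthd/mux\n"
SASLAUTHD_CONF = "ldap_servers: ldaps://remote.example.com:636\nldap_filter: (uid=%U)\nldap_auth_method: bind\n"
USER_LDIF = "dn: uid=testuser,ou=Users,dc=local,dc=com\nuid: testuser\nuserPassword:: e1NBU0x9dGVzdHVzZXI=\n"


def parse_kv(text):
    """Parse 'key: value' lines; an LDIF 'key:: value' line carries a base64 value."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, val = line.partition(":")
        if val.startswith(":"):  # ldapsearch prints userPassword base64-encoded
            val = base64.b64decode(val[1:].strip()).decode()
        out[key.strip().lower()] = val.strip()
    return out


def check_passthrough(slapd_conf, saslauthd_conf, user_ldif):
    """Return the list of findings; an empty list means the three pieces agree."""
    slapd, authd, entry = (parse_kv(t) for t in (slapd_conf, saslauthd_conf, user_ldif))
    findings = []
    if "plain" not in slapd.get("mech_list", "").lower().split():
        findings.append("mech_list must include plain: slapd verifies {SASL} passwords via PLAIN")
    if slapd.get("pwcheck_method") != "saslauthd":
        findings.append("pwcheck_method must be saslauthd, otherwise saslauthd is never consulted")
    if not slapd.get("saslauthd_path", "").endswith("/mux"):
        findings.append("saslauthd_path should point at saslauthd's mux socket")
    ldap_filter = authd.get("ldap_filter", "")
    if "%U" not in ldap_filter and "%u" not in ldap_filter:
        findings.append("ldap_filter uses neither %u nor %U, so saslauthd cannot locate the user")
    m = re.fullmatch(r"\{SASL\}([^@]+)(?:@.+)?", entry.get("userpassword", ""))
    if not m:
        findings.append("userPassword is not in {SASL}username[@realm] form, so it is verified locally")
    elif m.group(1) != entry.get("uid"):
        findings.append(f"{{SASL}} name {m.group(1)!r} differs from local uid {entry.get('uid')!r}; "
                        "saslauthd looks up the remote entry by the {SASL} name, not the bind DN")
    return findings


if __name__ == "__main__":
    for f in check_passthrough(SLAPD_SASL_CONF, SASLAUTHD_CONF, USER_LDIF) or ["OK: consistent"]:
        print(f)
```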
  • This setup is just wrong. You are solving the problem you've just created. – drookie Dec 19 '18 at 15:29
  • Hi, can you please clarify why you think the setup is wrong? – Shankha Das Dec 19 '18 at 16:36
  • When you receive the request on one LDAP server and need to terminate it on another, either they should replicate one DB, or you should send the request to the actual server. Or this intermediate machine should not be an LDAP server, but an LDAP-aware balancer. – drookie Dec 19 '18 at 17:37
  • Maybe my explanation was not very clear in my question. Please refer to this pass-through authentication to a remote Active Directory. Link: https://blogs.msdn.microsoft.com/alextch/2012/04/25/configuring-openldap-pass-through-authentication-to-active-directory/ In my case, I am trying a similar feature with a remote LDAP. – Shankha Das Dec 19 '18 at 18:12

0 Answers