Discussion:
same SASL config that works on CentOS5 & 6 fails on CentOS7
Paul Raines
2018-09-27 20:04:02 UTC
I have a saslauthd server running on a CentOS6 system that I want
to upgrade to CentOS7. On the CentOS6 system I have /etc/saslauthd.conf
set as (domain changed):

ldap_servers: ldaps://ldap.foobar.org
ldap_use_sasl: yes
ldap_mech: DIGEST-MD5

and saslauthd is run as

/usr/sbin/saslauthd -m /run/saslauthd -a ldap -O /etc/saslauthd.conf

The LDAP server is the LDAP portal of the corporate AD server.

This works fine as 'testsaslauthd -s ldap ...' succeeds. This
same config worked when it was on a CentOS5 system.

When I set up this identical config on a test CentOS7 system the
testsaslauthd always fails. Debug output is

Aug 24 11:05:42 hound saslauthd[118834]: DIGEST-MD5 client step 2
Aug 24 11:05:42 hound saslauthd[118834]: DIGEST-MD5 parse_server_challenge()
Aug 24 11:05:42 hound saslauthd[118834]: DIGEST-MD5 ask_user_info()
Aug 24 11:05:42 hound saslauthd[118834]: DIGEST-MD5 client step 2
Aug 24 11:05:42 hound saslauthd[118834]: DIGEST-MD5 ask_user_info()
Aug 24 11:05:42 hound saslauthd[118834]: DIGEST-MD5 make_client_response()
Aug 24 11:05:42 hound saslauthd[118834]: Authentication failed for per2: Bind
to ldap server failed (invalid user/password or insufficient access) (-7)
Aug 24 11:05:42 hound saslauthd[118834]: do_auth : auth failure:
[user=per2] [service=ldap] [realm=] [mech=ldap] [reason=Unknown]

I have tried ldap_auth_method with 'bind' and 'fastbind' and
ldap_use_sasl set to no, but every combo fails.

It does work to use a /etc/saslauthd.conf with explicit credentials such
as

ldap_servers: ldaps://ldap.foobar.org
ldap_search_base: dc=foobar,dc=org
ldap_filter: (sAMAccountName=%u)
ldap_bind_dn: cn=myuid,cn=users,dc=foobar,dc=org
ldap_password: *********

but I don't like putting my password in a config file and also having to
remember to change it every time the password changes in AD.

Does anyone have any ideas why the initial setup does not work
in CentOS7?


---------------------------------------------------------------
Paul Raines http://help.nmr.mgh.harvard.edu
MGH/MIT/HMS Athinoula A. Martinos Center for Biomedical Imaging
149 (2301) 13th Street Charlestown, MA 02129 USA
Dan White
2018-09-28 18:36:33 UTC
Check your DNS settings.

Trouble shoot this by using the ldap client utilities directly:

ldapwhoami -d -1 -H ldaps://ldap.foobar.org -Y DIGEST-MD5 -U per2 -W
Paul Raines
2018-09-28 19:19:33 UTC
Thanks! That has got me to a solution

On my C5/C6 boxes running

ldapwhoami -d -1 -H ldaps://ldap.foobar.org -Y DIGEST-MD5 -U per2 -W

worked giving:

SASL/DIGEST-MD5 authentication started
SASL username: per2
SASL SSF: 0
u:FOOBAR\per2

But on my C7 machines I would get

SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: 80090303: LdapErr: DSID-0C090520, comment: The
digest-uri does not match any LDAP SPN's registered for this server., data 0,
v1db1

Looking at the debug output on the C5/C6 boxes I saw in the dump section
something that said

digest-uri="ldap/dc8.foobar.org"

while in the same section on a C7 box I saw

digest-uri="ldap/ldap.foobar.org"

A "host ldap.partners.org" gives back 4 IP address which match
the dc8, dc3, dc12, and dc10 actual host names.

If I run

ldapwhoami -d -1 -H ldaps://dc8.foobar.org -Y DIGEST-MD5 -U per2 -W

on the C7 box it works fine. If I change /etc/saslauthd.conf to
use dc8.foobar.org it works fine for testsaslauthd too. The
only issue doing this is I lose high availability. But I
can actually list them explicitly in the "ldap_servers:" line
so I can get around that.

Any idea why on C7 the DIGEST-MD5 thing going on does not set
digest-uri like it does on C6? I guess that is really a question
for the openldap devs.

Thanks again
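The fix above rests on how the client builds its DIGEST-MD5 digest-uri: on the CentOS 5/6 boxes the alias ldap.foobar.org was canonicalized through reverse DNS to a domain controller name (digest-uri="ldap/dc8.foobar.org"), while on CentOS 7 the alias was used as given (digest-uri="ldap/ldap.foobar.org"), which AD refuses because no LDAP SPN is registered under the alias. The following is an added example, not code from the thread or from cyrus-sasl/OpenLDAP: it models both client behaviours against constructed DNS records and a constructed SPN list, and expands the alias into the explicit per-DC `ldap_servers:` line that keeps high availability without a stored bind password. The host names, addresses and SPNs are constructed; the "first address wins" canonicalization is a simplification of what the real resolver does.

```python
"""
Added example (not from the thread): model the DIGEST-MD5 digest-uri a
client derives from an LDAP URI, the server-side SPN check AD applies,
and the explicit ldap_servers: line that sidesteps the alias problem.
All DNS data and SPNs below are constructed for illustration.
"""
from urllib.parse import urlsplit

# Constructed forward DNS: the alias round-robins over four DCs (10.0.0.x
# are placeholders, not the real addresses from the thread).
FORWARD = {
    "ldap.foobar.org": ["10.0.0.8", "10.0.0.3", "10.0.0.12", "10.0.0.10"],
    "dc8.foobar.org": ["10.0.0.8"],
    "dc3.foobar.org": ["10.0.0.3"],
    "dc12.foobar.org": ["10.0.0.12"],
    "dc10.foobar.org": ["10.0.0.10"],
}
# Constructed reverse DNS: each DC address maps back to its real host name.
REVERSE = {
    "10.0.0.8": "dc8.foobar.org",
    "10.0.0.3": "dc3.foobar.org",
    "10.0.0.12": "dc12.foobar.org",
    "10.0.0.10": "dc10.foobar.org",
}
# Constructed: the LDAP SPNs AD has registered. Note the alias is absent.
REGISTERED_SPNS = {
    "ldap/dc8.foobar.org", "ldap/dc3.foobar.org",
    "ldap/dc12.foobar.org", "ldap/dc10.foobar.org",
}


def digest_uri(uri, canonicalize, forward=FORWARD, reverse=REVERSE):
    """Return the digest-uri ("ldap/<host>") a DIGEST-MD5 client would send.

    canonicalize=True mimics the CentOS 5/6 behaviour seen in the thread:
    resolve the host, reverse-map the (first) address, use that name.
    canonicalize=False mimics CentOS 7: use the host exactly as given.
    """
    host = urlsplit(uri).hostname
    if canonicalize:
        addrs = forward.get(host, [])
        if addrs:
            host = reverse.get(addrs[0], host)  # simplification: first address wins
    return f"ldap/{host}"


def server_accepts(uri_value, spns=REGISTERED_SPNS):
    """AD's check as reported in the error: digest-uri must match a registered SPN."""
    return uri_value in spns


def explicit_ldap_servers(alias_uri, forward=FORWARD, reverse=REVERSE):
    """Expand an alias URI into the space-separated ldap_servers: line with
    one URI per DC, preserving the scheme (ldaps) of the alias."""
    parts = urlsplit(alias_uri)
    hosts = [reverse[a] for a in forward[parts.hostname] if a in reverse]
    return "ldap_servers: " + " ".join(f"{parts.scheme}://{h}" for h in hosts)


def diagnose(uri):
    """Summarize both client behaviours for one URI as {label: (digest-uri, accepted)}."""
    return {
        label: (du, server_accepts(du))
        for label, du in (
            ("canonicalized (C5/C6)", digest_uri(uri, canonicalize=True)),
            ("as-given (C7)", digest_uri(uri, canonicalize=False)),
        )
    }


if __name__ == "__main__":
    for label, (du, ok) in diagnose("ldaps://ldap.foobar.org").items():
        print(f"{label:24s} digest-uri={du:26s} accepted={ok}")
    print(explicit_ldap_servers("ldaps://ldap.foobar.org"))
```

Run as-is it shows the alias being accepted only on the canonicalizing path, and prints the explicit `ldap_servers:` line to drop into /etc/saslauthd.conf so that every digest-uri the client can build is a name AD actually has an SPN for.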
Quanah Gibson-Mount
2018-09-28 19:44:51 UTC
--On Friday, September 28, 2018 4:19 PM -0400 Paul Raines
Post by Paul Raines
Any idea why on C7 the DIGEST-MD5 thing going on does not set
digest-uri like it does on C6? I guess that is really a question
for the openldap devs.
Seems more like a DNS resolution issue than an OpenLDAP issue. RHEL6 uses
OpenLDAP 2.4.40, RHEL7 uses OpenLDAP 2.4.44. There haven't been any
changes related to this functionality between the two. It's possible
RedHat has made their own custom modifications in this arena so you might
want to look for any differences there.

However, it seems more that on your CentOS 5/6 boxes that when DNS is
queried for "ldap.foobar.org" it gets back "dc8.foobar.org" whereas on your
CentOS7 box, it gets back "ldap.foobar.org".

--Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
Paul Raines
2018-09-28 19:58:09 UTC
Running 'host ldap.foobar.org' on the C6 and C7 machine both return the exact
same four lines/IPs. Reverse DNS of the 4 IPs using the host command is also
the same on both C6 and C7 machines. It really looks like OpenLDAP is
just not doing the reverse DNS on C7 when building the MD5 digest.
Quanah Gibson-Mount
2018-09-28 20:12:26 UTC
--On Friday, September 28, 2018 4:58 PM -0400 Paul Raines
Post by Paul Raines
Running 'host ldap.foobar.org' on the C6 and C7 machine both return the
exact same four lines/IPs. Reverse DNS of the 4 IPs using the host
command is also the same on both C6 and C7 machines. It really looks
like OpenLDAP is just not doing the reverse DNS on C7 when building
the MD5 digest
Hi Paul,

Again, as I stated, there have been no changes to OpenLDAP in this area.
Additionally, OpenLDAP leverages cyrus-sasl for SASL mechanism
negotiations. The culprit most likely would be a change in the version of
cyrus-sasl being used between C5/C6 and C7.

c7 has: 2.1.26-23.el7
c6 has: 2.1.23-15.el6_6.2


Warm regards,
Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
Paul Raines
2018-09-28 20:24:25 UTC
Okay, that makes sense. Though the change may go even deeper such as
newer openssl or other crypto library maybe.

Thanks
