OpenLDAP Pass-through Authentication #76824

Open
deeztek opened this issue Jan 31, 2025 · 0 comments
Labels: tech-issues (The user has a technical issue about an application), triage (Triage is needed)

Comments


deeztek commented Jan 31, 2025

Name and Version

bitnami/openldap:2.6

What architecture are you using?

amd64

What steps will reproduce the bug?

Using the following docker-compose.yml file:

services:
  openldap:
    image: bitnami/openldap:latest
    ports:
      - '1389:1389'
      - '1636:1636'
    environment:
      - LDAP_ROOT=dc=domain,dc=local
      - LDAP_ADMIN_USERNAME=${LDAP_ADMIN_USERNAME}
      - LDAP_ADMIN_PASSWORD=${LDAP_ADMIN_PASSWORD}
      - LDAP_USERS=${LDAP_USERS}
      - LDAP_PASSWORDS=${LDAP_PASSWORDS}
      - LDAP_EXTRA_SCHEMAS=cosine,inetorgperson,nis,argon2
      - BITNAMI_DEBUG=true
    volumes:
      - openldap_data:/bitnami/openldap
      - ../config/openldap/custom/schema/argon2.ldif:/opt/bitnami/openldap/etc/schema/argon2.ldif
      - ../config/openldap/sasl/slapd.conf:/usr/lib/sasl2/slapd.conf
      - ../config/openldap/sasl/saslauthd.conf:/etc/saslauthd.conf


volumes:
  openldap_data:
    driver: local
    driver_opts:
      type: none
      o: bind
      device: /mnt/data/openldap

The contents of slapd.conf are as follows:

mech_list: plain
pwcheck_method: saslauthd
saslauthd_path: /var/run/sasl2/mux

The contents of saslauthd.conf are as follows:

ldap_servers: ldap://192.168.xxx.xxx.xxx
ldap_search_base: OU=Users,DC=domain,DC=tld
ldap_filter: (uid=%u)

ldap_bind_dn: CN=saslauthd,CN=Users,DC=domain,DC=tld
ldap_password: somepassword

Added a user that already exists in domain.tld in openldap with the following password:

{SASL}[email protected]

What is the expected behavior?

I expect a successful authentication to domain.tld.

What do you see instead?

Instead I get the following error:

hermes_openldap_app  | 679ceede.3aa31e0a 0x7f2ff617e6c0 conn=1004 op=1 SRCH attr=uid mail displayName
hermes_openldap_app  | 679ceede.3aa4b816 0x7f2ff617e6c0 conn=1004 op=1 SEARCH RESULT tag=101 err=0 qtime=0.000019 etime=0.000172 nentries=1 text=
hermes_openldap_app  | 679ceede.3aaafd88 0x7f2ff597d6c0 conn=1005 fd=14 ACCEPT from IP=172.16.32.1:47082 (IP=0.0.0.0:1389)
hermes_openldap_app  | 679ceede.3aab8f34 0x7f2ff597d6c0 conn=1005 op=0 BIND dn="[email protected],ou=users,dc=domain,dc=local" method=128
hermes_openldap_app  | 679ceede.3aac9267 0x7f2ff597d6c0 SASL [conn=1005] Failure: cannot connect to saslauthd server: No such file or directory
hermes_openldap_app  | 679ceede.3aad25b9 0x7f2ff597d6c0 conn=1005 op=0 RESULT tag=97 err=49 qtime=0.000005 etime=0.000120 text=
hermes_openldap_app  | 679ceede.3ab0191f 0x7f2ff617e6c0 conn=1005 fd=14 closed (connection lost)
hermes_openldap_app  | 679ceede.3ab3d76a 0x7f2ff597d6c0 conn=1004 fd=13 closed (connection lost)

Additional information

I'm guessing the paths to slapd.conf and saslauthd.conf are probably wrong. I got the config from the openldap admin documentation (https://www.openldap.org/doc/admin26/guide.html#Pass-Through%20authentication), however there is no clear guidance on how to accomplish that with the bitnami openldap container. I would appreciate some help on this.

Thanks a lot.

@deeztek deeztek added the tech-issues The user has a technical issue about an application label Jan 31, 2025
@github-actions github-actions bot added the triage Triage is needed label Jan 31, 2025
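The log quoted in the report shows the bind being rejected with err=49 because slapd could not reach the saslauthd socket, and a client sees the same err=49 for a plain wrong password. The script below is an added example (not code from the issue, from OpenLDAP, or from the bitnami container project) that does two things a defender would do when triaging this: parse the Cyrus SASL application config shown above (slapd.conf) and verify that the `saslauthd_path` socket actually exists, and correlate BIND / SASL Failure / RESULT lines per connection so that pass-through infrastructure failures are separated from ordinary invalid-credential binds. It assumes only the two formats visible in the report; the log lines for conn=1005 are modelled on the quoted ones with a constructed DN, and conn=1006 and conn=1007 are constructed to show the other outcomes.

```python
"""Triage helper for OpenLDAP SASL pass-through (saslauthd) bind failures.

Added example, not code from the issue or from the bitnami project. Assumes
the 'key: value' Cyrus SASL application config format (slapd.conf) and the
slapd stats-level log line formats shown in the report.
"""
import os
import re
import stat
from dataclasses import dataclass


def parse_sasl_conf(text: str) -> dict:
    """Parse 'key: value' lines of a Cyrus SASL application config."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        conf[key.strip()] = value.strip()
    return conf


def check_sasl_config(text: str) -> list:
    """Return findings (strings); an empty list means nothing to report."""
    conf = parse_sasl_conf(text)
    findings = []
    if conf.get("pwcheck_method") != "saslauthd":
        findings.append("pwcheck_method is not 'saslauthd': passwords will not be passed through")
    mux = conf.get("saslauthd_path")
    if not mux:
        findings.append("saslauthd_path is unset: libsasl2 will use its compile-time default mux path")
    elif not os.path.exists(mux):
        # Exactly the condition behind 'cannot connect to saslauthd server:
        # No such file or directory' in the slapd log.
        findings.append(f"saslauthd socket {mux} does not exist: saslauthd is not running "
                        f"where slapd runs, or it listens on a different mux path")
    elif not stat.S_ISSOCK(os.stat(mux).st_mode):
        findings.append(f"{mux} exists but is not a unix socket")
    if "plain" in conf.get("mech_list", "").lower():
        findings.append("mech_list offers PLAIN: the password crosses the LDAP session in clear "
                        "unless that session is TLS-protected")
    return findings


@dataclass
class BindOutcome:
    conn: str
    dn: str
    err: int = -1            # -1 until the RESULT line for the bind is seen
    sasl_failure: str = ""   # text after 'SASL [conn=N] Failure:' if any

    @property
    def classification(self) -> str:
        if self.err == 0:
            return "success"
        if self.sasl_failure:
            return "passthrough-infra-failure"   # server-side problem, not a bad password
        if self.err == 49:
            return "invalid-credentials"
        return "other-error" if self.err >= 0 else "incomplete"


BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)" method=(\d+)')
SASL_FAIL_RE = re.compile(r'SASL \[conn=(\d+)\] Failure: (.+?)\s*$')
BIND_RESULT_RE = re.compile(r'conn=(\d+) op=\d+ RESULT tag=97 err=(\d+)')


def triage_bind_log(lines) -> dict:
    """Map conn id -> BindOutcome for the most recent BIND on that connection.

    Keyed by conn rather than (conn, op) because the SASL failure line
    carries no op number. 'SEARCH RESULT tag=101' lines do not match.
    """
    outcomes = {}
    for line in lines:
        if m := BIND_RE.search(line):
            outcomes[m.group(1)] = BindOutcome(conn=m.group(1), dn=m.group(2))
        elif (m := SASL_FAIL_RE.search(line)) and m.group(1) in outcomes:
            outcomes[m.group(1)].sasl_failure = m.group(2)
        elif (m := BIND_RESULT_RE.search(line)) and m.group(1) in outcomes:
            outcomes[m.group(1)].err = int(m.group(2))
    return outcomes


# Constructed sample input. conn=1005 mirrors the lines quoted in the issue
# (DN replaced by a constructed one); conn=1006/1007 are constructed.
SAMPLE_LOG = [
    'hermes_openldap_app  | 679ceede.3aa4b816 0x7f2ff617e6c0 conn=1004 op=1 SEARCH RESULT tag=101 err=0 qtime=0.000019 etime=0.000172 nentries=1 text=',
    'hermes_openldap_app  | 679ceede.3aab8f34 0x7f2ff597d6c0 conn=1005 op=0 BIND dn="uid=alice,ou=users,dc=domain,dc=local" method=128',
    'hermes_openldap_app  | 679ceede.3aac9267 0x7f2ff597d6c0 SASL [conn=1005] Failure: cannot connect to saslauthd server: No such file or directory',
    'hermes_openldap_app  | 679ceede.3aad25b9 0x7f2ff597d6c0 conn=1005 op=0 RESULT tag=97 err=49 qtime=0.000005 etime=0.000120 text=',
    'hermes_openldap_app  | 679ceede.3ab10000 0x7f2ff597d6c0 conn=1006 op=0 BIND dn="uid=bob,ou=users,dc=domain,dc=local" method=128',
    'hermes_openldap_app  | 679ceede.3ab20000 0x7f2ff597d6c0 conn=1006 op=0 RESULT tag=97 err=49 qtime=0.000005 etime=0.000100 text=',
    'hermes_openldap_app  | 679ceede.3ab30000 0x7f2ff597d6c0 conn=1007 op=0 BIND dn="uid=carol,ou=users,dc=domain,dc=local" method=128',
    'hermes_openldap_app  | 679ceede.3ab40000 0x7f2ff597d6c0 conn=1007 op=0 RESULT tag=97 err=0 qtime=0.000005 etime=0.000100 text=',
]

# The slapd.conf from the report, verbatim.
SAMPLE_SLAPD_CONF = "mech_list: plain\npwcheck_method: saslauthd\nsaslauthd_path: /var/run/sasl2/mux\n"

if __name__ == "__main__":
    for conn, outcome in sorted(triage_bind_log(SAMPLE_LOG).items()):
        print(f"conn={conn} dn={outcome.dn} err={outcome.err} -> {outcome.classification}")
    for finding in check_sasl_config(SAMPLE_SLAPD_CONF):
        print("config:", finding)
```

Running the script inside the container that runs slapd is the useful case: the config check stats the mux path the same way slapd does, so a "does not exist" finding there means the bind failure is a deployment problem (no saslauthd reachable at that path), not a credential problem. The log classification is worth keeping in monitoring because a burst of `passthrough-infra-failure` outcomes is an availability incident, while a burst of `invalid-credentials` against many DNs is the pattern to alert on as possible credential guessing.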