
RE: SASL/Kerberos V4 & openldap



This error indicates that slapd didn't like the authorization ID (authzid)
that it got from SASL. An authzid must be of the form "u:<username>" or
"dn:<ldap DN>"; the "authzid=quanah" is illegal, it should have been
"authzid=u:quanah" instead.

By default the authzid is NULL, but the Cyrus Kerberos 4 plugin sets it equal
to the authcid in that case. This is a bug in the Cyrus Kerberos 4 plugin; it
needs to call sparams->canon_user differently in this situation. There is
already a workaround in slapd for this problem with other mechs but it
assumes that Cyrus will always try to canonicalize the authcid before the
authzid. The Kerberos 4 plugin does the authzid first, so that workaround
doesn't help.

For the moment, you should be able to make this work by explicitly setting
your authzid to a valid name. (ldapsearch -X u:quanah) A real fix for this
will probably require work in both the Cyrus Kerberos 4 plugin and in slapd.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
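The authzid rule stated above in working form, as an added example and not slapd's or Cyrus SASL's own code: it classifies an authzid the way slapd expects it from SASL ("u:" or "dn:" prefix, a bare name such as "quanah" rejected) and builds the authentication request DN that the admin guide passage quoted below describes for the "u:" form. The realm and mechanism arguments, and lower-casing them as in the guide's example DN, are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <ctype.h>
/* Added example, not slapd's own code: the two authzid forms slapd accepts.
 * A bare name ("quanah") is rejected, the "SASL(-14)" failure in the log. */
enum authzid_kind { AUTHZID_INVALID = 0, AUTHZID_USER, AUTHZID_DN };
enum authzid_kind classify_authzid(const char *authzid)
{
    if (authzid == NULL || authzid[0] == '\0')
        return AUTHZID_INVALID;
    if (strncasecmp(authzid, "u:", 2) == 0 && authzid[2] != '\0')
        return AUTHZID_USER;                /* "u:quanah" */
    if (strncasecmp(authzid, "dn:", 3) == 0 && authzid[3] != '\0')
        return AUTHZID_DN;                  /* "dn:cn=...,dc=..." */
    return AUTHZID_INVALID;                 /* bare "quanah" lands here */
}
/* Bounded lower-case copy: the admin guide's example DN writes realm and
 * mechanism in lower case (cn=example.com,cn=kerberos_v4); an assumption. */
static void lower_copy(char *dst, size_t dstlen, const char *src)
{
    size_t i;
    for (i = 0; i + 1 < dstlen && src[i] != '\0'; i++)
        dst[i] = (char)tolower((unsigned char)src[i]);
    dst[i] = '\0';
}
/* Map an authzid to the authentication request DN the guide describes:
 * uid=<username>,cn=<realm>,cn=<mechanism>,cn=auth for "u:", the DN as given
 * for "dn:". Returns 0 on success, -1 if rejected or out is too small. */
int authzid_to_auth_dn(const char *authzid, const char *realm,
                       const char *mech, char *out, size_t outlen)
{
    char lrealm[256], lmech[64]; int n;
    switch (classify_authzid(authzid)) {
    case AUTHZID_DN:
        n = snprintf(out, outlen, "%s", authzid + 3);
        break;
    case AUTHZID_USER:
        lower_copy(lrealm, sizeof lrealm, realm);
        lower_copy(lmech, sizeof lmech, mech);
        n = snprintf(out, outlen, "uid=%s,cn=%s,cn=%s,cn=auth",
                     authzid + 2, lrealm, lmech);
        break;
    default:
        return -1;                          /* Inappropriate authentication */
    }
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}
```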

> -----Original Message-----
> From: Quanah Gibson-Mount [mailto:quanah@stanford.edu]

> --On Thursday, October 31, 2002 3:12 PM -0800 Howard Chu
> <hyc@highlandsun.com> wrote:
>
> > OK, looks like a bug in slapd/sasl.c. Please try this change and tell me
> > if there are any other problems. If it works I'll commit the fix.
>
> Howard,
>
> I rebuilt with the fix.  That error no longer occurs. However, now I get
> something more interesting:
>
> ldap4:~> ldapsearch -h localhost -s base -Y KERBEROS_V4
> SASL/KERBEROS_V4 authentication started
> ldap_sasl_interactive_bind_s: Insufficient access (50)
>         additional info: SASL(-14): authorization failure: Inappropriate authentication
>
> When I look in the ldap log, I see what follows this.  My understanding
> from the ldap administrators guide is that my authentication should
> follow this format:
>
> When the service ticket is obtained, it will be passed to the LDAP server
> as proof of the user's identity. The server will extract the identity and
> realm out of the service ticket using SASL library calls, and convert them
> into an authentication request DN of the form
>
>         uid=<username>,cn=<realm>,cn=<mechanism>,cn=auth
>
> So in our above example, if the user's name were "adamson", the
> authentication request DN would be:
>
>         uid=adamson,cn=example.com,cn=kerberos_v4,cn=auth
>
>
> Where in this case, it would be:
>
> uid=quanah,cn=ir.stanford.edu,cn=kerberos_v4,cn=auth
>
> However, it just sees me as id=quanah ??  Not even uid?
>
> I have a correct kerberos ticket as well:
>
> ldap4:/var/log> klist
>
> Kerberos 4 ticket cache: /tmp/tkt54046
> Principal: quanah@IR.STANFORD.EDU
>
>   Issued              Expires             Principal
> 10/31/02 16:01:29  11/01/02 17:27:50  krbtgt.IR.STANFORD.EDU@IR.STANFORD.EDU
> 10/31/02 16:01:29  11/01/02 17:27:50  afs@IR.STANFORD.EDU
> 10/31/02 16:01:50  11/01/02 17:28:11  ldap.ldap4@IR.STANFORD.EDU
>
>
> --Quanah
>
>
>
> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 948228 local4.debug] do_bind
> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 538834 local4.debug] daemon: select: listen=7 active_threads=1 tvp=NULL
> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 198467 local4.debug] >>> dnPrettyNormal: <>
> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 538834 local4.debug] daemon: select: listen=8 active_threads=1 tvp=NULL
> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 147344 local4.debug] <<< dnPrettyNormal: <>, <>
> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 124591 local4.debug] do_sasl_bind: dn () mech KERBEROS_V4
> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 347666 local4.debug] conn=7 op=0 BIND dn="" method=163
> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 458069 local4.debug] ==> sasl_bind: dn="" mech=KERBEROS_V4 datalen=0
> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 335269 local4.debug] send_ldap_sasl: err=14 len=4
> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 324658 local4.debug] send_ldap_response: msgid=1 tag=97 err=14
> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 540187 local4.debug] <== slap_sasl_bind: rc=14
> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 454241 local4.debug] daemon: activity on 1 descriptors
> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 802679 local4.debug] daemon: activity on:
> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 522297 local4.debug] 12r
> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 100000 local4.debug]
> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 694296 local4.debug] daemon: read activity on 12
> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 525477 local4.debug] connection_get(12)
> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 611214 local4.debug] connection_get(12): got connid=7
> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 138202 local4.debug] connection_read(12): checking for input on id=7
> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 948228 local4.debug] do_bind
> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 812316 local4.debug] ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable)
> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 538834 local4.debug] daemon: select: listen=7 active_threads=1 tvp=NULL
> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 198467 local4.debug] >>> dnPrettyNormal: <>
> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 538834 local4.debug] daemon: select: listen=8 active_threads=1 tvp=NULL
> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 147344 local4.debug] <<< dnPrettyNormal: <>, <>
> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 124591 local4.debug] do_sasl_bind: dn () mech KERBEROS_V4
> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 347666 local4.debug] conn=7 op=1 BIND dn="" method=163
> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 458069 local4.debug] ==> sasl_bind: dn="" mech=<continuing> datalen=117
> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 335269 local4.debug] send_ldap_sasl: err=14 len=8
> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 324658 local4.debug] send_ldap_response: msgid=2 tag=97 err=14
> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 540187 local4.debug] <== slap_sasl_bind: rc=14
> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 454241 local4.debug] daemon: activity on 1 descriptors
> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 802679 local4.debug] daemon: activity on:
> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 522297 local4.debug] 12r
> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 100000 local4.debug]
> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 694296 local4.debug] daemon: read activity on 12
> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 525477 local4.debug] connection_get(12)
> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 611214 local4.debug] connection_get(12): got connid=7
> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 138202 local4.debug] connection_read(12): checking for input on id=7
> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 812316 local4.debug] ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable)
> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 948228 local4.debug] do_bind
> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 538834 local4.debug] daemon: select: listen=7 active_threads=1 tvp=NULL
> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 198467 local4.debug] >>> dnPrettyNormal: <>
> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 538834 local4.debug] daemon: select: listen=8 active_threads=1 tvp=NULL
> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 147344 local4.debug] <<< dnPrettyNormal: <>, <>
> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 124591 local4.debug] do_sasl_bind: dn () mech KERBEROS_V4
> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 347666 local4.debug] conn=7 op=2 BIND dn="" method=163
> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 458069 local4.debug] ==> sasl_bind: dn="" mech=<continuing> datalen=16
> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 347708 local4.debug] SASL Canonicalize [conn=7]: authzid="quanah"
> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 702030 local4.debug] slap_sasl_getdn: id=quanah
> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 668004 local4.debug] SASL [conn=7] Failure: Inappropriate authentication
> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 246281 local4.debug] send_ldap_result: conn=7 op=2 p=3
> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 291653 local4.debug] send_ldap_result: err=50 matched="" text="SASL(-14): authorization failure: Inappropriate authentication"
> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 324658 local4.debug] send_ldap_response: msgid=3 tag=97 err=50
> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 217296 local4.debug] conn=7 op=2 RESULT tag=97 err=50 text=SASL(-14): authorization failure: Inappropriate authentication
> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 540187 local4.debug] <== slap_sasl_bind: rc=50
> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 454241 local4.debug] daemon: activity on 1 descriptors
> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 802679 local4.debug] daemon: activity on:
> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 522297 local4.debug] 12r
>
>
> --
> Quanah Gibson-Mount
> Senior Systems Administrator
> ITSS/TSS/Computing Systems
> Stanford University
> GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
>