Server dies when authenticating via SASL/GSSAPI
Hi List!
First, my system:
Red Hat LINUX 7.2 Kernel 2.4.19
Openssl 0.9.6g
Cyrus-SASL 2.1.9
Heimdal Kerberos V 0.5.1
OpenLDAP 2.1.8
The Problem:
When making a search via ldapsearch using SASL/GSSAPI-authentication
the slapd-server dies ...
Specification of what I do:
First of all, everything works fine except SASL/GSSAPI.
I show that a search without SASL/GSSAPI works fine:
---snipp---
[root@server htdocs]# ldapsearch -H "ldaps://server" -b "" -s base -x -LLL supportedSASLMechanisms
dn:
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: OTP
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
[root@server]#
---snipp---
So, this shows a search with simple bind and SSL/TLS works.
Kerberos works fine, my principal has a ticket:
---snipp---
[root@server]# /usr/local/heimdal/bin/klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: 44857@WEBSERVICES
Issued           Expires          Principal
Nov 15 08:48:52  Nov 15 18:48:52  krbtgt/WEBSERVICES@WEBSERVICES
Nov 15 08:49:04  Nov 15 18:48:52  ldap/server@WEBSERVICES
[root@server]#
---snipp---
Doing the same search with SASL/GSSAPI gives the following output:
---snipp---
[root@server]# ldapsearch -H "ldaps://server" -b "" -s base -U 44857 -LLL supportedSASLMechanisms
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Can't contact LDAP server (81)
[root@server]#
---snipp---
The output of strace shows the following:
---snipp---
[...]
modify_ldt(0x1, 0x40a12b1c, 0x10) = 0
getpid() = 21635
rt_sigprocmask(SIG_SETMASK, [32], NULL, 8) = 0
sched_setscheduler(0x5483, 0, 0x40a12d08) = 0
write(2, "do_search\n", 10) = 10
time([1037346762]) = 1037346762
getpid() = 21635
rt_sigprocmask(SIG_SETMASK, NULL, [32], 8) = 0
rt_sigsuspend([] <unfinished ...>
--- SIGRT_0 (Real-time signal 0) ---
---snipp---
The log-output of slapd -d 65535 is:
---snipp---
[...]
getdn: u:id converted to uid=44857,cn=WEBSERVICES,cn=GSSAPI,cn=auth
>>> dnNormalize: <uid=44857,cn=WEBSERVICES,cn=GSSAPI,cn=auth>
=> ldap_bv2dn(uid=44857,cn=WEBSERVICES,cn=GSSAPI,cn=auth,0)
<= ldap_bv2dn(uid=44857,cn=WEBSERVICES,cn=GSSAPI,cn=auth,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=44857,cn=webservices,cn=gssapi,cn=auth,272)=0
<<< dnNormalize: <uid=44857,cn=webservices,cn=gssapi,cn=auth>
==>slap_sasl2dn: converting SASL name uid=44857,cn=webservices,cn=gssapi,cn=auth to a DN
slap_sasl_regexp: converting SASL name uid=44857,cn=webservices,cn=gssapi,cn=auth
slap_sasl_regexp: converted SASL name to uid=44857,ou=users,o=webservices,dc=fraport,dc=de
slap_parseURI: parsing uid=44857,ou=users,o=webservices,dc=fraport,dc=de
ldap_url_parse_ext(uid=44857,ou=users,o=webservices,dc=fraport,dc=de)
>>> dnNormalize: <uid=44857,ou=users,o=webservices,dc=fraport,dc=de>
=> ldap_bv2dn(uid=44857,ou=users,o=webservices,dc=fraport,dc=de,0)
<= ldap_bv2dn(uid=44857,ou=users,o=webservices,dc=fraport,dc=de,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=44857,ou=users,o=webservices,dc=fraport,dc=de,272)=0
<<< dnNormalize: <uid=44857,ou=users,o=webservices,dc=fraport,dc=de>
<==slap_sasl2dn: Converted SASL name to uid=44857,ou=users,o=webservices,dc=fraport,dc=de
getdn: dn:id converted to uid=44857,ou=users,o=webservices,dc=fraport,dc=de
SASL Canonicalize [conn=0]: authcDN="uid=44857,ou=users,o=webservices,dc=fraport,dc=de"
Process 21853 detached
---snipp---
That's it ...
I tried everything (I know of) to find out what the problem is,
but I can't find the reason why it doesn't work ...
So my last hope is that someone on the list has an idea ...
Greets Harry