[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
sb_sasl_pkt_length: received illegal packet length of 113 bytes
Howdy! After a week of reading every manual, cookbook, and howto,
trying every combination of config options, and twenty google searches
an hour, I've managed to get openldap (redhat stock 2.0.25), krb5
(redhat nearly stock 1.2.5), SSL/TLS, and sasl (redhat stock 2.1.7,
which include 1.5.28) working on a RH8.0 box. Mostly.
Sorry for the lengthy email, I'm not sure which parts are important
for debugging, so I'm sticking them all in. :)
(One other, separate, little problem, before going on: with the
cyrus-sasl-gssapi and cyrus-sasl-plain packages both installed,
ldapsearch returned "ldap_sasl_interactive_bind_s: Unknown
authentication method"; after removing the cyrus-sasl-plain package,
it started working. Hmm....)
Here's the problem. Ldapsearch works like this:
# ldapsearch -X u:root -H ldap://ldap-2.lan.butchwax.com/ -v \
-LLL -ZZ o=butchwax
ldap_initialize( ldap://ldap-2.lan.butchwax.com/ )
SASL/GSSAPI authentication started
SASL username: u:root
SASL SSF: 56
SASL installing layers
filter: o=butchwax
requesting: ALL
dn: o=butchwax
objectClass: top
objectClass: organization
o: butchwax
Perfect. But this doesn't work:
# ldapsearch -Q -H ldap://ldap-2.lan.butchwax.com/ -v \
-LLL -ZZ o=butchwax
ldap_initialize( ldap://ldap-2.lan.butchwax.com/ )
filter: o=butchwax
requesting: ALL
ldap_result: Can't contact LDAP server
The sasl sample client and server work perfectly (and they're linked
to the 1.5.28 sasl libraries). This search grabs the correct krb
service ticket before failing.
Running -d -1 on the server and comparing the output for the two
searches reveals this after about 1200 lines of otherwise nearly
identical debugging info:
Without the -X u:root option:
Jan 21 15:53:02 greaser slapd: ldap_pvt_sasl_install
[...snip ~10 lines]
Jan 21 15:53:02 greaser slapd: sasl_read: want=4, got=4
Jan 21 15:53:02 greaser slapd: 0000: 00 00 00 71
...q
Jan 21 15:53:02 greaser slapd: sb_sasl_pkt_length: received illegal packet length of 113 bytes
Jan 21 15:53:02 greaser slapd: sasl_read: want=16, got=16
Jan 21 15:53:02 greaser slapd: 0000: 60 6f 06 09 2a 86 48 86 f7 12 01 02 02 02 01 04 `o..*.H.........
Jan 21 15:53:02 greaser slapd: ldap_read: want=1, got=0
Jan 21 15:53:02 greaser slapd:
Jan 21 15:53:02 greaser slapd: ber_get_next on fd 11 failed errno=0 (Success)
Jan 21 15:53:02 greaser slapd: connection_read(11): input error=-2 id=14, closing.
Jan 21 15:53:02 greaser slapd: connection_closing: readying conn=14 sd=11 for close
Jan 21 15:53:02 greaser slapd: connection_close: conn=14 sd=11
Jan 21 15:53:02 greaser slapd: daemon: removing 11
[...ends a few lines later]
With the -X u:root option:
Jan 21 15:54:51 greaser slapd: ldap_pvt_sasl_install
[...snip ~10 lines]
Jan 21 15:54:51 greaser slapd: sasl_read: want=4, got=4
Jan 21 15:54:51 greaser slapd: 0000: 00 00 00 71
...q
Jan 21 15:54:51 greaser slapd: sasl_read: want=113, got=113
Jan 21 15:54:51 greaser slapd: 0000: 60 6f 06 09 2a 86 48 86 f7 12 01 02 02 02 01 04 `o..*.H.........
Jan 21 15:54:51 greaser slapd: 0010: 00 02 00 ff ff 2b c3 0e dd 33 b7 d6 5d c6 d7 c0 .....+...3..]...
[...900 lines later the desired output is given]
As far as ldapsearch -d -1 output:
With -X u:root:
[snip about 700 lines]
sasl_client_step: 0
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_flush: 97 bytes to sd 3
0000: 30 5f 02 01 05 60 5a 02 01 03 04 00 a3 53 04 06 0_...`Z......S..
0010: 47 53 53 41 50 49 04 49 60 47 06 09 2a 86 48 86 GSSAPI.I`G..*.H.
0020: f7 12 01 02 02 02 01 04 00 ff ff ff ff a8 d9 79 ...............y
0030: 94 8b 58 b1 8c 57 22 4a e4 af fd 4b d4 41 a3 f5 ..X..W"J...K.A..
0040: 72 ad 9a 8b 24 5d e9 ce 9a d1 5a 72 cf 21 79 47 r...$]....Zr.!yG
0050: 51 04 0f ff ff 75 3a 72 6f 6f 74 06 06 06 06 06 Q....u:root.....
0060: 06 .
With no -X:
[snip same 700 lines]
ldap_msgfree
sasl_client_step: 0
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_flush: 89 bytes to sd 3
0000: 30 57 02 01 05 60 52 02 01 03 04 00 a3 4b 04 06 0W...`R......K..
0010: 47 53 53 41 50 49 04 41 60 3f 06 09 2a 86 48 86 GSSAPI.A`?..*.H.
0020: f7 12 01 02 02 02 01 04 00 ff ff ff ff a6 6c c2 ..............l.
0030: 35 31 ac ed 83 e4 50 a2 63 cf 35 6e 83 25 2f f5 51....P.c.5n.%/.
0040: ab 7a db 04 2d 6a 41 88 5e 09 99 f5 65 ca 8a 2d .z..-jA.^...e..-
0050: 04 04 0f ff ff 04 04 04 04 .........
Maybe the 'u:root' in in the -X output is significant? Then:
With no -X:
[snip about 70 more lines]
ldap_msgfree
SASL SSF: 56
SASL installing layers
ldap_pvt_sasl_install
filter: o=butchwax
With -X:
ldap_msgfree
SASL username: u:root
SASL SSF: 56
SASL installing layers
ldap_pvt_sasl_install
filter: o=butchwax
Here it is again. Then:
With no -X:
[snip 100 more lines]
do_ldap_select
read1msg: msgid -1, all 0
ber_get_next
tls_read: want=5, got=5
0000: 15 03 01 00 18 .....
tls_read: want=24, got=24
0000: 9a 00 0c 7a c0 76 6e 08 41 42 8a ac ad 8b 01 77 ...z.vn.AB.....w
0010: 18 ea cc b4 63 f1 2b d3 ....c.+.
TLS trace: SSL3 alert read:warning:close notify
sasl_read: want=4, got=0
ldap_read: want=1, got=0
ber_get_next failed.
ldap_perror
ldap_result: Can't contact LDAP server
ldap_unbind
ldap_free_request (origid 6, msgid 6)
ldap_free_connection
ldap_send_unbind
And with -X:
[snip same 100 lines]
do_ldap_select
read1msg: msgid -1, all 0
ber_get_next
tls_read: want=5, got=5
0000: 17 03 01 00 d0 .....
tls_read: want=208, got=208
[...]
sasl_read: want=4, got=4
0000: 00 00 00 b2 ....
sasl_read: want=178, got=178
[... and soon we see the results of the query come over.]
What else is needed to debug this? I'll include any config file
that'll help clear this up. Thanks for any help!
John
--
John Morris
+1-888-717-4279