
Openldap crashes on GSSAPI authentication



Hi,

I have been trying for a while to get openldap working with sasl and
gssapi on Solaris 9 but have had no luck.  Can anybody give me a hand?

I am using mit kerberos krb5-1.2.7.

I compiled sasl-2.1.12 and tested it with the sample server and client
with success for gssapi authentication.  Later on I compiled
openldap-2.1.12 and after many problems, I found out that even though
slapd was finding /opt/local/lib/sasl2 while using ldd, it wanted the link
from /usr/lib/sasl2 to that folder in order to recognize the GSSAPI
authentication mechanism (This actually works as you can see in the log of
my client session). (And yes I know I should have created that link
following the sasl instructions... but it took me a while to realize
that... :) ).

Then I tested an anonymous query that works just fine.  Then I got a
kerberos ticket (klist shows my ticket granting ticket) and later on I
tried ldapsearch with the GSSAPI authentication mechanism but slapd dies
with a core dump (http://www.math.gatech.edu/~dijuremo/openldap/). Note
that after it died, I did a klist and also got
the ldap/host kerberos ticket which means my keytab is in the right
place for the ldap server.
I did a truss of the slapd with debugging enabled that can be seen at:
http://www.math.gatech.edu/~dijuremo/openldap/slapdlog

My slapd.conf file can be seen at:
http://www.math.gatech.edu/~dijuremo/openldap/slapd.conf

No matter which sasl-regexp I use in slapd.conf, the server crashes; but 
from the debugging information I can see that the username is being mapped 
correctly to the kerberos principal.

Does anybody know what is wrong with my configuration?

Thank you so much in advance for any help you may be able to give me.

Diego Remolina
School of Mathematics
Georgia Tech

############ This is a copy of the client session ###################
hilbert:/home/sysadm/src/openldap % klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1583)


Kerberos 4 ticket cache: /tmp/tkt1583
klist: You have no tickets cached
hilbert:/home/sysadm/src/openldap % /opt/local/bin/ldapsearch -x -L -s
"base" -b '' supportedSASLMechanisms
version: 1

#
# LDAPv3
# base <> with scope base
# filter: (objectclass=*)
# requesting: supportedSASLMechanisms
#

#
dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: OTP
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5

# search result

# numResponses: 2
# numEntries: 1
hilbert:/home/sysadm/src/openldap % kinit dijuremo
Password for dijuremo@MATH.GATECH.EDU:
hilbert:/home/sysadm/src/openldap % klist
Ticket cache: FILE:/tmp/krb5cc_1583
Default principal: dijuremo@MATH.GATECH.EDU

Valid starting     Expires            Service principal
02/20/03 16:51:22  02/21/03 02:51:22
krbtgt/MATH.GATECH.EDU@MATH.GATECH.EDU


Kerberos 4 ticket cache: /tmp/tkt1583
klist: You have no tickets cached
hilbert:/home/sysadm/src/openldap % /opt/local/bin/ldapsearch -x
'(uid=dijuremo)'
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (uid=dijuremo)
# requesting: ALL
#

# dijuremo, People, math.gatech.edu
dn: uid=dijuremo,ou=People,dc=math,dc=gatech,dc=edu
uid: dijuremo
cn: Diego Julian Remolina
objectClass: account
objectClass: posixAccount
objectClass: top
loginShell: /bin/tcsh
uidNumber: 1583
gidNumber: 50
homeDirectory: /home/dijuremo
gecos: Diego Julian Remolina

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
hilbert:/home/sysadm/src/openldap % /opt/local/bin/ldapsearch -Y GSSAPI -u
dijuremo '(uid=dijuremo)'
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Can't contact LDAP server (81)
(NOTE: Here is when slapd crashed and the server cannot be contacted)
hilbert:/home/sysadm/src/openldap % klist
Ticket cache: FILE:/tmp/krb5cc_1583
Default principal: dijuremo@MATH.GATECH.EDU

Valid starting     Expires            Service principal
02/20/03 16:51:22  02/21/03 02:51:22
krbtgt/MATH.GATECH.EDU@MATH.GATECH.EDU
02/20/03 16:51:51  02/21/03 02:51:22
ldap/hilbert.math.gatech.edu@MATH.GATECH.EDU


Kerberos 4 ticket cache: /tmp/tkt1583
klist: You have no tickets cached
hilbert:/home/sysadm/src/openldap %
###################### End of the client session ##################
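As an added example (not part of Diego's post), a small Python check that reads the two command outputs shown in the session, the anonymous rootDSE query and klist, and reports which client-side prerequisites of a GSSAPI bind they confirm. The sample strings are constructed from the session above; the realm and LDAP host names are the ones it shows.

```python
import re

# Constructed sample: LDIF from the anonymous rootDSE query in the session above.
ROOTDSE_LDIF = """\
dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: OTP
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
"""

# Constructed sample: klist output after the failed GSSAPI bind.
KLIST_OUTPUT = """\
Ticket cache: FILE:/tmp/krb5cc_1583
Default principal: dijuremo@MATH.GATECH.EDU

Valid starting     Expires            Service principal
02/20/03 16:51:22  02/21/03 02:51:22
krbtgt/MATH.GATECH.EDU@MATH.GATECH.EDU
02/20/03 16:51:51  02/21/03 02:51:22
ldap/hilbert.math.gatech.edu@MATH.GATECH.EDU
"""

# Constructed sample: klist before kinit, when no credentials cache exists.
KLIST_EMPTY = "klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1583)\n"

def sasl_mechanisms(ldif):
    """Set of values of every supportedSASLMechanisms attribute in the LDIF."""
    return set(re.findall(r"^supportedSASLMechanisms:\s*(\S+)\s*$", ldif, re.M))

def klist_principals(text):
    """Return (default principal or None, set of service principals).
    A service principal looks like service/instance@REALM; klist prints it
    either on its own line (as above) or after the expiry time."""
    m = re.search(r"^Default principal:\s*(\S+)", text, re.M)
    default = m.group(1) if m else None
    services = set(re.findall(r"(\S+/\S+@\S+)\s*$", text, re.M))
    return default, services

def gssapi_readiness(ldif, klist_text, realm, ldap_host):
    """Map each client-side prerequisite of a GSSAPI bind to True/False."""
    mechs = sasl_mechanisms(ldif)
    _, services = klist_principals(klist_text)
    return {
        "server_offers_gssapi": "GSSAPI" in mechs,
        "client_has_tgt": f"krbtgt/{realm}@{realm}" in services,
        "ldap_service_ticket": f"ldap/{ldap_host}@{realm}" in services,
    }
```

These checks cover only what the client can observe; whether slapd can read its keytab and load the GSSAPI plugin from its sasl2 directory is a server-side matter.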