
open ldap with SASL & GSSAPI



Hello all,

	I've found lots of information about problems related to mine in the
FAQ and around the net, but I don't have a solution yet.  Here's my
setup:

OpenLDAP 2.2
MIT Kerberos
SASL 2.1.20

I'm using ldap to provide directory services and user info to some linux
workstations.  This was working, but after upgrading a test machine to
Fedora 6 I've started having some serious problems.

[sleepylight@minitop ~]$ ldapsearch -H ldap://ns.jive-turkey.net -Y GSSAPI
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): authentication failure: GSSAPI
Failure: gss_accept_sec_context


I figure this is one of three possible problems.
1 - saslauthd isn't working right
2 - ldap isn't talking to sasl correctly
3 - I've done something wrong with my LDAP queries.

Kerberos seems to work fine.  I can get my credentials with kinit, and
the GSSAPI credentials are working for ssh logins.  Also, I can use
testsaslauthd and get a success from the authd server.


[sleepylight@ns ~]$ /usr/sbin/testsaslauthd -r JIVE-TURKEY.NET -s ldap -u sleepylight -p *********
0: OK "Success."

So I think my problem is #2 or #3.  I'm not sure which, so if anyone has
some feedback I'm happy to try it out.  I'll include some possibly
relevant material at the end of this email.  Thanks for reading!


Some stuff from slapd.conf:

sasl-host ns.jive-turkey.net

sasl-secprops noanonymous,noplain,noactive

saslRegexp uid=([^/]*),cn=GSSAPI,cn=auth
           uid=$1,ou=People,dc=jive-turkey,dc=net

# Default read access for everything else
access to *
        by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write
        by * read


Messages from slapd after an attempted login

slapd startup: initiated.
backend_startup: starting "dc=jive-turkey,dc=net"
bdb_db_open: dbenv_open(/var/lib/ldap)
slapd starting
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
ber_get_next
ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: version=3 dn="" method=128
send_ldap_result: conn=0 op=0 p=3
send_ldap_response: msgid=1 tag=97 err=0
ber_flush: 14 bytes to sd 10
do_bind: v3 anonymous bind
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 201 contents:
ber_get_next
ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
do_search
ber_scanf fmt ({miiiib) ber:
>>> dnPrettyNormal: <dc=jive-tukey,dc=net>
ldap_err2string
<= ldap_bv2dn(dc=jive-tukey,dc=net)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(dc=jive-tukey,dc=net)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(dc=jive-tukey,dc=net)=0 Success
<<< dnPrettyNormal: <dc=jive-tukey,dc=net>, <dc=jive-tukey,dc=net>
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({M}}) ber:
send_ldap_result: conn=0 op=1 p=3
send_ldap_response: msgid=2 tag=101 err=32
ber_flush: 14 bytes to sd 10
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 201 contents:
ber_get_next
do_search
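Added example (not part of the original post and not OpenLDAP code): a stand-alone Python dry-run of the two regex steps quoted from the poster's slapd.conf, the saslRegexp that maps `uid=<user>,cn=GSSAPI,cn=auth` onto `ou=People`, and the `dn.regex` ACL that grants write access to `/admin` principals. It shows which Kerberos principal ends up bound as which DN and what the ACL then grants, and exposes two things a reviewer would check on that config: `[^/]*` also accepts commas, so an identity that carries a `cn=<realm>` component is rewritten into a DN under `ou=People` that cannot exist, and the ACL pattern has no `^`/`$` anchors, so it matches anywhere inside a DN (OpenLDAP's own documentation examples anchor `dn.regex` patterns). Assumptions, labelled in the code as well: slapd builds the pre-mapping identity as `uid=<user>[,cn=<realm>],cn=GSSAPI,cn=auth` with the realm component present only for a non-default realm; slapd matches both patterns case-insensitively and the saslRegexp against the whole identity; the realm `OTHER.REALM`, the "stale" entry DN and the tightened patterns are constructed for illustration. Nothing here claims the posted configuration is exploitable; it is a way to test the regexes before trusting them.

```python
"""Dry-run of the saslRegexp mapping and the dn.regex ACL quoted in the post.

Constructed example: re-implements the two regex steps with Python's re module
to show which Kerberos principals bind as which DN and what the ACL grants.
slapd uses POSIX extended regexes; these patterns are simple enough that
Python's syntax agrees with them.  Whole-string matching of the saslRegexp and
case-insensitive matching are ASSUMPTIONS to confirm against slapd.conf(5) and
slapd.access(5) for the version in use.
"""
import re

DEFAULT_REALM = "JIVE-TURKEY.NET"

# saslRegexp (match, replace) exactly as quoted from the poster's slapd.conf
SASL_REGEXP_MATCH = r"uid=([^/]*),cn=GSSAPI,cn=auth"
SASL_REGEXP_REPLACE = r"uid=$1,ou=People,dc=jive-turkey,dc=net"

# dn.regex of the ACL clause that grants write access, exactly as quoted
ACL_WRITE_REGEX = r"uid=.*/admin,cn=GSSAPI,cn=auth"

# Tightened alternatives (assumptions for comparison, not from the post):
# no commas or slashes inside the uid, and anchored at both ends.
TIGHT_SASL_REGEXP_MATCH = r"^uid=([^,/]+),cn=GSSAPI,cn=auth$"
ANCHORED_ACL_WRITE_REGEX = r"^uid=[^,/]+/admin,cn=GSSAPI,cn=auth$"


def sasl_authz_dn(principal, default_realm=DEFAULT_REALM):
    """Identity slapd derives from a GSSAPI principal before any mapping:
    uid=<user>[,cn=<realm>],cn=GSSAPI,cn=auth.  ASSUMPTION: the cn=<realm>
    component appears only when the realm is not the server's default."""
    user, _, realm = principal.partition("@")
    if realm and realm.upper() != default_realm.upper():
        return f"uid={user},cn={realm},cn=GSSAPI,cn=auth"
    return f"uid={user},cn=GSSAPI,cn=auth"


def apply_sasl_regexp(authz_dn, match=SASL_REGEXP_MATCH, replace=SASL_REGEXP_REPLACE):
    """Rewrite authz_dn with the saslRegexp rule; when the rule does not match,
    slapd leaves the identity as the raw ...,cn=GSSAPI,cn=auth DN."""
    m = re.fullmatch(match, authz_dn, re.IGNORECASE)
    if not m:
        return authz_dn
    # slapd writes back-references as $1..$9; re.Match.expand wants \1..\9
    return m.expand(replace.replace("$", "\\"))


def access_level(bind_dn, acl_regex=ACL_WRITE_REGEX):
    """'write' if the bound DN matches the dn.regex clause, else 'read'
    (the quoted ACL ends with 'by * read').  re.search mirrors an unanchored
    pattern: it matches anywhere in the DN unless the pattern carries ^ and $."""
    return "write" if re.search(acl_regex, bind_dn, re.IGNORECASE) else "read"


def resolve(principal, match=SASL_REGEXP_MATCH, acl_regex=ACL_WRITE_REGEX):
    """Full chain for one principal: (DN slapd binds as, access the ACL grants)."""
    bind_dn = apply_sasl_regexp(sasl_authz_dn(principal), match)
    return bind_dn, access_level(bind_dn, acl_regex)


if __name__ == "__main__":
    # Constructed principals: the poster's user, a /admin instance of it, and
    # the same user from a non-default realm.
    for principal in ("sleepylight@JIVE-TURKEY.NET",
                      "sleepylight/admin@JIVE-TURKEY.NET",
                      "sleepylight@OTHER.REALM"):
        print(principal, "->", resolve(principal), "| tightened:",
              resolve(principal, TIGHT_SASL_REGEXP_MATCH, ANCHORED_ACL_WRITE_REGEX))
    # Constructed DN showing the effect of the missing anchors on the ACL.
    stale = "uid=x/admin,cn=GSSAPI,cn=auth,ou=Stale,dc=jive-turkey,dc=net"
    print(stale, "->", access_level(stale), "| anchored:",
          access_level(stale, ANCHORED_ACL_WRITE_REGEX))
```

The interesting row is the non-default realm: with the quoted pattern the comma inside `[^/]*` swallows `cn=OTHER.REALM`, producing `uid=sleepylight,cn=OTHER.REALM,ou=People,dc=jive-turkey,dc=net`, a DN that matches nothing in the directory; with `[^,/]+` the identity is left unmapped instead, which is at least visible in the slapd log. The `/admin` principal is unaffected either way because the slash stops the mapping, which is what the ACL relies on.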