[Date Prev][Date Next] [Chronological] [Thread] [Top]

unable to sasl bind to openldap .



Hi all,

I need some help in finding more about the below error:

Jan 20 05:34:58 ldap2 slapd[2561]: conn=1025 op=1 RESULT tag=97 err=14 text=SASL(0): successful result:
Jan 20 05:34:58 ldap2 slapd[2561]: conn=1025 op=2 BIND dn="" method=163
Jan 20 05:34:58 ldap2 slapd[2561]: SASL [conn=1025] Failure: Inappropriate authentication
Jan 20 05:34:58 ldap2 slapd[2561]: conn=1025 op=2 RESULT tag=97 err=50 text=SASL(-14): authorization failure: Inappropriate authentication
Jan 20 05:34:58 ldap2 slapd[2561]: conn=1025 op=3 UNBIND
Jan 20 05:34:58 ldap2 slapd[2561]: conn=1025 fd=31 closed


More information:

Openldap version:openldap-servers-2.4.23-26.el6_3.2.x86_64

What i am trying to do is i have configure bind (named) to store it's records in LDAP server using plugin provided by bind-dyndb-ldap-1.1.0-0.9.b1.el6.x86_64,  And i have configure named.conf to access ldap server only through GSSAPI.

options {
        listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
       
        forward first;
        forwarders { };
        #dnssec-enable yes;
        #dnssec-validation yes;
        #dnssec-lookaside auto;
        allow-recursion { any; };
        /* Path to ISC DLV key */
        #bindkeys-file "/etc/named.iscdlv.key";
        #managed-keys-directory "/var/named/dynamic";
        tkey-gssapi-credential "dnsadmin@EXAMPLE.ORG";
        tkey-domain "EXAMPLE.ORG";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
        type hint;
        file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
dynamic-db "openldap" {
        library "ldap.so";
        #arg "uri ldapi://%2fvar%2frun%2fldapi";
        arg "uri ldap://localhost";
        arg "base cn=dns,dc=example,dc=org";
        arg "fake_mname ldap2.example.org.";
        arg "auth_method sasl";
        arg "sasl_mech GSSAPI";
        arg "sasl_user dnsadmin@EXAMPLE.ORG";
        arg "zone_refresh 30";
};

As you can see named checks for dnsadmin@EXAMPLE.ORG as it sasl  authentication user,  dnsadmin@EXAMPLE.ORG is an user  who exists in ldap records

dn: cn=dnsadmin,ou=People,dc=example,dc=org
cn: dnsadmin
sn: user
objectClass: person
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
userPassword:: U2VjcmV0MTIz
krbPrincipalName: dnsadmin@EXAMPLE.ORG
krbLoginFailedCount: 0
krbPrincipalKey:: MIIByKADAgEBoQMCAQGiAwIBAqMDAgEBpIIBsDCCAawwVKAHMAWgAwIBAKFJ
 MEegAwIBEqFABD4gACUNiDAaRqfI6BDKN9YZ/DhvIf6TfUZY8pdWQ5HvM1ZI/DOxdPnIoXfnbjRT+
 i7D7lMpkixzcxcFki3fFDBEoAcwBaADAgEAoTkwN6ADAgERoTAELhAAqBkEvL+gzUndM8TNS7ik+I
 1weyacnVPB3PaFjtteeQBLcmrqikUN9eCWTDgwTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYAM0347z
 v8kK3gj0A9SYOzUDa7Hc89pG1dg4LOdJfam6QkNGamezP45ZnFLzGSQ/oTR76I3YwRKAHMAWgAwIB
 AKE5MDegAwIBF6EwBC4QAC3muW46EjvmxYXnvzA11/kiUrGwknrOL/dtcVVhx2ul81zChqkfuHYjU
 BbTMDygBzAFoAMCAQChMTAvoAMCAQihKAQmCADtDnWrNBUuisnbEstExWOiwQphTqqXyrzPi1XQ3U
 jvE0TpMZUwPKAHMAWgAwIBAKExMC+gAwIBA6EoBCYIAFNul3CO38n/hMzLT9lT31ma7ObzhJ9B1qn
 BIGSvn7wDSiH2dw==
krbPasswordExpiration: 19700101000000Z
krbLastPwdChange: 20130119232256Z
krbExtraData:: AALQKvtQcm9vdC9hZG1pbkBFWEFNUExFLk9SRwA=
krbExtraData:: AAgBAA==


named reads /etc/named.keytab file to get dnsadmin@EXAMPLE.ORG

[root@ldap2 master]# klist -k /etc/named.keytab

Keytab name: WRFILE:/etc/named.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 dnsadmin@EXAMPLE.ORG
   2 dnsadmin@EXAMPLE.ORG
   2 dnsadmin@EXAMPLE.ORG
   2 dnsadmin@EXAMPLE.ORG
   2 dnsadmin@EXAMPLE.ORG
   2 dnsadmin@EXAMPLE.ORG


what i am looking for is when bind tries to connect using "dnsadmin@EXAMPLE.ORG" to ldap server i am seeing below error

Jan 20 05:47:43 ldap2 slapd[2561]: conn=1031 op=0 RESULT tag=97 err=14 text=SASL(0): successful result:
Jan 20 05:47:43 ldap2 slapd[2561]: connection_input: conn=1031 deferring operation: binding
Jan 20 05:47:43 ldap2 slapd[2561]: conn=1031 op=1 BIND dn="" method=163
Jan 20 05:47:43 ldap2 slapd[2561]: connection_input: conn=1031 deferring operation: binding
Jan 20 05:47:43 ldap2 slapd[2561]: conn=1031 op=1 RESULT tag=97 err=14 text=SASL(0): successful result:
Jan 20 05:47:43 ldap2 slapd[2561]: conn=1031 op=2 BIND dn="" method=163
Jan 20 05:47:43 ldap2 slapd[2561]: SASL [conn=1031] Failure: Inappropriate authentication
Jan 20 05:47:43 ldap2 slapd[2561]: conn=1031 op=3 UNBIND
Jan 20 05:47:43 ldap2 slapd[2561]: conn=1031 op=2 RESULT tag=97 err=50 text=SASL(-14): authorization failure: Inappropriate authentication
Jan 20 05:47:43 ldap2 slapd[2561]: conn=1031 fd=34 closed

Can any one help me on how to enable more debugging to get more info about the error=50 (Insufficient access error) , Below is my olcAuthRegexp configuration:

# config
dn: cn=config
objectClass: olcGlobal
cn: config
olcConfigFile: /opt/setup-openldap/sample-slapd.conf
olcConfigDir: /etc/openldap/slapd.d/
olcAllows: bind_v2
...
..
...
...
....
olcTLSCACertificateFile: /etc/pki/tls/certs/cacert.pem
olcTLSCertificateFile: /etc/pki/tls/certs/server.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/serverkey.pem
olcTLSVerifyClient: allow
olcToolThreads: 1
olcWriteTimeout: 0
olcAuthzRegexp: {0}uid=(.*),cn=EXAMPLE.ORG,cn=gssapi,cn=auth  uid=$1,ou=People
 ,dc=example,dc=org
olcLogLevel: stats


And the output of ldapwhoami

[root@ldap2 master]# ldapwhoami -Y GSSAPI -H ldapi:///
SASL/GSSAPI authentication started
SASL username: dnsadmin@EXAMPLE.ORG
SASL SSF: 56
SASL data security layer installed.
dn:uid=dnsadmin,cn=example.org,cn=gssapi,cn=auth

I just want to find out why named when trying to sasl bind with openldap it fails,  

Thanks
Niranjan