
Re: unable to sasl bind to openldap.



On 01/20/13 17:30 +0530, mallapadi niranjan wrote:
Hi all,

I need some help in finding more about the below error:

Jan 20 05:34:58 ldap2 slapd[2561]: conn=1025 op=1 RESULT tag=97 err=14 text=SASL(0): successful result:
Jan 20 05:34:58 ldap2 slapd[2561]: conn=1025 op=2 BIND dn="" method=163
Jan 20 05:34:58 ldap2 slapd[2561]: SASL [conn=1025] Failure: Inappropriate authentication
Jan 20 05:34:58 ldap2 slapd[2561]: conn=1025 op=2 RESULT tag=97 err=50 text=SASL(-14): authorization failure: Inappropriate authentication
Jan 20 05:34:58 ldap2 slapd[2561]: conn=1025 op=3 UNBIND
Jan 20 05:34:58 ldap2 slapd[2561]: conn=1025 fd=31 closed


More information:

OpenLDAP version: openldap-servers-2.4.23-26.el6_3.2.x86_64

What I am trying to do is this: I have configured bind (named) to store its
records in an LDAP server using the plugin provided by
bind-dyndb-ldap-1.1.0-0.9.b1.el6.x86_64, and I have configured named.conf
to access the LDAP server only through GSSAPI.

options {
       listen-on port 53 { 127.0.0.1; };
       listen-on-v6 port 53 { ::1; };
       directory       "/var/named";
       dump-file       "/var/named/data/cache_dump.db";
       statistics-file "/var/named/data/named_stats.txt";
       memstatistics-file "/var/named/data/named_mem_stats.txt";

       forward first;
       forwarders { };
       #dnssec-enable yes;
       #dnssec-validation yes;
       #dnssec-lookaside auto;
       allow-recursion { any; };
       /* Path to ISC DLV key */
       #bindkeys-file "/etc/named.iscdlv.key";
       #managed-keys-directory "/var/named/dynamic";
       tkey-gssapi-credential "dnsadmin@EXAMPLE.ORG";
       tkey-domain "EXAMPLE.ORG";
};
logging {
       channel default_debug {
               file "data/named.run";
               severity dynamic;
       };
};
zone "." IN {
       type hint;
       file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
dynamic-db "openldap" {
       library "ldap.so";
       #arg "uri ldapi://%2fvar%2frun%2fldapi";
       arg "uri ldap://localhost";
       arg "base cn=dns,dc=example,dc=org";
       arg "fake_mname ldap2.example.org.";
       arg "auth_method sasl";
       arg "sasl_mech GSSAPI";
       arg "sasl_user dnsadmin@EXAMPLE.ORG";
       arg "zone_refresh 30";
};

You should not specify a username when using the GSSAPI. SASL and OpenLDAP
will derive the username based on the kerberos ticket, and your sasl-regexp
rules. It's possible that the username you're submitting is being
interpreted as an authz identity, and is causing an authorization failure.


As you can see, named uses dnsadmin@EXAMPLE.ORG as its SASL
authentication user; dnsadmin@EXAMPLE.ORG is a user who exists in the LDAP
records:

dn: cn=dnsadmin,ou=People,dc=example,dc=org
cn: dnsadmin
sn: user
objectClass: person
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
userPassword:: U2VjcmV0MTIz
krbPrincipalName: dnsadmin@EXAMPLE.ORG
krbLoginFailedCount: 0
krbPasswordExpiration: 19700101000000Z
krbLastPwdChange: 20130119232256Z
krbExtraData:: AALQKvtQcm9vdC9hZG1pbkBFWEFNUExFLk9SRwA=
krbExtraData:: AAgBAA==


named reads the /etc/named.keytab file to get dnsadmin@EXAMPLE.ORG:

[root@ldap2 master]# klist -k /etc/named.keytab

Keytab name: WRFILE:/etc/named.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  2 dnsadmin@EXAMPLE.ORG
  2 dnsadmin@EXAMPLE.ORG
  2 dnsadmin@EXAMPLE.ORG
  2 dnsadmin@EXAMPLE.ORG
  2 dnsadmin@EXAMPLE.ORG
  2 dnsadmin@EXAMPLE.ORG


What I am looking for is this: when bind tries to connect to the LDAP server
using "dnsadmin@EXAMPLE.ORG", I am seeing the error below.

Jan 20 05:47:43 ldap2 slapd[2561]: conn=1031 op=0 RESULT tag=97 err=14 text=SASL(0): successful result:
Jan 20 05:47:43 ldap2 slapd[2561]: connection_input: conn=1031 deferring operation: binding
Jan 20 05:47:43 ldap2 slapd[2561]: conn=1031 op=1 BIND dn="" method=163
Jan 20 05:47:43 ldap2 slapd[2561]: connection_input: conn=1031 deferring operation: binding
Jan 20 05:47:43 ldap2 slapd[2561]: conn=1031 op=1 RESULT tag=97 err=14 text=SASL(0): successful result:
Jan 20 05:47:43 ldap2 slapd[2561]: conn=1031 op=2 BIND dn="" method=163
Jan 20 05:47:43 ldap2 slapd[2561]: SASL [conn=1031] Failure: Inappropriate authentication
Jan 20 05:47:43 ldap2 slapd[2561]: conn=1031 op=3 UNBIND
Jan 20 05:47:43 ldap2 slapd[2561]: conn=1031 op=2 RESULT tag=97 err=50 text=SASL(-14): authorization failure: Inappropriate authentication
Jan 20 05:47:43 ldap2 slapd[2561]: conn=1031 fd=34 closed

Can anyone help me with how to enable more debugging to get more info about
the error=50 (Insufficient access error)? Below is my olcAuthzRegexp
configuration:

# config
dn: cn=config
objectClass: olcGlobal
cn: config
olcConfigFile: /opt/setup-openldap/sample-slapd.conf
olcConfigDir: /etc/openldap/slapd.d/
olcAllows: bind_v2
...
olcTLSCACertificateFile: /etc/pki/tls/certs/cacert.pem
olcTLSCertificateFile: /etc/pki/tls/certs/server.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/serverkey.pem
olcTLSVerifyClient: allow
olcToolThreads: 1
olcWriteTimeout: 0
olcAuthzRegexp: {0}uid=(.*),cn=EXAMPLE.ORG,cn=gssapi,cn=auth uid=$1,ou=People,dc=example,dc=org
olcLogLevel: stats


And the output of ldapwhoami:

[root@ldap2 master]# ldapwhoami -Y GSSAPI -H ldapi:///
SASL/GSSAPI authentication started
SASL username: dnsadmin@EXAMPLE.ORG
SASL SSF: 56
SASL data security layer installed.
dn:uid=dnsadmin,cn=example.org,cn=gssapi,cn=auth

I just want to find out why named fails when it tries to SASL bind with
OpenLDAP.

Your olcAuthzRegexp rule is failing to trigger. Try specifying a lowercase
'cn=example.org'.

--
Dan White
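An added example, not part of this thread, for reading slapd "stats" logs like the ones quoted above: it correlates each connection's SASL bind round trips with the separate libsasl failure line and the final result code, so err=14 (saslBindInProgress, the normal continuation step despite its "successful result" text) is not mistaken for the actual failure. The sample log is the thread's own lines, unwrapped; result-code names follow RFC 4511, and method=163 is the BER tag slapd logs for a SASL bind.

```python
import re
from collections import defaultdict

# Constructed sample: the slapd "stats" log lines quoted in the thread, unwrapped.
SAMPLE_LOG = """\
Jan 20 05:47:43 ldap2 slapd[2561]: conn=1031 op=0 RESULT tag=97 err=14 text=SASL(0): successful result:
Jan 20 05:47:43 ldap2 slapd[2561]: conn=1031 op=1 BIND dn="" method=163
Jan 20 05:47:43 ldap2 slapd[2561]: conn=1031 op=1 RESULT tag=97 err=14 text=SASL(0): successful result:
Jan 20 05:47:43 ldap2 slapd[2561]: conn=1031 op=2 BIND dn="" method=163
Jan 20 05:47:43 ldap2 slapd[2561]: SASL [conn=1031] Failure: Inappropriate authentication
Jan 20 05:47:43 ldap2 slapd[2561]: conn=1031 op=3 UNBIND
Jan 20 05:47:43 ldap2 slapd[2561]: conn=1031 op=2 RESULT tag=97 err=50 text=SASL(-14): authorization failure: Inappropriate authentication
Jan 20 05:47:43 ldap2 slapd[2561]: conn=1031 fd=34 closed
"""

# LDAP resultCode names (RFC 4511, Appendix A). err=14 is a SASL continuation, not an error.
RESULT_CODES = {0: "success", 14: "saslBindInProgress", 48: "inappropriateAuthentication",
                49: "invalidCredentials", 50: "insufficientAccessRights"}

OP_RE = re.compile(r"conn=(\d+) op=(\d+) (BIND|RESULT|UNBIND)(.*)")
ERR_RE = re.compile(r"err=(\d+)(?: text=(.*))?")
SASL_FAIL_RE = re.compile(r"SASL \[conn=(\d+)\] Failure: (.*)")

def summarize_sasl_binds(log_text):
    """Per connection that issued a SASL bind (method=163), return the number of
    err=14 continuation rounds, the libsasl failure message (if any) and the last
    non-continuation RESULT as (code, name, text)."""
    conns = defaultdict(lambda: {"rounds": 0, "sasl_failure": None, "final": None, "sasl": False})
    for line in log_text.splitlines():
        f = SASL_FAIL_RE.search(line)
        if f:  # libsasl's own diagnostic, logged separately from the RESULT line
            conns[f.group(1)]["sasl_failure"] = f.group(2).strip()
            continue
        m = OP_RE.search(line)
        if not m:  # e.g. "conn=1031 fd=34 closed" or connection_input noise
            continue
        conn, _op, kind, rest = m.groups()
        if kind == "BIND" and "method=163" in rest:
            conns[conn]["sasl"] = True
        elif kind == "RESULT":
            e = ERR_RE.search(rest)
            if not e:
                continue
            code = int(e.group(1))
            if code == 14:
                conns[conn]["rounds"] += 1
            else:
                conns[conn]["final"] = (code, RESULT_CODES.get(code, "unknown"),
                                        (e.group(2) or "").strip())
    return {c: v for c, v in conns.items() if v["sasl"]}
```

Running it on the sample yields one connection (1031) with two continuation rounds, the libsasl message "Inappropriate authentication", and a final result of 50 insufficientAccessRights.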