
LDAP Dies When Attempting To Use Kerberos 4 Mechanism (ITS#2991)



Full_Name: John Hayes
Version: 2.1.25
OS: SuSE 9 Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (35.8.3.76)


I have built OpenLDAP to use SASL, which in turn has been built to use the
Ebones Kerberos 4 (MIT 1.22) package. Using the saslauthd and the test fixture
testsaslauthd I am able to successfully authenticate against our KAS (AFS
Kerberos 4 server).

When I try to make requests through LDAP using the kerberos_v4 mechanism I get
the following:
isauth1:~ # ldapsearch -d5 -X 'uid=jhh,cn=msu.edu,cn=kerberos_v4,cn=auth'  -b
'dc=msu,dc=edu' '(objectclass=*)' -W
ldap_create
Enter LDAP Password:
ldap_pvt_sasl_getmech
ldap_search
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying ::1 389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_int_sasl_open: host=isauth1.cl.msu.edu
ldap_open_defconn: successful
ldap_send_server_request
ber_flush: 64 bytes to sd 3
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: localhost  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Wed Mar  3 02:06:20 2004

** Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 1, all 1
ber_get_next
ber_get_next: tag 0x30 len 65 contents:
ldap_read: message type search-entry msgid 1, original id 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: localhost  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Wed Mar  3 02:06:20 2004

** Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
 * msgid 1,  type 100
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 1, all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
ldap_read: message type search-result msgid 1, original id 1
ber_scanf fmt ({iaa) ber:
read1msg:  0 new referrals
read1msg:  mark request completed, id = 1
request 1 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection
ldap_free_connection: refcnt 1
adding response id 1 type 101:
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (}) ber:
ldap_get_values
ber_scanf fmt ({x{{a) ber:
ber_scanf fmt ([v]) ber:
ldap_msgfree
ldap_interactive_sasl_bind_s: server supports: OTP DIGEST-MD5 CRAM-MD5
ldap_int_sasl_bind: OTP DIGEST-MD5 CRAM-MD5
SASL/OTP authentication started
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_flush: 67 bytes to sd 3
ldap_result msgid 2
ldap_chkResponseList for msgid=2, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 2
wait4msg continue, msgid 2, all 1
** Connections:
* host: localhost  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Wed Mar  3 02:06:20 2004

** Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=2, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 2, all 1
ber_get_next
ldap_perror
ldap_sasl_interactive_bind_s: Can't contact LDAP server (81)
isauth1:~ #

When all is said and done the slapd has crashed, issuing the following message
in /var/log/messages:
Mar  3 02:01:59 isauth1 slapd[32709]: @(#) $OpenLDAP: slapd 2.2.6 (Mar  3 2004
00:35:08) $      root@isauth1:/root/openldap-2.2.6/servers/slapd
Mar  3 02:01:59 isauth1 slapd[32709]: bdb_initialize: Sleepycat Software:
Berkeley DB 4.2.52: (December  3, 2003)
Mar  3 02:01:59 isauth1 slapd[32709]: bdb_db_init: Initializing BDB database
Mar  3 02:01:59 isauth1 slapd[32710]: slapd starting
Mar  3 02:06:20 isauth1 slapd[32712]: conn=0 fd=12 ACCEPT from IP=::1 2284
(IP=:: 389)
Mar  3 02:06:20 isauth1 slapd[32753]: conn=0 op=0 SRCH base="" scope=0 deref=0
filter="(objectClass=*)"
Mar  3 02:06:20 isauth1 slapd[32753]: conn=0 op=0 SRCH
attr=supportedSASLMechanisms
Mar  3 02:06:20 isauth1 slapd[32753]: SASL [conn=0] Failure: KERBEROS_V4
unavailable due to lack of IPv4 information
Mar  3 02:06:20 isauth1 slapd[32753]: conn=0 op=0 SEARCH RESULT tag=101 err=0
nentries=1 text=
Mar  3 02:06:20 isauth1 slapd[32753]: conn=0 op=1 BIND dn="" method=163
isauth1:~ #

I have determined that the error reported in the messages file comes from the
SASL libraries (KERBEROS_V4 unavailable due to lack of IPv4 information).

However, the saslauthd is able to communicate with our kas server (I suspect
that the saslauthd extracts the proper communications parameters from
/etc/krb.conf and /etc/krb.realms).

I have started studying the source to determine where the breakdown in LDAP
occurs but I have concluded that help would be a good idea. Presumably this
problem should exist with Kerberos 5 also.

Thanks for any help.

John Hayes
Michigan State University
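As an added example (not part of this report or of OpenLDAP), a small log check that joins each slapd "unavailable due to lack of IPv4 information" SASL failure to the ACCEPT line of the same conn=, so an operator can see at once whether the peer arrived over IPv6 (here ::1) when the mechanism was dropped from the advertised list. The sample log is constructed from the shape of the lines above; the second, IPv4 connection is an assumed contrast case.

```python
import re
from ipaddress import ip_address

# Constructed sample: conn=0 mirrors the report's slapd log (peer ::1, IPv6);
# conn=1 is an assumed IPv4 contrast case with no SASL failure.
SAMPLE_LOG = """\
Mar  3 02:06:20 isauth1 slapd[32712]: conn=0 fd=12 ACCEPT from IP=::1 2284 (IP=:: 389)
Mar  3 02:06:20 isauth1 slapd[32753]: conn=0 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Mar  3 02:06:20 isauth1 slapd[32753]: conn=0 op=0 SRCH attr=supportedSASLMechanisms
Mar  3 02:06:20 isauth1 slapd[32753]: SASL [conn=0] Failure: KERBEROS_V4 unavailable due to lack of IPv4 information
Mar  3 02:06:20 isauth1 slapd[32753]: conn=0 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar  3 02:06:20 isauth1 slapd[32753]: conn=0 op=1 BIND dn="" method=163
Mar  3 02:07:01 isauth1 slapd[32712]: conn=1 fd=13 ACCEPT from IP=127.0.0.1 2290 (IP=0.0.0.0 389)
Mar  3 02:07:01 isauth1 slapd[32753]: conn=1 op=0 SRCH attr=supportedSASLMechanisms
"""

# ACCEPT line: connection id, peer address/port, listener address/port.
ACCEPT_RE = re.compile(
    r"conn=(\d+) fd=\d+ ACCEPT from IP=(\S+) (\d+) \(IP=(\S+) (\d+)\)")
# The SASL library message slapd relays when a plugin needs IPv4 addresses.
SASL_NOIPV4_RE = re.compile(
    r"SASL \[conn=(\d+)\] Failure: (\S+) unavailable due to lack of IPv4 information")


def correlate_sasl_ipv4_failures(log_text):
    """Return one record per 'lack of IPv4 information' failure, joined with
    the peer and listener addresses of the connection it occurred on."""
    conns = {}       # conn id -> (peer address, listener address)
    findings = []
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            conn, peer, _peer_port, local, _local_port = m.groups()
            conns[conn] = (peer, local)
            continue
        m = SASL_NOIPV4_RE.search(line)
        if m:
            conn, mech = m.groups()
            peer, local = conns.get(conn, (None, None))
            findings.append({
                "conn": int(conn),
                "mech": mech,
                "peer": peer,
                "listener": local,
                # True when the peer address is IPv6, i.e. the plugin had no IPv4 peer to use
                "peer_is_ipv6": peer is not None and ip_address(peer).version == 6,
            })
    return findings


if __name__ == "__main__":
    for f in correlate_sasl_ipv4_failures(SAMPLE_LOG):
        print(f)
```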