
Re: OpenLDAP+SSL+Kerberos against AD



It appears that after negotiating and installing SASL security layers
on an LDAP over SSL (ldaps://), the client made a search request.
Then the server has apparently closed the connection.  You might check the
server logs...

You might try disabling SASL security layers, -O maxbufsize=0.

Kurt

At 03:08 AM 2002-06-12, Antti Tikkanen wrote:
>Hi all,
>
>I am having problems using openldap with both kerberos and SSL against a
>Windows 2000 AD. The problem only appears when I use *both* kerberos and
>SSL. Separately both work fine. I am using OpenLDAP 2.0.23, MIT Kerberos V
>1.2.4, cyrus-sasl-1.5.24 and openssl0.9.6b.
>
>More precisely, commands such as 
>
>  ldapsearch -Hldaps://myserver -D "cn=validuser,dc=myserver,dc=com" \
>  -x -W -b "" -s base
>
>which only use SSL work fine. Also, commands such as
>
>  ldapsearch -Hldap://myserver -b "" -s base
>
>will also work fine after I have done 'kinit'. Without a valid ticket I
>get a ldap_sasl_interactive_bind_s: Local error, which is what you would
>expect.
>
>However, when I say
>  
>  ldapsearch -Hldaps://myserver -b "" -s base
>
>and try to use both SSL and Kerberos, things start to break. I get an
>error message: ldap_result: Can't contact LDAP server. 
>
>Here is a closer trace:
>
>---
>
># ldapsearch -Hldaps://myserver -s base -b "" -d 1
>ldap_create
>ldap_url_parse_ext(ldaps://myserver)
>ldap_pvt_sasl_getmech
>ldap_search
>put_filter "(objectclass=*)"
>put_filter: simple
>put_simple_filter "objectclass=*"
>ldap_send_initial_request
>ldap_new_connection
>ldap_int_open_connection
>ldap_connect_to_host: myserver
>ldap_new_socket: 3
>ldap_prepare_socket: 3
>ldap_connect_to_host: Trying myserver_ip:636
>ldap_connect_timeout: fd: 3 tm: -1 async: 0
>ldap_ndelay_on: 3
>ldap_is_sock_ready: 3
>ldap_ndelay_off: 3
>ldap_int_sasl_open: host=myserver
>TLS trace: SSL_connect:before/connect initialization
>TLS trace: SSL_connect:SSLv2/v3 write client hello A
>TLS trace: SSL_connect:SSLv3 read server hello A
>TLS certificate verification: depth: 0, subject: /CN=myserver,
>issuer: /Email=changed@cc.hut.fi/C=FI/ST=Uusimaa/L=Espoo/O=Computing
>Centre/OU=Helsinki University of Technology/CN=FUTCA
>TLS trace: SSL_connect:SSLv3 read server certificate A
>TLS trace: SSL_connect:SSLv3 read server certificate request A
>TLS trace: SSL_connect:SSLv3 read server done A
>TLS trace: SSL_connect:SSLv3 write client certificate A
>TLS trace: SSL_connect:SSLv3 write client key exchange A
>TLS trace: SSL_connect:SSLv3 write change cipher spec A
>TLS trace: SSL_connect:SSLv3 write finished A
>TLS trace: SSL_connect:SSLv3 flush data
>TLS trace: SSL_connect:SSLv3 read finished A
>ldap_open_defconn: successful
>ldap_send_server_request
>ber_flush: 64 bytes to sd 3
>ldap_result msgid 1
>ldap_chkResponseList for msgid=1, all=1
>ldap_chkResponseList returns NULL
>wait4msg (infinite timeout), msgid 1
>wait4msg continue, msgid 1, all 1
>** Connections:
>* host: myserver  port: 636  (default)
>  refcnt: 2  status: Connected
>  last used: Wed Jun 12 10:25:40 2002
>
>** Outstanding Requests:
> * msgid 1,  origid 1, status InProgress
>   outstanding referrals 0, parent count 0
>** Response Queue:
>   Empty
>ldap_chkResponseList for msgid=1, all=1
>ldap_chkResponseList returns NULL
>do_ldap_select
>read1msg: msgid 1, all 1
>ber_get_next
>ber_get_next: tag 0x30 len 74 contents:
>ldap_read: message type search-entry msgid 1, original id 1
>wait4msg continue, msgid 1, all 1
>** Connections:
>* host: myserver  port: 636  (default)
>  refcnt: 2  status: Connected
>  last used: Wed Jun 12 10:25:40 2002
>
>** Outstanding Requests:
> * msgid 1,  origid 1, status InProgress
>   outstanding referrals 0, parent count 0
>** Response Queue:
> * msgid 1,  type 100
>ldap_chkResponseList for msgid=1, all=1
>ldap_chkResponseList returns NULL
>read1msg: msgid 1, all 1
>ber_get_next
>ber_get_next: tag 0x30 len 16 contents:
>ldap_read: message type search-result msgid 1, original id 1
>ber_scanf fmt ({iaa) ber:
>read1msg:  0 new referrals
>read1msg:  mark request completed, id = 1
>request 1 done
>res_errno: 0, res_error: <>, res_matched: <>
>ldap_free_request (origid 1, msgid 1)
>ldap_free_connection
>ldap_free_connection: refcnt 1
>adding response id 1 type 101:
>ldap_parse_result
>ber_scanf fmt ({iaa) ber:
>ber_scanf fmt (}) ber:
>ldap_get_values
>ber_scanf fmt ({x{{a) ber:
>ber_scanf fmt ([v]) ber:
>ldap_msgfree
>ldap_interactive_sasl_bind_s: server supports: GSSAPI GSS-SPNEGO
>ldap_int_sasl_bind: GSSAPI GSS-SPNEGO
>SASL/GSSAPI authentication started
>ldap_sasl_bind_s
>ldap_sasl_bind
>ldap_send_initial_request
>ldap_send_server_request
>ber_flush: 1176 bytes to sd 3
>ldap_result msgid 2
>ldap_chkResponseList for msgid=2, all=1
>ldap_chkResponseList returns NULL
>wait4msg (infinite timeout), msgid 2
>wait4msg continue, msgid 2, all 1
>** Connections:
>* host: myserver  port: 636  (default)
>  refcnt: 2  status: Connected
>  last used: Wed Jun 12 10:25:40 2002
>
>** Outstanding Requests:
> * msgid 2,  origid 2, status InProgress
>   outstanding referrals 0, parent count 0
>** Response Queue:
>   Empty
>ldap_chkResponseList for msgid=2, all=1
>ldap_chkResponseList returns NULL
>do_ldap_select
>read1msg: msgid 2, all 1
>ber_get_next
>ber_get_next: tag 0x30 len 151 contents:
>ldap_read: message type bind msgid 2, original id 2
>ber_scanf fmt ({iaa) ber:
>read1msg:  0 new referrals
>read1msg:  mark request completed, id = 2
>request 2 done
>res_errno: 0, res_error: <>, res_matched: <>
>ldap_free_request (origid 2, msgid 2)
>ldap_free_connection
>ldap_free_connection: refcnt 1
>ldap_parse_sasl_bind_result
>ber_scanf fmt ({iaa) ber:
>ber_scanf fmt (O) ber:
>ldap_parse_result
>ber_scanf fmt ({iaa) ber:
>ber_scanf fmt (x) ber:
>ber_scanf fmt (}) ber:
>ldap_msgfree
>sasl_client_start: 1
>ldap_sasl_bind_s
>ldap_sasl_bind
>ldap_send_initial_request
>ldap_send_server_request
>ber_flush: 22 bytes to sd 3
>ldap_result msgid 3
>ldap_chkResponseList for msgid=3, all=1
>ldap_chkResponseList returns NULL
>wait4msg (infinite timeout), msgid 3
>wait4msg continue, msgid 3, all 1
>** Connections:
>* host: myserver  port: 636  (default)
>  refcnt: 2  status: Connected
>  last used: Wed Jun 12 10:25:40 2002
>
>** Outstanding Requests:
> * msgid 3,  origid 3, status InProgress
>   outstanding referrals 0, parent count 0
>** Response Queue:
>   Empty
>ldap_chkResponseList for msgid=3, all=1
>ldap_chkResponseList returns NULL
>do_ldap_select
>read1msg: msgid 3, all 1
>ber_get_next
>ber_get_next: tag 0x30 len 71 contents:
>ldap_read: message type bind msgid 3, original id 3
>ber_scanf fmt ({iaa) ber:
>read1msg:  0 new referrals
>read1msg:  mark request completed, id = 3
>request 3 done
>res_errno: 0, res_error: <>, res_matched: <>
>ldap_free_request (origid 3, msgid 3)
>ldap_free_connection
>ldap_free_connection: refcnt 1
>ldap_parse_sasl_bind_result
>ber_scanf fmt ({iaa) ber:
>ber_scanf fmt (O) ber:
>ldap_parse_result
>ber_scanf fmt ({iaa) ber:
>ber_scanf fmt (x) ber:
>ber_scanf fmt (}) ber:
>ldap_msgfree
>sasl_client_start: 0
>ldap_sasl_bind_s
>ldap_sasl_bind
>ldap_send_initial_request
>ldap_send_server_request
>ber_flush: 77 bytes to sd 3
>ldap_result msgid 4
>ldap_chkResponseList for msgid=4, all=1
>ldap_chkResponseList returns NULL
>wait4msg (infinite timeout), msgid 4
>wait4msg continue, msgid 4, all 1
>** Connections:
>* host: myserver  port: 636  (default)
>  refcnt: 2  status: Connected
>  last used: Wed Jun 12 10:25:40 2002
>
>** Outstanding Requests:
> * msgid 4,  origid 4, status InProgress
>   outstanding referrals 0, parent count 0
>** Response Queue:
>   Empty
>ldap_chkResponseList for msgid=4, all=1
>ldap_chkResponseList returns NULL
>do_ldap_select
>read1msg: msgid 4, all 1
>ber_get_next
>ber_get_next: tag 0x30 len 18 contents:
>ldap_read: message type bind msgid 4, original id 4
>ber_scanf fmt ({iaa) ber:
>read1msg:  0 new referrals
>read1msg:  mark request completed, id = 4
>request 4 done
>res_errno: 0, res_error: <>, res_matched: <>
>ldap_free_request (origid 4, msgid 4)
>ldap_free_connection
>ldap_free_connection: refcnt 1
>ldap_parse_sasl_bind_result
>ber_scanf fmt ({iaa) ber:
>ber_scanf fmt (O) ber:
>ldap_parse_result
>ber_scanf fmt ({iaa) ber:
>ber_scanf fmt (x) ber:
>ber_scanf fmt (}) ber:
>ldap_msgfree
>SASL SSF: 56
>SASL installing layers
>ldap_pvt_sasl_install
>version: 2
>
>#
># filter: (objectclass=*)
># requesting: ALL
>#
>
>ldap_search_ext
>put_filter "(objectclass=*)"
>put_filter: simple
>put_simple_filter "objectclass=*"
>ldap_send_initial_request
>ldap_send_server_request
>ber_flush: 39 bytes to sd 3
>ldap_result msgid -1
>ldap_chkResponseList for msgid=-1, all=0
>ldap_chkResponseList returns NULL
>wait4msg (infinite timeout), msgid -1
>wait4msg continue, msgid -1, all 0
>** Connections:
>* host: myserver  port: 636  (default)
>  refcnt: 2  status: Connected
>  last used: Wed Jun 12 10:25:40 2002
>
>** Outstanding Requests:
> * msgid 5,  origid 5, status InProgress
>   outstanding referrals 0, parent count 0
>** Response Queue:
>   Empty
>ldap_chkResponseList for msgid=-1, all=0
>ldap_chkResponseList returns NULL
>do_ldap_select
>read1msg: msgid -1, all 0
>ber_get_next
>ldap_perror
>ldap_result: Can't contact LDAP server
>ldap_unbind
>ldap_free_request (origid 5, msgid 5)
>ldap_free_connection
>ldap_send_unbind
>ber_flush: 7 bytes to sd 3
>ldap_free_connection: actually freed
>TLS trace: SSL3 alert write:warning:close notify
>
>---
>
>What is wrong? Anyone? I would really, really appreciate any help or
>hints. 
>
>Best regards,
>Antti
>
>-- 
>
>Antti.Tikkanen@hut.fi 
>Helsinki University of Technology 
>Computing Centre
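The reading Kurt gives of the trace (TLS handshake completes, the GSSAPI bind negotiates a SASL security layer with SSF 56, and the very first request sent through that layer is the one the server drops) can be turned into a small log check. The script below is an added example and not part of the thread or of OpenLDAP; the function names `diagnose` and `recommend` are chosen here, and `SAMPLE_TRACE` is a constructed, condensed excerpt modelled on the `ldapsearch -d 1` output quoted above rather than the verbatim log. The only remediation it prints is the one the reply suggests, `-O maxbufsize=0`, which tells the client not to install a SASL security layer; over ldaps:// the TLS session already protects the channel, so nothing is lost by dropping the inner layer.

```python
import re

# Constructed, condensed excerpt modelled on the ldapsearch -d 1 trace in the
# thread (not the verbatim log): only the lines the check looks at are kept.
SAMPLE_TRACE = """\
ldap_create
ldap_url_parse_ext(ldaps://myserver)
ldap_connect_to_host: Trying myserver_ip:636
TLS trace: SSL_connect:SSLv3 read finished A
ldap_interactive_sasl_bind_s: server supports: GSSAPI GSS-SPNEGO
SASL/GSSAPI authentication started
SASL SSF: 56
SASL installing layers
ldap_pvt_sasl_install
ldap_search_ext
ber_flush: 39 bytes to sd 3
ldap_result: Can't contact LDAP server
ldap_unbind
TLS trace: SSL3 alert write:warning:close notify
"""

URL_RE = re.compile(r"ldap_url_parse_ext\((ldaps?)://")
SSF_RE = re.compile(r"^SASL SSF: (\d+)$")
LOST_MSG = "ldap_result: Can't contact LDAP server"


def diagnose(trace: str) -> dict:
    """Walk a client debug trace in order and report whether the
    'SASL layer installed, next request dropped' pattern is present.

    Returned keys:
      scheme              - ldap or ldaps, from the parsed URL
      tls                 - True once the TLS handshake reached 'read finished'
      sasl_ssf            - SSF negotiated by the SASL bind (0 if none)
      layers_installed    - True if 'SASL installing layers' appeared
      lost_after_layers   - True if the connection died after that point
      double_wrap         - TLS and a SASL security layer both active
    """
    scheme = None
    tls = False
    sasl_ssf = 0
    layers_installed = False
    lost_after_layers = False

    for line in trace.splitlines():
        m = URL_RE.search(line)
        if m:
            scheme = m.group(1)
        if "SSL_connect" in line and "read finished" in line:
            tls = True
        m = SSF_RE.match(line)
        if m:
            sasl_ssf = int(m.group(1))
        if line == "SASL installing layers":
            layers_installed = True
        # Order matters: only a loss *after* the layer went in fits the pattern.
        if layers_installed and line.startswith(LOST_MSG):
            lost_after_layers = True

    return {
        "scheme": scheme,
        "tls": tls,
        "sasl_ssf": sasl_ssf,
        "layers_installed": layers_installed,
        "lost_after_layers": lost_after_layers,
        "double_wrap": tls and sasl_ssf > 0,
    }


def recommend(report: dict):
    """Return the client-side option suggested in the reply when the trace
    matches the pattern, otherwise None (the server log is the next place to look)."""
    if report["double_wrap"] and report["lost_after_layers"]:
        # Disables SASL security layers on the client; TLS still protects the session.
        return "-O maxbufsize=0"
    return None


if __name__ == "__main__":
    rep = diagnose(SAMPLE_TRACE)
    for k, v in rep.items():
        print(f"{k:18} {v}")
    fix = recommend(rep)
    print("suggested option:", fix if fix else "none (check server logs)")
```

The check is deliberately order-sensitive: a "Can't contact LDAP server" that appears before any SASL layer is installed is a plain connectivity or TLS problem, not this one, and `recommend` stays silent for it.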