
Re: Yet another "ldap_sasl_interactive_bind_s: Local error" unresolved problem !



At 12:02 PM 2002-09-05, wagner.bila@embraer.com.br wrote:
>  I've been trying, these last 2 or 3 days, to find an answer to the
>problem i'm facing when i try to authenticate my application to a remote
>LDAP server. I've looked many messages posted to this list but none gave me
>the answer and helped me to solve it, and that's why i'm posting this
>message ... My application (which is in fact a web page written in PHP
>script) needs to access a remote LDAP server to authenticate a user (in
>fact, what really matters here is that i need to query its database). Well,
>the PHP engine relies on the UMIC's LDAP implementation (version 3.3),

I assume you meant U-Mich LDAP 3.3.  That's an LDAPv2+ only implementation
(which OpenLDAP was originally derived from).

>which has the default authentication method set to the SASL mechanism.

U-Mich LDAP doesn't support the SASL framework, it's LDAPv2+ only.
So, I assume, the application is using some other LDAP library,
like OpenLDAP 2.x.

(Note that SASL is not an authentication mechanism, but a framework
which supports multiple authentication mechanisms.)

>This mechanism seems to be not working properly 'cause when i try to run a
>simple query like this one:
>
>      ldapsearch -u -h "my_ldap_server" -D "cn=Test" -w "password" "cn=a*"

Since you are attempting to use a SASL mechanism, -D and -w are
quite irrelevant. When using a SASL mechanism, you should first
attempt manual specification of the mechanism (e.g., -Y) before
attempting auto-selection of the mechanism.

>  i receive the following error:
>      ldap_sasl_interactive_bind_s: Local error
>  There are many messages posted talking about this error

As there are many possible mechanisms, there are many possible
causes of this error message.

>and saying that
>the probable reason for this is that Kerberos server is not running or
>something like that (which involves the TGT ticket exchange at binding
>time).

That's a common cause when the GSSAPI or KERBEROS_V4 mechanism
has been selected.  Per the debugging information you posted,
EXTERNAL was selected.

>  The interesting matter is that if i run the same query with the -x option
>(requesting for a simple authentication), everything goes well and my query
>is done successfully ! This is the successful query:
>
>      ldapsearch -x -u -h "my_ldap_server" -D "cn=Test" -w "password"
>"cn=a*"

>  Is there any way to always disable the SASL authentication method to the
>OpenLDAP tools and library ? If not, what could be possibly wrong ?

Configure --without-cyrus-sasl disables all SASL support in OpenLDAP.

>  I tried the same query on a Novell LDAP server and a Lotus Notes LDAP
>server, giving me the same answer. Both of them gave me the same answer,
>having the same problem. When i consult both of them with the following
>query:
>
>      ldapsearch -h my_ldap_server -x -b "" -s base -LLL
>supportedSASLMechanisms
>
>  i receive:
>
>      dn:
>        supportedsaslmechanisms: EXTERNAL
>
>  Is it a problem ?

It explains the error you got.  The client auto-selected the
SASL EXTERNAL mechanism but the client has yet to establish
its identity at some lower level (e.g., TLS/SSL).  So, Cyrus
SASL returns local error in this case.

>Should i receive KERBEROS, LOGIN or something like that
>instead of EXTERNAL ???

No.  The server should publish the mechanisms it supports.
(Note: the SASL Kerberos V mechanism is called "GSSAPI" not
"KERBEROS").

>  Running the search with the debug option i got:
>
>
>... (there are some lines above that i've suppressed)
>ber_get_next: tag 0x30 len 48 contents:
>ldap_read: message type search-entry msgid 1, original id 1
>wait4msg continue, msgid 1, all 1
>** Connections:
>* host: embsjt21.sjk.emb  port: 389  (default)
>  refcnt: 2  status: Connected
>  last used: Thu Sep  5 16:03:09 2002
>
>** Outstanding Requests:
> * msgid 1,  origid 1, status InProgress
>   outstanding referrals 0, parent count 0
>** Response Queue:
> * msgid 1,  type 100
>ldap_chkResponseList for msgid=1, all=1
>ldap_chkResponseList returns NULL
>do_ldap_select
>read1msg: msgid 1, all 1
>ber_get_next
>ldap_read: want=1, got=1
>  0000:  30                                                 0
>ldap_read: want=1, got=1
>  0000:  0c                                                 .
>ldap_read: want=12, got=12
>  0000:  02 01 01 65 07 0a 01 00  04 00 04 00               ...e........
>ber_get_next: tag 0x30 len 12 contents:
>ldap_read: message type search-result msgid 1, original id 1
>ber_scanf fmt ({iaa) ber:
>read1msg:  0 new referrals
>read1msg:  mark request completed, id = 1
>request 1 done
>res_errno: 0, res_error: <>, res_matched: <>
>ldap_free_request (origid 1, msgid 1)
>ldap_free_connection
>ldap_free_connection: refcnt 1
>adding response id 1 type 101:
>ldap_parse_result
>ber_scanf fmt ({iaa) ber:
>ber_scanf fmt (}) ber:
>ldap_get_values
>ber_scanf fmt ({x{{a) ber:
>ber_scanf fmt ([v]) ber:
>ldap_msgfree
>ldap_interactive_sasl_bind_s: server supports: EXTERNAL
>ldap_int_sasl_bind: EXTERNAL
>ldap_perror
>ldap_sasl_interactive_bind_s: Local error
>
>
>  Using the strace command i got:
>
>
>... (again, suppressing some unimportant lines)
>socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
>fcntl64(3, F_GETFL)                     = 0x2 (flags O_RDWR)
>fcntl64(3, F_SETFL, O_RDWR|O_NONBLOCK)  = 0
>connect(3, {sin_family=AF_INET, sin_port=htons(389), sin_addr=inet_addr
>("1.67.5.21")}}, 16) = -1 EINPROGRESS (Operation now in progress)
>select(1024, NULL, [3], NULL, NULL)     = 1 (out [3])
>getpeername(3, {sin_family=AF_INET, sin_port=htons(389), sin_addr=inet_addr
>("1.67.5.21")}}, [16]) = 0
>fcntl64(3, F_GETFL)                     = 0x802 (flags O_RDWR|O_NONBLOCK)
>fcntl64(3, F_SETFL, O_RDWR)             = 0
>getpeername(3, {sin_family=AF_INET, sin_port=htons(389), sin_addr=inet_addr
>("1.67.5.21")}}, [16]) = 0
>socket(PF_UNIX, SOCK_STREAM, 0)         = 4
>connect(4, {sin_family=AF_UNIX, path="/var/run/.nscd_socket"}, 110) = -1
>ENOENT (No such file or directory)
>close(4)                                = 0
>open("/etc/hosts", O_RDONLY)            = 4
>fcntl64(4, F_GETFD)                     = 0
>fcntl64(4, F_SETFD, FD_CLOEXEC)         = 0
>fstat64(4, {st_mode=S_IFREG|0644, st_size=207, ...}) = 0
>old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
>0) = 0x402fc000
>read(4, "# Do not remove the following li"..., 4096) = 207
>read(4, "", 4096)                       = 0
>close(4)                                = 0
>munmap(0x402fc000, 4096)                = 0
>open("/var/nis/NIS_COLD_START", O_RDONLY) = -1 ENOENT (No such file or
>directory)
>socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 4
>connect(4, {sin_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr
>("1.199.4.1")}}, 28) = 0
>send(4, "=\310\1\0\0\1\0\0\0\0\0\0\00221\0015\00267\0011\7in-ad"..., 40, 0)
>= 40
>gettimeofday({1031252704, 524323}, NULL) = 0
>poll([{fd=4, events=POLLIN, revents=POLLIN}], 1, 5000) = 1
>recvfrom(4, "=\310\205\203\0\1\0\0\0\1\0\0\00221\0015\00267\0011\7i"...,
>1024, 0, {sin_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr
>("1.199.4.1")}}, [16]) = 97
>close(4)                                = 0
>brk(0x8059000)                          = 0x8059000
>time(NULL)                              = 1031252704
>write(3, "0>\2\1\1c9\4\0\n\1\0\n\1\0\2\1\0\2\1\0\1\1\0\207\vobje"..., 64)
>= 64
>select(1024, [3], [], NULL, NULL)       = 1 (in [3])
>read(3, "00\2\1\1d+\4\0000\'0%\4\27supportedsaslmech"..., 16384) = 50
>select(1024, [3], [], NULL, NULL)       = 1 (in [3])
>read(3, "0\f\2\1\1e\7\n\1\0\4\0\4\0", 16384) = 14
>time(NULL)                              = 1031252704
>write(2, "ldap_sasl_interactive_bind_s: Lo"...,
>42ldap_sasl_interactive_bind_s: Local error
>) = 42
>_exit(1)
>
>
>  Any kind of help is welcome !
>
>  Best regards,
>
>  Wagner Bila
>  Computer Engineer, MSc
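
As an added example (not part of the original thread), the small decoder below parses the 14-byte LDAP PDU that appears in both traces quoted above: the `-d` dump ("ber_get_next: tag 0x30 len 12", bytes `30 0c 02 01 01 65 07 0a 01 00 04 00 04 00`) and the strace line `read(3, "0\f\2\1\1e\7\n\1\0\4\0\4\0", 16384) = 14`. Decoding it shows the server answered the rootDSE search with SearchResultDone, resultCode 0 (success), and that no further bytes went to the server before the "Local error" was written to stderr; the failure is raised inside the client's Cyrus SASL EXTERNAL path, exactly as the reply explains. The BER parser is written for this example and handles only what an LDAPResult needs; the result-code names are the standard LDAPv3 ones.

```python
# Added example (not from the thread): minimal BER decoder for an LDAPResult PDU.
# Input bytes below are copied from the ldapsearch -d dump quoted above
# ("ber_get_next: tag 0x30 len 12"); strace shows the same 14 bytes in read(3, ...).

RESULT_CODES = {0: "success", 1: "operationsError", 7: "authMethodNotSupported",
                48: "inappropriateAuthentication", 49: "invalidCredentials",
                50: "insufficientAccessRights"}

def ber_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[pos:end], end

def decode_ldap_result(pdu):
    """Parse LDAPMessage { messageID INTEGER, protocolOp [APPLICATION n] LDAPResult }."""
    tag, body, end = ber_tlv(pdu, 0)
    if tag != 0x30 or end != len(pdu):
        raise ValueError("expected exactly one LDAPMessage SEQUENCE")
    tag, msgid, pos = ber_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("messageID must be INTEGER")
    op_tag, op, _ = ber_tlv(body, pos)
    if op_tag & 0xE0 != 0x60:               # class APPLICATION, constructed
        raise ValueError("protocolOp is not an APPLICATION tag")
    tag, code, pos = ber_tlv(op, 0)
    if tag != 0x0A:
        raise ValueError("resultCode must be ENUMERATED")
    _, matched_dn, pos = ber_tlv(op, pos)   # OCTET STRING matchedDN
    _, diag, _ = ber_tlv(op, pos)           # OCTET STRING diagnosticMessage
    rc = int.from_bytes(code, "big")
    return {"messageID": int.from_bytes(msgid, "big"),
            "protocolOp": op_tag & 0x1F,    # 5 = SearchResultDone, 1 = BindResponse
            "resultCode": rc, "resultName": RESULT_CODES.get(rc, "other"),
            "matchedDN": matched_dn.decode(), "diagnosticMessage": diag.decode()}

# 30 0c 02 01 01 65 07 0a 01 00 04 00 04 00, as dumped in the quoted -d output
SEARCH_RESULT_DONE = bytes.fromhex("300c02010165070a010004000400")

if __name__ == "__main__":
    print(decode_ldap_result(SEARCH_RESULT_DONE))
```

The same function decodes a BindResponse ([APPLICATION 1], tag 0x61), so it can be pointed at a later `-d` dump to tell a server-side bind failure (e.g. resultCode 49) from a client-side "Local error" that never reached the wire.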