[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Yet another "ldap_sasl_interactive_bind_s: Local error" unresolved problem !


  First of all i'd like to thank you for your valuable informations and
your kindness in answering me promptly. I've been in many lists (such as
Linux Kernel, JAVA discussions lists, bugtraq, and others) and,
unfortunately, it´s very common to don't get nice answers as you did ... i
guess this list has a good maintainer ...
  Well,  in fact, i was using PHP (my application is based on a PHP script)
compiled for using UMIC's LDAP 3.3, because i couldn't compile it with
OpenLDAP 2.1.4, during some compilations errors. So, i had all the problems
i wrote you. Recently, i've found the answer for that: when you compile PHP
to use OpenLDAP, you have to point it to where OpenLDAP was installed,
which is usually, "/usr/local". So, should be used the clause "
--with-ldap=/usr/local" instead of "--with-ldap=path_to_OpenLDAP_source".
That was my mistake, and since i've recompiled using the installation path,
everything worked fine and the SASL mechanism is working properly. I
consider this as a valuable information for whom is having the same problem
as i did ...
  Thank you again, Kurt !


  Wagner Bila
  Computer Engineer, MSc

                      "Kurt D.                                                                                                                        
                      Zeilenga"                To:      wagner.bila@embraer.com.br                                                                    
                      <Kurt@OpenLDAP.o         cc:      openldap-software@OpenLDAP.org, luiz.davila@embraer.com.br                                    
                      rg>                      Subject: Re: Yet another "ldap_sasl_interactive_bind_s: Local error"  unresolved problem !             
                      05/09/2002 17:28                                                                                                                

At 12:02 PM 2002-09-05, wagner.bila@embraer.com.br wrote:
>  I've been trying, these last 2 ou 3 days, to find an answer to the
>problem i'm facing when i try to authenticate my application to a remote
>LDAP server. I've looked many messages posted to this list but none gave
>the answer and helped me to solve it, and that's why i'm posting this
>message ... My application (which is in fact a web page written in PHP
>script) needs to access a remote LDAP server to authenticate an user (in
>fact, what really matters here is that i need to query its database).
>the PHP engine relies on the UMIC´s LDAP implementation (version 3.3),

I assume you meant U-Mich LDAP 3.3.  That's an LDAPv2+ only implementation
(which OpenLDAP was originally derived from).

>which has the default authentication method set to the SASL mechanism.

U-Mich LDAP doesn't support the SASL framework, it's LDAPv2+ only.
So, I assume, the application is using some other LDAP library,
like OpenLDAP 2.x.

(Note that SASL is not an authentication mechanism, but a framework
which supports multiple authentication mechanisms.)

>This mechanism seems to be not working properly 'cause when i try to run a
>simple query like this one :
>      ldapsearch -u -h "my_ldap_server" -D "cn=Test" -w "password" "cn=a*"

Since you are attempting to use a SASL mechanism, -D and -w are
quite irrelevant. When using a SASL mechanism, you should first
attempt manual specification of the mechanism (e.g., -Y) before
attempting auto-selection of the mechanism.

>  i receive the following error :
>      ldap_sasl_interactive_bind_s: Local error
>  There are many messages posted talking about this error

As there are many possible mechanisms, the are many possible
causes of this error message.

>and saying that
>the probable reason for this is that Kerberos server is not running or
>something like that (which involves the TGT ticket exchange at binding

That's a common cause when the GSSAPI or KERBEROS_V4 mechanism
have been selected.  Per the debugging information you posted,
EXTERNAL was selected.

>  The interesting matter is that if i run the same query with the -x
>(requesting for a simple authentication), everything goes well and my
>is done successfully ! This is the successfull query:
>      ldapsearch -x -u -h "my_ldap_server" -D "cn=Test" -w "password"

>  Is there any way to always disable the SASL authentication method to the
>OpenLDAP tools and library ? If not, what could be possibly wrong ?

Configure --without-cyrus-sasl disables all SASL support in OpenLDAP.

>  I tried the same query on a Novell LDAP server and a Lotus Notes LDAP
>server, giving me the same answer. Both of them gave me the same answer,
>having the same problem. When i consult both of them with the following
>      ldapsearch -h my_ldap_server -x -b "" -s base -LLL
>  i receive:
>      dn:
>        supportedsaslmechanisms: EXTERNAL
>  Is it a problem ?

It explains the error you got.  The client auto-selected the
SASL EXTERNAL mechanism but the client has yet to establish
its identity at some lower level (e.g., TLS/SSL).  So, Cyrus
SASL returns local error in this case.

>Should i receive KERBEROS, LOGIN or something like that
>instead of EXTERNAL ???

No.  The server should publish the mechanisms it supports.
(Note: the SASL Kerberos V mechanism is called "GSSAPI" not

>  Running the search with the debug option i got:
>... (there are some lines above that i've suppressed)
>ber_get_next: tag 0x30 len 48 contents:
>ldap_read: message type search-entry msgid 1, original id 1
>wait4msg continue, msgid 1, all 1
>** Connections:
>* host: embsjt21.sjk.emb  port: 389  (default)
>  refcnt: 2  status: Connected
>  last used: Thu Sep  5 16:03:09 2002
>** Outstanding Requests:
> * msgid 1,  origid 1, status InProgress
>   outstanding referrals 0, parent count 0
>** Response Queue:
> * msgid 1,  type 100
>ldap_chkResponseList for msgid=1, all=1
>ldap_chkResponseList returns NULL
>read1msg: msgid 1, all 1
>ldap_read: want=1, got=1
>  0000:  30                                                 0
>ldap_read: want=1, got=1
>  0000:  0c                                                 .
>ldap_read: want=12, got=12
>  0000:  02 01 01 65 07 0a 01 00  04 00 04 00               ...e........
>ber_get_next: tag 0x30 len 12 contents:
>ldap_read: message type search-result msgid 1, original id 1
>ber_scanf fmt ({iaa) ber:
>read1msg:  0 new referrals
>read1msg:  mark request completed, id = 1
>request 1 done
>res_errno: 0, res_error: <>, res_matched: <>
>ldap_free_request (origid 1, msgid 1)
>ldap_free_connection: refcnt 1
>adding response id 1 type 101:
>ber_scanf fmt ({iaa) ber:
>ber_scanf fmt (}) ber:
>ber_scanf fmt ({x{{a) ber:
>ber_scanf fmt ([v]) ber:
>ldap_interactive_sasl_bind_s: server supports: EXTERNAL
>ldap_int_sasl_bind: EXTERNAL
>ldap_sasl_interactive_bind_s: Local error
>  Using the strace command i got:
>... (again, supressing some unimportant lines)
>fcntl64(3, F_GETFL)                     = 0x2 (flags O_RDWR)
>fcntl64(3, F_SETFL, O_RDWR|O_NONBLOCK)  = 0
>connect(3, {sin_family=AF_INET, sin_port=htons(389), sin_addr=inet_addr
>("")}}, 16) = -1 EINPROGRESS (Operation now in progress)
>select(1024, NULL, [3], NULL, NULL)     = 1 (out [3])
>getpeername(3, {sin_family=AF_INET, sin_port=htons(389),
>("")}}, [16]) = 0
>fcntl64(3, F_GETFL)                     = 0x802 (flags O_RDWR|O_NONBLOCK)
>fcntl64(3, F_SETFL, O_RDWR)             = 0
>getpeername(3, {sin_family=AF_INET, sin_port=htons(389),
>("")}}, [16]) = 0
>socket(PF_UNIX, SOCK_STREAM, 0)         = 4
>connect(4, {sin_family=AF_UNIX, path="/var/run/.nscd_socket"}, 110) = -1
>ENOENT (No such file or directory)
>close(4)                                = 0
>open("/etc/hosts", O_RDONLY)            = 4
>fcntl64(4, F_GETFD)                     = 0
>fcntl64(4, F_SETFD, FD_CLOEXEC)         = 0
>fstat64(4, {st_mode=S_IFREG|0644, st_size=207, ...}) = 0
>0) = 0x402fc000
>read(4, "# Do not remove the following li"..., 4096) = 207
>read(4, "", 4096)                       = 0
>close(4)                                = 0
>munmap(0x402fc000, 4096)                = 0
>open("/var/nis/NIS_COLD_START", O_RDONLY) = -1 ENOENT (No such file or
>connect(4, {sin_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr
>("")}}, 28) = 0
>send(4, "=\310\1\0\0\1\0\0\0\0\0\0\00221\0015\00267\0011\7in-ad"..., 40,
>= 40
>gettimeofday({1031252704, 524323}, NULL) = 0
>poll([{fd=4, events=POLLIN, revents=POLLIN}], 1, 5000) = 1
>recvfrom(4, "=\310\205\203\0\1\0\0\0\1\0\0\00221\0015\00267\0011\7i"...,
>1024, 0, {sin_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr
>("")}}, [16]) = 97
>close(4)                                = 0
>brk(0x8059000)                          = 0x8059000
>time(NULL)                              = 1031252704
>write(3, "0>\2\1\1c9\4\0\n\1\0\n\1\0\2\1\0\2\1\0\1\1\0\207\vobje"..., 64)
>= 64
>select(1024, [3], [], NULL, NULL)       = 1 (in [3])
>read(3, "00\2\1\1d+\4\0000\'0%\4\27supportedsaslmech"..., 16384) = 50
>select(1024, [3], [], NULL, NULL)       = 1 (in [3])
>read(3, "0\f\2\1\1e\7\n\1\0\4\0\4\0", 16384) = 14
>time(NULL)                              = 1031252704
>write(2, "ldap_sasl_interactive_bind_s: Lo"...,
>42ldap_sasl_interactive_bind_s: Local error
>) = 42
>  Any kind of help is welcome !
>  Best regards,
>  Wagner Bila
>  Computer Engineer, MSc