[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: openLDAP/SASL/KerberosV(heimdal)

To: Howard Chu <hyc@highlandsun.com>
Subject: RE: openLDAP/SASL/KerberosV(heimdal)
From: Chris Maxwell <cmaxwell@themanor.net>
Date: 11 Oct 2002 14:16:02 -0400
Cc: openldap-software@OpenLDAP.org
In-reply-to: <015a01c27131$61632960$0e01a8c0@CELLO>
References: <015a01c27131$61632960$0e01a8c0@CELLO>

On Fri, 2002-10-11 at 10:20, Howard Chu wrote:
> My first response would be "the GSSAPI mech in Cyrus 1.5.24 has several
> problems, try upgrading to 1.5.28" but in fact, on my own test machines with
> Cyrus 1.5.24 and OpenLDAP 2.0.27 this worked without any trouble.
> 
> Does klist show a valid LDAP service ticket after your failed attempt?
> 

No it doesn't.

ldapsearch does an ldap_perror and dies just before it should be doing
the following:  

	ldap_int_sasl_open: host=<HOSTNAME>
	SASL/GSSAPI authentication started
(comes from a successful local connection, where klist shows valid
ticket).

but it never gets to that point ... something causes it to ldap_perror
and break just before it reaches that SASL point in the code.

I checked DNS resolution just to be sure it wasn't that, and both
hostnames check out correctly.

--chris


> > On Thu, 2002-10-10 at 21:34, Kurt D. Zeilenga wrote:
> > > At 11:32 AM 2002-10-07, Chris Maxwell wrote:
> > > >Hello,
> > > >
> > > >I am having trouble with GSSAPI.  I can authenticate and
> > work locally,
> > > >but whenever I attempt to ldapsearch from another box, it fails.
> > > >
> >
> > > >Before Running "kinit" (for reference)
> > > >/usr/local/bin/ldapsearch -Y GSSAPI -H ldap://<machineB>
> > -b '' -s base
> > > >-LLL supportedSASLMechanisms
> > > >        ldap_sasl_interactive_bind_s: Local error
> > >
> > > So run kinit(1) first...
> >
> > I appreciate the humour ... really; after beating my head against this
> > for a few hours it make me chuckle.
> >
> > The problem was not with running kinit - I just wanted to include the
> > results of testing I did on both machines to show it wasn't
> > something I
> > overlooked (like kinit, or using the wrong KDC, or other oversight).
> >
> > - ldapsearch(GSSAPI) DOES work for me when connecting to
> > LDAP, but ONLY
> > on the local host.
> >
> > - ldapsearch DOES work on both machines (again, local only), and they
> > both use the same KDC
> >
> > - ldapsearch DOES NOT work when connecting to the OTHER machine.
> >
> >         A-->A   works
> >         B-->B   works
> >         A-->B   "Local error"
> >         B-->A   "Local error"
> >
> > What really throws me for a loop, is that ldapsearch doesn't
> > display the
> > "SASL/GSSAPI authentication started" message before it dies,
> >
> > This below was just to prove that it was working locally (K5
> > working, etc)
> > > >After Running "kinit"
> > > >        SASL/GSSAPI authentication started
> > > >        SASL SSF: 56
> > > >        SASL installing layers
> > > >        dn:
> > > >        supportedSASLMechanisms: GSSAPI
> >
> > YES, I did run kinit(1) first :-) and yes, I checked the ticket works
> > using kerberized telnet.
> >
> > Thanks for any help
> >
> > --chris
> >
> > ---
> >
> > Here is the <sanitized> debug from "ldapsearch -Y GSSAPI -d 4095 -h
> > <HOSTNAME> -b '' -s base -LLL supportedSASLMechanisms"
> >
> > ldap_create
> > ldap_url_parse_ext(ldap://<HOSTNAME>)
> > ldap_interactive_sasl_bind_s: user selected: GSSAPI
> > ldap_int_sasl_bind: GSSAPI
> > ldap_new_connection
> > ldap_int_open_connection
> > ldap_connect_to_host: <HOSTNAME>
> > ldap_new_socket: 3
> > ldap_prepare_socket: 3
> > ldap_connect_to_host: Trying 192.168.0.232:389
> > ldap_connect_timeout: fd: 3 tm: -1 async: 0
> > ldap_ndelay_on: 3
> > ldap_is_sock_ready: 3
> > ldap_ndelay_off: 3
> > ldap_perror
> > ldap_sasl_interactive_bind_s: Local error
> >
> > ------------------------
> > And from the server:
> >
> > daemon: activity on 1 descriptors
> > daemon: new connection on 11
> > daemon: conn=13 fd=11 connection from IP=192.168.0.231:42752
> > (IP=0.0.0.0:389) accepted.
> > daemon: added 11r
> > daemon: activity on:
> > daemon: select: listen=9 active_threads=0 tvp=NULL
> > daemon: select: listen=10 active_threads=0 tvp=NULL
> > daemon: activity on 1 descriptors
> > daemon: activity on: 11r
> > daemon: read activity on 11
> > connection_get(11)
> > connection_get(11): got connid=13
> > connection_read(11): checking for input on id=13
> > ber_get_next
> > ldap_read: want=1, got=0
> >
> > ber_get_next on fd 11 failed errno=0 (Undefined error: 0)
> > connection_read(11): input error=-2 id=13, closing.
> > connection_closing: readying conn=13 sd=11 for close
> > connection_close: conn=13 sd=11
> > daemon: removing 11
> > conn=-1 fd=11 closed
> > daemon: select: listen=9 active_threads=0 tvp=NULL
> > daemon: select: listen=10 active_threads=0 tvp=NULL
> > daemon: activity on 1 descriptors
> > daemon: select: listen=9 active_threads=0 tvp=NULL
> > daemon: select: listen=10 active_threads=0 tvp=NULL
> >
> >
> >
>

References:
- RE: openLDAP/SASL/KerberosV(heimdal)
  - From: "Howard Chu" <hyc@highlandsun.com>

Prev by Date: RE: OpenLdap authentication wirh SASL (CRAM-MD5 or DIGEST-MD5)
Next by Date: www.openldap.com SSL test user anonymous
Index(es):
- Chronological
- Thread