
Re: OpenLDAP with GSSAPI problem



Hello Howard,

    Thanks for your detailed email.

The sample-client and sample-server are working fine with SASL GSSAPI.
Here is the output of the sample server/client test:
# ./sample-server -s host -p ../plugins/.libs
Generating client mechanism list...
Sending list of 6 mechanism(s)
S: UExBSU4gT1RQIEdTU0FQSSBESUdFU1QtTUQ1IENSQU0tTUQ1IEFOT05ZTU9VUw==
Waiting for client mechanism...
C:
got 'GSSAPI'
Sending response...
S:
YGgGCSqGSIb3EgECAgIAb1kwV6ADAgEFoQMCAQ+iSzBJoAMCAQGiQgRAi8VOuZ7ujuTCgLCYBHmy
/2VwQiB5vojW1DosAHb1NV/CzJOL78cn559X9S7KhIEO0f9NPKGHUfZf8mTjX+TmZA==
Waiting for client reply...
C:
got 'GSSAPI'
Sending response...
S: YDMGCSqGSIb3EgECAgIBAAD/////t4gYEpSOBWqJnIfDD/FGpD3qASzARiD9BwAIAAQEBAQ=
Waiting for client reply...
C:
YDsGCSqGSIb3EgECAgIBAAD/////kovpNpjd+lBXpwjaSOY9vkohhirb9ivYBAAIAGFydW4ICAgI
CAgICA==
got '`; *H÷'
Negotiation complete
Username: arun
Realm:
SSF: 56
sending encrypted message 'srv message 1'
S:
AAAAPWA7BgkqhkiG9xIBAgICAQAAAAD//wXbI/igPeXPOXPcfxijLyIZfonZLbCM61g7f6j1WO2f
vKcrVoUtePQ=
Waiting for encrypted message...
C:
AAAARWBDBgkqhkiG9xIBAgICAQAAAAD//7cX2mODKnr0ChUUsZZkS7hgjaDjgiq5NDUpv6VVYc03
io+z7E7/VJ5LNk3wvr6O6w==
got ''
recieved decoded message 'client message 1'

Client
------
# ./sample-client -s host -n krishna.kovaiteam.com -u arun -p ../plugins/.libs
service=host
Waiting for mechanism list from server...
S: UExBSU4gT1RQIEdTU0FQSSBESUdFU1QtTUQ1IENSQU0tTUQ1IEFOT05ZTU9VUw==
recieved 46 byte message
Choosing best mechanism from: PLAIN OTP GSSAPI DIGEST-MD5 CRAM-MD5 ANONYMOUS
returning OK: arun
Using mechanism GSSAPI
Preparing initial.
Sending initial response...
C:
Waiting for server reply...
S:
YGgGCSqGSIb3EgECAgIAb1kwV6ADAgEFoQMCAQ+iSzBJoAMCAQGiQgRAi8VOuZ7ujuTCgLCYBHmy
/2VwQiB5vojW1DosAHb1NV/CzJOL78cn559X9S7KhIEO0f9NPKGHUfZf8mTjX+TmZA==
recieved 106 byte message
C:
Waiting for server reply...
S: YDMGCSqGSIb3EgECAgIBAAD/////t4gYEpSOBWqJnIfDD/FGpD3qASzARiD9BwAIAAQEBAQ=
recieved 53 byte message
Sending response...
C:
YDsGCSqGSIb3EgECAgIBAAD/////kovpNpjd+lBXpwjaSOY9vkohhirb9ivYBAAIAGFydW4ICAgI
CAgICA==
Negotiation complete
Username: arun
SSF: 56
Waiting for encoded message...
S:
AAAAPWA7BgkqhkiG9xIBAgICAQAAAAD//wXbI/igPeXPOXPcfxijLyIZfonZLbCM61g7f6j1WO2f
vKcrVoUtePQ=
recieved 65 byte message
recieved decoded message 'srv message 1'
sending encrypted message 'client message 1'
C:
AAAARWBDBgkqhkiG9xIBAgICAQAAAAD//7cX2mODKnr0ChUUsZZkS7hgjaDjgiq5NDUpv6VVYc03
io+z7E7/VJ5LNk3wvr6O6w==



So SASL GSSAPI is working fine. Is this correct?


So what else could be the problem? I think the configuration part?

I did the following for gssapi test.

1. Modify  "userPassword" in LDIF file as,
userPassword: {KERBEROS}principal@REALM

2. Add the user in Kerberos REALM (say s001)

3. kinit s001

4. ./ldapsearch -Y GSSAPI -U s001

Please let me know if I missed anything in the steps.

Thanks,
-Shaick.

> > -----Original Message-----
> > From: owner-openldap-software@OpenLDAP.org
> > [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Shaick
>
> > Hello Kent,
> >
> > It is a typo and i have corrected that as,
> >
> > sasl-regexp             uid=(.*),cn=(.*),cn=gssapi,cn=auth
> >                         ldap:///c=SE??sub?(krb5PrincipalName=$1@REALM)
> >
> > But still have receive the same error.
> >
> > # ./ldapsearch -Y GSSAPI -U s001 -b "dc=team,dc=com"
> > SASL/GSSAPI authentication started
> > ldap_sasl_interactive_bind_s: Invalid credentials (49)
> >         additional info: SASL(-13): authentication failure:
> > GSSAPI Failure
> >
> >
> > Please confirm me that the STEPS and configuration are
> > correct, if yes i
> > will try the openldap with MIT Kerberos.
>
> The error message you're receiving says that GSSAPI itself has failed; this
> has nothing to do with the sasl-regexp at all. Kent's advice has absolutely
> nothing to do with the problem you're seeing.
>
> As I already stated - saslRegexp mapping is a purely optional step. Whether
> it succeeds or fails will have no bearing on whether SASL/GSSAPI will succeed
> or fail. (It will affect the outcome of SASL/DIGEST-MD5 and other
> password-based mechanisms, since the password must be retrieved from the
> entry matching the SASL DN. But since GSSAPI/Kerberos authentication is
> completely outside of LDAP and SASL, there's simply no relevance here.)
>
> The error message you're getting starts with "SASL(xx):" which means the
> error you're getting came from the SASL library. This is not an error coming
> from slapd itself. You need to check to see if your SASL installation is
> properly configured, as well as checking to see if your Kerberos installation
> is correct. It's unfortunate that the error message isn't any more detailed,
> but that's all that the SASL library is telling us, so we can't provide any
> more detail than that. If you want better diagnostics here, file a bug report
> with the Cyrus SASL project.
>
> As always, make sure you can get the Cyrus sample client and server working
> before you attempt to use SASL with OpenLDAP. In the case of GSSAPI, make
> sure your other Kerberized servers work first. Generally things fail here
> because:
>   1) slapd doesn't have access to the Kerberos keytab
>   2) the LDAP service key isn't present in the Kerberos keytab
>   3) the Kerberos realm that slapd is set for doesn't match the client's
>      realm
>
>   -- Howard Chu
>   Chief Architect, Symas Corp.       Director, Highland Sun
>   http://www.symas.com               http://highlandsun.com/hyc
>   Symas: Premier OpenSource Development and Support
>
>
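As an added illustration of Howard's checklist above (missing ldap service key, realm mismatch) and of the four-step GSSAPI test earlier in the thread, the script below is not from this thread or from the OpenLDAP project; it takes the text of a `klist -k` listing and checks whether the ldap/host@REALM key is present and whether every key in the keytab is in the realm the client's TGT is in. The keytab path, the host ldap.example.com and the realm EXAMPLE.COM are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Both checks take the text of
# `klist -k <keytab>` as an argument so they can be exercised offline.

# Constructed sample of `klist -k` output; host and realm are placeholders.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/ldap.example.com@EXAMPLE.COM
   2 ldap/ldap.example.com@EXAMPLE.COM'

# keytab_has_service LISTING SERVICE HOST REALM
# Returns 0 when SERVICE/HOST@REALM is one of the principals in the listing.
keytab_has_service() {
    printf '%s\n' "$1" | awk -v want="$2/$3@$4" '$2 == want { found = 1 } END { exit !found }'
}

# keytab_realms LISTING
# Prints the distinct realms of the principals in the listing, one per line.
keytab_realms() {
    printf '%s\n' "$1" | awk 'NF == 2 && $2 ~ /@/ { sub(/.*@/, "", $2); print $2 }' | sort -u
}

# realm_matches LISTING REALM
# Returns 0 when every key in the keytab belongs to REALM (the realm shown
# by `klist` for the client's TGT). If slapd's keys are in another realm,
# GSSAPI fails before any sasl-regexp mapping is consulted.
realm_matches() {
    realms=$(keytab_realms "$1")
    [ "$realms" = "$2" ]
}

# diagnose LISTING HOST REALM : runs both checks and reports each result.
diagnose() {
    rc=0
    if keytab_has_service "$1" ldap "$2" "$3"; then
        echo "ok: ldap/$2@$3 present in keytab"
    else
        echo "missing: ldap/$2@$3 not in keytab (cause 2 in the list above)"; rc=1
    fi
    if realm_matches "$1" "$3"; then
        echo "ok: keytab realm matches $3"
    else
        echo "mismatch: keytab realms [$(keytab_realms "$1" | tr '\n' ' ')] vs $3 (cause 3)"; rc=1
    fi
    return $rc
}

diagnose "$SAMPLE_KLIST" ldap.example.com EXAMPLE.COM
```

On a real host, feed it `klist -k /etc/krb5.keytab` run as the user slapd runs as; a permission error at that step is cause 1 in the list.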