
Re: OpenLDAP with GSSAPI problem



You may wish to run "ldapwhoami" specifying GSSAPI.

Also, you need to make sure that slapd has access to an ldap keytab.

--Quanah

--On Friday, August 08, 2003 12:39 AM +0530 Shaick <shaick_mlist1@lycos.co.uk> wrote:

Hello Howard,

    Thanks for your detailed email.

The sample-client and sample-server is working fine with SASL GSSAPI
Here is output of sample server client test,
# ./sample-server -s host -p ../plugins/.libs
Generating client mechanism list...
Sending list of 6 mechanism(s)
S: UExBSU4gT1RQIEdTU0FQSSBESUdFU1QtTUQ1IENSQU0tTUQ1IEFOT05ZTU9VUw==
Waiting for client mechanism...
C:
R1NTQVBJAGCCAdsGCSqGSIb3EgECAgEAboIByjCCAcagAwIBBaEDAgEOogcDBQAgAAAAo4IBD
mGC
AQowggEGoAMCAQWhDxsNS09WQUlURUFNLkNPTaIoMCagAwIBA6EfMB0bBGhvc3QbFWtyaXNob
mEu
a292YWl0ZWFtLmNvbaOBwzCBwKADAgEBoQMCAQGigbMEgbDZ1w1Uh0fkri45GIWlL2Soni3Ly
cbC
g/CTxoJXRW6ihU8wpeTJjTwqVXCItXu9UXtgEKjPfaYPE+Z0li6AMW0RWkljFrSqZ/h0ATFCf
fNu
G6LXuKX3JvYHLv/YsuELui5Ma26lg0zwSV/7dr8hXWIXQUZVP6lA5ObXttyAS3SgcfTLGJYT7
XWA
Rva/4hYgk+YnFZ5WvlyQBr/i5MkMFZE9LGHF8qYYbg5flSkqMapMUKSBnjCBm6ADAgEBooGTB
IGQ
AU0qRJdQn/ySFhnBxfikCNzoVm17aBYSp0xlGnEwsl9SG4unrj4+Rnv4lv1tT4fyB0dz58H1X
QLu
NLysHzewG9lhkR6Z/9ayus/TJXC2NwAtQfYGTdgCr4RxRn3j5LkqCBKZtGrTcmff1ducA9MpF
YbP 3DCC6jBEyY4PzrKWxMPf8KmB+y364aB3pskOEmk4
got 'GSSAPI'
Sending response...
S:
YGgGCSqGSIb3EgECAgIAb1kwV6ADAgEFoQMCAQ+iSzBJoAMCAQGiQgRAi8VOuZ7ujuTCgLCYB
Hmy /2VwQiB5vojW1DosAHb1NV/CzJOL78cn559X9S7KhIEO0f9NPKGHUfZf8mTjX+TmZA==
Waiting for client reply...
C:
R1NTQVBJAGCCAdsGCSqGSIb3EgECAgEAboIByjCCAcagAwIBBaEDAgEOogcDBQAgAAAAo4IBD
mGC
AQowggEGoAMCAQWhDxsNS09WQUlURUFNLkNPTaIoMCagAwIBA6EfMB0bBGhvc3QbFWtyaXNob
mEu
a292YWl0ZWFtLmNvbaOBwzCBwKADAgEBoQMCAQGigbMEgbDZ1w1Uh0fkri45GIWlL2Soni3Ly
cbC
g/CTxoJXRW6ihU8wpeTJjTwqVXCItXu9UXtgEKjPfaYPE+Z0li6AMW0RWkljFrSqZ/h0ATFCf
fNu
G6LXuKX3JvYHLv/YsuELui5Ma26lg0zwSV/7dr8hXWIXQUZVP6lA5ObXttyAS3SgcfTLGJYT7
XWA
Rva/4hYgk+YnFZ5WvlyQBr/i5MkMFZE9LGHF8qYYbg5flSkqMapMUKSBnjCBm6ADAgEBooGTB
IGQ
AU0qRJdQn/ySFhnBxfikCNzoVm17aBYSp0xlGnEwsl9SG4unrj4+Rnv4lv1tT4fyB0dz58H1X
QLu
NLysHzewG9lhkR6Z/9ayus/TJXC2NwAtQfYGTdgCr4RxRn3j5LkqCBKZtGrTcmff1ducA9MpF
YbP 3DCC6jBEyY4PzrKWxMPf8KmB+y364aB3pskOEmk4
got 'GSSAPI'
Sending response...
S:
YDMGCSqGSIb3EgECAgIBAAD/////t4gYEpSOBWqJnIfDD/FGpD3qASzARiD9BwAIAAQEBAQ=
Waiting for client reply...
C:
YDsGCSqGSIb3EgECAgIBAAD/////kovpNpjd+lBXpwjaSOY9vkohhirb9ivYBAAIAGFydW4IC
AgI CAgICA==
got '`; *H÷'
Negotiation complete
Username: arun
Realm:
SSF: 56
sending encrypted message 'srv message 1'
S:
AAAAPWA7BgkqhkiG9xIBAgICAQAAAAD//wXbI/igPeXPOXPcfxijLyIZfonZLbCM61g7f6j1W
O2f vKcrVoUtePQ=
Waiting for encrypted message...
C:
AAAARWBDBgkqhkiG9xIBAgICAQAAAAD//7cX2mODKnr0ChUUsZZkS7hgjaDjgiq5NDUpv6VVY
c03 io+z7E7/VJ5LNk3wvr6O6w==
got ''
received decoded message 'client message 1'

Client
------
# ./sample-client -s host -n krishna.kovaiteam.com -u arun-p
../plugins/.libs
service=host
Waiting for mechanism list from server...
S: UExBSU4gT1RQIEdTU0FQSSBESUdFU1QtTUQ1IENSQU0tTUQ1IEFOT05ZTU9VUw==
received 46 byte message
Choosing best mechanism from: PLAIN OTP GSSAPI DIGEST-MD5 CRAM-MD5
ANONYMOUS returning OK: arun
Using mechanism GSSAPI
Preparing initial.
Sending initial response...
C:
R1NTQVBJAGCCAdsGCSqGSIb3EgECAgEAboIByjCCAcagAwIBBaEDAgEOogcDBQAgAAAAo4IBD
mGC
AQowggEGoAMCAQWhDxsNS09WQUlURUFNLkNPTaIoMCagAwIBA6EfMB0bBGhvc3QbFWtyaXNob
mEu
a292YWl0ZWFtLmNvbaOBwzCBwKADAgEBoQMCAQGigbMEgbDZ1w1Uh0fkri45GIWlL2Soni3Ly
cbC
g/CTxoJXRW6ihU8wpeTJjTwqVXCItXu9UXtgEKjPfaYPE+Z0li6AMW0RWkljFrSqZ/h0ATFCf
fNu
G6LXuKX3JvYHLv/YsuELui5Ma26lg0zwSV/7dr8hXWIXQUZVP6lA5ObXttyAS3SgcfTLGJYT7
XWA
Rva/4hYgk+YnFZ5WvlyQBr/i5MkMFZE9LGHF8qYYbg5flSkqMapMUKSBnjCBm6ADAgEBooGTB
IGQ
AU0qRJdQn/ySFhnBxfikCNzoVm17aBYSp0xlGnEwsl9SG4unrj4+Rnv4lv1tT4fyB0dz58H1X
QLu
NLysHzewG9lhkR6Z/9ayus/TJXC2NwAtQfYGTdgCr4RxRn3j5LkqCBKZtGrTcmff1ducA9MpF
YbP 3DCC6jBEyY4PzrKWxMPf8KmB+y364aB3pskOEmk4
Waiting for server reply...
S:
YGgGCSqGSIb3EgECAgIAb1kwV6ADAgEFoQMCAQ+iSzBJoAMCAQGiQgRAi8VOuZ7ujuTCgLCYB
Hmy /2VwQiB5vojW1DosAHb1NV/CzJOL78cn559X9S7KhIEO0f9NPKGHUfZf8mTjX+TmZA==
received 106 byte message
C:
Waiting for server reply...
S:
YDMGCSqGSIb3EgECAgIBAAD/////t4gYEpSOBWqJnIfDD/FGpD3qASzARiD9BwAIAAQEBAQ=
received 53 byte message
Sending response...
C:
YDsGCSqGSIb3EgECAgIBAAD/////kovpNpjd+lBXpwjaSOY9vkohhirb9ivYBAAIAGFydW4IC
AgI CAgICA==
Negotiation complete
Username: arun
SSF: 56
Waiting for encoded message...
S:
AAAAPWA7BgkqhkiG9xIBAgICAQAAAAD//wXbI/igPeXPOXPcfxijLyIZfonZLbCM61g7f6j1W
O2f vKcrVoUtePQ=
received 65 byte message
received decoded message 'srv message 1'
sending encrypted message 'client message 1'
C:
AAAARWBDBgkqhkiG9xIBAgICAQAAAAD//7cX2mODKnr0ChUUsZZkS7hgjaDjgiq5NDUpv6VVY
c03 io+z7E7/VJ5LNk3wvr6O6w==



So SASL GSSAPI is working fine. Is this correct?


So what else could be the problem? I think it is the configuration part?

I did the following for gssapi test.

1. Modify "userPassword" in the LDIF file as,
userPassword: {KERBEROS}principal@REALM

2. Add the user in Kerberos REALM (say s001)

3. kinit s001

4. ./ldapsearch -Y GSSAPI -U s001

Please let me know if I missed anything in the steps.

Thanks,
-Shaick.

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Shaick

> Hello Kent,
>
> It is a typo and I have corrected that as,
>
> sasl-regexp             uid=(.*),cn=(.*),cn=gssapi,cn=auth
>                         ldap:///c=SE??sub?(krb5PrincipalName=$1@REALM)
>
> But I still receive the same error.
>
> # ./ldapsearch -Y GSSAPI -U s001 -b "dc=team,dc=com"
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>         additional info: SASL(-13): authentication failure:
> GSSAPI Failure
>
>
> Please confirm that the STEPS and configuration are correct; if yes, I
> will try OpenLDAP with MIT Kerberos.

The error message you're receiving says that GSSAPI itself has failed; this has nothing to do with the sasl-regexp at all. Kent's advice has absolutely nothing to do with the problem you're seeing.

As I already stated - saslRegexp mapping is a purely optional step. Whether it succeeds or fails will have no bearing on whether SASL/GSSAPI will succeed or fail. (It will affect the outcome of SASL/DIGEST-MD5 and other password-based mechanisms, since the password must be retrieved from the entry matching the SASL DN. But since GSSAPI/Kerberos authentication is completely outside of LDAP and SASL, there's simply no relevance here.)

The error message you're getting starts with "SASL(xx):" which means the error you're getting came from the SASL library. This is not an error coming from slapd itself. You need to check to see if your SASL installation is properly configured, as well as checking to see if your Kerberos installation is correct. It's unfortunate that the error message isn't any more detailed, but that's all that the SASL library is telling us, so we can't provide any more detail than that. If you want better diagnostics here, file a bug report with the Cyrus SASL project.

As always, make sure you can get the Cyrus sample client and server working before you attempt to use SASL with OpenLDAP. In the case of GSSAPI, make sure your other Kerberized servers work first. Generally things fail here because:
  1) slapd doesn't have access to the Kerberos keytab
  2) the LDAP service key isn't present in the Kerberos keytab
  3) the Kerberos realm that slapd is set for doesn't match the client's realm

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support


--
Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
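The three failure causes Howard lists (slapd cannot read the keytab, no ldap/ service key in it, realm mismatch) and Quanah's ldapwhoami suggestion can be pre-flighted from a shell before touching slapd.conf. The script below is an added example written for this thread; it is not code from the thread, from OpenLDAP or from Cyrus SASL. It assumes a keytab path, a slapd service account name and a realm that are placeholders to be overridden via environment variables, and it embeds a constructed `klist -k` listing (made-up hostnames and realms) so the parsing can be exercised where klist is not installed.

```shell
#!/bin/sh
# Added diagnostic script (example code, not from the thread or from OpenLDAP).
# It pre-flights the three GSSAPI failure causes from the reply above plus an
# end-to-end ldapwhoami bind. Every site-specific value below is an assumed
# placeholder; override it through the environment.

KEYTAB="${KEYTAB:-/etc/krb5.keytab}"              # assumed keytab path
SLAPD_USER="${SLAPD_USER:-ldap}"                  # assumed slapd service account
EXPECTED_REALM="${EXPECTED_REALM:-EXAMPLE.COM}"   # assumed realm placeholder
LDAP_HOST="${LDAP_HOST:-$(hostname -f 2>/dev/null || hostname)}"

# Constructed sample of 'klist -k' output, used when klist is unavailable so the
# parsing below can be exercised offline. Hostnames and realms are made up.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------
   3 host/ldap1.example.com@EXAMPLE.COM
   3 ldap/ldap1.example.com@EXAMPLE.COM
   2 ldap/ldap1.example.com@OLD.EXAMPLE.COM'

# Cause 2 (LDAP service key missing): does the listing contain ldap/<host>@<realm>?
# $1 = klist -k output, $2 = host FQDN, $3 = realm. Exit status 0 when present.
has_ldap_key() {
    printf '%s\n' "$1" | awk -v p="ldap/$2@$3" '$2 == p { found = 1 } END { exit !found }'
}

# Cause 3 (realm mismatch): print every realm an ldap/<host> key exists for,
# one per line, so a stale or wrong realm in the keytab becomes visible.
ldap_key_realms() {
    printf '%s\n' "$1" | awk -v h="ldap/$2@" \
        'index($2, h) == 1 { sub(/^[^@]*@/, "", $2); print $2 }' | sort -u
}

# Cause 1 (slapd cannot read the keytab): test readability as the service
# user when running as root, otherwise as the current user. $1 = keytab, $2 = user.
keytab_readable_by() {
    if [ "$(id -u)" -eq 0 ]; then
        su -s /bin/sh "$2" -c "test -r '$1'"
    else
        [ -r "$1" ]
    fi
}

# Run all checks; prints findings and returns 0 only when everything passed.
run_checks() {
    rc=0
    if command -v klist >/dev/null 2>&1; then
        listing=$(klist -k "$KEYTAB" 2>/dev/null)
    else
        echo "klist not found; using the constructed sample listing"
        listing=$SAMPLE_KLIST
    fi

    if keytab_readable_by "$KEYTAB" "$SLAPD_USER"; then
        echo "ok:   $KEYTAB is readable by $SLAPD_USER"
    else
        echo "FAIL: $KEYTAB is not readable by $SLAPD_USER (cause 1)"; rc=1
    fi

    if has_ldap_key "$listing" "$LDAP_HOST" "$EXPECTED_REALM"; then
        echo "ok:   ldap/$LDAP_HOST@$EXPECTED_REALM present in keytab"
    else
        echo "FAIL: ldap/$LDAP_HOST@$EXPECTED_REALM missing (cause 2); realms seen for this host:"
        ldap_key_realms "$listing" "$LDAP_HOST" | sed 's/^/      /'
        rc=1
    fi

    # End-to-end check: a GSSAPI bind that reports the authorization DN slapd
    # derived. Runs only when ldapwhoami exists and a ticket is cached (klist -s).
    if command -v ldapwhoami >/dev/null 2>&1 && klist -s 2>/dev/null; then
        ldapwhoami -Y GSSAPI -H "ldap://$LDAP_HOST/" || rc=1
    fi
    return $rc
}

run_checks
```

Run it as root on the LDAP server with `EXPECTED_REALM` set to the realm the clients kinit against; a "realms seen" line that differs from that realm points directly at cause 3, while a missing principal with the right realm points at cause 2.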