[Date Prev][Date Next] [Chronological] [Thread] [Top]

SASL authentication : Inappropriate authentication error

I have set up Kerberos and cyrus-SASL. Now I am busy with OpenLDAP and TLS.
It is nearly working. But I have the following problem

the following command fails : ldapsearch -I -b 'dc=pt-jv,dc=cetic,dc=be' '(objectclass=*)'
the output is he following one:
SASL/GSSAPI authentication started
SASL Interaction
Please enter your authorization name: bc
ldap_sasl_interactive_bind_s: Insufficient access (50)
additional info: SASL(-14): authorization failure: Inappropriate authentication

Here is more infos:
Kerberos is up and running. I have tested it with the kerberized ftp program
SASL is up and running: I have tested it with the sample client/server

when i do ldapwhoami, I reveive the following output:
SASL/GSSAPI authentication started
SASL username: bc@TEST.CETIC.BE
SASL installing layers
Result: Success (0)

the debug output of LDAP tells me :
--- SNIP ---
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_sasl_bind: dn () mech GSSAPI
conn=0 op=3 BIND dn="" method=163
==> sasl_bind: dn="" mech=<continuing> datalen=65
SASL Canonicalize [conn=0]: authcid="bc"
slap_sasl_getdn: conn 0 id=bc [len=2]
=> ldap_dn2bv(16)
<= ldap_dn2bv(uid=bc,cn=GSSAPI,cn=auth)=0
slap_sasl_getdn: u:id converted to uid=bc,cn=GSSAPI,cn=auth
>>> dnNormalize: <uid=bc,cn=GSSAPI,cn=auth>
=> ldap_bv2dn(uid=bc,cn=GSSAPI,cn=auth,0)
<= ldap_bv2dn(uid=bc,cn=GSSAPI,cn=auth)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=bc,cn=gssapi,cn=auth)=0
<<< dnNormalize: <uid=bc,cn=gssapi,cn=auth>
==>slap_sasl2dn: converting SASL name uid=bc,cn=gssapi,cn=auth to a DN
slap_authz_regexp: converting SASL name uid=bc,cn=gssapi,cn=auth
slap_authz_regexp: converted SASL name to uid=bc,ou=employees,ou=People,ou,Users,dc=pt-jv,dc=cetic,dc=be
slap_parseURI: parsing uid=bc,ou=employees,ou=People,ou,Users,dc=pt-jv,dc=cetic,dc=be
>>> dnNormalize: <uid=bc,ou=employees,ou=People,ou,Users,dc=pt-jv,dc=cetic,dc=be>
=> ldap_bv2dn(uid=bc,ou=employees,ou=People,ou,Users,dc=pt-jv,dc=cetic,dc=be,0)
<= ldap_bv2dn(uid=bc,ou=employees,ou=People,ou,Users,dc=pt-jv,dc=cetic,dc=be)=-4 Decoding error
<==slap_sasl2dn: Converted SASL name to <nothing>
SASL Canonicalize [conn=0]: slapAuthcDN="uid=bc,cn=gssapi,cn=auth"
SASL [conn=0] Error: unable to open Berkeley db /etc/sasldb2: Bad file descriptor
SASL proxy authorize [conn=0]: authcid="bc" authzid="bc"
conn=0 op=3 BIND authcid="bc" authzid="bc"
SASL Authorize [conn=0]: proxy authorization allowed authzDN=""
send_ldap_sasl: err=0 len=-1
conn=0 op=3 BIND dn="uid=bc,cn=gssapi,cn=auth" mech=GSSAPI ssf=56
do_bind: SASL/GSSAPI bind: dn="uid=bc,cn=gssapi,cn=auth" ssf=56
send_ldap_response: msgid=4 tag=97 err=0
--- SNIP ---

The ldapsearch command fails (see message above)
the debug output is the following one
--- SNIP ---
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_sasl_bind: dn () mech GSSAPI
conn=1 op=3 BIND dn="" method=163
==> sasl_bind: dn="" mech=<continuing> datalen=65
SASL Canonicalize [conn=1]: authzid="bcEÁ"
slap_sasl_getdn: conn 1 id=bcEÁ [len=2]
SASL [conn=1] Failure: Inappropriate authentication
send_ldap_result: conn=1 op=3 p=3
send_ldap_result: err=50 matched="" text="SASL(-14): authorization failure: Inappropriate authentication"
send_ldap_response: msgid=4 tag=97 err=50
--- SNIP ---

The behavior of ldapsearch is not what I expected:
1 It asked be my "authorization name". Why ? I am already authenticated by Kerberos (I have a ticket)
2 It doesn't map my name to a correct dn.

Here is the slapd.conf:
--- SNIP ---
#sasl-realm              TEST.CETIC.BE
sasl-host               pt-jv.cetic.be

access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to *
       by dn="cn=Manager,dc=pt-jv,dc=cetic,dc=be" write
       by dn="uid=ldapadm.+\+realm=TEST\.CETIC\.BE" write
       by dn="uid=bc.+\+realm=TEST\.CETIC\.BE" write
       by self write
       by Manager write
       by users read
       by anonymous auth

password-hash {CLEARTEXT}

lastmod                 on

# Indexes
index   default pres,eq
index   objectClass,uid,uidnumber,gidnumber,cn
index   mail,mailalternateaddress,mailforwardingaddress eq
index   memberUid
index   krb5PrincipalName,krb5PrincipalRealm

authz-policy both
authz-regexp uid=([^,]*),dc=pt-jv,dc=cetic,dc=be,cn=gssapi,cn=auth uid=$1,ou=employees,ou=People,ou,Users,dc=pt-jv,dc=cetic,dc=be
#authz-regexp ou=emp,ou=People,ou,Users,dc=pt-jv,dc=cetic,dc=be ou=employees,ou=People,ou,Users,dc=pt-jv,dc=cetic,dc=be
#authz-regexp dc=pt-jv,dc=cetic,dc=be,cn=gssapi,cn=auth ou=employees,ou=People,ou,Users,dc=pt-jv,dc=cetic,dc=be
authz-regexp uid=([^,]*),cn=gssapi,cn=auth uid=$1,ou=employees,ou=People,ou,Users,dc=pt-jv,dc=cetic,dc=be
#sasl-regexp uid=(.*),cn=gssapi,cn=auth ldap:///ou=employees,ou=People,ou,Users,dc=pt-jv,dc=cetic,dc=be??sub?(mail=$1)
#sasl-regexp uid=(.*),dc=pt-jv,dc=cetic,dc=be,cn=gssapi,cn=auth ldap:///ou=employees,ou=People,ou,Users,dc=pt-jv,dc=cetic,dc=be??sub?(mail=$1)


authz-policy both
--- SNIP ---

For info, the following command works perfectly:
ldapsearch -H ldap://pt-jv.cetic.be:389/ -x -b "" -s base -LLL -ZZ supportedSASLMechanisms
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5

I am sure I am doing something wrong. Can you help me ?