
Re: open ldap with SASL & GSSAPI



The first step in getting SASL/GSSAPI working (or any SASL mechanism)
is to make sure it works using the Cyrus SASL sample test
programs (as service "ldap" and daemon "slapd").  You apparently
haven't done that yet...

At 12:08 PM 11/8/2006, Maxwell Bottiger wrote:
>Hello all,
>
>        I've found lots of information about problems related to mine in the
>FAQ and around the net, but I don't have a solution yet.  Here's my
>setup:
>
>OpenLDAP 2.2
>MIT Kerberos
>SASL 2.1.20
>
>I'm using ldap to provide directory services and user info to some linux
>workstations.  This was working, but after upgrading a test machine to
>Fedora 6 I've started having some serious problems.
>
>[sleepylight@minitop ~]$  ldapsearch -H ldap://ns.jive-turkey.net -Y GSSAPI
>SASL/GSSAPI authentication started
>ldap_sasl_interactive_bind_s: Invalid credentials (49)
>        additional info: SASL(-13): authentication failure: GSSAPI
>Failure: gss_accept_sec_context
>
>
>I figure this is one of three possible problems.
>1 - saslauthd isn't working right
>2 - ldap isn't talking to sasl correctly
>3 - I've done something wrong with my ldap queries.
>
>Kerberos seems to work fine.  I can get my credentials with kinit, and
>the GSSAPI credentials are working for ssh logins.  Also, I can use
>testsaslauthd and get a success from the authd server.
>
>
>[sleepylight@ns ~]$ /usr/sbin/testsaslauthd  -r JIVE-TURKEY.NET -s ldap -u sleepylight -p *********
>0: OK "Success."
>
>So I think my problem is #2 or #3.  I'm not sure which, so if anyone has
>some feedback I'm happy to try it out.  I'll include some possibly
>relevant material at the end of this email.  Thanks for reading!
>
>
>Some stuff from slapd.conf:
>
>sasl-host ns.jive-turkey.net
>
>sasl-secprops noanonymous,noplain,noactive
>
>saslRegexp uid=([^/]*),cn=GSSAPI,cn=auth
>           uid=$1,ou=People,dc=jive-turkey,dc=net
>
># Default read access for everything else
>access to *
>        by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write
>        by * read
>
>
>Messages from slapd after an attempted login
>
>slapd startup: initiated.
>backend_startup: starting "dc=jive-turkey,dc=net"
>bdb_db_open: dbenv_open(/var/lib/ldap)
>slapd starting
>connection_get(10): got connid=0
>connection_read(10): checking for input on id=0
>ber_get_next
>ber_get_next: tag 0x30 len 12 contents:
>ber_get_next
>ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
>do_bind
>ber_scanf fmt ({imt) ber:
>ber_scanf fmt (m}) ber:
>>>> dnPrettyNormal: <>
><<< dnPrettyNormal: <>, <>
>do_bind: version=3 dn="" method=128
>send_ldap_result: conn=0 op=0 p=3
>send_ldap_response: msgid=1 tag=97 err=0
>ber_flush: 14 bytes to sd 10
>do_bind: v3 anonymous bind
>connection_get(10): got connid=0
>connection_read(10): checking for input on id=0
>ber_get_next
>ber_get_next: tag 0x30 len 201 contents:
>ber_get_next
>ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
>do_search
>ber_scanf fmt ({miiiib) ber:
>>>> dnPrettyNormal: <dc=jive-tukey,dc=net>
>ldap_err2string
><= ldap_bv2dn(dc=jive-tukey,dc=net)=0 Success
>=> ldap_dn2bv(272)
>ldap_err2string
><= ldap_dn2bv(dc=jive-tukey,dc=net)=0 Success
>=> ldap_dn2bv(272)
>ldap_err2string
><= ldap_dn2bv(dc=jive-tukey,dc=net)=0 Success
><<< dnPrettyNormal: <dc=jive-tukey,dc=net>, <dc=jive-tukey,dc=net>
>ber_scanf fmt ({mm}) ber:
>ber_scanf fmt ({mm}) ber:
>ber_scanf fmt ({M}}) ber:
>send_ldap_result: conn=0 op=1 p=3
>send_ldap_response: msgid=2 tag=101 err=32
>ber_flush: 14 bytes to sd 10
>connection_get(10): got connid=0
>connection_read(10): checking for input on id=0
>ber_get_next
>ber_get_next: tag 0x30 len 201 contents:
>ber_get_next
>do_search
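The following is an added example, not code from the thread or from OpenLDAP, that applies two offline checks to the material quoted above: it decodes the bind method and result codes in the slapd trace (bind method 128 is a simple bind and 163 a SASL bind, tag 97 is bindResponse and 101 searchResDone, err 32 is noSuchObject, all per the LDAP protocol), and it applies the quoted saslRegexp and the `dn.regex` ACL to a plain principal and to a `/admin` principal to show which DN each ends up with and who gets write access. The trace lines are copied from the post; treating both patterns as unanchored `regexec()`-style searches is an assumption about slapd 2.2 behaviour, not something the thread states.

```python
"""Offline checks for the slapd.conf fragment and slapd -d trace quoted
in the post.  Added example, not part of the thread or of OpenLDAP.
LDAP constants follow the protocol definition; the regex handling
mirrors the quoted saslRegexp/dn.regex rules and assumes slapd applies
them unanchored (search semantics), which is an assumption."""
import re

# BindRequest AuthenticationChoice tags as slapd prints them in decimal:
# 0x80 (simple) and 0xA3 (sasl).
BIND_METHODS = {128: "simple", 163: "sasl"}
# Protocol-op tags in decimal: 0x61 bindResponse, 0x65 searchResDone.
OP_TAGS = {97: "bindResponse", 101: "searchResDone"}
RESULT_CODES = {0: "success", 32: "noSuchObject", 49: "invalidCredentials"}

# Constructed sample: the lines of interest from the quoted slapd trace.
TRACE = """\
do_bind: version=3 dn="" method=128
send_ldap_response: msgid=1 tag=97 err=0
do_bind: v3 anonymous bind
>>> dnPrettyNormal: <dc=jive-tukey,dc=net>
send_ldap_response: msgid=2 tag=101 err=32
"""

BIND_RE = re.compile(r'do_bind: version=(\d+) dn="([^"]*)" method=(\d+)')
RESP_RE = re.compile(r'send_ldap_response: msgid=(\d+) tag=(\d+) err=(\d+)')
BASE_RE = re.compile(r'>>> dnPrettyNormal: <([^>]*)>')


def decode_trace(text):
    """Return (kind, ...) events for binds, searched bases and results."""
    events = []
    for line in text.splitlines():
        m = BIND_RE.match(line)
        if m:
            method = int(m.group(3))
            events.append(("bind", m.group(2) or "<anonymous>",
                           BIND_METHODS.get(method, "unknown(%d)" % method)))
            continue
        m = RESP_RE.match(line)
        if m:
            err = int(m.group(3))
            events.append((OP_TAGS.get(int(m.group(2)), "tag" + m.group(2)),
                           RESULT_CODES.get(err, "err%d" % err)))
            continue
        m = BASE_RE.match(line)
        if m:
            events.append(("base", m.group(1)))
    return events


def trace_shows_sasl_bind(text):
    """True only if some bind in the trace used the SASL choice."""
    return any(e[0] == "bind" and e[2] == "sasl" for e in decode_trace(text))


# The saslRegexp and the write ACL exactly as quoted in the post.
SASL_REGEXP = (re.compile(r"uid=([^/]*),cn=GSSAPI,cn=auth"),
               "uid=$1,ou=People,dc=jive-turkey,dc=net")
ACL_WRITE_DN = re.compile(r"uid=.*/admin,cn=GSSAPI,cn=auth")


def map_sasl_identity(authz_dn):
    """DN after saslRegexp, or the unmapped SASL DN when no rule matches.
    Assumes unanchored matching and $1 substitution as in the quoted rule."""
    pattern, replacement = SASL_REGEXP
    m = pattern.search(authz_dn)
    if not m:
        return authz_dn
    return replacement.replace("$1", m.group(1))


def acl_grants_write(dn):
    """Does the quoted 'by dn.regex=... write' clause match this DN?"""
    return ACL_WRITE_DN.search(dn) is not None


if __name__ == "__main__":
    for ev in decode_trace(TRACE):
        print(ev)
    print("SASL bind seen in trace:", trace_shows_sasl_bind(TRACE))
    for ident in ("uid=sleepylight,cn=GSSAPI,cn=auth",
                  "uid=sleepylight/admin,cn=GSSAPI,cn=auth"):
        dn = map_sasl_identity(ident)
        print(ident, "->", dn, "| write:", acl_grants_write(dn))
```

Run as a script it reports that the quoted trace contains a simple anonymous bind and a search against `dc=jive-tukey,dc=net` that ended in noSuchObject, with no SASL bind at all, and that a principal with an `/admin` instance is not rewritten by the `uid=([^/]*)` rule and so keeps the `cn=GSSAPI,cn=auth` DN that the ACL grants write to. Because neither quoted pattern carries `^` or `$`, anchoring them is the usual advice before relying on them for access control.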