[Date Prev][Date Next] [Chronological] [Thread] [Top]
SASL auth not working

To: openldap-technical@openldap.org
Subject: SASL auth not working
From: Diego Lima <lists@diegolima.org>
Date: Wed, 23 Jun 2010 10:27:05 -0300
Hello all,

I'm trying to set up openldap to authenticate using my kerberos
service, but I'm not having success so far. I've already set up MIT
Kerberos V and I can successfully get tickets from it:

root@filesystem:~# kinit diego.lima
Password for diego.lima@USERS:
root@filesystem:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: diego.lima@USERS

Valid starting     Expires            Service principal
06/23/10 09:44:49  06/23/10 19:44:49  krbtgt/USERS@USERS
	renew until 06/24/10 09:44:46


I've also set up SASL to use the kerberos5 auth mechanism and it seems to work:

root@filesystem:~# testsaslauthd -u diego.lima@USERS -p 123456
0: OK "Success."

The saslauthd output looks like this:

saslauthd[28383] :rel_accept_lock : released accept lock
saslauthd[28385] :get_accept_lock : acquired accept lock
saslauthd[28383] :do_auth         : auth success:
[user=diego.lima@USERS] [service=imap] [realm=] [mech=kerberos5]
saslauthd[28383] :do_request      : response: OK

I've set up my user account on LDAP like this:

dn: krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br
krbPrincipalName: diego.lima@USERS
krbPrincipalKey:: (big key)
krbLastPwdChange: 20100622215607Z
objectClass: krbPrincipal
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
objectClass: posixAccount
structuralObjectClass: krbPrincipal
entryUUID: b4d16a7a-1294-102f-8f9b-2759be64cd18
creatorsName: cn=admin,dc=domain,dc=com,dc=br
createTimestamp: 20100622215607Z
uid: diego.lima
uidNumber: 10001
gidNumber: 10001
cn: diego.lima
homeDirectory: /home/diego.lima
loginShell: /bin/bash
userPassword:: e1NBU0x9ZGllZ28ubGltYUBVU0VSUw==
krbLastSuccessfulAuth: 20100623124649Z
krbLoginFailedCount: 0
krbExtraData:: (data)
krbExtraData:: (data)
entryCSN: 20100623124649.354631Z#000000#000#000000
modifiersName: cn=admin,dc=domain,dc=com,dc=br
modifyTimestamp: 20100623124649Z


The userPassword value translates to {SASL}diego.lima@USERS

When I try to do an authenticated search on LDAP I see the following:

# ldapsearch -D
krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br -b
dc=domain,dc=com,dc=br '(objectClass=*)' -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)


And on the slapd output:

daemon: activity on 1 descriptor
daemon: activity on:
slap_listener_activate(7):
daemon: epoll: listen=7 busy
daemon: epoll: listen=8 active_threads=0 tvp=zero
>>> slap_listener(ldap:///)
daemon: listen=7, new connection on 18
daemon: added 18r (active) listener=(nil)
conn=35 fd=18 ACCEPT from IP=127.0.1.1:51089 (IP=0.0.0.0:389)
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
daemon: activity on 1 descriptor
daemon: activity on: 18r
daemon: read active on 18
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
connection_get(18)
connection_get(18): got connid=35
connection_read(18): checking for input on id=35
ber_get_next
ldap_read: want=8, got=8
  0000:  30 53 02 01 01 60 4e 02                            0S...`N.
ldap_read: want=77, got=77
  0000:  01 03 04 41 6b 72 62 50  72 69 6e 63 69 70 61 6c   ...AkrbPrincipal
  0010:  4e 61 6d 65 3d 64 69 65  67 6f 2e 6c 69 6d 61 40   Name=diego.lima@
  0020:  55 53 45 52 53 2c 63 6e  3d 55 53 45 52 53 2c 64   USERS,cn=USERS,d
  0030:  63 3d 34 6c 69 6e 75 78  2c 64 63 3d 63 6f 6d 2c   c=domain,dc=com,
  0040:  64 63 3d 62 72 80 06 31  32 33 34 35 36            dc=br..123456
ber_get_next: tag 0x30 len 83 contents:
ber_dump: buf=0x1cc73d0 ptr=0x1cc73d0 end=0x1cc7423 len=83
  0000:  02 01 01 60 4e 02 01 03  04 41 6b 72 62 50 72 69   ...`N....AkrbPri
  0010:  6e 63 69 70 61 6c 4e 61  6d 65 3d 64 69 65 67 6f   ncipalName=diego
  0020:  2e 6c 69 6d 61 40 55 53  45 52 53 2c 63 6e 3d 55   .lima@USERS,cn=U
  0030:  53 45 52 53 2c 64 63 3d  34 6c 69 6e 75 78 2c 64   SERS,dc=domain,d
  0040:  63 3d 63 6f 6d 2c 64 63  3d 62 72 80 06 31 32 33   c=com,dc=br..123
  0050:  34 35 36                                           456
op tag 0x60, time 1277298275
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
conn=35 op=0 do_bind
ber_scanf fmt ({imt) ber:
ber_dump: buf=0x1cc73d0 ptr=0x1cc73d3 end=0x1cc7423 len=80
  0000:  60 4e 02 01 03 04 41 6b  72 62 50 72 69 6e 63 69   `N....AkrbPrinci
  0010:  70 61 6c 4e 61 6d 65 3d  64 69 65 67 6f 2e 6c 69   palName=diego.li
  0020:  6d 61 40 55 53 45 52 53  2c 63 6e 3d 55 53 45 52   ma@USERS,cn=USER
  0030:  53 2c 64 63 3d 34 6c 69  6e 75 78 2c 64 63 3d 63   S,dc=domain,dc=c
  0040:  6f 6d 2c 64 63 3d 62 72  80 06 31 32 33 34 35 36   om,dc=br..123456
ber_scanf fmt (m}) ber:
ber_dump: buf=0x1cc73d0 ptr=0x1cc741b end=0x1cc7423 len=8
  0000:  00 06 31 32 33 34 35 36                            ..123456
>>> dnPrettyNormal: <krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br>
=> ldap_bv2dn(krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br,0)
<= ldap_bv2dn(krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(krbPrincipalName=diego.lima@USERS,cn=users,dc=domain,dc=com,dc=br)=0
<<< dnPrettyNormal:
<krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br>,
<krbPrincipalName=diego.lima@USERS,cn=users,dc=domain,dc=com,dc=br>
conn=35 op=0 BIND
dn="krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br"
method=128
do_bind: version=3
dn="krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br"
method=128
==> hdb_bind: dn:
krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br
bdb_dn2entry("krbPrincipalName=diego.lima@USERS,cn=users,dc=domain,dc=com,dc=br")
=> access_allowed: auth access to
"krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br"
"userPassword" requested
=> acl_get: [1] attr userPassword
=> slap_access_allowed: result not in cache (userPassword)
=> acl_mask: access to entry
"krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br",
attr "userPassword" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: cn=admin,dc=domain,dc=com,dc=br
<= check a_dn_pat: anonymous
<= acl_mask: [2] applying auth(=xd) (stop)
<= acl_mask: [2] mask: auth(=xd)
=> slap_access_allowed: auth access granted by auth(=xd)
=> access_allowed: auth access granted by auth(=xd)
SASL Canonicalize [conn=35]: authcid="diego.lima@USERS"
SASL Canonicalize [conn=35]: authcid="diego.lima@USERS"
send_ldap_result: conn=35 op=0 p=3
send_ldap_result: err=49 matched="" text=""
send_ldap_response: msgid=1 tag=97 err=49
ber_flush2: 14 bytes to sd 18
  0000:  30 0c 02 01 01 61 07 0a  01 31 04 00 04 00         0....a...1....
ldap_write: want=14, written=14
  0000:  30 0c 02 01 01 61 07 0a  01 31 04 00 04 00         0....a...1....
conn=35 op=0 RESULT tag=97 err=49 text=
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
daemon: activity on 1 descriptor
daemon: activity on: 18r
daemon: read active on 18
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
connection_get(18)
connection_get(18): got connid=35
connection_read(18): checking for input on id=35
ber_get_next
ldap_read: want=8, got=0

ber_get_next on fd 18 failed errno=0 (Success)
connection_read(18): input error=-2 id=35, closing.
connection_closing: readying conn=35 sd=18 for close
connection_close: conn=35 sd=18
daemon: removing 18
conn=35 fd=18 closed (connection lost)
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero


I see nothing on the saslauthd output when I try to log in. Did I miss
anything? Please note that I'm trying to use the same kerberos
principal as my user, and this is intended. I did try adding another
user (account and posixAccount objectClasses) with a separate kerberos
principal and that did not work either.


Lastly, here is my slapd.conf:

include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include		/etc/ldap/schema/kerberos.schema

pidfile         /var/run/slapd/slapd.pid

argsfile        /var/run/slapd/slapd.args

loglevel        none

modulepath	/usr/lib/ldap
moduleload	back_hdb

sizelimit 500

tool-threads 1

backend		hdb

database        hdb
suffix          "dc=domain,dc=com,dc=br"
rootdn          "cn=admin,dc=domain,dc=com,dc=br"
directory       "/var/lib/ldap"

dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500

index           objectClass eq

lastmod         on
checkpoint      512 30

access to attrs=userPassword,shadowLastChange,krbPrincipalKey,krbLastPwdChange
        by dn="cn=admin,dc=domain,dc=com,dc=br" write
        by anonymous auth
        by self write
        by * none
access to dn.base="" by * read
access to *
        by dn="cn=admin,dc=domain,dc=com,dc=br" write
        by * read


Thanks for the help!

-- 
Diego Lima
Follow-Ups:
- Re: SASL auth not working
  - From: Dan White <dwhite@olp.net>
Prev by Date: RE: PROBLEM: can't use SASL to authentication openldap client
Next by Date: Re: smbk5pwd: ldappassword hangs
Index(es):
- Chronological
- Thread