[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: sasl Kerberos authentication with subordinate


Actually 'peter' is not the right user t test against because its password in the internal ldap server is defined as {SASL}peter@EXAMPLE.COM.  It should be 

I tested againt another user mark whose password is {SASL}mark@SUB.EXAMPLE.COM. Both the ldapsearch and ldapwhoami worked well if I use the internal ldap server. This is what I expected. 

When I test againt the external server, using  ldapwhoami -d -1 -x -H ldap://externalldapserver -D "uid=mark,ou=People,ou=sub,dc=example,dc=com" -w password

 the ldap log shows this error message:

 50e4f948 >>> dnPrettyNormal: <uid=mark,ou=People,ou=sub,dc=example,dc=com>
=> ldap_bv2dn(uid=mark,ou=People,ou=sub,dc=example,dc=com,0)
<= ldap_bv2dn(uid=mark,ou=People,ou=sub,dc=example,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=mark,ou=People,ou=sub,dc=example,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=mark,ou=people,ou=sub,dc=example,dc=com)=0
50e4f948 <<< dnPrettyNormal: <uid=mark,ou=People,ou=sub,dc=example,dc=com>, <uid=mark,   ou=people,ou=sub,dc=example,dc=com>
50e4f948 conn=1034 op=0 BIND dn="uid=mark,ou=People,ou=sub,dc=example,dc=com" method=1   28
50e4f948 do_bind: version=3 dn="uid=mark,ou=People,ou=sub,dc=example,dc=com" method=12   8
50e4f948 ==> bdb_bind: dn: uid=mark,ou=People,ou=sub,dc=example,dc=com
50e4f948 bdb_dn2entry("uid=mark,ou=people,ou=sub,dc=example,dc=com")
50e4f948 => bdb_dn2id("ou=people,ou=sub,dc=example,dc=com")
50e4f948 <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-309   88)
50e4f948 send_ldap_result: conn=1034 op=0 p=3
50e4f948 send_ldap_result: err=49 matched="" text=""
50e4f948 send_ldap_response: msgid=1 tag=97 err=49

Similary message is also shown when I run the ldapsearch command. 


-----Original Message-----
From: Dan White [mailto:dwhite@olp.net] 
Sent: Wednesday, January 02, 2013 7:18 PM
To: Wu, James C.
Cc: openldap-technical@openldap.org
Subject: Re: sasl Kerberos authentication with subordinate

On 12/31/12 11:19 -0800, Wu, James C. wrote:
>I have tested that the LDAP authentication through saslauthd using 
>Kerberos works well on both the internal ldap and Kerberos pair and the 
>external ldap Kerberos pair.

How did you verify authentication was working with your internal server?

>For example, when I used "su - peter" where peter is a user in the 
>external ldap server and the password is 
>{SASL}peter@EXAMPLE.COM<mailto:%7bSASL%7dpeter@EXAMPLE.COM>. The 
>authentication works. However, when I use "su - James" where james is a 
>user defined in the internal ldap server with password 
>then the authentication failed. I check the log file, the internal 
>server did get the search request forwarded from the external ldap 
>server and returned the correct information back. However, I did not 
>see the saslauthd process on either the external or the internal ldap 
>server get any inquiry for the authentication.

On 01/02/13 14:52 -0800, Wu, James C. wrote:
>When I add uid to the -D flag in the ldapwhoami, then it failed on both 
>the external and internal ldap servers.
>ldapwhoami -x -H ldap://internalldap -D 
>"uid=peter,ou=People,ou=sub,dc=example,dc=com" -w password ldapwhoami 
>-x -H ldap://externalldap -D 
>"uid=peter,ou=People,ou=sub,dc=example,dc=com" -w password

How does this second command (against your internal server) differ from the above verification?

Dan White