
RE: GSSAPI, OpenLDAP 2.0.21 and core dump



What part of

> ldap_start_tls: Connect error
>          additional info: error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded

leads you to the conclusion that this has something to do with certificates?
What makes you think this has anything to do with anything other than, perhaps,
not seeding your random number generator?

Also, this error message is clearly coming from SSLeay and/or OpenSSL, but you
neglected to mention either in your email. Seems a rather significant detail to
be omitting. Especially since the Kerberos and/or SASL libraries may have been
built on top of the OpenSSL crypto library. (I have no idea, you didn't say.
But that would be a good reason why an uninitialized SSL random number generator
is preventing your Kerberos login from working.)

When you REALLY need something to work, the first thing you REALLY need to do
is Read The Documentation. In your case, you REALLY need to read the "FAQ" file
that is included in the OpenSSL source, especially the section that starts "Why
do I get a ``PRNG not seeded'' error message?"

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Anthony Brock
> Sent: Wednesday, January 30, 2002 3:23 PM
> To: openldap-software@OpenLDAP.org
> Subject: GSSAPI, OpenLDAP 2.0.21 and core dump
>
>
> I am trying to build a V3 compliant OpenLDAP server on a Sun Solaris 8
> UltraSparc E250 using Sun WorkShop 5.
>
> I have a working Kerberos infrastructure based on MIT 1.2.3, and have
> downloaded and installed both the Sleepy Cat DB 3.3 and the Cyrus SASL
> 1.5.27. After much pain and suffering, I have successfully confirmed that
> the SASL library is working properly against the Kerberos (using the sample
> client and server).
>
> However, after building and compiling OpenLDAP against SASL, I am
> attempting to use the "OpenLDAP, OpenSSL, SASL and Kerberos V HOWTO"
> document as a guide. The daemons appear to work at first:
>
> *****
> $ klist
> Ticket cache: /tmp/krb5cc_100
> Default principal: abrock@GEORGEFOX.EDU
>
> Valid starting            Expires                   Service principal
> Wed Jan 30 14:30:38 2002  Wed Jan 30 17:01:14 2002  krbtgt/GEORGEFOX.EDU@GEORGEFOX.EDU
> Wed Jan 30 14:38:32 2002  Wed Jan 30 17:01:14 2002  ldap/scripts.georgefox.edu@GEORGEFOX.EDU
> $ ldapsearch -L -h scripts.georgefox.edu -x -b "" -s base -LLL supportedSASLMechanisms
> dn:
> supportedSASLMechanisms: GSSAPI
>
> $
> *****
>
> However, when I attempt the following command I see a core dump:
>
> *****
> $ ldapsearch -L -h scripts.georgefox.edu -I -b "" -s base -LLL supportedSASLMechanisms
> SASL/GSSAPI authentication started
> SASL Interaction
> Please enter your authorization name: abrock
> ldap_sasl_interactive_bind_s: Can't contact LDAP server
> $
> *****
>
> Any attempts to use the "-H ldap://scripts.georgefox.edu/" or "-H
> ldaps://scripts.georgefox.edu/" notation result in:
>
> *****
> $ ldapsearch -L -H ldap://scripts.georgefox.edu/ -x -b "" -s base -LLL -ZZ supportedSASLMechanisms
> ldap_start_tls: Connect error
>          additional info: error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded
> $ ldapsearch -L -H ldaps://scripts.georgefox.edu/ -x -b "" -s base -LLL supportedSASLMechanisms
> ldap_bind: Can't contact LDAP server
>          additional info: error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded
> $
> *****
>
> I believe this may be a certificate problem, though queries work correctly
> from within Netscape's addressbook.
>
> Please advise as I am stumped. I can live with the certificate mystery for
> the moment. However, I REALLY need the Kerberos to work!
>
> Thanks in advance!
>
> Tony
>
> **************************************************************************
> * Anthony Brock                                    abrock@georgefox.edu *
> * Director of Network Services                George Fox University *
> **************************************************************************
>