
RE: openLDAP/SASL/KerberosV(heimdal)



My first response would be "the GSSAPI mech in Cyrus 1.5.24 has several
problems, try upgrading to 1.5.28" but in fact, on my own test machines with
Cyrus 1.5.24 and OpenLDAP 2.0.27 this worked without any trouble.

Does klist show a valid LDAP service ticket after your failed attempt?

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of
> Chris Maxwell
> Sent: Friday, October 11, 2002 6:36 AM
> To: openldap-software@OpenLDAP.org
> Subject: Re: openLDAP/SASL/KerberosV(heimdal)
>
>
> On Thu, 2002-10-10 at 21:34, Kurt D. Zeilenga wrote:
> > At 11:32 AM 2002-10-07, Chris Maxwell wrote:
> > >Hello,
> > >
> > >I am having trouble with GSSAPI.  I can authenticate and
> work locally,
> > >but whenever I attempt to ldapsearch from another box, it fails.
> > >
>
> > >Before Running "kinit" (for reference)
> > >/usr/local/bin/ldapsearch -Y GSSAPI -H ldap://<machineB>
> -b '' -s base
> > >-LLL supportedSASLMechanisms
> > >        ldap_sasl_interactive_bind_s: Local error
> >
> > So run kinit(1) first...
>
> I appreciate the humour ... really; after beating my head against this
> for a few hours it makes me chuckle.
>
> The problem was not with running kinit - I just wanted to include the
> results of testing I did on both machines to show it wasn't
> something I
> overlooked (like kinit, or using the wrong KDC, or other oversight).
>
> - ldapsearch(GSSAPI) DOES work for me when connecting to
> LDAP, but ONLY
> on the local host.
>
> - ldapsearch DOES work on both machines (again, local only), and they
> both use the same KDC
>
> - ldapsearch DOES NOT work when connecting to the OTHER machine.
>
>         A-->A   works
>         B-->B   works
>         A-->B   "Local error"
>         B-->A   "Local error"
>
> What really throws me for a loop is that ldapsearch doesn't
> display the
> "SASL/GSSAPI authentication started" message before it dies.
>
> This below was just to prove that it was working locally (K5
> working, etc.)
> > >After Running "kinit"
> > >        SASL/GSSAPI authentication started
> > >        SASL SSF: 56
> > >        SASL installing layers
> > >        dn:
> > >        supportedSASLMechanisms: GSSAPI
>
> YES, I did run kinit(1) first :-) and yes, I checked the ticket works
> using kerberized telnet.
>
> Thanks for any help
>
> --chris
>
> ---
>
> Here is the <sanitized> debug from "ldapsearch -Y GSSAPI -d 4095 -h
> <HOSTNAME> -b '' -s base -LLL supportedSASLMechanisms"
>
> ldap_create
> ldap_url_parse_ext(ldap://<HOSTNAME>)
> ldap_interactive_sasl_bind_s: user selected: GSSAPI
> ldap_int_sasl_bind: GSSAPI
> ldap_new_connection
> ldap_int_open_connection
> ldap_connect_to_host: <HOSTNAME>
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying 192.168.0.232:389
> ldap_connect_timeout: fd: 3 tm: -1 async: 0
> ldap_ndelay_on: 3
> ldap_is_sock_ready: 3
> ldap_ndelay_off: 3
> ldap_perror
> ldap_sasl_interactive_bind_s: Local error
>
> ------------------------
> And from the server:
>
> daemon: activity on 1 descriptors
> daemon: new connection on 11
> daemon: conn=13 fd=11 connection from IP=192.168.0.231:42752
> (IP=0.0.0.0:389) accepted.
> daemon: added 11r
> daemon: activity on:
> daemon: select: listen=9 active_threads=0 tvp=NULL
> daemon: select: listen=10 active_threads=0 tvp=NULL
> daemon: activity on 1 descriptors
> daemon: activity on: 11r
> daemon: read activity on 11
> connection_get(11)
> connection_get(11): got connid=13
> connection_read(11): checking for input on id=13
> ber_get_next
> ldap_read: want=1, got=0
>
> ber_get_next on fd 11 failed errno=0 (Undefined error: 0)
> connection_read(11): input error=-2 id=13, closing.
> connection_closing: readying conn=13 sd=11 for close
> connection_close: conn=13 sd=11
> daemon: removing 11
> conn=-1 fd=11 closed
> daemon: select: listen=9 active_threads=0 tvp=NULL
> daemon: select: listen=10 active_threads=0 tvp=NULL
> daemon: activity on 1 descriptors
> daemon: select: listen=9 active_threads=0 tvp=NULL
> daemon: select: listen=10 active_threads=0 tvp=NULL
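Howard's question (does klist show an ldap/<host> service ticket after the failed attempt?) together with the two logs Chris posted can be turned into a small triage script. What follows is an added example written for this archive page, not code from the OpenLDAP project or from anyone in the thread. The hostnames, realm and klist output are constructed; the client trace and slapd log lines mirror the ones quoted above. The script classifies the failure by how far the client got (TCP connected but no "SASL/GSSAPI authentication started" line), whether the server read any bytes before the connection closed (`ldap_read: want=1, got=0` means the client sent nothing), and whether a service ticket for the target host is present in the credential cache.

```python
"""Triage the GSSAPI "Local error" case from the thread.

Added example, not OpenLDAP project code.  All input below is constructed
to mirror the quoted logs; hostnames and realm are placeholders.
"""
import re

# Constructed client-side trace, modelled on the ldapsearch -d output above.
CLIENT_TRACE = """\
ldap_create
ldap_url_parse_ext(ldap://ldap-b.example.test)
ldap_interactive_sasl_bind_s: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_connect_to_host: ldap-b.example.test
ldap_connect_to_host: Trying 192.168.0.232:389
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_perror
ldap_sasl_interactive_bind_s: Local error
"""

# Constructed slapd log, modelled on the server excerpt above.
SERVER_LOG = """\
daemon: conn=13 fd=11 connection from IP=192.168.0.231:42752 (IP=0.0.0.0:389) accepted.
daemon: read activity on 11
connection_read(11): checking for input on id=13
ber_get_next
ldap_read: want=1, got=0
ber_get_next on fd 11 failed errno=0 (Undefined error: 0)
connection_read(11): input error=-2 id=13, closing.
connection_close: conn=13 sd=11
"""

# Constructed klist output: TGT present, service ticket only for the local
# host (ldap-a), none for the remote host (ldap-b).
KLIST_OUTPUT = """\
Credentials cache: FILE:/tmp/krb5cc_1000
        Principal: chris@EXAMPLE.TEST

  Issued           Expires          Principal
Oct 11 06:30:00  Oct 11 16:30:00  krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Oct 11 06:31:10  Oct 11 16:30:00  ldap/ldap-a.example.test@EXAMPLE.TEST
"""

SERVER_ACCEPT = re.compile(r"conn=(\d+) fd=(\d+) connection from IP=([\d.]+):(\d+)")
SERVER_READ = re.compile(r"ldap_read: want=(\d+), got=(\d+)")
SERVER_CLOSE = re.compile(r"connection_close: conn=(\d+)")


def client_stage(trace: str) -> str:
    """How far the client got before printing its error.

    'sasl_started'      -> the SASL exchange began (server saw a bind)
    'connected_no_sasl' -> TCP connect succeeded, SASL never started
    'no_connect'        -> it never even reached the socket stage
    """
    if "SASL/GSSAPI authentication started" in trace:
        return "sasl_started"
    if "ldap_is_sock_ready" in trace:
        return "connected_no_sasl"
    return "no_connect"


def server_view(log: str) -> dict:
    """Summarise the first accepted connection: peer, bytes read, closed?"""
    conn = {"id": None, "peer": None, "bytes": 0, "closed": False}
    for line in log.splitlines():
        m = SERVER_ACCEPT.search(line)
        if m:
            conn["id"], conn["peer"] = int(m.group(1)), m.group(3)
            continue
        m = SERVER_READ.search(line)
        if m:
            conn["bytes"] += int(m.group(2))  # got=0 means nothing arrived
            continue
        m = SERVER_CLOSE.search(line)
        if m and conn["id"] == int(m.group(1)):
            conn["closed"] = True
    return conn


def has_service_ticket(klist: str, host: str) -> bool:
    """True if klist lists a ticket for ldap/<host>@<REALM> (any realm)."""
    pat = re.compile(r"\bldap/" + re.escape(host) + r"@[A-Za-z0-9.\-]+")
    return any(pat.search(line) for line in klist.splitlines())


def diagnose(trace: str, log: str, klist: str, host: str) -> str:
    """Combine the three views into one verdict string."""
    stage = client_stage(trace)
    srv = server_view(log)
    if stage == "sasl_started":
        # A bind reached the server; look at slapd's SASL logging instead.
        return "sasl_negotiation_failed"
    if stage == "connected_no_sasl" and srv["closed"] and srv["bytes"] == 0:
        # Client connected, sent no bind request, then closed: the failure
        # is inside the client's GSSAPI initialisation, before any LDAP PDU.
        if not has_service_ticket(klist, host):
            return "client_gssapi_init_failed:no_service_ticket"
        return "client_gssapi_init_failed:ticket_present"
    return "inconclusive"


if __name__ == "__main__":
    print(diagnose(CLIENT_TRACE, SERVER_LOG, KLIST_OUTPUT, "ldap-b.example.test"))
```

On the constructed input the verdict is `client_gssapi_init_failed:no_service_ticket`: the server read zero bytes before the client closed, and the credential cache holds a ticket for the local host only. Swapping in a real trace, slapd log and `klist` capture for the remote host is all that is needed to apply the same check to an actual run.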