
slurpd question with GSSAPI



Now that I have my SSL problem under control, I am having some trouble with gssapi and slurpd.

Background: I run a lab called csic.umd.edu which has its own kerberos realm/afs cell, etc., and I also run a department kerberos realm, cs.umd.edu, and I have both the cs.umd.edu/csic.umd.edu ldap stores in the same server. Different databases obviously.

Now working with the different databases is fine client->server. You can talk to each one, depending on your base and gssapi creds. This all works fine. Now to do replication, I was hoping to only run one slurpd, but the problem I am running into is that it looks like the credentials host/torch.cs.umd.edu@CS.UMD.EDU and host/torch.cs.umd.edu@CSIC.UMD.EDU are both being converted into

uid=host/torch.cs.umd.edu@CSIC.UMD.EDU,cn=CS.UMD.EDU,cn=GSSAPI,cn=auth

which, by my sasl-regexp rules, will always end up talking to the CS database:

sasl-regexp     uid=(.*),cn=CS.UMD.EDU,cn=GSSAPI,cn=auth
               ldap:///dc=cs,dc=umd,dc=edu??sub?uid=$1
sasl-regexp     uid=(.*),cn=CSIC.UMD.EDU,cn=GSSAPI,cn=auth
               ldap:///dc=csic,dc=umd,dc=edu??sub?uid=$1

So am I doomed to have to run 2 of them? If so, how can I get around the problem with the REALMS not having an effect on the sasl-regexp? Also, I am running 2.2.15; should I really be looking at doing syncrepl? Is there a good example for syncrepl? That is what the docs on the site are missing.

#### MAIN CS DATABASE
database        bdb
## db checkpointing...off by default
checkpoint      256 15
suffix          "dc=cs,dc=umd,dc=edu"
rootdn          "cn=Manager,dc=cs,dc=umd,dc=edu"
rootpw          *******************
directory       /var/openldap/cs/master
index           objectClass     eq
index           uid,cn          eq
cachesize       4000
replogfile      /var/openldap/slurpd/replog
replica         uri=ldap://ripper.cs.umd.edu tls=critical
               bindmethod=sasl saslmech=GSSAPI
               authcId=host/torch.cs.umd.edu@CS.UMD.EDU

#### MAIN CSIC DATABASE
database        bdb
## db checkpointing...off by default
checkpoint      256 15
suffix          "dc=csic,dc=umd,dc=edu"
rootdn          "cn=Manager,dc=csic,dc=umd,dc=edu"
rootpw          *************************
directory       /var/openldap/csic/master
index           objectClass     eq
index           uid,cn          eq
cachesize       4000
replogfile      /var/openldap/slurpd/replog
replica         uri=ldap://ripper.cs.umd.edu tls=critical
               bindmethod=sasl saslmech=GSSAPI
               authcId=host/torch.cs.umd.edu@CSIC.UMD.EDU

#### slave slapd log
dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_sasl_bind: dn () mech GSSAPI
slap_sasl_getdn: u:id converted to uid=host/torch.cs.umd.edu@CSIC.UMD.EDU,cn=CS.UMD.EDU,cn=GSSAPI,cn=auth
dnNormalize: <uid=host/torch.cs.umd.edu@CSIC.UMD.EDU,cn=CS.UMD.EDU,cn=GSSAPI,cn=auth>
=> ldap_bv2dn(uid=host/torch.cs.umd.edu@CSIC.UMD.EDU,cn=CS.UMD.EDU,cn=GSSAPI,cn=auth,0)
ldap_err2string
<= ldap_bv2dn(uid=host/torch.cs.umd.edu@CSIC.UMD.EDU,cn=CS.UMD.EDU,cn=GSSAPI,cn=auth)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(uid=host/torch.cs.umd.edu@csic.umd.edu,cn=cs.umd.edu,cn=gssapi,cn=auth)=0 Success
<<< dnNormalize: <uid=host/torch.cs.umd.edu@csic.umd.edu,cn=cs.umd.edu,cn=gssapi,cn=auth>
==>slap_sasl2dn: converting SASL name uid=host/torch.cs.umd.edu@csic.umd.edu,cn=cs.umd.edu,cn=gssapi,cn=auth to a DN
slap_sasl_regexp: converting SASL name uid=host/torch.cs.umd.edu@csic.umd.edu,cn=cs.umd.edu,cn=gssapi,cn=auth
slap_sasl_regexp: converted SASL name to ldap:///dc=cs,dc=umd,dc=edu??sub?uid=host/torch.cs.umd.edu@csic.umd.edu
slap_parseURI: parsing ldap:///dc=cs,dc=umd,dc=edu??sub?uid=host/torch.cs.umd.edu@csic.umd.edu
ldap_url_parse_ext(ldap:///dc=cs,dc=umd,dc=edu??sub?uid=host/torch.cs.umd.edu@csic.umd.edu)
put_filter: "uid=host/torch.cs.umd.edu@csic.umd.edu"
put_filter: default
put_simple_filter: "uid=host/torch.cs.umd.edu@csic.umd.edu"
ber_scanf fmt ({mm}) ber:
dnNormalize: <dc=cs,dc=umd,dc=edu>
=> ldap_bv2dn(dc=cs,dc=umd,dc=edu,0)
ldap_err2string
<= ldap_bv2dn(dc=cs,dc=umd,dc=edu)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(dc=cs,dc=umd,dc=edu)=0 Success
<<< dnNormalize: <dc=cs,dc=umd,dc=edu>
slap_sasl2dn: performing internal search (base=dc=cs,dc=umd,dc=edu, scope=2)
=> bdb_search
bdb_dn2entry("dc=cs,dc=umd,dc=edu")
search_candidates: base="dc=cs,dc=umd,dc=edu" (0x00000001) scope=2
=> bdb_dn2idl( "dc=cs,dc=umd,dc=edu" )
=> bdb_equality_candidates (objectClass)
=> key_read
<= bdb_index_read: failed (-30990)
<= bdb_equality_candidates: id=0, first=0, last=0
=> bdb_equality_candidates (uid)
=> key_read
<= bdb_index_read: failed (-30990)
<= bdb_equality_candidates: id=0, first=0, last=0
bdb_search_candidates: id=0 first=1 last=0
bdb_search: no candidates
send_ldap_result: conn=117 op=0 p=3
<==slap_sasl2dn: Converted SASL name to <nothing>
SASL [conn=117] Failure: Could not open db
SASL Authorize [conn=117]: proxy authorization allowed
send_ldap_sasl: err=0 len=-1
send_ldap_response: msgid=4 tag=97 err=0
ber_flush: 14 bytes to sd 22
<== slap_sasl_bind: rc=0
do_bind: SASL/GSSAPI bind: dn="uid=host/torch.cs.umd.edu@csic.umd.edu,cn=cs.umd.edu,cn=gssapi,cn=auth" ssf=56
connection_get(22): got connid=117
connection_read(22): checking for input on id=117
ldap_pvt_sasl_install
ber_get_next
ber_get_next: tag 0x30 len 1068 contents:
do_add
ber_scanf fmt ({m) ber:
dnPrettyNormal: <cn=testgroup,ou=groups,dc=csic,dc=umd,dc=edu>
=> ldap_bv2dn(cn=testgroup,ou=groups,dc=csic,dc=umd,dc=edu,0)
ldap_err2string
<= ldap_bv2dn(cn=testgroup,ou=groups,dc=csic,dc=umd,dc=edu)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(cn=testgroup,ou=groups,dc=csic,dc=umd,dc=edu)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(cn=testgroup,ou=groups,dc=csic,dc=umd,dc=edu)=0 Success
<<< dnPrettyNormal: <cn=testgroup,ou=groups,dc=csic,dc=umd,dc=edu>, <cn=testgroup,ou=groups,dc=csic,dc=umd,dc=edu>
ber_scanf fmt ({m{W}}) ber:
ber_scanf fmt ({m{W}}) ber:
ber_scanf fmt ({m{W}}) ber:
ber_scanf fmt ({m{W}}) ber:
ber_scanf fmt (}) ber:
=> get_ctrls
ber_scanf fmt ({m) ber:
=> get_ctrls: oid="2.16.840.1.113730.3.4.2" (noncritical)
<= get_ctrls: n=1 rc=0 err=""
ldap_url_parse_ext(ldaps://ldap.cs.umd.edu)
send_ldap_result: conn=117 op=4 p=3
send_ldap_response: msgid=5 tag=105 err=10
ber_get_next
ber_get_next on fd 22 failed errno=11 (Resource temporarily unavailable)
ber_flush: 86 bytes to sd 22
connection_get(22): got connid=117
connection_read(22): checking for input on id=117
ber_get_next
ber_get_next on fd 22 failed errno=0 (Error 0)
connection_read(22): input error=-2 id=117, closing.
connection_closing: readying conn=117 sd=22 for close
connection_close: conn=117 sd=22



-- Derek T. Yarnell UNIX System Administrator Computer Science Department University of Maryland
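As an added illustration (not code from the post or from OpenLDAP), a small Python model of the mapping the slave log shows: slapd builds the SASL name from the whole principal plus the server's default realm, normalizes it to lowercase, and tries each sasl-regexp in order with an unanchored, case-insensitive match. It reproduces the post's two rules routing both principals to the CS base, and then a hypothetical realm-aware rule set (an assumption, keyed on the realm inside the uid rather than the cn=<realm> component) that keeps the two apart.

```python
import re

# The two sasl-regexp rules exactly as written in the post (slapd substitutes $1).
ORIGINAL_RULES = [
    (r"uid=(.*),cn=CS.UMD.EDU,cn=GSSAPI,cn=auth",
     "ldap:///dc=cs,dc=umd,dc=edu??sub?uid=$1"),
    (r"uid=(.*),cn=CSIC.UMD.EDU,cn=GSSAPI,cn=auth",
     "ldap:///dc=csic,dc=umd,dc=edu??sub?uid=$1"),
]

# Hypothetical alternative (not from the post): since slapd files both principals
# under the default realm cn=CS.UMD.EDU, match the realm carried in the uid instead.
# The more specific CSIC rule goes first because rules are tried in order.
REALM_AWARE_RULES = [
    (r"uid=(.*@CSIC\.UMD\.EDU),cn=[^,]*,cn=GSSAPI,cn=auth",
     "ldap:///dc=csic,dc=umd,dc=edu??sub?uid=$1"),
    (r"uid=(.*@CS\.UMD\.EDU),cn=[^,]*,cn=GSSAPI,cn=auth",
     "ldap:///dc=cs,dc=umd,dc=edu??sub?uid=$1"),
]


def sasl_name(principal, default_realm="CS.UMD.EDU"):
    """Build the authcid DN the way the slave log shows: the full Kerberos
    principal (realm included) becomes the uid, the server's own default realm
    becomes cn=<realm>, and dnNormalize lowercases the result."""
    return f"uid={principal},cn={default_realm},cn=GSSAPI,cn=auth".lower()


def map_sasl_name(name, rules):
    """First matching rule wins. slapd compiles the pattern with REG_ICASE and
    runs an unanchored regexec, so re.search with IGNORECASE models it."""
    for pattern, template in rules:
        m = re.search(pattern, name, re.IGNORECASE)
        if m:
            return template.replace("$1", m.group(1))
    return None  # slapd logs "Converted SASL name to <nothing>"


def base_of(uri):
    """Which database a mapped ldap:/// URI lands in (the DN between /// and ?)."""
    return None if uri is None else uri.split("ldap:///", 1)[1].split("?", 1)[0]


if __name__ == "__main__":
    # Constructed inputs: the two authcIds from the post's replica directives.
    for p in ("host/torch.cs.umd.edu@CSIC.UMD.EDU", "host/torch.cs.umd.edu@CS.UMD.EDU"):
        n = sasl_name(p)
        print(p, "->", base_of(map_sasl_name(n, ORIGINAL_RULES)),
              "| realm-aware ->", base_of(map_sasl_name(n, REALM_AWARE_RULES)))
```

With the original rules both lines print dc=cs,dc=umd,dc=edu, which is exactly the search base the slave log shows for the CSIC principal.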