
Re: help with openldap-2.4.29-sasl-2.1.25 bind problems

Either disable gssapi or install and configure it.

suomi

On 03/04/2012 04:04 PM, luxInteg wrote:
Greetings,

I am new to this list. I have a computer with these:-
cpu:        amd64, 2 cores
os:         linux 64bit, distro=cblfs, kernel-3.2.1, gcc-4.5.2
auth progs: MIT-kerberos-1.10, sasl-2.1.25, openldap-2.4.29

(I have an in-house CA and generated a signed certificate/key pair on this
machine running openssl-0.9.8. I transferred these and the cacert.pem file
securely to the machine above and these are included in the slapd.conf file.)

I verified ldap is running without sasl with the ldapsearch command like
so:-
ldapsearch -xWLLL "ou=people" -H ldaps://tester.example.com

When I tried the same command for a sasl bind:-
ldapsearch -LLL "ou=people" -H ldaps://tester.example.com

I get this
###################################################
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
	additional info: SASL(-13): authentication failure: GSSAPI Failure:
gss_accept_sec_context
###################################################


(For debugging) I did the same with the -d -1 switch:
ldapsearch -LLL -d -1 "ou=people" -H ldaps://tester.example.com

and excerpts from the output are below:-
######################################################
ldap_url_parse_ext(ldaps://tester.example.com)
ldap_create
ldap_url_parse_ext(ldaps://tester.example.com:636/??base)
ldap_sasl_interactive_bind: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP tester.example.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.10.10.10:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
tls_write: want=211, written=211
   0000:  16 03 01 00 ce 01 00 00  ca 03 01 4f 52 8f 3c 49   ...........OR.<I
   0010:  ca 19 83 08 c8 85 c3 00  94 20 0b 48 32 1a c1 40   ......... .H2..@

--------------
TLS trace: SSL_connect:SSLv2/v3 write client hello A
tls_read: want=7, got=7
-------------

--------------
TLS trace: SSL_connect:SSLv3 read server hello A
tls_read: want=5, got=5
   0000:  16 03 01 06 5b
--------------

--------------
TLS trace: SSL_connect:SSLv3 read server certificate A
tls_read: want=5, got=5
   0000:  16 03 01 00 8d                                     .....
tls_read: want=141, got=141

--------------
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
tls_write: want=210, written=210

--------------
TLS trace: SSL_connect:SSLv3 flush data
tls_read: want=5, got=5
   0000:  16 03 01 00 ba                                     .....
tls_read: want=186, got=186
------------------

--------------
TLS trace: SSL_connect:SSLv3 read server session ticket A
tls_read: want=5, got=5
   0000:  14 03 01 00 01                                     .....
tls_read: want=1, got=1
   0000:  01                                                 .
tls_read: want=5, got=5
   0000:  16 03 01 00 30                                     ....0
tls_read: want=48, got=48

--------------
TLS trace: SSL_connect:SSLv3 read finished A
ldap_int_sasl_open: host=tester.example.com
SASL/GSSAPI authentication started
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_dump: buf=0x20ebed0 ptr=0x20ebed0 end=0x20ec16a len=666

--------------
ldap_msgfree
ldap_result ld 0x2018010 msgid 1
wait4msg ld 0x2018010 msgid 1 (infinite timeout)
wait4msg continue ld 0x2018010 msgid 1 all 1
** ld 0x2018010 Connections:
* host: tester.example.com  port: 636  (default)
   refcnt: 2  status: Connected
   last used: Sat Mar  3 21:38:04 2012


** ld 0x2018010 Outstanding Requests:
  * msgid 1,  origid 1, status InProgress
    outstanding referrals 0, parent count 0
   ld 0x2018010 request count 1 (abandoned 0)
** ld 0x2018010 Response Queue:
    Empty
   ld 0x2018010 response count 0
ldap_chkResponseList ld 0x2018010 msgid 1 all 1
ldap_chkResponseList returns ld 0x2018010 NULL
ldap_int_select
read1msg: ld 0x2018010 msgid 1 all 1
ber_get_next
tls_read: want=5, got=5
   0000:  17 03 01 00 20                                     ....
tls_read: want=32, got=32

--------------
tls_read: want=5, got=5
   0000:  17 03 01 00 70                                     ....p
tls_read: want=112, got=112

--------------
ldap_read: want=79, got=79
   0000:  01 31 04 00 04 49 53 41  53 4c 28 2d 31 33 29 3a   .1...ISASL(-13):
   0010:  20 61 75 74 68 65 6e 74  69 63 61 74 69 6f 6e 20    authentication
   0020:  66 61 69 6c 75 72 65 3a  20 47 53 53 41 50 49 20   failure: GSSAPI
   0030:  46 61 69 6c 75 72 65 3a  20 67 73 73 5f 61 63 63   Failure: gss_acc
   0040:  65 70 74 5f 73 65 63 5f  63 6f 6e 74 65 78 74      ept_sec_context
ber_get_next: tag 0x30 len 85 contents:

--------------
read1msg: ld 0x2018010 0 new referrals
read1msg:  mark request completed, ld 0x2018010 msgid 1
request done: ld 0x2018010 msgid 1
res_errno: 49, res_error:<SASL(-13): authentication failure: GSSAPI Failure:
gss_accept_sec_context>, res_matched:<>
ldap_free_request (origid 1, msgid 1)
ldap_int_sasl_bind:<null>
ldap_parse_sasl_bind_result
ber_scanf fmt ({eAA) ber:
ber_dump: buf=0x20eb750 ptr=0x20eb753 end=0x20eb7a5 len=82
--------------
#########################################################################


Advice would be appreciated.

sincerely
lux-integ
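As an added example that is not part of the thread (neither the reply nor the original post), the POSIX shell helper below reads an `ldapsearch -d -1` trace like the one quoted above and reports whether the TLS handshake completed, which SASL mechanism the client chose, the LDAP result code, and which side of the GSSAPI exchange reported the failure. The sample trace embedded in it is a constructed excerpt modelled on the posted one; the host name tester.example.com comes from the post, and the optional live checks (`klist -s`, `pluginviewer -c`) are assumptions about tools being installed and are skipped when they are absent.

```shell
#!/bin/sh
# Added example (not from the thread): triage a failing SASL/GSSAPI bind from
# an `ldapsearch -d -1` trace and, where the tools exist, check the client-side
# Kerberos prerequisites. The sample trace below is constructed.

# Write a constructed excerpt of an `ldapsearch -d -1` trace, modelled on the
# one posted in the thread, to the file given as $1.
write_sample_trace() {
    cat > "$1" <<'EOF'
ldap_url_parse_ext(ldaps://tester.example.com)
ldap_sasl_interactive_bind: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_connect_to_host: TCP tester.example.com:636
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 read finished A
ldap_int_sasl_open: host=tester.example.com
SASL/GSSAPI authentication started
res_errno: 49, res_error:<SASL(-13): authentication failure: GSSAPI Failure:
gss_accept_sec_context>, res_matched:<>
EOF
}

# Succeeds when the TLS handshake completed before SASL started, i.e. the
# certificate/CA side is not what broke the bind.
trace_tls_ok() {
    grep -q 'SSL_connect:SSLv3 read finished A' "$1"
}

# Prints the SASL mechanism the client selected (empty for a simple -x bind).
trace_sasl_mech() {
    sed -n 's/^ldap_sasl_interactive_bind: user selected: //p' "$1" | head -n 1
}

# Prints the LDAP result code from the res_errno line (49 = invalidCredentials).
trace_result_code() {
    sed -n 's/^res_errno: \([0-9][0-9]*\),.*/\1/p' "$1" | head -n 1
}

# Names the side of the GSSAPI exchange that reported the failure:
#   server-acceptor   slapd's gss_accept_sec_context failed (server keytab,
#                     ldap/<host> principal, or the server's view of the KDC)
#   client-initiator  the client's gss_init_sec_context failed (no ticket,
#                     wrong realm, unreachable KDC)
#   ok                the bind succeeded
#   unknown           nothing recognisable in the trace
trace_classify() {
    if grep -q 'gss_accept_sec_context' "$1"; then
        echo server-acceptor
    elif grep -q 'gss_init_sec_context' "$1"; then
        echo client-initiator
    elif grep -q '^res_errno: 0,' "$1"; then
        echo ok
    else
        echo unknown
    fi
}

# Live checks on the client; each is skipped when the tool is not installed.
# (pluginviewer is called saslpluginviewer on some distributions.)
check_client_prereqs() {
    if command -v klist >/dev/null 2>&1; then
        if klist -s; then
            echo "client: valid Kerberos ticket cache"
        else
            echo "client: no valid ticket cache (kinit first)"
        fi
    fi
    if command -v pluginviewer >/dev/null 2>&1; then
        if pluginviewer -c 2>/dev/null | grep -q GSSAPI; then
            echo "client: Cyrus SASL GSSAPI client plugin present"
        else
            echo "client: Cyrus SASL GSSAPI client plugin missing"
        fi
    fi
}

# Demo run on the constructed trace.
trace_file=$(mktemp)
write_sample_trace "$trace_file"
trace_tls_ok "$trace_file" && echo "TLS handshake: complete"
echo "SASL mechanism: $(trace_sasl_mech "$trace_file")"
echo "LDAP result:    $(trace_result_code "$trace_file")"
echo "Failure side:   $(trace_classify "$trace_file")"
check_client_prereqs
rm -f "$trace_file"
```

On the posted trace the helper reports server-acceptor: the TLS handshake finished, GSSAPI was selected, and the error text names gss_accept_sec_context, which is the acceptor-side call made by slapd's SASL library. That is why the classification points at the server's Kerberos setup (its keytab and service principal) rather than at the client's certificates, which matches the reply's "install and configure it" advice.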