
Re: OpenLDAP2 and SASL/Kerberos



>>>>> "GOMBAS" == GOMBAS Gabor <gombasg@inf.elte.hu> writes:

    GOMBAS> Are you sure the required Kerberos key (with the etype the
    GOMBAS> client wants to use) is present in the keytab inside the
    GOMBAS> chroot? If yes, I would suggest using gdb to check what
    GOMBAS> key does it really 

I have for the last couple of hours been browsing through the OpenLDAP-Software
mailing-list archive, and came up with this

        http://www.OpenLDAP.org/lists/openldap-software/200012/msg00211.html

----- s n i p -----
CHROOT:/usr/lib/sasl# ls -l
total 76
lrwxrwxrwx    1 root     root           22 Mar  5 16:48 libanonymous.so -> libanonymous.so.1.0.15
lrwxrwxrwx    1 root     root           22 Mar  5 16:48 libanonymous.so.1 -> libanonymous.so.1.0.15
-rw-r--r--    1 root     root         5636 Feb 27 17:47 libanonymous.so.1.0.15
lrwxrwxrwx    1 root     root           20 Mar  5 16:48 libcrammd5.so -> libcrammd5.so.1.0.15
lrwxrwxrwx    1 root     root           20 Mar  5 16:48 libcrammd5.so.1 -> libcrammd5.so.1.0.15
-rw-r--r--    1 root     root        10152 Feb 27 17:47 libcrammd5.so.1.0.15
lrwxrwxrwx    1 root     root           22 Mar  5 16:48 libdigestmd5.so -> libdigestmd5.so.0.0.17
lrwxrwxrwx    1 root     root           22 Mar  5 16:48 libdigestmd5.so.0 -> libdigestmd5.so.0.0.17
-rw-r--r--    1 root     root        26544 Feb 27 17:47 libdigestmd5.so.0.0.17
lrwxrwxrwx    1 root     root           21 Mar  5 16:48 libgssapiv2.so -> libgssapiv2.so.1.0.14
lrwxrwxrwx    1 root     root           21 Mar  5 16:48 libgssapiv2.so.1 -> libgssapiv2.so.1.0.14
-rw-r--r--    1 root     root        12040 Feb 27 17:47 libgssapiv2.so.1.0.14
lrwxrwxrwx    1 root     root           17 Mar  5 16:48 liblogin.so -> liblogin.so.0.0.5
lrwxrwxrwx    1 root     root           17 Mar  5 16:48 liblogin.so.0 -> liblogin.so.0.0.5
-rw-r--r--    1 root     root         7956 Feb 27 17:47 liblogin.so.0.0.5
lrwxrwxrwx    1 root     root           18 Mar  5 16:48 libplain.so -> libplain.so.1.0.14
lrwxrwxrwx    1 root     root           18 Mar  5 16:48 libplain.so.1 -> libplain.so.1.0.14
-rw-r--r--    1 root     root         7576 Feb 27 17:47 libplain.so.1.0.14
----- s n i p -----

----- s n i p -----
CHROOT:/# strace -o /tmp/xyz slapd -h "ldap://0.0.0.0:3389/ ldaps://0.0.0.0/" -d 4 2>&1 | tee /tmp/out 
daemon_init: ldap://0.0.0.0:3389/ ldaps://0.0.0.0/
slapd starting
        [starting ldapsearch -b "dc=com" -H ldaps:/// -I "(objectclass=*)"]
connection_get(12)
connection_get(12)
connection_get(12)
SRCH "" 0 0    0 0 0
    filter: (objectClass=*)
    attrs: supportedSASLMechanisms
ber_flush: 73 bytes to sd 12
send_ldap_result: 0::
ber_flush: 14 bytes to sd 12
        [entering 'root' at the 'Please enter your authorization name' prompt]
connection_get(12)
==> sasl_bind: dn="" mech=GSSAPI datalen=537
send_ldap_result: 80::GSSAPI: gss_acquire_cred: Miscellaneous failure; No principal in keytab matches desired name; 
ber_flush: 108 bytes to sd 12
connection_get(12)
----- s n i p -----

The output from strace will reveal this:
----- s n i p -----
CHROOT:/# grep ^open /tmp/xyz | grep -v '/lib/.*\.so\..*'
[...]
open("/usr/lib/sasl/libgssapiv2.so", O_RDONLY) = 7
open("/usr/lib/sasl/libanonymous.so", O_RDONLY) = 7
open("/usr/lib/sasl/libcrammd5.so", O_RDONLY) = 7
open("/usr/lib/sasl/libdigestmd5.so", O_RDONLY) = 7
open("/usr/lib/sasl/liblogin.so", O_RDONLY) = 7
open("/usr/lib/sasl/libplain.so", O_RDONLY) = 7
open("/usr/lib/sasl/slapd.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/sasl", O_RDONLY|O_NONBLOCK|0x10000) = 10
open("/etc/sasldb", O_RDONLY)           = -1 ENOENT (No such file or directory)
open("/etc/sasldb", O_RDONLY)           = -1 ENOENT (No such file or directory)
open("/etc/ldap/slapd.conf", O_RDONLY)  = 10
[...]
----- s n i p -----

If I remove all files except the 'libgssapiv2.so*' in the module directory,
it won't try to open '/etc/sasldb' at least, but it still doesn't work...

The '/usr/lib/sasl/slapd.conf' file.. Checking the Cyrus-SASL documentation
for the Nth time, I can't find anything about how to configure it if using Krb5...

-- 
 Turbo     __ _     Debian GNU     Unix _IS_ user friendly - it's just 
 ^^^^^    / /(_)_ __  _   ___  __  selective about who its friends are 
         / / | | '_ \| | | \ \/ /   Debian Certified Linux Developer  
  _ /// / /__| | | | | |_| |>  <  Turbo Fredriksson   turbo@tripnet.se
  \\\/  \____/_|_| |_|\__,_/_/\_\ Stockholm/Sweden

killed World Trade Center class struggle $400 million in gold bullion
Panama North Korea critical Cocaine toluene jihad BATF congress
nuclear domestic disruption Uzi
[See http://www.aclu.org/echelonwatch/index.html for more about this]
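The two things the thread turns on are "which files did slapd fail to open inside the chroot" (visible in the strace log) and "does the keytab the chrooted slapd sees actually contain the service principal, with an enctype the client can use" (GOMBAS' question). The script below is an added example, not code from this mail or from the OpenLDAP/Cyrus SASL projects: it pulls the ENOENT opens out of an `strace -o` log and checks MIT `klist -k -e -t` output for a given principal and, optionally, enctype. The chroot path, keytab path, hostname, realm and the sample strace/klist lines are all constructed for the example; the service principal slapd's GSSAPI acceptor normally wants is ldap/<fqdn>@REALM.

```shell
#!/bin/sh
# Added example: find missing files in a chrooted slapd's strace log and
# verify the Kerberos keytab inside the chroot has the expected principal.
# Paths, host, realm and sample data are assumptions made for this example.

# Print the paths of open()/openat() calls that failed with ENOENT.
# Reads an `strace -o FILE` log on stdin; a keytab that lives outside the
# chroot but not inside it shows up here.
missing_opens() {
    sed -n 's/^open\(at\)\{0,1\}(\([^"]*\)"\([^"]*\)".*= -1 ENOENT.*/\3/p'
}

# Return 0 if MIT `klist -k -e [-t] KEYTAB` output on stdin lists PRINCIPAL,
# optionally with the given ETYPE (as printed in parentheses by -e).
# Usage: keytab_has_principal PRINCIPAL [ETYPE]
keytab_has_principal() {
    principal=$1
    etype=${2:-}
    awk -v p="$principal" -v e="$etype" '
        {
            # The principal is the field containing "@"; the enctype,
            # when -e was given, is the next field in parentheses.
            for (i = 1; i <= NF; i++)
                if (index($i, "@") && $i == p && (e == "" || $(i + 1) == "(" e ")"))
                    found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Run klist inside the chroot (needs root and a klist binary in the chroot)
# and check for the principal there, not on the host filesystem.
# Usage: check_chroot_keytab CHROOT KEYTAB PRINCIPAL [ETYPE]
check_chroot_keytab() {
    chroot "$1" klist -k -e -t "$2" | keytab_has_principal "$3" "${4:-}"
}

# --- constructed sample data (not real captures) -------------------------
SAMPLE_STRACE='open("/usr/lib/sasl/libgssapiv2.so", O_RDONLY) = 7
open("/usr/lib/sasl/slapd.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/krb5.keytab", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/ldap/slapd.conf", O_RDONLY)  = 10'

SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 03/05/2002 16:48:00 ldap/ldap.example.com@EXAMPLE.COM (des-cbc-crc)
   2 03/05/2002 16:48:00 ldap/ldap.example.com@EXAMPLE.COM (des3-cbc-sha1)'

# Demonstration on the constructed data.
echo "Files slapd could not open:"
printf '%s\n' "$SAMPLE_STRACE" | missing_opens

PRINC="ldap/ldap.example.com@EXAMPLE.COM"   # assumed: ldap/<fqdn>@REALM
if printf '%s\n' "$SAMPLE_KLIST" | keytab_has_principal "$PRINC" des-cbc-crc; then
    echo "keytab has $PRINC (des-cbc-crc)"
else
    echo "keytab lacks $PRINC (des-cbc-crc)"
fi
```

In the real case you would run `check_chroot_keytab /var/chroot/slapd /etc/krb5.keytab ldap/$(hostname -f)@YOUR.REALM` and feed the actual `/tmp/xyz` from the mail to `missing_opens`; a keytab path appearing in the ENOENT list, or a principal present only with an enctype the client did not offer, both produce exactly the "No principal in keytab matches desired name" result quoted above.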