
Re: OpenLDAP2 and SASL/Kerberos



Even more investigation reveals that the sample-{server|client} from
Cyrus-SASL does NOT work!

----- s n i p -----
CHROOT:/tmp/sample# ./sample-server -s ldap -p /usr/lib/sasl
Generating client mechanism list...
Sending list of 4 mechanism(s)
S: UExBSU4gTE9HSU4gQU5PTllNT1VTIEdTU0FQSQ==
Waiting for client mechanism...
C: R1NTQVBJAGCCAhUGCSqGSIb3EgECAgEAboICBDCCAgCgAwIBBaEDAgEOogcDBQAgAAAAo4IBJGGCASAwggEcoAMCAQWhDBsKQkFZT1VSLkNPTaIlMCOgAwIBA6EcMBobBGxkYXAbEnBhcGFkb2MuYmF5b3VyLmNvbaOB3zCB3KADAgEQoQMCAQKigc8Egczzq7bGtNEyE0DkBceUEVo2bGHpOK57xP3rU2IM8Tf4Q9qCNR/1TVvZLXbiCHJUcYH2mQ2GYNkCQY1lxdkf7BggiRmMMII8xxcMJ9c+2vXkHL246tbzlVTALb+8mVp71B4vIKvDv8L/m552tP2KSPUSVRgDNOTsRAp2OYhAy+52XAZv3DG+K2n54VqTPtDMo5G6geGPjXI6LhVcMmlMKMvZ14rAn+urTQNSPeGNWaO6NMNYkFmQPkIRgzxXbBI1MzEFQqwkc5UybU7RmwmkgcIwgb+gAwIBEKKBtwSBtASOfxgeFRzgIIRDayTT6KQGMA0u/MUv7Kb1TJo2gQ8FfDwfSCC+aCTv8YBv2K84UGTzwNun3HbvLdtMftAOO1tA+IF2SiHL6yl2f+Q7Qyv+IuRtlxQozaWr3HdU1RjiYUA2WdM1DU2dVnRk/Q2Br2ryi6k526obRNpMWRGcHV48ybCKIl43nUl84zRMqcUB1kl/wz+lPpSrWFgSBEe1iCvtwPMq5vzvSHirLZhFh3IvA9SN8A==
got 'GSSAPI'
lt-sample-server: Starting SASL negotiation: generic failure (GSSAPI: gss_acquire_cred: Miscellaneous failure; No principal in keytab matches desired name; )
----- s n i p -----

----- s n i p -----
CHROOT:/tmp/sample# ./sample-client -s ldap -u root -a root -p /usr/lib/sasl -n papadoc.bayour.com
service=ldap
Waiting for mechanism list from server...
S: UExBSU4gTE9HSU4gQU5PTllNT1VTIEdTU0FQSQ==
Choosing best mechanism from: PLAIN LOGIN ANONYMOUS GSSAPI
Using mechanism GSSAPI
Preparing initial.
Sending initial response...
C: [base64 initial response elided]
Waiting for server reply...

----- s n i p -----

However, what fooled me was that service (-s) = 'host' worked like a charm!
----- s n i p -----
CHROOT:/tmp/sample# kadmin -p turbo@BAYOUR.COM
Authenticating as principal turbo@BAYOUR.COM with password.
Enter password:
kadmin:  getprincs
K/M@BAYOUR.COM
admin/admin@BAYOUR.COM
ftp/papadoc.bayour.com@BAYOUR.COM
host/papadoc.bayour.com@BAYOUR.COM
kadmin/admin@BAYOUR.COM
kadmin/changepw@BAYOUR.COM
kadmin/history@BAYOUR.COM
krbtgt/BAYOUR.COM@BAYOUR.COM
ldap/localhost@BAYOUR.COM
ldap/papadoc.bayour.com@BAYOUR.COM
mounthome/papadoc.bayour.com@BAYOUR.COM
pam_migrate/papadoc.bayour.com@BAYOUR.COM
root@BAYOUR.COM
turbo@BAYOUR.COM
----- s n i p -----

-- 
 Turbo     __ _     Debian GNU     Unix _IS_ user friendly - it's just 
 ^^^^^    / /(_)_ __  _   ___  __  selective about who its friends are 
         / / | | '_ \| | | \ \/ /   Debian Certified Linux Developer  
  _ /// / /__| | | | | |_| |>  <  Turbo Fredriksson   turbo@tripnet.se
  \\\/  \____/_|_| |_|\__,_/_/\_\ Stockholm/Sweden
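The error quoted above, "gss_acquire_cred: ... No principal in keytab matches desired name", is about the keytab the server process reads, not about the KDC: `kadmin getprincs` listing `ldap/papadoc.bayour.com@BAYOUR.COM` only proves the principal exists in the realm database. The check a practitioner would run next is to look at what the keytab actually holds. The script below is an added example, not code from the post or from Cyrus-SASL; it parses `klist -k` output (assumed to be MIT krb5's format, with a three-line header followed by "KVNO principal" rows) and reports whether a service/host principal is present. The `SAMPLE_KLIST` listing is constructed here to show a keytab that has host/ and ftp/ keys but no ldap/ key, which is exactly the situation that makes `-s host` work and `-s ldap` fail.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether a keytab can
# back a GSSAPI server for a given service/host by parsing `klist -k` output.

# Constructed sample of what `klist -k /etc/krb5.keytab` prints (MIT krb5
# format assumed) for a keytab holding host/ and ftp/ keys but no ldap/ key.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/papadoc.bayour.com@BAYOUR.COM
   3 host/papadoc.bayour.com@BAYOUR.COM
   2 ftp/papadoc.bayour.com@BAYOUR.COM'

# keytab_has_principal SERVICE HOST REALM KLIST_OUTPUT
# Prints the principal it looked for; returns 0 if present, 1 if absent.
keytab_has_principal() {
    service=$1; host=$2; realm=$3; listing=$4
    want="$service/$host@$realm"
    # Skip the three header lines, take the principal column, match the
    # whole line as a fixed string (no regex surprises from '.' or '@').
    if printf '%s\n' "$listing" | awk 'NR > 3 { print $2 }' | grep -qxF -- "$want"; then
        echo "$want: present in keytab"
        return 0
    fi
    echo "$want: NOT in keytab (gss_acquire_cred would fail)"
    return 1
}

# Same check against a live keytab; needs MIT krb5 `klist` and read access
# to the keytab file (hypothetical helper, not run by default).
check_live_keytab() {
    keytab=${4:-/etc/krb5.keytab}
    keytab_has_principal "$1" "$2" "$3" "$(klist -k "$keytab")"
}

# Demo against the constructed listing: host/ is found, ldap/ is not.
keytab_has_principal host papadoc.bayour.com BAYOUR.COM "$SAMPLE_KLIST" || true
keytab_has_principal ldap papadoc.bayour.com BAYOUR.COM "$SAMPLE_KLIST" || true
```

Run `check_live_keytab ldap papadoc.bayour.com BAYOUR.COM /usr/lib/sasl/krb5.keytab` (or whatever keytab the sample server is pointed at) as the user the server runs as; a missing entry is fixed by exporting the ldap/ key into that keytab, whereas a present entry that still fails points at file permissions or a chroot that hides the keytab from the process.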