
OpenLDAP+SSL+Kerberos against AD

Hi all,

I am having problems using openldap with both kerberos and SSL against a
Windows 2000 AD. The problem only appears when I use *both* kerberos and
SSL. Separately both work fine. I am using OpenLDAP 2.0.23, MIT Kerberos V
1.2.4, cyrus-sasl 1.5.24 and OpenSSL 0.9.6b.

More precisely, commands such as 

  ldapsearch -Hldaps://myserver -D "cn=validuser,dc=myserver,dc=com" \
  -x -W -b "" -s base

which only use SSL work fine. Also, commands such as

  ldapsearch -Hldap://myserver -b "" -s base

will also work fine after I have done 'kinit'. Without a valid ticket I
get an ldap_sasl_interactive_bind_s: Local error, which is what you would
expect.

However, when I say
  
  ldapsearch -Hldaps://myserver -b "" -s base

and try to use both SSL and Kerberos, things start to break. I get an
error message: ldap_result: Can't contact LDAP server. 

Here is a closer trace:

---

# ldapsearch -Hldaps://myserver -s base -b "" -d 1
ldap_create
ldap_url_parse_ext(ldaps://myserver)
ldap_pvt_sasl_getmech
ldap_search
put_filter "(objectclass=*)"
put_filter: simple
put_simple_filter "objectclass=*"
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: myserver
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying myserver_ip:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_int_sasl_open: host=myserver
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, subject: /CN=myserver, issuer: /Email=changed@cc.hut.fi/C=FI/ST=Uusimaa/L=Espoo/O=Computing Centre/OU=Helsinki University of Technology/CN=FUTCA
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
ldap_open_defconn: successful
ldap_send_server_request
ber_flush: 64 bytes to sd 3
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: myserver  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Wed Jun 12 10:25:40 2002

** Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
do_ldap_select
read1msg: msgid 1, all 1
ber_get_next
ber_get_next: tag 0x30 len 74 contents:
ldap_read: message type search-entry msgid 1, original id 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: myserver  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Wed Jun 12 10:25:40 2002

** Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
 * msgid 1,  type 100
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
read1msg: msgid 1, all 1
ber_get_next
ber_get_next: tag 0x30 len 16 contents:
ldap_read: message type search-result msgid 1, original id 1
ber_scanf fmt ({iaa) ber:
read1msg:  0 new referrals
read1msg:  mark request completed, id = 1
request 1 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection
ldap_free_connection: refcnt 1
adding response id 1 type 101:
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (}) ber:
ldap_get_values
ber_scanf fmt ({x{{a) ber:
ber_scanf fmt ([v]) ber:
ldap_msgfree
ldap_interactive_sasl_bind_s: server supports: GSSAPI GSS-SPNEGO
ldap_int_sasl_bind: GSSAPI GSS-SPNEGO
SASL/GSSAPI authentication started
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_flush: 1176 bytes to sd 3
ldap_result msgid 2
ldap_chkResponseList for msgid=2, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 2
wait4msg continue, msgid 2, all 1
** Connections:
* host: myserver  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Wed Jun 12 10:25:40 2002

** Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=2, all=1
ldap_chkResponseList returns NULL
do_ldap_select
read1msg: msgid 2, all 1
ber_get_next
ber_get_next: tag 0x30 len 151 contents:
ldap_read: message type bind msgid 2, original id 2
ber_scanf fmt ({iaa) ber:
read1msg:  0 new referrals
read1msg:  mark request completed, id = 2
request 2 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_sasl_bind_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (O) ber:
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
sasl_client_start: 1
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_flush: 22 bytes to sd 3
ldap_result msgid 3
ldap_chkResponseList for msgid=3, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 3
wait4msg continue, msgid 3, all 1
** Connections:
* host: myserver  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Wed Jun 12 10:25:40 2002

** Outstanding Requests:
 * msgid 3,  origid 3, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=3, all=1
ldap_chkResponseList returns NULL
do_ldap_select
read1msg: msgid 3, all 1
ber_get_next
ber_get_next: tag 0x30 len 71 contents:
ldap_read: message type bind msgid 3, original id 3
ber_scanf fmt ({iaa) ber:
read1msg:  0 new referrals
read1msg:  mark request completed, id = 3
request 3 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 3, msgid 3)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_sasl_bind_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (O) ber:
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
sasl_client_start: 0
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_flush: 77 bytes to sd 3
ldap_result msgid 4
ldap_chkResponseList for msgid=4, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 4
wait4msg continue, msgid 4, all 1
** Connections:
* host: myserver  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Wed Jun 12 10:25:40 2002

** Outstanding Requests:
 * msgid 4,  origid 4, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=4, all=1
ldap_chkResponseList returns NULL
do_ldap_select
read1msg: msgid 4, all 1
ber_get_next
ber_get_next: tag 0x30 len 18 contents:
ldap_read: message type bind msgid 4, original id 4
ber_scanf fmt ({iaa) ber:
read1msg:  0 new referrals
read1msg:  mark request completed, id = 4
request 4 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 4, msgid 4)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_sasl_bind_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (O) ber:
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
SASL SSF: 56
SASL installing layers
ldap_pvt_sasl_install
version: 2

#
# filter: (objectclass=*)
# requesting: ALL
#

ldap_search_ext
put_filter "(objectclass=*)"
put_filter: simple
put_simple_filter "objectclass=*"
ldap_send_initial_request
ldap_send_server_request
ber_flush: 39 bytes to sd 3
ldap_result msgid -1
ldap_chkResponseList for msgid=-1, all=0
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid -1
wait4msg continue, msgid -1, all 0
** Connections:
* host: myserver  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Wed Jun 12 10:25:40 2002

** Outstanding Requests:
 * msgid 5,  origid 5, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=-1, all=0
ldap_chkResponseList returns NULL
do_ldap_select
read1msg: msgid -1, all 0
ber_get_next
ldap_perror
ldap_result: Can't contact LDAP server
ldap_unbind
ldap_free_request (origid 5, msgid 5)
ldap_free_connection
ldap_send_unbind
ber_flush: 7 bytes to sd 3
ldap_free_connection: actually freed
TLS trace: SSL3 alert write:warning:close notify

---

What is wrong? Anyone? I would really, really appreciate any help or
hints. 

Best regards,
Antti

-- 

Antti.Tikkanen@hut.fi 
Helsinki University of Technology 
Computing Centre
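The trace above is worth reading closely: the TLS handshake completes, the GSSAPI bind succeeds, the client then reports "SASL SSF: 56" and "SASL installing layers", and the very next read on the socket fails. That is a SASL integrity/confidentiality layer being installed on top of an already TLS-protected session, a combination Active Directory does not support on an LDAPS connection. The script below is an added example by the editor, not code from the original post or from OpenLDAP: it scans an `ldapsearch -d 1` trace for exactly that signature and prints a verdict plus advice. The failing sample is taken from the trace in the post; the "working" sample is constructed to show what the same run looks like once the client is told not to negotiate a SASL layer. The advice assumes the OpenLDAP client in use accepts `-O maxssf=0` (or `SASL_SECPROPS maxssf=0` in ldap.conf); on a release without that option the equivalent setting has to be applied elsewhere.

```shell
#!/bin/sh
# Added diagnostic (editor's example, not part of the original post).
# Reads an `ldapsearch -d 1` debug trace on stdin and reports whether a
# SASL security layer (SSF > 0) was installed on top of a TLS session
# immediately before the server dropped the connection.
ldap_trace_diag() {
    awk '
        /^TLS trace: SSL_connect:SSLv3 read finished/ { tls = 1 }
        /^ldap_int_sasl_bind: /                       { mech = $2 }
        /^SASL SSF: /                                 { ssf = $3 + 0 }
        /^SASL installing layers/                     { layers = 1 }
        /^ldap_result: Can.t contact LDAP server/     { dropped = 1 }
        END {
            if (tls && layers && ssf > 0 && dropped) verdict = "sasl-layer-over-tls"
            else if (dropped)                        verdict = "dropped"
            else                                     verdict = "ok"
            printf "tls=%s mech=%s ssf=%d layers=%s verdict=%s\n",
                   tls ? "yes" : "no", mech == "" ? "none" : mech, ssf,
                   layers ? "yes" : "no", verdict
        }'
}

# Maps a verdict line to the action a practitioner would take next.
advice() {
    case "$1" in
        *verdict=sasl-layer-over-tls*)
            echo 'GSSAPI negotiated a SASL integrity/privacy layer on top of TLS; AD drops such connections.'
            echo 'Let TLS alone protect the session: ldapsearch -H ldaps://myserver -O maxssf=0 -b "" -s base' ;;
        *verdict=dropped*)
            echo 'Connection dropped without a SASL layer in play: check network, server certificate and Kerberos ticket.' ;;
        *)
            echo 'No SASL-layer-over-TLS problem detected.' ;;
    esac
}

# Constructed sample: the decisive lines of the failing trace from the post.
failing_trace() {
    cat <<'EOF'
ldap_int_sasl_open: host=myserver
TLS trace: SSL_connect:SSLv3 read finished A
ldap_interactive_sasl_bind_s: server supports: GSSAPI GSS-SPNEGO
ldap_int_sasl_bind: GSSAPI GSS-SPNEGO
SASL/GSSAPI authentication started
SASL SSF: 56
SASL installing layers
ldap_search_ext
ldap_result: Can't contact LDAP server
EOF
}

# Constructed sample: the same run with -O maxssf=0, so no layer is negotiated.
working_trace() {
    cat <<'EOF'
ldap_int_sasl_open: host=myserver
TLS trace: SSL_connect:SSLv3 read finished A
ldap_int_sasl_bind: GSSAPI GSS-SPNEGO
SASL/GSSAPI authentication started
SASL SSF: 0
ldap_search_ext
EOF
}

# Real usage (debug output goes to stderr):
#   ldapsearch -H ldaps://myserver -b "" -s base -d 1 2>&1 | ldap_trace_diag
failing_trace | ldap_trace_diag
advice "$(failing_trace | ldap_trace_diag)"
working_trace | ldap_trace_diag
```

The detector keys on the ordering that matters: TLS finished, then a SASL layer with non-zero SSF installed, then the connection lost. A trace that fails before the bind, or after a bind that ends with "SASL SSF: 0", is classified differently so the two kinds of failure are not confused.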