Re: gssapi and sasl with openldap
Oliver,

I was able to get openldap, sasl, and gssapi working together using the following versions:

Heimdal Kerberos 04.e (I also had it working with MIT Kerberos 1.2.5).
Cyrus SASL 2.1.4
OpenLDAP 2.1.2

I would recommend trying with these versions. They may be less buggy. Then again, I was using version 5 Kerberos, and not version 4 as you are.

Good luck,
Dave
--- Olivier SALAUN <olivier.salaun@intranode.com> wrote:
> Hello,
>
> I can't manage to get OpenLDAP 2.0.25 working with SASL (1.5.27 or 1.5.24 patched) and Kerberos... When I try a bind with simple auth (ldapsearch -x) it works... but with a SASL bind, I have the error "Can't contact LDAP server".
>
> Here is an output of the command ldapsearch:
>
> "
> -=(root@numerobis : /home/osa)=- $ klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: root@INTRANODE.LAN
>
> Valid starting     Expires            Service principal
> 07/03/02 18:06:14  07/04/02 04:06:14  krbtgt/INTRANODE.LAN@INTRANODE.LAN
>
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
> -=(root@numerobis : /home/osa)=- $ ldapsearch
> SASL/GSSAPI authentication started
> SASL SSF: 56
> SASL installing layers
> version: 2
>
> #
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> ldap_result: Can't contact LDAP server
> "
> When I make a klist after the command:
> "
> -=(root@numerobis : /home/osa)=- $ klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: root@INTRANODE.LAN
>
> Valid starting     Expires            Service principal
> 07/03/02 18:06:14  07/04/02 04:06:14  krbtgt/INTRANODE.LAN@INTRANODE.LAN
> 07/03/02 18:07:39  07/04/02 04:06:14  ldap/numerobis.intranode.lan@INTRANODE.LAN
>
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
> "
>
> Output from slapd:
> "
> ber_get_next on fd 9 failed errno=11 (Resource temporarily unavailable)
> <== slap_sasl_bind: rc=14
> do_bind
> ber_scanf fmt ({iat) ber:
> ber_scanf fmt ({a) ber:
> ber_scanf fmt (}}) ber:
> do_sasl_bind: dn () mech GSSAPI
> ==> sasl_bind: dn="" mech=<continuing> datalen=0
> send_ldap_sasl: err=14 len=65
> send_ldap_response: msgid=3 tag=97 err=14
> ber_flush: 81 bytes to sd 9
> connection_get(9)
> connection_get(9): got connid=0
> connection_read(9): checking for input on id=0
> ber_get_next
> ber_get_next: tag 0x30 len 87 contents:
> deferring operation
> ber_get_next
> ber_get_next on fd 9 failed errno=11 (Resource temporarily unavailable)
> <== slap_sasl_bind: rc=14
> do_bind
> ber_scanf fmt ({iat) ber:
> ber_scanf fmt ({a) ber:
> ber_scanf fmt (o) ber:
> ber_scanf fmt (}}) ber:
> do_sasl_bind: dn () mech GSSAPI
> ==> sasl_bind: dn="" mech=<continuing> datalen=65
> SASL Authorize [conn=0]: authcid="root" authzid="<empty>"
> SASL Authorize [conn=0]: "root" as "u:root"
> slap_sasl_bind: username="u:root" realm="" ssf=56
> <== slap_sasl_bind: authzdn: "uid=root"
> send_ldap_sasl: err=0 len=-1
> send_ldap_response: msgid=4 tag=97 err=0
> ber_flush: 14 bytes to sd 9
> connection_get(9)
> connection_get(9): got connid=0
> connection_read(9): checking for input on id=0
> ldap_pvt_sasl_install
> ber_get_next
> sb_sasl_pkt_length: received illegal packet length of 121 bytes
> ber_get_next on fd 9 failed errno=0 (Success)
> connection_read(9): input error=-2 id=0, closing.
> connection_closing: readying conn=0 sd=9 for close
> connection_close: deferring conn=0 sd=9
> <== slap_sasl_bind: rc=0
> connection_resched: attempting closing conn=0 sd=9
> connection_close: conn=0 sd=9
> "
>
> Regards,
> Olivier SALAUN
>
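The slapd trace above ends with the server installing the SASL security layer (SSF 56), then rejecting the very next buffer with "received illegal packet length of 121 bytes" and closing the connection. The model below is an added example and not code from this thread, OpenLDAP or Cyrus SASL: it implements the security-layer framing that both RFC 2222 and RFC 4422 (section 3.7) prescribe, a four-octet big-endian length in front of every protected buffer, with the receiver refusing any length larger than the maximum buffer size it advertised. It generalises past the log by also showing what a receiver sees when the peer sends an LDAP PDU without the layer at all. The maximum buffer sizes (65536, 4096, 64) and the 121-byte PDU bytes are constructed sample values, not taken from the thread.

```python
"""Model of SASL security-layer framing and the receiver's length check.

Added illustrative example: NOT OpenLDAP's sb_sasl_pkt_length nor any
Cyrus SASL routine. Framing per RFC 4422 s.3.7: each protected buffer is
sent as a 4-octet big-endian length followed by the data, and a receiver
must reject a length larger than the maximum buffer size it advertised.
Encryption/integrity protection of the payload is deliberately omitted.
"""
import struct

# Assumed advertised maximum buffer size; 65536 is a common value.
DEFAULT_MAXBUF = 65536


class SaslFramingError(ValueError):
    """Raised when an inbound buffer violates the security-layer framing."""


def frame_length(prefix: bytes) -> int:
    """Decode the 4-octet big-endian length that starts every SASL buffer."""
    if len(prefix) < 4:
        raise SaslFramingError("truncated length prefix")
    return struct.unpack("!I", prefix[:4])[0]


def wrap_buffer(payload: bytes, peer_maxbuf: int = DEFAULT_MAXBUF) -> bytes:
    """Sender side: frame one buffer.

    The sender must stay within the maximum the peer advertised, so the
    check happens before anything is written."""
    if len(payload) > peer_maxbuf:
        raise SaslFramingError(
            f"payload of {len(payload)} bytes exceeds peer maxbuf {peer_maxbuf}")
    return struct.pack("!I", len(payload)) + payload


def read_frames(stream: bytes, local_maxbuf: int = DEFAULT_MAXBUF) -> list:
    """Receiver side: split a byte stream into SASL buffers.

    A length larger than the maximum we advertised is a protocol violation;
    this is the condition a diagnostic such as "received illegal packet
    length" reports, and the safe reaction is to drop the connection."""
    frames = []
    offset = 0
    while offset < len(stream):
        size = frame_length(stream[offset:offset + 4])
        offset += 4
        if size > local_maxbuf:
            raise SaslFramingError(
                f"received illegal packet length of {size} bytes "
                f"(advertised maxbuf {local_maxbuf})")
        if len(stream) - offset < size:
            raise SaslFramingError(
                f"truncated buffer: need {size} bytes, have {len(stream) - offset}")
        frames.append(stream[offset:offset + size])
        offset += size
    return frames


def demo() -> dict:
    """Three receiver outcomes on constructed input (no captured traffic)."""
    # Constructed stand-in for a 121-byte LDAP PDU: BER SEQUENCE tag 0x30,
    # length 0x77 (119), then 119 filler bytes. 121 echoes the size the slapd
    # log rejected; the bytes themselves are made up.
    pdu = b"\x30\x77" + bytes(0x77)
    result = {}
    # 1. Both sides agree on framing and limit: the PDU is delivered.
    result["matched"] = read_frames(wrap_buffer(pdu))
    # 2. The receiver advertised a smaller limit than the frame it gets.
    try:
        read_frames(wrap_buffer(pdu, peer_maxbuf=4096), local_maxbuf=64)
    except SaslFramingError as exc:
        result["too_large"] = str(exc)
    # 3. The peer never installed its layer and sends the PDU unframed: the
    #    receiver reads the BER tag and length bytes as a length prefix and
    #    sees an absurd size, so the only sane response is to close.
    try:
        read_frames(pdu)
    except SaslFramingError as exc:
        result["unframed"] = str(exc)
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Case 3 is the one worth keeping in mind when a bind succeeds and the connection dies on the first request afterwards: once either side believes a layer is active, every subsequent byte is interpreted through this framing, so a client and server that disagree about whether (or how) the layer was installed fail exactly at this check rather than during authentication.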