
Re: gssapi and sasl with openldap



Oliver,

I was able to get openldap, sasl, and gssapi working
together using the following versions:

  Heimdal Kerberos 04.e (I also had it working with
  MIT Kerberos 1.2.5).

  Cyrus SASL 2.1.4

  OpenLDAP 2.1.2

I would recommend trying with these versions. They may
be less buggy. Then again, I was using version 5
Kerberos, and not version 4 as you are.

Good luck,
Dave

--- Olivier SALAUN <olivier.salaun@intranode.com>
wrote:
> Hello,
> 
> I can't manage to get OpenLDAP 2.0.25 working with SASL (1.5.27 or 1.5.24
> patched) and Kerberos... When I try a bind with simple auth (ldapsearch -x)
> it works... but with a SASL bind, I have the error "Can't contact LDAP
> server"
> 
> Here is an output of the command ldapsearch:
> 
> "
> -=(root@numerobis : /home/osa)=- $ klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: root@INTRANODE.LAN
> 
> Valid starting     Expires            Service principal
> 07/03/02 18:06:14  07/04/02 04:06:14  krbtgt/INTRANODE.LAN@INTRANODE.LAN
> 
> 
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
> -=(root@numerobis : /home/osa)=- $ ldapsearch
> SASL/GSSAPI authentication started
> SASL SSF: 56
> SASL installing layers
> version: 2
> 
> #
> # filter: (objectclass=*)
> # requesting: ALL
> #
> 
> ldap_result: Can't contact LDAP server
> "
> When I make a klist after the command:
> "
> -=(root@numerobis : /home/osa)=- $ klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: root@INTRANODE.LAN
> 
> Valid starting     Expires            Service principal
> 07/03/02 18:06:14  07/04/02 04:06:14  krbtgt/INTRANODE.LAN@INTRANODE.LAN
> 07/03/02 18:07:39  07/04/02 04:06:14  ldap/numerobis.intranode.lan@INTRANODE.LAN
> 
> 
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
> "
> 
> Output from slapd:
> "
> ber_get_next on fd 9 failed errno=11 (Resource temporarily unavailable)
> <== slap_sasl_bind: rc=14
> do_bind
> ber_scanf fmt ({iat) ber:
> ber_scanf fmt ({a) ber:
> ber_scanf fmt (}}) ber:
> do_sasl_bind: dn () mech GSSAPI
> ==> sasl_bind: dn="" mech=<continuing> datalen=0
> send_ldap_sasl: err=14 len=65
> send_ldap_response: msgid=3 tag=97 err=14
> ber_flush: 81 bytes to sd 9
> connection_get(9)
> connection_get(9): got connid=0
> connection_read(9): checking for input on id=0
> ber_get_next
> ber_get_next: tag 0x30 len 87 contents:
> deferring operation
> ber_get_next
> ber_get_next on fd 9 failed errno=11 (Resource temporarily unavailable)
> <== slap_sasl_bind: rc=14
> do_bind
> ber_scanf fmt ({iat) ber:
> ber_scanf fmt ({a) ber:
> ber_scanf fmt (o) ber:
> ber_scanf fmt (}}) ber:
> do_sasl_bind: dn () mech GSSAPI
> ==> sasl_bind: dn="" mech=<continuing> datalen=65
> SASL Authorize [conn=0]: authcid="root" authzid="<empty>"
> SASL Authorize [conn=0]: "root" as "u:root"
> slap_sasl_bind: username="u:root" realm="" ssf=56
> <== slap_sasl_bind: authzdn: "uid=root"
> send_ldap_sasl: err=0 len=-1
> send_ldap_response: msgid=4 tag=97 err=0
> ber_flush: 14 bytes to sd 9
> connection_get(9)
> connection_get(9): got connid=0
> connection_read(9): checking for input on id=0
> ldap_pvt_sasl_install
> ber_get_next
> sb_sasl_pkt_length: received illegal packet length of 121 bytes
> ber_get_next on fd 9 failed errno=0 (Success)
> connection_read(9): input error=-2 id=0, closing.
> connection_closing: readying conn=0 sd=9 for close
> connection_close: deferring conn=0 sd=9
> <== slap_sasl_bind: rc=0
> connection_resched: attempting closing conn=0 sd=9
> connection_close: conn=0 sd=9
> "
> 
> Regards,
> Olivier SALAUN
> 
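The slapd trace above ends with "sb_sasl_pkt_length: received illegal packet length" right after the SASL security layer is installed. What that check is doing is worth seeing in code: RFC 4422 section 3.7 (and RFC 2222 before it) frame every protected buffer as a four-octet network-byte-order length followed by that many octets, and each peer announces the largest buffer it will accept (maxbuf) during the layer negotiation, so the receiver must reject any prefix above its own limit before reading the body. The following is an added illustration, not code from this thread or from OpenLDAP: it models that framing on both sides and shows the two ways the receiver's check fires, a maxbuf mismatch between the peers and bytes that are not a frame at all (such as an unprotected BER PDU whose leading octets get read as a length). The maxbuf values, payloads and the diagnose() helper are constructed for the example; nothing here claims to identify the cause of the failure reported above.

```python
"""SASL security-layer framing (RFC 4422 s.3.7) with the receiver-side length check.

Added example; constructed sample data, not taken from the mailing-list thread.
"""
import struct

LEN_PREFIX = 4  # four-octet network-byte-order length before each protected buffer


class SaslFramingError(ValueError):
    """Raised where a server such as slapd would log an illegal packet length."""


def frame(payload: bytes, peer_maxbuf: int) -> bytes:
    """Sender side: prepend the length, refusing a buffer the peer said it cannot accept."""
    if len(payload) > peer_maxbuf:
        raise SaslFramingError(
            f"payload of {len(payload)} bytes exceeds peer maxbuf {peer_maxbuf}")
    return struct.pack("!I", len(payload)) + payload


def read_frames(stream: bytes, our_maxbuf: int) -> list:
    """Receiver side: split a byte stream into protected buffers.

    The length prefix is validated against our_maxbuf before the body is touched;
    that is what keeps a mis-framed or hostile peer from dictating how much the
    server buffers for one packet.
    """
    frames, pos = [], 0
    while pos < len(stream):
        if len(stream) - pos < LEN_PREFIX:
            raise SaslFramingError("truncated length prefix")
        (size,) = struct.unpack_from("!I", stream, pos)
        if size > our_maxbuf:
            raise SaslFramingError(
                f"received illegal packet length of {size} bytes (maxbuf {our_maxbuf})")
        body_start = pos + LEN_PREFIX
        body_end = body_start + size
        if body_end > len(stream):
            raise SaslFramingError("truncated frame body")
        frames.append(stream[body_start:body_end])
        pos = body_end
    return frames


def diagnose(stream: bytes, our_maxbuf: int) -> str:
    """One-line verdict, convenient when replaying captured bytes next to a server log."""
    try:
        frames = read_frames(stream, our_maxbuf)
    except SaslFramingError as exc:
        return f"error: {exc}"
    return f"ok: {len(frames)} frame(s), {sum(len(f) for f in frames)} payload bytes"


if __name__ == "__main__":
    # 1. Both sides agree on maxbuf: the frames round-trip.
    good = frame(b"search request", 65536) + frame(b"search result", 65536)
    print(diagnose(good, 65536))
    # 2. maxbuf mismatch: the client believes the server takes 65536, it only takes 64.
    mismatched = frame(b"x" * 121, 65536)
    print(diagnose(mismatched, 64))
    # 3. Not a frame at all: a raw BER SEQUENCE (0x30 ...) read as a length prefix
    #    yields an absurd size, and the receiver reports it the same way.
    raw_ber = bytes([0x30, 0x57, 0x02, 0x01, 0x05]) + b"\x00" * 82
    print(diagnose(raw_ber, 65536))
```

When comparing a server log against a client, the value printed in the error is the raw prefix the server decoded, so a small number points at a limit disagreement between the two ends, whereas a number in the hundreds of millions means the server was handed something that was never framed for the security layer.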

