
Re: openLDAP/SASL/KerberosV(heimdal)



On Thu, 2002-10-10 at 21:34, Kurt D. Zeilenga wrote:
> At 11:32 AM 2002-10-07, Chris Maxwell wrote:
> >Hello,
> >
> >I am having trouble with GSSAPI.  I can authenticate and work locally,
> >but whenever I attempt to ldapsearch from another box, it fails.
> >

> >Before Running "kinit" (for reference)
> >/usr/local/bin/ldapsearch -Y GSSAPI -H ldap://<machineB> -b '' -s base
> >-LLL supportedSASLMechanisms
> >        ldap_sasl_interactive_bind_s: Local error
> 
> So run kinit(1) first...

I appreciate the humour ... really; after beating my head against this
for a few hours it made me chuckle.

The problem was not with running kinit - I just wanted to include the
results of testing I did on both machines to show it wasn't something I
overlooked (like kinit, or using the wrong KDC, or other oversight).

- ldapsearch(GSSAPI) DOES work for me when connecting to LDAP, but ONLY
on the local host.

- ldapsearch DOES work on both machines (again, local only), and they
both use the same KDC.

- ldapsearch DOES NOT work when connecting to the OTHER machine.

        A-->A   works
        B-->B   works
        A-->B   "Local error"
        B-->A   "Local error"

What really throws me for a loop is that ldapsearch doesn't display the
"SASL/GSSAPI authentication started" message before it dies.

This below was just to prove that it was working locally (K5 working, etc.):
> >After Running "kinit"
> >        SASL/GSSAPI authentication started
> >        SASL SSF: 56
> >        SASL installing layers
> >        dn:
> >        supportedSASLMechanisms: GSSAPI

YES, I did run kinit(1) first :-) and yes, I checked the ticket works
using kerberized telnet.

Thanks for any help

--chris

---

Here is the <sanitized> debug from "ldapsearch -Y GSSAPI -d 4095 -h <HOSTNAME> -b '' -s base -LLL supportedSASLMechanisms":

ldap_create
ldap_url_parse_ext(ldap://<HOSTNAME>)
ldap_interactive_sasl_bind_s: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: <HOSTNAME>
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.0.232:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_perror
ldap_sasl_interactive_bind_s: Local error

------------------------
And from the server:

daemon: activity on 1 descriptors
daemon: new connection on 11
daemon: conn=13 fd=11 connection from IP=192.168.0.231:42752
(IP=0.0.0.0:389) accepted.
daemon: added 11r
daemon: activity on:
daemon: select: listen=9 active_threads=0 tvp=NULL
daemon: select: listen=10 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 11r
daemon: read activity on 11
connection_get(11)
connection_get(11): got connid=13
connection_read(11): checking for input on id=13
ber_get_next
ldap_read: want=1, got=0

ber_get_next on fd 11 failed errno=0 (Undefined error: 0)
connection_read(11): input error=-2 id=13, closing.
connection_closing: readying conn=13 sd=11 for close
connection_close: conn=13 sd=11
daemon: removing 11
conn=-1 fd=11 closed
daemon: select: listen=9 active_threads=0 tvp=NULL
daemon: select: listen=10 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: select: listen=9 active_threads=0 tvp=NULL
daemon: select: listen=10 active_threads=0 tvp=NULL