Re: openLDAP/SASL/KerberosV(heimdal)
On Thu, 2002-10-10 at 21:34, Kurt D. Zeilenga wrote:
> At 11:32 AM 2002-10-07, Chris Maxwell wrote:
> >Hello,
> >
> >I am having trouble with GSSAPI. I can authenticate and work locally,
> >but whenever I attempt to ldapsearch from another box, it fails.
> >
> >Before Running "kinit" (for reference)
> >/usr/local/bin/ldapsearch -Y GSSAPI -H ldap://<machineB> -b '' -s base
> >-LLL supportedSASLMechanisms
> > ldap_sasl_interactive_bind_s: Local error
>
> So run kinit(1) first...
I appreciate the humour ... really; after beating my head against this
for a few hours it makes me chuckle.
The problem was not with running kinit - I just wanted to include the
results of testing I did on both machines to show it wasn't something I
overlooked (like kinit, or using the wrong KDC, or other oversight).
- ldapsearch(GSSAPI) DOES work for me when connecting to LDAP, but ONLY
on the local host.
- ldapsearch DOES work on both machines (again, local only), and they
both use the same KDC
- ldapsearch DOES NOT work when connecting to the OTHER machine.
A-->A works
B-->B works
A-->B "Local error"
B-->A "Local error"
What really throws me for a loop is that ldapsearch doesn't display the
"SASL/GSSAPI authentication started" message before it dies.
The output below was just to prove that it was working locally (K5 working, etc.)
> >After Running "kinit"
> > SASL/GSSAPI authentication started
> > SASL SSF: 56
> > SASL installing layers
> > dn:
> > supportedSASLMechanisms: GSSAPI
YES, I did run kinit(1) first :-) and yes, I checked the ticket works
using kerberized telnet.
Thanks for any help
--chris
---
Here is the <sanitized> debug from "ldapsearch -Y GSSAPI -d 4095 -h
<HOSTNAME> -b '' -s base -LLL supportedSASLMechanisms"
ldap_create
ldap_url_parse_ext(ldap://<HOSTNAME>)
ldap_interactive_sasl_bind_s: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: <HOSTNAME>
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.0.232:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_perror
ldap_sasl_interactive_bind_s: Local error
------------------------
And from the server:
daemon: activity on 1 descriptors
daemon: new connection on 11
daemon: conn=13 fd=11 connection from IP=192.168.0.231:42752 (IP=0.0.0.0:389) accepted.
daemon: added 11r
daemon: activity on:
daemon: select: listen=9 active_threads=0 tvp=NULL
daemon: select: listen=10 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 11r
daemon: read activity on 11
connection_get(11)
connection_get(11): got connid=13
connection_read(11): checking for input on id=13
ber_get_next
ldap_read: want=1, got=0
ber_get_next on fd 11 failed errno=0 (Undefined error: 0)
connection_read(11): input error=-2 id=13, closing.
connection_closing: readying conn=13 sd=11 for close
connection_close: conn=13 sd=11
daemon: removing 11
conn=-1 fd=11 closed
daemon: select: listen=9 active_threads=0 tvp=NULL
daemon: select: listen=10 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: select: listen=9 active_threads=0 tvp=NULL
daemon: select: listen=10 active_threads=0 tvp=NULL
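An added example, not part of the original message: a small POSIX shell script that classifies an `ldapsearch -Y GSSAPI -d 4095` trace by the last milestone line it reached. In the client trace above the TCP connect completed (`ldap_is_sock_ready`) but "Local error" was reported without "SASL/GSSAPI authentication started" ever appearing, and the server side read zero bytes, so the failure sits on the client before any bind request leaves the machine; the sample traces, hostname and address below are constructed placeholders.

```shell
# Added example, not from the original post: classify how far an
# "ldapsearch -Y GSSAPI -d 4095" trace got, using the milestone lines
# the debug output prints in order. Read the trace on stdin; print
# "<last stage reached> <result>".
ldap_trace_stage() {
    stage="none" result="unknown"
    while IFS= read -r line; do
        case "$line" in
            ldap_url_parse_ext*)                   stage="url-parsed" ;;
            "ldap_connect_to_host: Trying"*)       stage="connecting" ;;
            ldap_is_sock_ready*)                   stage="tcp-connected" ;;
            "SASL/GSSAPI authentication started"*) stage="sasl-exchange" ;;
            "SASL installing layers"*)             stage="sasl-layers" ;;
            *"Local error"*)                       result="local-error" ;;
            dn:*)                                  result="ok" ;;
        esac
    done
    printf '%s %s\n' "$stage" "$result"
}
# Turn "<stage> <result>" into a one-line reading of where the failure sits.
diagnose_trace() {
    case "$1/$2" in
        */ok) echo "bind succeeded" ;;
        tcp-connected/local-error)
            echo "TCP connect succeeded but no SASL exchange began: the client failed locally before sending a bind request" ;;
        sasl-*/local-error)
            echo "SASL exchange began, then failed: check the server log" ;;
        *) echo "failed before the TCP connection was established" ;;
    esac
}
# Constructed sample traces (hostname and address are placeholders).
sample_remote_trace() {
    cat <<'EOF'
ldap_connect_to_host: Trying 192.0.2.10:389
ldap_is_sock_ready: 3
ldap_perror
ldap_sasl_interactive_bind_s: Local error
EOF
}
sample_local_trace() {
    cat <<'EOF'
ldap_is_sock_ready: 3
SASL/GSSAPI authentication started
SASL installing layers
dn:
EOF
}
diagnose_trace $(sample_remote_trace | ldap_trace_stage)
diagnose_trace $(sample_local_trace | ldap_trace_stage)
```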