RE: SASL/Kerberos V4 & openldap
--On Thursday, October 31, 2002 3:12 PM -0800 Howard Chu
<hyc@highlandsun.com> wrote:
OK, looks like a bug in slapd/sasl.c. Please try this change and tell me
if there are any other problems. If it works I'll commit the fix.
Howard,
I rebuilt with the fix. That error no longer occurs. However, now I get
something more interesting:
ldap4:~> ldapsearch -h localhost -s base -Y KERBEROS_V4
SASL/KERBEROS_V4 authentication started
ldap_sasl_interactive_bind_s: Insufficient access (50)
additional info: SASL(-14): authorization failure: Inappropriate
authentication
When I look in the ldap log, I see what follows this. My understanding
from the LDAP administrator's guide is that my authentication should
follow this format:
When the service ticket is obtained, it will be passed to the LDAP server
as proof of the user's identity. The server will extract the identity and
realm out of the service ticket using SASL library calls, and convert them
into an authentication request DN of the form
uid=<username>,cn=<realm>,cn=<mechanism>,cn=auth
So in our above example, if the user's name were "adamson", the
authentication request DN would be:
uid=adamson,cn=example.com,cn=kerberos_v4,cn=auth
Where in this case, it would be:
uid=quanah,cn=ir.stanford.edu,cn=kerberos_v4,cn=auth
However, it just sees me as id=quanah ?? Not even uid?
I have a correct kerberos ticket as well:
ldap4:/var/log> klist
Kerberos 4 ticket cache: /tmp/tkt54046
Principal: quanah@IR.STANFORD.EDU
Issued Expires Principal
10/31/02 16:01:29 11/01/02 17:27:50 krbtgt.IR.STANFORD.EDU@IR.STANFORD.EDU
10/31/02 16:01:29 11/01/02 17:27:50 afs@IR.STANFORD.EDU
10/31/02 16:01:50 11/01/02 17:28:11 ldap.ldap4@IR.STANFORD.EDU
--Quanah
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 948228 local4.debug]
do_bind
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 538834 local4.debug]
daemon: select: listen=7 active_threads=1 tvp=NULL
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 198467 local4.debug]
dnPrettyNormal: <>
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 538834 local4.debug]
daemon: select: listen=8 active_threads=1 tvp=NULL
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 147344 local4.debug]
<<< dnPrettyNormal: <>, <>
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 124591 local4.debug]
do_sasl_bind: dn () mech KERBEROS_V4
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 347666 local4.debug]
conn=7 op=0 BIND dn="" method=163
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 458069 local4.debug]
==> sasl_bind: dn="" mech=KERBEROS_V4 datalen=0
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 335269 local4.debug]
send_ldap_sasl: err=14 len=4
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 324658 local4.debug]
send_ldap_response: msgid=1 tag=97 err=14
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 540187 local4.debug]
<== slap_sasl_bind: rc=14
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 454241 local4.debug]
daemon: activity on 1 descriptors
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 802679 local4.debug]
daemon: activity on:
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 522297 local4.debug]
12r
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 100000 local4.debug]
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 694296 local4.debug]
daemon: read activity on 12
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 525477 local4.debug]
connection_get(12)
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 611214 local4.debug]
connection_get(12): got connid=7
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 138202 local4.debug]
connection_read(12): checking for input on id=7
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 948228 local4.debug]
do_bind
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 812316 local4.debug]
ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable)
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 538834 local4.debug]
daemon: select: listen=7 active_threads=1 tvp=NULL
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 198467 local4.debug]
dnPrettyNormal: <>
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 538834 local4.debug]
daemon: select: listen=8 active_threads=1 tvp=NULL
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 147344 local4.debug]
<<< dnPrettyNormal: <>, <>
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 124591 local4.debug]
do_sasl_bind: dn () mech KERBEROS_V4
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 347666 local4.debug]
conn=7 op=1 BIND dn="" method=163
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 458069 local4.debug]
==> sasl_bind: dn="" mech=<continuing> datalen=117
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 335269 local4.debug]
send_ldap_sasl: err=14 len=8
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 324658 local4.debug]
send_ldap_response: msgid=2 tag=97 err=14
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 540187 local4.debug]
<== slap_sasl_bind: rc=14
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 454241 local4.debug]
daemon: activity on 1 descriptors
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 802679 local4.debug]
daemon: activity on:
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 522297 local4.debug]
12r
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 100000 local4.debug]
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 694296 local4.debug]
daemon: read activity on 12
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 525477 local4.debug]
connection_get(12)
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 611214 local4.debug]
connection_get(12): got connid=7
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 138202 local4.debug]
connection_read(12): checking for input on id=7
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 812316 local4.debug]
ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable)
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 948228 local4.debug]
do_bind
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 538834 local4.debug]
daemon: select: listen=7 active_threads=1 tvp=NULL
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 198467 local4.debug]
dnPrettyNormal: <>
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 538834 local4.debug]
daemon: select: listen=8 active_threads=1 tvp=NULL
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 147344 local4.debug]
<<< dnPrettyNormal: <>, <>
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 124591 local4.debug]
do_sasl_bind: dn () mech KERBEROS_V4
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 347666 local4.debug]
conn=7 op=2 BIND dn="" method=163
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 458069 local4.debug]
==> sasl_bind: dn="" mech=<continuing> datalen=16
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 347708 local4.debug]
SASL Canonicalize [conn=7]: authzid="quanah"
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 702030 local4.debug]
slap_sasl_getdn: id=quanah
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 668004 local4.debug]
SASL [conn=7] Failure: Inappropriate authentication
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 246281 local4.debug]
send_ldap_result: conn=7 op=2 p=3
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 291653 local4.debug]
send_ldap_result: err=50 matched="" text="SASL(-14): authorization failure:
Inappropriate authentication"
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 324658 local4.debug]
send_ldap_response: msgid=3 tag=97 err=50
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 217296 local4.debug]
conn=7 op=2 RESULT tag=97 err=50 text=SASL(-14): authorization failure:
Inappropriate authentication
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 540187 local4.debug]
<== slap_sasl_bind: rc=50
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 454241 local4.debug]
daemon: activity on 1 descriptors
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 802679 local4.debug]
daemon: activity on:
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 522297 local4.debug]
12r
--
Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
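The admin-guide rule quoted above (SASL identity becomes uid=<username>,cn=<realm>,cn=<mechanism>,cn=auth, which slapd then rewrites onto a real entry with a sasl-regexp directive) is modelled in the following added example. It is not code from the post, from OpenLDAP, or from Stanford; the sasl-regexp rule, the ou=people,dc=stanford,dc=edu base, and case-insensitive matching of the rule are assumptions. The log scanner at the end is fed constructed lines shaped like the slapd debug output in the post, so the whole thing runs offline.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Added example, not code from the original post or from OpenLDAP itself.
# It models the admin-guide rule quoted in the post: a SASL identity is
# turned into an authentication request DN of the form
#     uid=<username>,cn=<realm>,cn=<mechanism>,cn=auth
# and then, as slapd's sasl-regexp directive does, rewritten onto a real
# directory entry. The ou=people,dc=stanford,dc=edu base is an assumption.

_RDN_SPECIALS = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape an RDN attribute value per RFC 2253, so a username such as
    'a,b' cannot smuggle an extra RDN into the generated auth DN."""
    out: List[str] = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        leading_special = i == 0 and ch in "# "
        trailing_space = i == last and ch == " "
        if ch in _RDN_SPECIALS or leading_special or trailing_space:
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def sasl_auth_dn(principal: str, mechanism: str) -> str:
    """Build the auth request DN for a Kerberos principal 'user@REALM'.
    Realm and mechanism are lower-cased, matching the guide's example
    (cn=example.com, cn=kerberos_v4)."""
    user, sep, realm = principal.rpartition("@")
    if not sep or not user or not realm:
        raise ValueError("principal must look like user@REALM")
    return "uid=%s,cn=%s,cn=%s,cn=auth" % (
        escape_rdn_value(user),
        escape_rdn_value(realm.lower()),
        mechanism.lower(),
    )


def apply_sasl_regexp(auth_dn: str, rules: Iterable[Tuple[str, str]]) -> str:
    """Emulate slapd's sasl-regexp: the first pattern matching the whole auth
    DN wins, and $1..$9 in its replacement are the capture groups. Matching
    is case-insensitive here (assumption: slapd compares normalized DNs).
    An unmatched DN is returned unchanged, which is what slapd would then
    use, and which will not exist in the directory."""
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, auth_dn, flags=re.IGNORECASE)
        if m:
            return re.sub(r"\$([1-9])",
                          lambda g: m.group(int(g.group(1))), replacement)
    return auth_dn


_ID_RE = re.compile(r"slap_sasl_getdn: id=(\S+)")
_RESULT_RE = re.compile(r"RESULT tag=97 err=(\d+)")


def sasl_bind_outcome(log_lines: Iterable[str]) -> Tuple[Optional[str], Optional[int]]:
    """Scan slapd debug output for the identity it canonicalized and the
    final BIND result code (tag=97 is a BindResponse)."""
    ident, err = None, None
    for line in log_lines:
        m = _ID_RE.search(line)
        if m:
            ident = m.group(1)
        m = _RESULT_RE.search(line)
        if m:
            err = int(m.group(1))
    return ident, err


# Constructed log lines, trimmed to the shape seen in the post (assumption).
SAMPLE_LOG = [
    "slapd[19177]: slap_sasl_getdn: id=quanah",
    "slapd[19177]: SASL [conn=7] Failure: Inappropriate authentication",
    "slapd[19177]: conn=7 op=2 RESULT tag=97 err=50 text=SASL(-14): authorization failure",
]

# Assumed slapd.conf rule (not from the post):
#   sasl-regexp uid=(.*),cn=ir.stanford.edu,cn=kerberos_v4,cn=auth
#               uid=$1,ou=people,dc=stanford,dc=edu
RULES = [
    (r"uid=(.*),cn=ir\.stanford\.edu,cn=kerberos_v4,cn=auth",
     r"uid=$1,ou=people,dc=stanford,dc=edu"),
]

if __name__ == "__main__":
    dn = sasl_auth_dn("quanah@IR.STANFORD.EDU", "KERBEROS_V4")
    print(dn)
    print(apply_sasl_regexp(dn, RULES))
    print(sasl_bind_outcome(SAMPLE_LOG))
```

Running the script prints the guide-style DN for quanah@IR.STANFORD.EDU, its rewrite under the assumed rule, and ("quanah", 50) for the constructed log. The escaping step is the part worth keeping: a username containing a comma is escaped before it is placed in the uid RDN, so the regexp rule still captures it as one value instead of seeing extra RDNs.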