[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: SASL/Kerberos V4 & openldap

To: Howard Chu <hyc@highlandsun.com>, openldap-software@OpenLDAP.org
Subject: RE: SASL/Kerberos V4 & openldap
From: Quanah Gibson-Mount <quanah@stanford.edu>
Date: Thu, 31 Oct 2002 16:09:39 -0800
Content-disposition: inline
In-reply-to: <02bc01c28133$00fc5fd0$0e01a8c0@CELLO>
References: <02bc01c28133$00fc5fd0$0e01a8c0@CELLO>

--On Thursday, October 31, 2002 3:12 PM -0800 Howard Chu <hyc@highlandsun.com> wrote:

OK, looks like a bug in slapd/sasl.c. Please try this change and tell me
if there are any other problems. If it works I'll commit the fix.


Howard,

I rebuilt with the fix. That error no longer occurs. However, now I get something more interesting:

ldap4:~> ldapsearch -h localhost -s base -Y KERBEROS_V4 SASL/KERBEROS_V4 authentication started ldap_sasl_interactive_bind_s: Insufficient access (50) additional info: SASL(-14): authorization failure: Inappropriate authentication

When I look in the ldap log, I see what follows this. My understanding from the ldap administrators guide, is that my authentication I should follow this format: When the service ticket is obtained, it will be passed to the LDAP server as proof of the user's identity. The server will extract the identity and realm out of the service ticket using SASL library calls, and convert them into an authentication request DN of the form

       uid=<username>,cn=<realm>,cn=<mechanism>,cn=auth

So in our above example, if the user's name were "adamson", the authentication request DN would be:

       uid=adamsom,cn=example.com,cn=kerberos_v4,cn=auth


Where in this case, it would be:

uid=quanah,cn=ir.stanford.edu,cn=kerberos_v4,cn=auth

However, it just sees me as id=quanah ??  Not even uid?

I have a correct kerberos ticket as well:

ldap4:/var/log> klist

Kerberos 4 ticket cache: /tmp/tkt54046
Principal: quanah@IR.STANFORD.EDU

 Issued              Expires             Principal
10/31/02 16:01:29  11/01/02 17:27:50  krbtgt.IR.STANFORD.EDU@IR.STANFORD.EDU
10/31/02 16:01:29  11/01/02 17:27:50  afs@IR.STANFORD.EDU
10/31/02 16:01:50  11/01/02 17:28:11  ldap.ldap4@IR.STANFORD.EDU


--Quanah

Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 948228 local4.debug] do_bind Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 538834 local4.debug] daemon: select: listen=7 active_threads=1 tvp=NULL Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 198467 local4.debug]

dnPrettyNormal: <>

Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 538834 local4.debug] daemon: select: listen=8 active_threads=1 tvp=NULL Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 147344 local4.debug] <<< dnPrettyNormal: <>, <> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 124591 local4.debug] do_sasl_bind: dn () mech KERBEROS_V4 Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 347666 local4.debug] conn=7 op=0 BIND dn="" method=163 Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 458069 local4.debug] ==> sasl_bind: dn="" mech=KERBEROS_V4 datalen=0 Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 335269 local4.debug] send_ldap_sasl: err=14 len=4 Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 324658 local4.debug] send_ldap_response: msgid=1 tag=97 err=14 Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 540187 local4.debug] <== slap_sasl_bind: rc=14 Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 454241 local4.debug] daemon: activity on 1 descriptors Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 802679 local4.debug] daemon: activity on: Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 522297 local4.debug] 12r Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 100000 local4.debug] Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 694296 local4.debug] daemon: read activity on 12 Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 525477 local4.debug] connection_get(12) Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 611214 local4.debug] connection_get(12): got connid=7 Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 138202 local4.debug] connection_read(12): checking for input on id=7 Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 948228 local4.debug] do_bind Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 812316 local4.debug] ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable) Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 538834 local4.debug] daemon: select: listen=7 active_threads=1 tvp=NULL Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 198467 local4.debug]

dnPrettyNormal: <>

Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 538834 local4.debug] daemon: select: listen=8 active_threads=1 tvp=NULL Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 147344 local4.debug] <<< dnPrettyNormal: <>, <> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 124591 local4.debug] do_sasl_bind: dn () mech KERBEROS_V4 Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 347666 local4.debug] conn=7 op=1 BIND dn="" method=163 Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 458069 local4.debug] ==> sasl_bind: dn="" mech=<continuing> datalen=117 Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 335269 local4.debug] send_ldap_sasl: err=14 len=8 Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 324658 local4.debug] send_ldap_response: msgid=2 tag=97 err=14 Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 540187 local4.debug] <== slap_sasl_bind: rc=14 Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 454241 local4.debug] daemon: activity on 1 descriptors Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 802679 local4.debug] daemon: activity on: Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 522297 local4.debug] 12r Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 100000 local4.debug] Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 694296 local4.debug] daemon: read activity on 12 Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 525477 local4.debug] connection_get(12) Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 611214 local4.debug] connection_get(12): got connid=7 Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 138202 local4.debug] connection_read(12): checking for input on id=7 Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 812316 local4.debug] ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable) Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 948228 local4.debug] do_bind Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 538834 local4.debug] daemon: select: listen=7 active_threads=1 tvp=NULL Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 198467 local4.debug]

dnPrettyNormal: <>

Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 538834 local4.debug] daemon: select: listen=8 active_threads=1 tvp=NULL Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 147344 local4.debug] <<< dnPrettyNormal: <>, <> Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 124591 local4.debug] do_sasl_bind: dn () mech KERBEROS_V4 Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 347666 local4.debug] conn=7 op=2 BIND dn="" method=163 Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 458069 local4.debug] ==> sasl_bind: dn="" mech=<continuing> datalen=16 Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 347708 local4.debug] SASL Canonicalize [conn=7]: authzid="quanah" Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 702030 local4.debug] slap_sasl_getdn: id=quanah Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 668004 local4.debug] SASL [conn=7] Failure: Inappropriate authentication Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 246281 local4.debug] send_ldap_result: conn=7 op=2 p=3 Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 291653 local4.debug] send_ldap_result: err=50 matched="" text="SASL(-14): authorization failure: Inappropriate authentication" Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 324658 local4.debug] send_ldap_response: msgid=3 tag=97 err=50 Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 217296 local4.debug] conn=7 op=2 RESULT tag=97 err=50 text=SASL(-14): authorization failure: Inappropriate authentication Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 540187 local4.debug] <== slap_sasl_bind: rc=50 Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 454241 local4.debug] daemon: activity on 1 descriptors Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 802679 local4.debug] daemon: activity on: Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 522297 local4.debug] 12r


--
Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

Follow-Ups:
- RE: SASL/Kerberos V4 & openldap
  - From: "Howard Chu" <hyc@highlandsun.com>

Prev by Date: Re: smbldap tools
Next by Date: RE: SASL/Kerberos V4 & openldap
Index(es):
- Chronological
- Thread