
RE: SASL/Kerberos V4 & openldap

--On Thursday, October 31, 2002 3:12 PM -0800 Howard Chu <hyc@highlandsun.com> wrote:

OK, looks like a bug in slapd/sasl.c. Please try this change and tell me
if there are any other problems. If it works I'll commit the fix.

Howard,

I rebuilt with the fix. That error no longer occurs. However, now I get something more interesting:

ldap4:~> ldapsearch -h localhost -s base -Y KERBEROS_V4
SASL/KERBEROS_V4 authentication started
ldap_sasl_interactive_bind_s: Insufficient access (50)
additional info: SASL(-14): authorization failure: Inappropriate authentication


When I look in the ldap log, I see the output pasted below. My understanding from the LDAP administrator's guide is that my authentication should follow this format:
When the service ticket is obtained, it will be passed to the LDAP server as proof of the user's identity. The server will extract the identity and realm out of the service ticket using SASL library calls, and convert them into an authentication request DN of the form


       uid=<username>,cn=<realm>,cn=<mechanism>,cn=auth

So in our above example, if the user's name were "adamson", the authentication request DN would be:

       uid=adamson,cn=example.com,cn=kerberos_v4,cn=auth


Where in this case, it would be:

uid=quanah,cn=ir.stanford.edu,cn=kerberos_v4,cn=auth

However, it just sees me as id=quanah?? Not even uid?

I have a correct kerberos ticket as well:

ldap4:/var/log> klist

Kerberos 4 ticket cache: /tmp/tkt54046
Principal: quanah@IR.STANFORD.EDU

 Issued              Expires             Principal
10/31/02 16:01:29  11/01/02 17:27:50  krbtgt.IR.STANFORD.EDU@IR.STANFORD.EDU
10/31/02 16:01:29  11/01/02 17:27:50  afs@IR.STANFORD.EDU
10/31/02 16:01:50  11/01/02 17:28:11  ldap.ldap4@IR.STANFORD.EDU


--Quanah



Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 948228 local4.debug] do_bind
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 538834 local4.debug] daemon: select: listen=7 active_threads=1 tvp=NULL
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 198467 local4.debug] dnPrettyNormal: <>
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 538834 local4.debug] daemon: select: listen=8 active_threads=1 tvp=NULL
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 147344 local4.debug] <<< dnPrettyNormal: <>, <>
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 124591 local4.debug] do_sasl_bind: dn () mech KERBEROS_V4
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 347666 local4.debug] conn=7 op=0 BIND dn="" method=163
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 458069 local4.debug] ==> sasl_bind: dn="" mech=KERBEROS_V4 datalen=0
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 335269 local4.debug] send_ldap_sasl: err=14 len=4
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 324658 local4.debug] send_ldap_response: msgid=1 tag=97 err=14
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 540187 local4.debug] <== slap_sasl_bind: rc=14
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 454241 local4.debug] daemon: activity on 1 descriptors
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 802679 local4.debug] daemon: activity on:
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 522297 local4.debug] 12r
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 100000 local4.debug]
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 694296 local4.debug] daemon: read activity on 12
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 525477 local4.debug] connection_get(12)
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 611214 local4.debug] connection_get(12): got connid=7
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 138202 local4.debug] connection_read(12): checking for input on id=7
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 948228 local4.debug] do_bind
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 812316 local4.debug] ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable)
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 538834 local4.debug] daemon: select: listen=7 active_threads=1 tvp=NULL
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 198467 local4.debug] dnPrettyNormal: <>
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 538834 local4.debug] daemon: select: listen=8 active_threads=1 tvp=NULL
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 147344 local4.debug] <<< dnPrettyNormal: <>, <>
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 124591 local4.debug] do_sasl_bind: dn () mech KERBEROS_V4
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 347666 local4.debug] conn=7 op=1 BIND dn="" method=163
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 458069 local4.debug] ==> sasl_bind: dn="" mech=<continuing> datalen=117
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 335269 local4.debug] send_ldap_sasl: err=14 len=8
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 324658 local4.debug] send_ldap_response: msgid=2 tag=97 err=14
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 540187 local4.debug] <== slap_sasl_bind: rc=14
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 454241 local4.debug] daemon: activity on 1 descriptors
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 802679 local4.debug] daemon: activity on:
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 522297 local4.debug] 12r
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 100000 local4.debug]
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 694296 local4.debug] daemon: read activity on 12
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 525477 local4.debug] connection_get(12)
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 611214 local4.debug] connection_get(12): got connid=7
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 138202 local4.debug] connection_read(12): checking for input on id=7
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 812316 local4.debug] ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable)
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 948228 local4.debug] do_bind
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 538834 local4.debug] daemon: select: listen=7 active_threads=1 tvp=NULL
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 198467 local4.debug] dnPrettyNormal: <>
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 538834 local4.debug] daemon: select: listen=8 active_threads=1 tvp=NULL
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 147344 local4.debug] <<< dnPrettyNormal: <>, <>
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 124591 local4.debug] do_sasl_bind: dn () mech KERBEROS_V4
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 347666 local4.debug] conn=7 op=2 BIND dn="" method=163
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 458069 local4.debug] ==> sasl_bind: dn="" mech=<continuing> datalen=16
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 347708 local4.debug] SASL Canonicalize [conn=7]: authzid="quanah"
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 702030 local4.debug] slap_sasl_getdn: id=quanah
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 668004 local4.debug] SASL [conn=7] Failure: Inappropriate authentication
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 246281 local4.debug] send_ldap_result: conn=7 op=2 p=3
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 291653 local4.debug] send_ldap_result: err=50 matched="" text="SASL(-14): authorization failure: Inappropriate authentication"
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 324658 local4.debug] send_ldap_response: msgid=3 tag=97 err=50
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 217296 local4.debug] conn=7 op=2 RESULT tag=97 err=50 text=SASL(-14): authorization failure: Inappropriate authentication
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 540187 local4.debug] <== slap_sasl_bind: rc=50
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 454241 local4.debug] daemon: activity on 1 descriptors
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 802679 local4.debug] daemon: activity on:
Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: [ID 522297 local4.debug] 12r



--
Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
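The authentication request DN form quoted from the admin guide above, worked through as an added Python example (not code from this thread or from OpenLDAP): it builds the cn=auth DN for a principal, parses one back, pulls the identity out of the slap_sasl_getdn log line from the message, and flags the case seen here, where the server logged a bare username instead of a uid/realm/mechanism DN. The final sasl-regexp-style rewrite into a directory entry DN is my assumption of the step that would normally follow and is not described on this page.

```python
import re

def sasl_auth_dn(username, realm, mechanism):
    """Build the authentication request DN the admin guide describes.
    Realm and mechanism are lower-cased, as in the guide's own example
    (EXAMPLE.COM -> cn=example.com, KERBEROS_V4 -> cn=kerberos_v4)."""
    return "uid=%s,cn=%s,cn=%s,cn=auth" % (username, realm.lower(), mechanism.lower())

_AUTH_DN_RE = re.compile(r"^uid=([^,]+),cn=([^,]+),cn=([^,]+),cn=auth$", re.I)

def parse_auth_dn(dn):
    """Return (username, realm, mechanism) or None if dn is not in the cn=auth form."""
    m = _AUTH_DN_RE.match(dn)
    if not m:
        return None
    return m.group(1), m.group(2).lower(), m.group(3).lower()

_GETDN_RE = re.compile(r"slap_sasl_getdn: id=(\S+)")

def sasl_id_from_log(line):
    """Extract the identity slapd reports in its 'slap_sasl_getdn: id=...' debug line."""
    m = _GETDN_RE.search(line)
    return m.group(1) if m else None

def classify_sasl_id(identity):
    """'dn' for a full cn=auth request DN, 'bare' for a plain username with no
    realm or mechanism (what the log in the message shows), 'other' otherwise."""
    if parse_auth_dn(identity):
        return "dn"
    if "=" not in identity and "," not in identity:
        return "bare"
    return "other"

# Assumed rewrite rule in the style of slapd's sasl-regexp directive (not on the page):
# only a cn=auth DN from the expected realm and mechanism maps to a directory entry.
_DEFAULT_RULE = (r"^uid=([^,]+),cn=ir\.stanford\.edu,cn=kerberos_v4,cn=auth$",
                 r"uid=\1,ou=people,dc=stanford,dc=edu")

def map_auth_dn(dn, rule=_DEFAULT_RULE):
    """Rewrite a cn=auth DN to an entry DN, or None if the rule does not match."""
    pattern, replacement = rule
    m = re.match(pattern, dn, re.I)
    return m.expand(replacement) if m else None

if __name__ == "__main__":
    # Log line copied from the message above; the id it carries is a bare username.
    line = ("Oct 31 16:01:50 ldap4.Stanford.EDU slapd[19177]: "
            "[ID 702030 local4.debug] slap_sasl_getdn: id=quanah")
    seen = sasl_id_from_log(line)
    print(seen, classify_sasl_id(seen))
    print(sasl_auth_dn("quanah", "IR.STANFORD.EDU", "KERBEROS_V4"))
```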