[Date Prev][Date Next] [Chronological] [Thread] [Top]

sb_sasl_pkt_length: received illegal packet length of 113 bytes



Howdy!  After a week of reading every manual, cookbook, and howto,
trying every combination of config options, and twenty google searches
an hour, I've managed to get openldap (redhat stock 2.0.25), krb5
(redhat nearly stock 1.2.5), SSL/TLS, and sasl (redhat stock 2.1.7,
which include 1.5.28) working on a RH8.0 box.  Mostly.

Sorry for the lengthy email, I'm not sure which parts are important
for debugging, so I'm sticking them all in.  :)

(One other, separate, little problem, before going on:  with the
cyrus-sasl-gssapi and cyrus-sasl-plain packages both installed,
ldapsearch returned "ldap_sasl_interactive_bind_s: Unknown
authentication method"; after removing the cyrus-sasl-plain package,
it started working.  Hmm....)

Here's the problem.  Ldapsearch works like this:

    # ldapsearch -X u:root -H ldap://ldap-2.lan.butchwax.com/ -v  \
            -LLL -ZZ o=butchwax
    ldap_initialize( ldap://ldap-2.lan.butchwax.com/ )
    SASL/GSSAPI authentication started
    SASL username: u:root
    SASL SSF: 56
    SASL installing layers
    filter: o=butchwax
    requesting: ALL
    dn: o=butchwax
    objectClass: top
    objectClass: organization
    o: butchwax

Perfect.  But this doesn't work:

    # ldapsearch -Q -H ldap://ldap-2.lan.butchwax.com/ -v  \
            -LLL -ZZ o=butchwax
    ldap_initialize( ldap://ldap-2.lan.butchwax.com/ )
    filter: o=butchwax
    requesting: ALL
    ldap_result: Can't contact LDAP server

The sasl sample client and server work perfectly (and they're linked
to the 1.5.28 sasl libraries).  This search grabs the correct krb
service ticket before failing.

Running -d -1 on the server and comparing the output for the two
searches reveals this after about 1200 lines of otherwise nearly
identical debugging info:

Without the -X u:root option:
    Jan 21 15:53:02 greaser slapd: ldap_pvt_sasl_install
[...snip ~10 lines]
    Jan 21 15:53:02 greaser slapd: sasl_read: want=4, got=4
    Jan 21 15:53:02 greaser slapd:   0000:  00 00 00 71
               ...q
    Jan 21 15:53:02 greaser slapd: sb_sasl_pkt_length: received illegal packet length of 113 bytes
    Jan 21 15:53:02 greaser slapd: sasl_read: want=16, got=16
    Jan 21 15:53:02 greaser slapd:   0000:  60 6f 06 09 2a 86 48 86  f7 12 01 02 02 02 01 04   `o..*.H.........
    Jan 21 15:53:02 greaser slapd: ldap_read: want=1, got=0
    Jan 21 15:53:02 greaser slapd:
    Jan 21 15:53:02 greaser slapd: ber_get_next on fd 11 failed errno=0 (Success)
    Jan 21 15:53:02 greaser slapd: connection_read(11): input error=-2 id=14, closing.
    Jan 21 15:53:02 greaser slapd: connection_closing: readying conn=14 sd=11 for close
    Jan 21 15:53:02 greaser slapd: connection_close: conn=14 sd=11
    Jan 21 15:53:02 greaser slapd: daemon: removing 11
[...ends a few lines later]

With the -X u:root option:
    Jan 21 15:54:51 greaser slapd: ldap_pvt_sasl_install
[...snip ~10 lines]
    Jan 21 15:54:51 greaser slapd: sasl_read: want=4, got=4
    Jan 21 15:54:51 greaser slapd:   0000:  00 00 00 71
               ...q
    Jan 21 15:54:51 greaser slapd: sasl_read: want=113, got=113
    Jan 21 15:54:51 greaser slapd:   0000:  60 6f 06 09 2a 86 48 86  f7 12 01 02 02 02 01 04   `o..*.H.........
    Jan 21 15:54:51 greaser slapd:   0010:  00 02 00 ff ff 2b c3 0e  dd 33 b7 d6 5d c6 d7 c0   .....+...3..]...
[...900 lines later the desired output is given]

As far as ldapsearch -d -1 output:

With -X u:root:
[snip about 700 lines]
    sasl_client_step: 0
    ldap_sasl_bind_s
    ldap_sasl_bind
    ldap_send_initial_request
    ldap_send_server_request
    ber_flush: 97 bytes to sd 3
      0000:  30 5f 02 01 05 60 5a 02  01 03 04 00 a3 53 04 06   0_...`Z......S..  
      0010:  47 53 53 41 50 49 04 49  60 47 06 09 2a 86 48 86   GSSAPI.I`G..*.H.  
      0020:  f7 12 01 02 02 02 01 04  00 ff ff ff ff a8 d9 79   ...............y  
      0030:  94 8b 58 b1 8c 57 22 4a  e4 af fd 4b d4 41 a3 f5   ..X..W"J...K.A..  
      0040:  72 ad 9a 8b 24 5d e9 ce  9a d1 5a 72 cf 21 79 47   r...$]....Zr.!yG  
      0050:  51 04 0f ff ff 75 3a 72  6f 6f 74 06 06 06 06 06   Q....u:root.....  
      0060:  06                                                 .                 


With no -X:
[snip same 700 lines]
    ldap_msgfree
    sasl_client_step: 0
    ldap_sasl_bind_s
    ldap_sasl_bind
    ldap_send_initial_request
    ldap_send_server_request
    ber_flush: 89 bytes to sd 3
      0000:  30 57 02 01 05 60 52 02  01 03 04 00 a3 4b 04 06   0W...`R......K..  
      0010:  47 53 53 41 50 49 04 41  60 3f 06 09 2a 86 48 86   GSSAPI.A`?..*.H.  
      0020:  f7 12 01 02 02 02 01 04  00 ff ff ff ff a6 6c c2   ..............l.  
      0030:  35 31 ac ed 83 e4 50 a2  63 cf 35 6e 83 25 2f f5   51....P.c.5n.%/.  
      0040:  ab 7a db 04 2d 6a 41 88  5e 09 99 f5 65 ca 8a 2d   .z..-jA.^...e..-  
      0050:  04 04 0f ff ff 04 04 04  04                        .........         

Maybe the 'u:root' in in the -X output is significant?  Then:

With no -X:
[snip about 70 more lines]
    ldap_msgfree
    SASL SSF: 56
    SASL installing layers
    ldap_pvt_sasl_install
    filter: o=butchwax

With -X:
    ldap_msgfree
    SASL username: u:root
    SASL SSF: 56
    SASL installing layers
    ldap_pvt_sasl_install
    filter: o=butchwax

Here it is again.  Then:

With no -X:
[snip 100 more lines]
    do_ldap_select
    read1msg: msgid -1, all 0
    ber_get_next
    tls_read: want=5, got=5
      0000:  15 03 01 00 18                                     .....             
    tls_read: want=24, got=24
      0000:  9a 00 0c 7a c0 76 6e 08  41 42 8a ac ad 8b 01 77   ...z.vn.AB.....w  
      0010:  18 ea cc b4 63 f1 2b d3                            ....c.+.          
    TLS trace: SSL3 alert read:warning:close notify
    sasl_read: want=4, got=0
    ldap_read: want=1, got=0
    ber_get_next failed.
    ldap_perror
    ldap_result: Can't contact LDAP server
    ldap_unbind
    ldap_free_request (origid 6, msgid 6)
    ldap_free_connection
    ldap_send_unbind

And with -X:
[snip same 100 lines]
    do_ldap_select
    read1msg: msgid -1, all 0
    ber_get_next
    tls_read: want=5, got=5
      0000:  17 03 01 00 d0                                     .....             
    tls_read: want=208, got=208
[...]
    sasl_read: want=4, got=4
      0000:  00 00 00 b2                                        ....              
    sasl_read: want=178, got=178
[... and soon we see the results of the query come over.]


What else is needed to debug this?  I'll include any config file
that'll help clear this up.  Thanks for any help!

        John


-- 
John Morris
+1-888-717-4279