
GSSAPI Binds openldap 2.1.12



I am having an issue with getting my gssapi/sasl binds working. I was wondering
if someone could give me a little insight:

ldapsearch -Y GSSAPI -b 'dc=csic,dc=umd,dc=edu' '(uid=derek)'

Here is the server output:

Jan 22 14:43:36 queasy slapd[10595]: conn=0 fd=13 ACCEPT from IP=127.0.0.1:56125 (IP=0.0.0.0:389) 
Jan 22 14:43:36 queasy slapd[10604]: conn=0 op=0 BIND dn="" method=163 
Jan 22 14:43:36 queasy slapd[10604]: conn=0 op=1 BIND dn="" method=163 
Jan 22 14:43:36 queasy slapd[10604]: conn=0 op=2 BIND dn="" method=163 
Jan 22 14:43:36 queasy slapd[10604]: conn=0 op=2 BIND authcid="derek" 
Jan 22 14:43:36 queasy slapd[10604]: conn=0 op=2 AUTHZ dn="uid=derek,ou=staff,dc=csic,dc=umd,dc=edu" mech=GSSAPI ssf=56 
Jan 22 14:43:36 queasy slapd[10604]: conn=0 op=3 SRCH base="ou=staff,dc=csic,dc=umd,dc=edu" scope=2 filter="(uid=derek)" 
Jan 22 14:43:36 queasy slapd[10604]: <= bdb_equality_candidates: index_param failed (18) 
Jan 22 14:43:36 queasy slapd[10604]: conn=0 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text= 
Jan 22 14:43:36 queasy slapd[10604]: conn=0 op=4 UNBIND 
Jan 22 14:43:36 queasy slapd[10604]: conn=0 fd=13 closed 

----------------------------------------------------------
derek@queasy:~> /csic/openldap/bin/ldapsearch -Y GSSAPI -b 'ou=staff,dc=csic,dc=umd,dc=edu' '(uid=derek)'
SASL/GSSAPI authentication started
SASL SSF: 56
SASL installing layers
# extended LDIF
#
# LDAPv3
# base <ou=staff,dc=csic,dc=umd,dc=edu> with scope sub
# filter: (uid=derek)
# requesting: ALL
#

# search result
search: 4
result: 0 Success

# numResponses: 1
----------------------------------------------------------

But it doesn't return anything, whereas a normal bind does return something:

----------------------------------------------------------
derek@queasy:~> /csic/openldap/bin/ldapsearch -x -D 'cn=staff,dc=csic,dc=umd,dc=edu' -b 'dc=csic,dc=umd,dc=edu' -W '(uid=derek)'
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <dc=csic,dc=umd,dc=edu> with scope sub
# filter: (uid=derek)
# requesting: ALL
#

# derek, staff, csic.umd.edu
dn: uid=derek,ou=staff,dc=csic,dc=umd,dc=edu
objectClass: csicAccount
objectClass: account
cn: Derek Yarnell
uid: derek
uidNumber: 2174
gidNumber: 10
homeDirectory: /afs/csic/staff/derek
loginShell: /bin/tcsh
mailHost: cs.umd.edu
mailRoutingAddress: derek@cs.umd.edu
mailLocalAddress: derek@cs.umd.edu

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
----------------------------------------------------------

Here is my sasl-regexp:


sasl-regexp     uid=(.*),cn=gssapi,cn=auth
                uid=$1,ou=staff,dc=csic,dc=umd,dc=edu


and the only other access control I have:

access to attr=loginShell,gecos,cn,mailroutingaddress
        by dn="cn=staff,dc=csic,dc=umd,dc=edu"
        by self write
        by users read

Thanks for any help.


-- 
---
Derek T. Yarnell
University of Maryland
Computer Science Department Unix Staff
derek@cs.umd.edu
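As an added example that is not part of the post above, the following Python models the two slapd mechanisms the post relies on: how a sasl-regexp rewrites the GSSAPI authentication identity (uid=derek,cn=gssapi,cn=auth) into an entry DN, and how slapd evaluates the posted access directive for a given bound DN and attribute (first directive whose target covers the attribute, first matching by-clause within it, and the implicit trailing `access to * by * none` once any access directive is present). The omitted level on the cn=staff by-clause is read as write, and the who-matching is simplified; both are assumptions of this model, not something the page states.

```python
import re

# Access levels in slapd's order: a grant at one level implies all lower ones.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# The sasl-regexp from the post, as (pattern, replacement); slapd writes
# back-references as $1, which the mapper converts to Python's \1.
SASL_REGEXPS = [
    (r"uid=(.*),cn=gssapi,cn=auth", "uid=$1,ou=staff,dc=csic,dc=umd,dc=edu"),
]

# The single access directive from the post. The cn=staff clause names no
# level; this model reads the omitted level as "write" (assumption).
ACLS = [
    {"attrs": {"loginshell", "gecos", "cn", "mailroutingaddress"},
     "by": [("dn", "cn=staff,dc=csic,dc=umd,dc=edu", "write"),
            ("self", None, "write"),
            ("users", None, "read")]},
]

def map_sasl_identity(authcid, mech="gssapi", regexps=SASL_REGEXPS):
    """Form the identity slapd derives from a SASL bind and run it through
    the sasl-regexp list; the first matching rule wins."""
    sasl_dn = f"uid={authcid},cn={mech},cn=auth"
    for pattern, replacement in regexps:
        if re.fullmatch(pattern, sasl_dn):
            py_repl = re.sub(r"\$(\d)", r"\\\1", replacement)
            return re.sub(pattern, py_repl, sasl_dn)
    return sasl_dn  # unmapped identities stay under cn=auth

def _who_matches(who, arg, bound_dn, entry_dn):
    if who == "*":
        return True
    if who == "users":  # any authenticated (non-anonymous) identity
        return bound_dn != ""
    if who == "self":  # the bound DN is the entry being accessed
        return bound_dn.lower() == entry_dn.lower()
    return who == "dn" and bound_dn.lower() == arg.lower()

def check_access(bound_dn, entry_dn, attr, wanted, acls=ACLS):
    """First directive covering the attribute decides; within it the first
    matching by-clause grants its level; anything else is denied."""
    for acl in acls:
        if attr.lower() in acl["attrs"]:
            for who, arg, level in acl["by"]:
                if _who_matches(who, arg, bound_dn, entry_dn):
                    return LEVELS.index(level) >= LEVELS.index(wanted)
            return False  # directive matched, no by-clause matched
    return False  # implicit trailing "access to * by * none"
```

Under this model, attributes the directive does not name (uid, objectClass) are not searchable or readable by any bound DN, which is the kind of outcome slapd's ACL debug level (-d 128) makes visible per attribute.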