
RE: "Invalid Credentials" with Heimdal and Cyrus SASL



"Resource temporarily unavailable" is not a critical error. It just means
there's nothing left for slapd to read from the socket, because the client
hasn't sent anything else yet.

Run slapd with debug -d -1 and examine the output from the point the SASL
bind begins to the point where the actual "gss_accept_sec_context" error
message appears.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
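As an added example, not code from the thread or from OpenLDAP, here is a small Python triage script in the spirit of Howard's advice: it isolates the slapd -d -1 lines from the start of the GSSAPI bind to the gss_accept_sec_context failure and marks the "Resource temporarily unavailable" reads as benign. The sample log is constructed and the sasl_bind line shape is an assumption; only the two strings quoted in the thread are taken from it.

```python
import re

# Constructed sample of slapd "-d -1" output, not a real capture. Only the
# "ldap_read ... Resource temporarily unavailable" and "gss_accept_sec_context"
# lines echo the thread; the other line shapes are assumptions.
SAMPLE_LOG = """\
connection_get(12)
do_bind
==> sasl_bind: dn="" mech=GSSAPI datalen=0
ldap_read: want=9 error=Resource temporarily unavailable
ldap_read: want=57, got=57
SASL [conn=12] Failure: gss_accept_sec_context
<== slap_sasl_bind: rc=49
"""

BIND_START = re.compile(r"sasl_bind:.*mech=GSSAPI")      # assumed line shape
GSSAPI_FAILURE = re.compile(r"gss_accept_sec_context")  # the error in the thread
BENIGN = re.compile(r"Resource temporarily unavailable")  # EAGAIN: nothing to read yet


def sasl_window(log_text):
    """Lines from the start of the GSSAPI bind up to and including the
    gss_accept_sec_context failure; [] when either marker is missing."""
    lines = log_text.splitlines()
    start = next((i for i, l in enumerate(lines) if BIND_START.search(l)), None)
    if start is None:
        return []
    for end in range(start, len(lines)):
        if GSSAPI_FAILURE.search(lines[end]):
            return lines[start:end + 1]
    return []


def triage(log_text):
    """Tag each line in the bind window: 'benign' for the EAGAIN reads Howard
    says to ignore, 'failure' for the GSSAPI error, 'context' for the rest."""
    tagged = []
    for line in sasl_window(log_text):
        if BENIGN.search(line):
            tag = "benign"
        elif GSSAPI_FAILURE.search(line):
            tag = "failure"
        else:
            tag = "context"
        tagged.append((tag, line))
    return tagged


if __name__ == "__main__":
    for tag, line in triage(SAMPLE_LOG):
        print(f"{tag:8} {line}")
```

Pipe a real capture into triage() and read the "context" lines between the bind start and the failure; those are the ones that explain why gss_accept_sec_context rejected the token.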

> -----Original Message-----
> From: Ben Poliakoff [mailto:benp@reed.edu]
> Sent: Monday, March 03, 2003 5:26 PM
> To: Howard Chu
> Cc: openldap-software@OpenLDAP.org
> Subject: Re: "Invalid Credentials" with Heimdal and Cyrus SASL
>
>
> My slapd is currently running as root, and it's definitely parsing the
> keytab file.
>
> I turned on debugging in my slapd.  The most obvious errors I see are
> the following:
>
> (the command)
> [benp@thingone benp]$ ldapwhoami
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>         additional info: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
>
> (a snippet of the debug output)
> ldap_read: want=57, got=57
>   0000:  0a 01 00 0a 01 00 02 02  02 bc 02 02 00 96 01 01   ................
>   0010:  00 87 0b 6f 62 6a 65 63  74 63 6c 61 73 73 30 19   ...objectclass0.
>   0020:  04 17 73 75 70 70 6f 72  74 65 64 53 41 53 4c 4d   ..supportedSASLM
>   0030:  65 63 68 61 6e 69 73 6d  73                        echanisms
> ldap_read: want=9 error=Resource temporarily unavailable
>
> The above error should probably tip me off, but I just can't figure out
> what slapd wants to access...
>
> Are there particular debugging options that I should use?
>
> Additional info: Heimdal is built without Berkeley DB, Cyrus
> SASL and OpenLDAP are both built with Berkeley DB 4.1.25.
>
> By the way, the anonymous binds show all of the SASL modules
> available:
>
> ---------------------------------------------------------------------------
> [benp@thingone benp]$ ldapsearch -H ldaps://thingone.reed.edu/ -x -b "" -s base -LLL supportedSASLMechanisms
> dn:
> supportedSASLMechanisms: PLAIN
> supportedSASLMechanisms: GSSAPI
> supportedSASLMechanisms: OTP
> supportedSASLMechanisms: DIGEST-MD5
> supportedSASLMechanisms: CRAM-MD5
> ---------------------------------------------------------------------------
>
>
> * Howard Chu <hyc@highlandsun.com> [030228 14:53]:
> > Make sure your slapd has access to read the keytab file. Make sure your
> > keytab file actually contains a key for the ldap principal. Turn up the debug
> > level on slapd and see what else it complains about, if anything, during the
> > GSSAPI sequence.
> >
> >   -- Howard Chu
> >   Chief Architect, Symas Corp.       Director, Highland Sun
> >   http://www.symas.com               http://highlandsun.com/hyc
> >   Symas: Premier OpenSource Development and Support
> >
> > > -----Original Message-----
> > > From: owner-openldap-software@OpenLDAP.org
> > > [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Ben Poliakoff
> > >
> > > Having been directed towards Heimdal instead of the MIT krb5 libs I'm
> > > now having a different problem with GSSAPI binds.  Slapd is no longer
> > > seg faulting (thank heavens!), but when I try a GSSAPI bind with
> > > ldapsearch I get:
> > >
> > >     SASL/GSSAPI authentication started
> > >     ldap_sasl_interactive_bind_s: Invalid credentials (49)
> > >             additional info: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
> > >
> > > Heimdal seems to be installed properly (per Quanah's recommendation,
> > > it's a snapshot from CVS), and indeed I can get and have tickets.
> > > Heimdal's klist gives me this:
> > >
> > >     Credentials cache: FILE:/tmp/krb5cc_25022_t4AWP0
> > >             Principal: benp@REED.EDU
> > >
> > >       Issued           Expires          Principal
> > >     Feb 28 12:29:33  Feb 28 19:09:33  krbtgt/REED.EDU@REED.EDU
> > >     Feb 28 12:31:37  Feb 28 19:09:33  ldap/MYSERVER.reed.edu@REED.EDU
> > >
> > > I get the same results (Invalid credentials) if I specify a dn with
> > > which to bind.
> > >
> > > Might this be sasl regex related?  My sasl-regex lines in slapd.conf
> > > look like:
> > >
> > >     sasl-regexp
> > >             uid=(.*),cn=reed.edu,cn=gssapi,cn=auth
> > >             uid=$1,ou=Person,dc=reed,dc=edu
> > >
> > > I found what appeared to be someone with the same problem earlier on the
> > > list, but the thread went nowhere:
> > >
> > > http://www.openldap.org/lists/openldap-software/200302/msg00591.html
> > >
> > > Any suggestions would be very much appreciated!
> > >
> > > Ben
> > >
> > > --
> > > ---------------------------------------------------------------------------
> > > Ben Poliakoff                                       email: <benp@reed.edu>
> > > Reed College                                          tel:  (503)-788-6674
> > > Unix System Administrator      PGP key: http://www.reed.edu/~benp/key.html
> > > ---------------------------------------------------------------------------
> > > 0x6AF52019 fingerprint = A131 F813 7A0F C5B7 E74D  C972 9118 A94D 6AF5 2019
>
