Re: "Invalid Credentials" with Heimdal and Cyrus SASL
Perhaps my attempted SASL bind isn't mapping to a valid DN?
Here's some of the debug output from slapd -d -1:
---------------------------------------------------------------------------
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_sasl_bind: dn () mech GSSAPI
conn=0 op=1 BIND dn="" method=163
==> sasl_bind: dn="" mech=GSSAPI datalen=467
send_ldap_result: conn=0 op=1 p=3
send_ldap_result: err=49 matched="" text="SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context"
send_ldap_response: msgid=2 tag=97 err=49
ber_flush: 87 bytes to sd 13
---------------------------------------------------------------------------
For what it's worth the acl on this installation is just set to:
access to * by * read
Ben
* Howard Chu <hyc@highlandsun.com> [030303 17:50]:
> "Resource temporarily unavailable" is not a critical error. It just means
> there's nothing left for slapd to read from the socket, because the client
> hasn't sent anything else yet.
>
> Run slapd with debug -d -1 and examine the output from the point the SASL
> bind begins to the point where the actual "gss_accept_sec_context" error
> message appears.
>
> -- Howard Chu
> Chief Architect, Symas Corp. Director, Highland Sun
> http://www.symas.com http://highlandsun.com/hyc
> Symas: Premier OpenSource Development and Support
>
> > -----Original Message-----
> > From: Ben Poliakoff [mailto:benp@reed.edu]
> > Sent: Monday, March 03, 2003 5:26 PM
> > To: Howard Chu
> > Cc: openldap-software@OpenLDAP.org
> > Subject: Re: "Invalid Credentials" with Heimdal and Cyrus SASL
> >
> >
> > My slapd is currently running as root, and it's definitely parsing the
> > keytab file.
> >
> > I turned on debugging in my slapd. The most obvious errors I see are
> > the following:
> >
> > (the command)
> > [benp@thingone benp]$ ldapwhoami
> > SASL/GSSAPI authentication started
> > ldap_sasl_interactive_bind_s: Invalid credentials (49)
> > additional info: SASL(-13): authentication failure: GSSAPI
> > Failure: gss_accept_sec_context
> >
> > (a snippet of the debug output)
> > ldap_read: want=57, got=57
> > 0000: 0a 01 00 0a 01 00 02 02 02 bc 02 02 00 96 01 01 ................
> > 0010: 00 87 0b 6f 62 6a 65 63 74 63 6c 61 73 73 30 19 ...objectclass0.
> > 0020: 04 17 73 75 70 70 6f 72 74 65 64 53 41 53 4c 4d ..supportedSASLM
> > 0030: 65 63 68 61 6e 69 73 6d 73 echanisms
> > ldap_read: want=9 error=Resource temporarily unavailable
> >
> > The above error should probably tip me off, but I just can't figure out
> > what slapd wants to access...
> >
> > Are there particular debugging options that I should use?
> >
> > Additional info: Heimdal is built without Berkeley DB, Cyrus
> > SASL and OpenLDAP are both built with Berkeley DB 4.1.25.
> >
> > By the way, the anonymous binds show all of the SASL modules
> > available:
> >
> > ---------------------------------------------------------------------------
> > [benp@thingone benp]$ ldapsearch -H ldaps://thingone.reed.edu/ -x -b "" -s base -LLL supportedSASLMechanisms
> > dn:
> > supportedSASLMechanisms: PLAIN
> > supportedSASLMechanisms: GSSAPI
> > supportedSASLMechanisms: OTP
> > supportedSASLMechanisms: DIGEST-MD5
> > supportedSASLMechanisms: CRAM-MD5
> > ---------------------------------------------------------------------------
> >
> >
> > * Howard Chu <hyc@highlandsun.com> [030228 14:53]:
> > > Make sure your slapd has access to read the keytab file. Make sure your
> > > keytab file actually contains a key for the ldap principal. Turn up the debug
> > > level on slapd and see what else it complains about, if anything, during the
> > > GSSAPI sequence.
> > >
> > > -- Howard Chu
> > > Chief Architect, Symas Corp. Director, Highland Sun
> > > http://www.symas.com http://highlandsun.com/hyc
> > > Symas: Premier OpenSource Development and Support
> > >
> > > > -----Original Message-----
> > > > From: owner-openldap-software@OpenLDAP.org
> > > > [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Ben Poliakoff
> > > >
> > > > Having been directed towards Heimdal instead of the MIT krb5 libs I'm
> > > > now having a different problem with GSSAPI binds. Slapd is no longer
> > > > seg faulting (thank heavens!), but when I try a GSSAPI bind with
> > > > ldapsearch I get:
> > > >
> > > > SASL/GSSAPI authentication started
> > > > ldap_sasl_interactive_bind_s: Invalid credentials (49)
> > > > additional info: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
> > > >
> > > > Heimdal seems to be installed properly (per Quanah's recommendation,
> > > > it's a snapshot from CVS), and indeed I can get and have tickets.
> > > > Heimdal's klist gives me this:
> > > >
> > > > Credentials cache: FILE:/tmp/krb5cc_25022_t4AWP0
> > > > Principal: benp@REED.EDU
> > > >
> > > > Issued           Expires          Principal
> > > > Feb 28 12:29:33  Feb 28 19:09:33  krbtgt/REED.EDU@REED.EDU
> > > > Feb 28 12:31:37  Feb 28 19:09:33  ldap/MYSERVER.reed.edu@REED.EDU
> > > >
> > > > I get the same results (Invalid credentials) if I specify a dn with
> > > > which to bind.
> > > >
> > > > Might this be sasl regex related? My sasl-regex lines in slapd.conf
> > > > look like:
> > > >
> > > > sasl-regexp
> > > > uid=(.*),cn=reed.edu,cn=gssapi,cn=auth
> > > > uid=$1,ou=Person,dc=reed,dc=edu
> > > >
> > > > I found what appeared to be someone with the same problem earlier on the
> > > > list, but the thread went nowhere:
> > > >
> > > > http://www.openldap.org/lists/openldap-software/200302/msg00591.html
> > > >
> > > > Any suggestions would be very much appreciated!
> > > >
> > > > Ben
> > > >
> > > > --
> > > > ---------------------------------------------------------------------------
> > > > Ben Poliakoff                  email: <benp@reed.edu>
> > > > Reed College                   tel: (503)-788-6674
> > > > Unix System Administrator      PGP key: http://www.reed.edu/~benp/key.html
> > > > ---------------------------------------------------------------------------
> > > > 0x6AF52019 fingerprint = A131 F813 7A0F C5B7 E74D C972 9118 A94D 6AF5 2019
> > > >
> >
> > --
> > ---------------------------------------------------------------------------
> > Ben Poliakoff                  email: <benp@reed.edu>
> > Reed College                   tel: (503)-788-6674
> > Unix System Administrator      PGP key: http://www.reed.edu/~benp/key.html
> > ---------------------------------------------------------------------------
> > 0x6AF52019 fingerprint = A131 F813 7A0F C5B7 E74D C972 9118 A94D 6AF5 2019
--
---------------------------------------------------------------------------
Ben Poliakoff                  email: <benp@reed.edu>
Reed College                   tel: (503)-788-6674
Unix System Administrator      PGP key: http://www.reed.edu/~benp/key.html
---------------------------------------------------------------------------
0x6AF52019 fingerprint = A131 F813 7A0F C5B7 E74D C972 9118 A94D 6AF5 2019
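Ben's question at the top of the thread is whether the GSSAPI bind is being mapped to a valid DN by the sasl-regexp quoted in his original message. The Python script below is an added example, not code from the thread or from OpenLDAP: it parses the sasl-regexp directive out of a constructed slapd.conf fragment (SLAPD_CONF, this example's own text), builds the authorization identity slapd forms for a SASL user (uid=<user>,cn=<realm>,cn=<mech>,cn=auth), and applies the rule the way slapd does: case-insensitive match (slapd compiles the pattern with REG_ICASE, which is why a lowercase cn=reed.edu in the rule can match the uppercase Kerberos realm REED.EDU), first matching rule wins, $N substituted from the capture groups, and an identity no rule matches left as-is. Anchoring the match to the whole identity string is this example's own choice. What the script makes visible is the order of operations: the mapping only runs after the SASL mechanism exchange succeeds, whereas the err=49 in the debug output above is raised inside gss_accept_sec_context, in the GSSAPI step itself, so a wrong or non-matching regexp would not produce that error; it would instead leave the connection bound as the unmapped uid=...,cn=auth identity, which the ACL (access to * by * read) then governs.

```python
import re

# Constructed slapd.conf fragment (this example's own, modelled on the
# sasl-regexp quoted in the thread).  slapd treats a line that starts with
# whitespace as a continuation of the previous directive.
SLAPD_CONF = """\
# map SASL/GSSAPI identities onto entries under ou=Person
sasl-regexp
    uid=(.*),cn=reed.edu,cn=gssapi,cn=auth
    uid=$1,ou=Person,dc=reed,dc=edu
"""


def parse_sasl_regexps(conf):
    """Return the (pattern, replacement) pairs of every sasl-regexp directive."""
    logical = []
    for raw in conf.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:          # continuation line
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    rules = []
    for line in logical:
        parts = line.split()
        # authz-regexp is the newer spelling of the same directive
        if parts[0].lower() in ("sasl-regexp", "authz-regexp") and len(parts) == 3:
            rules.append((parts[1], parts[2]))
    return rules


def sasl_authz_id(user, realm, mech="gssapi"):
    """The authorization identity slapd forms for a SASL user before mapping."""
    return f"uid={user},cn={realm},cn={mech},cn=auth"


def map_identity(authz_id, rules):
    """Apply sasl-regexp rules in order; the first match wins.

    Returns (dn, matched).  Matching is case-insensitive, as in slapd
    (REG_ICASE).  Anchoring to the full string is this example's choice.
    If no rule matches, slapd keeps the unmapped cn=auth identity, and so
    does this function.
    """
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, authz_id, re.IGNORECASE)
        if m is None:
            continue
        # expand $1, $2, ... from the capture groups of the matched pattern
        dn = re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), replacement)
        return dn, True
    return authz_id, False


if __name__ == "__main__":
    rules = parse_sasl_regexps(SLAPD_CONF)
    # the realm from the thread, plus a constructed realm that no rule covers
    for user, realm in (("benp", "REED.EDU"), ("benp", "OTHER.EXAMPLE")):
        ident = sasl_authz_id(user, realm)
        dn, ok = map_identity(ident, rules)
        print(f"{ident} -> {dn} ({'mapped' if ok else 'unmapped'})")
```

Run it as-is to see the identity from Ben's klist output land on uid=benp,ou=Person,dc=reed,dc=edu while the unmatched realm stays in its cn=auth form; to check a real installation, paste the sasl-regexp lines from the running slapd.conf into SLAPD_CONF and feed the principal that klist shows.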