
Re: SASL/GSSAPI authentication problems - Invalid credentials



* Dieter Kluenter <dieter@dkluenter.de> [030429 05:24]:
> 
> Test your setup with the cyrus-sasl test-suite. Change to sample
> directory within cyrus-sasl source file. As root start ./server in a
> xterm and as user start "./client -s ldap -m GSSAPI hostname" in a
> second xterm.
> 

The test suite stuff seems to be working properly as well:

.....snip....
---------------------------------------------------------------------------
send: {53}
`3[6][9]*[86]H[86][F7][12][1][2][2][2][1][0][0][FF][FF][FF][FF][F9][AD][DA][91][E4][86]p[F1][96][D9][E5][C6][A7][D9][9F]&g>:y![A3][DB][0][1][0][0][0][4][4][4][4]
recv: {61}
`;[6][9]*[86]H[86][F7][12][1][2][2][2][1][0][0][FF][FF][FF][FF][95][D4][C1][D6][F1][D7][E6]*[C][19][F9]UG[82]?Q[94][AB][E9]]i[A][AF][EB][1][0][0][0]benp[8][8][8][8][8][8][8][8]
successful authentication 'benp'
closing connection
---------------------------------------------------------------------------

But unfortunately I'm still seeing the same error with ldapwhoami:

    [benp@thingone sample]$ ldapwhoami
    SASL/GSSAPI authentication started
    ldap_sasl_interactive_bind_s: Invalid credentials (49)
            additional info: SASL(-13): authentication failure: GSSAPI
    Failure: gss_accept_sec_context

One thing that catches my eye in the debug output from slapd is the dn
"normalization" stuff:

---------------------------------------------------------------------------
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_sasl_bind: dn () mech GSSAPI
conn=0 op=1 BIND dn="" method=163
daemon: select: listen=6 active_threads=1 tvp=NULL
daemon: select: listen=7 active_threads=1 tvp=NULL
send_ldap_result: conn=0 op=1 p=3
send_ldap_response: msgid=2 tag=97 err=49
ber_flush: 87 bytes to sd 13
  0000:  30 55 02 01 02 61 50 0a  01 31 04 00 04 49 53 41 0U...aP..1...ISA
  0010:  53 4c 28 2d 31 33 29 3a  20 61 75 74 68 65 6e 74   SL(-13): authent
  0020:  69 63 61 74 69 6f 6e 20  66 61 69 6c 75 72 65 3a   ication failure:
  0030:  20 47 53 53 41 50 49 20  46 61 69 6c 75 72 65 3a    GSSAPI Failure:
---------------------------------------------------------------------------

The dn is empty, but perhaps that's just because of earlier
authentication errors.

My sasl-regexp at this point looks like this:

    sasl-regexp     uid=(.*),cn=reed.edu,cn=gssapi,cn=auth
                    uid=$1,ou=People,dc=reed,dc=edu

This is really getting tricky!  Any further ideas would be greatly
appreciated!

Ben

-- 
---------------------------------------------------------------------------
Ben Poliakoff                                       email: <benp@reed.edu>
Reed College                                          tel:  (503)-788-6674
Unix System Administrator      PGP key: http://www.reed.edu/~benp/key.html
---------------------------------------------------------------------------
0x6AF52019 fingerprint = A131 F813 7A0F C5B7 E74D  C972 9118 A94D 6AF5 2019
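As an added illustration (not part of the original message or of OpenLDAP's own code), the following Python function reproduces what slapd's sasl-regexp does with the identity SASL hands it after a mechanism exchange has succeeded: it builds the synthetic DN `uid=<authcid>[,cn=<realm>],cn=<mech>,cn=auth`, where the `cn=<realm>` component is only present when the mechanism reported a realm, and then runs the configured regexp rules over it. Two points are worth noting against the post above. First, this mapping is consulted only after GSSAPI negotiation has completed, so a `gss_accept_sec_context` failure is raised before any sasl-regexp is looked at, and the empty bind DN in the slapd trace is consistent with that ordering. Second, the rule in the post only matches if SASL actually supplies `reed.edu` as the realm; if no realm is reported, the DN has no `cn=reed.edu` component and the rule silently does not apply. The case-insensitive matching below is an assumption made here to mirror slapd's regexp handling; the rule text itself is copied from the post.

```python
import re

# The sasl-regexp rule exactly as given in the post (pattern, replacement).
# slapd replacement strings refer to capture groups as $1 .. $9.
SASL_REGEXP_RULES = [
    (r"uid=(.*),cn=reed.edu,cn=gssapi,cn=auth",
     r"uid=$1,ou=People,dc=reed,dc=edu"),
]


def sasl_auth_dn(authcid, mech, realm=None):
    """Build the synthetic authentication DN slapd derives from the SASL
    identity: uid=<authcid>[,cn=<realm>],cn=<mech>,cn=auth.
    The realm component is omitted when the mechanism reported none."""
    parts = [f"uid={authcid}"]
    if realm:
        parts.append(f"cn={realm}")
    parts.append(f"cn={mech.lower()}")
    parts.append("cn=auth")
    return ",".join(parts)


def apply_sasl_regexp(auth_dn, rules=SASL_REGEXP_RULES):
    """Apply sasl-regexp rules in order; the first matching rule wins.
    Returns (resulting_dn, matched). If nothing matches, slapd keeps the
    synthetic cn=auth DN, which then usually maps to no real entry.
    Matching is unanchored (like regexec) and, as an assumption here,
    case-insensitive."""
    for pattern, replacement in rules:
        m = re.search(pattern, auth_dn, re.IGNORECASE)
        if m is None:
            continue

        def expand(group_ref):
            # Substitute $N with the Nth capture group of the match.
            return m.group(int(group_ref.group(1)))

        return re.sub(r"\$(\d)", expand, replacement), True
    return auth_dn, False


def explain(authcid, mech, realm=None):
    """Convenience wrapper: show the intermediate DN and the mapping outcome."""
    dn = sasl_auth_dn(authcid, mech, realm)
    mapped, matched = apply_sasl_regexp(dn)
    return {"auth_dn": dn, "mapped_dn": mapped, "matched": matched}


if __name__ == "__main__":
    # Constructed inputs: the user from the post, with and without a realm.
    for case in (("benp", "GSSAPI", "reed.edu"),
                 ("benp", "GSSAPI", "REED.EDU"),
                 ("benp", "GSSAPI", None)):
        print(explain(*case))
```

Running the block shows the rule mapping `benp` to `uid=benp,ou=People,dc=reed,dc=edu` when a realm of `reed.edu` (in either case) is supplied, and leaving `uid=benp,cn=gssapi,cn=auth` untouched when no realm is supplied. Because slapd's regexec is unanchored and the dots in `reed.edu` are regex metacharacters, a production rule is better written with `^` and `$` anchors and `\.` for the dots; the behaviour shown here uses the rule as posted.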
