
Re: OpenLDAP with GSSAPI problem



Hello Turbo,

    Yes, OpenLDAP is linked with the system libraries (for Kerberos and
GSSAPI). The SASL libraries are not shown in the ldd output because I compiled
OpenLDAP with static SASL libraries and not with shared ones.

    All other mechanisms like CRAM-MD5 and DIGEST-MD5 are working fine. So I
do not think the problem is in the SASL library linking with OpenLDAP. Am I right?

The SASL is also linked with Kerberos and GSSAPI in the same way, and it is
working fine with GSSAPI.
Here is the SASL GSSAPI sample-server, sample-client output:
sample-server:
--------------
# ./sample-server -s ldap -p ../plugins/.libs
Generating client mechanism list...
Sending list of 6 mechanism(s)
S: UExBSU4gT1RQIEdTU0FQSSBESUdFU1QtTUQ1IENSQU0tTUQ1IEFOT05ZTU9VUw==
Waiting for client mechanism...
C:
got 'GSSAPI'
Sending response...
S:
YGgGCSqGSIb3EgECAgIAb1kwV6ADAgEFoQMCAQ+iSzBJoAMCAQGiQgRANjiHYCkAd4A4yVUKpTag
ItWlmdm8Fk6L2iTWaIRGFOKIrFzpA5HTAZfo4KC/8eNx827IfQrBginJl82tQP0MDw==
Waiting for client reply...
C:
got 'GSSAPI'
Sending response...
S: YDMGCSqGSIb3EgECAgIBAAD/////It7xnkdYQT2+ooiDJiJ3s1WHNEs1CkVkBwAIAAQEBAQ=
Waiting for client reply...
C:
YDsGCSqGSIb3EgECAgIBAAD/////E8JAsYGtSDRsEUleShNKeCFchgOEW87fBAAIAHMwMDEICAgI
CAgICA==
got '`; *H÷'
Negotiation complete
Username: s001
Realm:
SSF: 56
sending encrypted message 'srv message 1'
S:
AAAAPWA7BgkqhkiG9xIBAgICAQAAAAD//5xGlEWd9d3qUGBj5uUGmdj/066bRUJXkbkIIUd8wNvx
AvdwIksT7OQ=
Waiting for encrypted message...
C:
AAAARWBDBgkqhkiG9xIBAgICAQAAAAD//zHo/Nujmnoctz7p63VaKladrizagdiatZKpaV9Goszy
jHSNbimCElgYODQHqUFfhg==
got ''
recieved decoded message 'client message 1'

sample-client:
--------------
# ./sample-client -s ldap -n krishna.kovaiteam.com -u s001 -p ../plugins/.libs
service=ldap
Waiting for mechanism list from server...
S: UExBSU4gT1RQIEdTU0FQSSBESUdFU1QtTUQ1IENSQU0tTUQ1IEFOT05ZTU9VUw==
recieved 46 byte message
Choosing best mechanism from: PLAIN OTP GSSAPI DIGEST-MD5 CRAM-MD5 ANONYMOUS
returning OK: s001
Using mechanism GSSAPI
Preparing initial.
Sending initial response...
C:
R1NTQVBJAGCCAdsGCSqGSIb3EgECAgEAboIByjCCAcagAwIBBaEDAgEOogcDBQAgAAAAo4IBDmGC
AQowggEGoAMCAQWhDxsNS09WQUlURUFNLkNPTaIoMCagAwIBA6EfMB0bBGxkYXAbFWtyaXNobmEu
a292YWl0ZWFtLmNvbaOBwzCBwKADAgEBoQMCAQGigbMEgbBEH3r4Kj5Ln3gswgnxV1gx0ZJJbign
ByWRGrvvhj+7CATg3oylUpvlWGkjw+afkNIJPfouWGt8LEItC+dwf1lQN1+pPCOPRtxO0zBDsR2l
gz6ekbeB91o+5AOQ8sJRrqQk4yPT5hI83PAl8hu3FKFJo9U77anpKXLPh9UcBzNQWWILxRdDAS3l
TIDQxiuDXEJU/eKlWvd+LQ9zDaQOQJZvxnZlL3U5NJhxCN10Zi3OKqSBnjCBm6ADAgEBooGTBIGQ
jvqvCxIRxjiN659mUiBFZ9UaD/ixOJE1pakVovqM62YauGRpZq87q93zwnc22pXG5rjIN2hKMMup
DoMZLqIHP54kTnT2c6UhIjQI881NvGLJuBOAB8M8QdwISdBPIrA+LnxEKEsLY9NbX8QMSVI5Gt59
k+iDb3BM2katHIkwdRbsUyKoOvyLI4HfE8n2307C
Waiting for server reply...
S:
YGgGCSqGSIb3EgECAgIAb1kwV6ADAgEFoQMCAQ+iSzBJoAMCAQGiQgRANjiHYCkAd4A4yVUKpTag
ItWlmdm8Fk6L2iTWaIRGFOKIrFzpA5HTAZfo4KC/8eNx827IfQrBginJl82tQP0MDw==
recieved 106 byte message
C:
Waiting for server reply...
S: YDMGCSqGSIb3EgECAgIBAAD/////It7xnkdYQT2+ooiDJiJ3s1WHNEs1CkVkBwAIAAQEBAQ=
recieved 53 byte message
Sending response...
C:
YDsGCSqGSIb3EgECAgIBAAD/////E8JAsYGtSDRsEUleShNKeCFchgOEW87fBAAIAHMwMDEICAgI
CAgICA==
Negotiation complete
Username: s001
SSF: 56
Waiting for encoded message...
S:
AAAAPWA7BgkqhkiG9xIBAgICAQAAAAD//5xGlEWd9d3qUGBj5uUGmdj/066bRUJXkbkIIUd8wNvx
AvdwIksT7OQ=
recieved 65 byte message
recieved decoded message 'srv message 1'
sending encrypted message 'client message 1'
C:
AAAARWBDBgkqhkiG9xIBAgICAQAAAAD//zHo/Nujmnoctz7p63VaKladrizagdiatZKpaV9Goszy
jHSNbimCElgYODQHqUFfhg==

Thanks,
-Shaick.

> Quoting "Shaick" <shaick_mlist1@lycos.co.uk>:
>
> > 5. HP-UX 11.11 comes with default Kerberos and GSSAPI libraries with
> >    it. It does not come with SASL or LDAP.
> >    In openldap compilation I used the system default kerberos and
> >    libraries.
> >
> >    Note:- Cyrus SASL sample-server/client worked fine with this build.
> >
> > 6. My ldd out for the libldap libraries is,
> > # ldd libldap.sl.2
> >         /usr/lib/libc.2 =>      /usr/lib/libc.2
> >         /usr/lib/libdld.2 =>    /usr/lib/libdld.2
> >         /usr/lib/libc.2 =>      /usr/lib/libc.2
> >         /usr/lib/libgss.sl =>   /usr/lib/libgss.sl
> >         /vob/hpux_buildenv/hp700_ux1111/usr/lib/libdld.2 =>    /usr/lib/libdld.2
> >         /vob/hpux_buildenv/hp700_ux1111/usr/lib/libc.2 =>      /usr/lib/libc.2
> >         /usr/lib/libcom_err.sl =>       /usr/lib/libcom_err.sl
> >         /usr/lib/libk5crypto.sl =>      /usr/lib/libk5crypto.sl
> >         /usr/lib/libkrb5.sl =>  /usr/lib/libkrb5.sl
> >         /usr/lib/libcom_err.sl =>       /usr/lib/libcom_err.sl
> >         /usr/lib/libk5crypto.sl =>      /usr/lib/libk5crypto.sl
> >         /usr/lib/libnsl.1 =>    /usr/lib/libnsl.1
> >         /usr/lib/libxti.2 =>    /usr/lib/libxti.2
> >         /opt/iexpress/openldap/lib/liblber.sl.2 =>      /opt/iexpress/openldap/lib/liblber.sl.2
> >         /usr/lib/libc.2 =>      /usr/lib/libc.2
>
> Don't know exactly what this means, since I'm not sure what is HP-UX
> libs and what's not, but the fourth lib (/usr/lib/libgss.sl) seems
> 'strange' to me. But that's maybe because it was ten years since I
> logged into a HP-UX last :)
>
> But since it's in /usr/lib, it must be a 'system library' (ie, included
> with the Operating System). And if the OpenLDAP lib is linked with this,
> and then later with the kerberos libs from the system (/usr/lib/libkrb5.sl)
> etc, and NOT (?) with the cyrus sasl lib (which SHOULD be called libsasl.so.7,
> at least it is on my Linux system) there might be some mismatches...
>
> I'm not sure, but this all looks like you're compiling/linking your OpenLDAP
> binaries/libraries with the wrong Kerberos and/or SASL libs...
>
> You better ask someone that knows HP-UX...
>
> > But still i got the same error,
> > # ldapsearch -Y GSSAPI
> > SASL/GSSAPI authentication started
> > ldap_sasl_interactive_bind_s: Invalid credentials (49)
> >         additional info: SASL(-13): authentication failure: GSSAPI Failure
>
> Since it says 'GSSAPI Failure', mismatches in the libraries don't sound
> too far-fetched to me...
>
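A check that follows from Turbo's library-mismatch suggestion, added here and not part of the thread: compare the Kerberos/GSSAPI/SASL libraries that libldap and the SASL GSSAPI plugin actually resolve to in ldd output. The libldap listing is the one quoted in the thread; the plugin listing is a constructed, hypothetical mismatched build, and the `name => path` field layout of ldd output is assumed.

```shell
#!/bin/sh
# Added example, not code from the thread: compare which Kerberos/GSSAPI/SASL
# libraries two ldd listings resolve to, so a mixed-stack link shows up before
# chasing "SASL(-13): authentication failure: GSSAPI Failure".

# Constructed input 1: the libldap.sl.2 lines from the thread (HP-UX ldd).
LIBLDAP_LDD='        /usr/lib/libgss.sl =>   /usr/lib/libgss.sl
        /usr/lib/libcom_err.sl =>       /usr/lib/libcom_err.sl
        /usr/lib/libk5crypto.sl =>      /usr/lib/libk5crypto.sl
        /usr/lib/libkrb5.sl =>  /usr/lib/libkrb5.sl
        /usr/lib/libcom_err.sl =>       /usr/lib/libcom_err.sl
        /usr/lib/libnsl.1 =>    /usr/lib/libnsl.1
        /opt/iexpress/openldap/lib/liblber.sl.2 =>      /opt/iexpress/openldap/lib/liblber.sl.2'

# Constructed input 2: a hypothetical Cyrus SASL GSSAPI plugin built against a
# separately installed Kerberos stack under /opt/krb5 (not from the thread).
SASL_GSSAPI_LDD='        /opt/krb5/lib/libgssapi_krb5.sl =>      /opt/krb5/lib/libgssapi_krb5.sl
        /opt/krb5/lib/libkrb5.sl =>     /opt/krb5/lib/libkrb5.sl
        /usr/lib/libk5crypto.sl =>      /usr/lib/libk5crypto.sl
        /usr/lib/libcom_err.sl =>       /usr/lib/libcom_err.sl
        /usr/lib/libc.2 =>      /usr/lib/libc.2'

# krb_deps: read ldd output on stdin, print "family resolved_path" for every
# Kerberos/GSSAPI/SASL library (libkrb5.sl -> family libkrb5), deduplicated.
krb_deps() {
    awk '/=>/ {
        n = $1; sub(/.*\//, "", n)                 # basename of requested lib
        if (n ~ /^lib(gss|gssapi_krb5|krb5|k5crypto|com_err|sasl2?)\./) {
            fam = n; sub(/\..*/, "", fam)          # strip .sl / .so.N suffix
            print fam, $3
        }
    }' | LC_ALL=C sort -u
}

# krb_mismatch LDD_A LDD_B: print, space separated, the families that resolve
# to different paths in A and B or that exist in only one of them. Empty
# output means both objects share one Kerberos/GSSAPI stack.
krb_mismatch() {
    { printf '%s\n' "$1" | krb_deps; printf '%s\n' "$2" | krb_deps; } |
        LC_ALL=C sort | uniq -u | awk 'NF { print $1 }' | LC_ALL=C sort -u |
        tr '\n' ' ' | sed 's/ $//'
}

# Report for the two constructed listings: libgss libgssapi_krb5 libkrb5
krb_mismatch "$LIBLDAP_LDD" "$SASL_GSSAPI_LDD"
```

On a real system, feed it `ldd libldap.sl.2` and `ldd plugins/.libs/libgssapiv2.sl` (or the statically linked slapd/ldapsearch binaries themselves); any family listed is a candidate for the mismatch Turbo describes.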