[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Simple bind through GSSAPI issues on Solaris 9
- To: openldap-software@OpenLDAP.org
- Subject: Simple bind through GSSAPI issues on Solaris 9
- From: aay@bellsouth.net
- Date: Mon, 27 Oct 2003 20:41:49 -0500
- User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007
Greetings,
My setup is as follows:
OpenLDAP - 2.1.23
Cyrus SASL - 2.1.15
MIT Kerberos - 1.3.1
After having configured everything "by the book", I can successfully
initiate SASL bind through GSSAPI, by issuing:
# ldapsearch -b "" -s base -LLL supportedSASLMechanisms
SASLMechanisms
SASL/GSSAPI authentication started
SASL username: krbtest@MYREALM.NET
SASL SSF: 56
SASL installing layers
dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: ANONYMOUS
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: OTP
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
Issuing 'klist' yields:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: krbtest@MYREALM.NET
Valid starting Expires Service principal
10/27/03 19:13:39 10/28/03 05:13:39 krbtgt/MYREALM.NET@MYREALM.NET
renew until 10/28/03 19:13:39
10/27/03 19:13:43 10/28/03 05:13:39 ldap/ldapsrv.myrealm.net@MYREALM.NET
renew until 10/28/03 19:13:39
All this suggests that Kerberos is functioning as expected (I'm also
successfully using kerberized client/server apps).
However, I cannot initiate a simple bind through GSSAPI even though I do
have proper entries in the LDAP database:
dn: uid=krbtest,ou=people,dc=myrealm,dc=net
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: krb5Principal
krb5PrincipalName: krbtest@MYREALM.NET
cn: LDAP_Krb5 Tester
givenName: LDAP_Krb5
sn: Tester
mail: krbtest@myrealm.net
telephoneNumber: (222) 333-4444
title: LDAP Kerberos 5 Tester
uid: krbtest
uidNumber: 12335
gidNumber: 12443
userPassword: {KERBEROS}krbtest@MYREALM.NET
homeDirectory: /home/krbtest
loginShell: /no/shell
Furthermore, 'slapd.conf' ACLs are very loose for testing purposes:
access to *
by * read
To further illustrate the fact that I can successfully bypass ACL
restrictions, I also have another user in the database which
does not use GSSAPI for password retrieval, instead it utilizes MD5 in
the userPassword field, and I can succesfully issue:
# ldapsearch -x -D 'uid=sasltest,ou=people,dc=myrealm,dc=net' -W -b ""
-s base -LLL supportedSASLMechanisms
which yields the same results as the SASL bind through GSSAPI mentioned
above.
So, to summarize, everything seems to work, I can populate the database,
modify entries and perform searches on all the data except that I cannot
perform a successful simple bind through GSSAPI. Now, I have searched
the archives, Google groups, and other mediums and unfortunately was not
able to find exactly the same problem description, albeit a few similar
problems which, after many attempts, were to no avail.
So basically, issuing: (see above: 'krbtest' entry in the database is
configured to retrieve password from KDC)
# ldapsearch -x -D 'uid=krbtest,ou=people,dc=myrealm,dc=net' -W -b "" -s
base -LLL supportedSASLMechanisms
yields:
"ldap_bind: Invalid credentials (49)"
on the client, and on the server, with debug level of 256 I get:
Oct 27 19:32:06 ldapsrv slapd[954]: [ID 848112 local4.debug] conn=18
fd=12 ACCEPT from IP=192.168.0.55:33209 (IP=0.0.0.0:636)
Oct 27 19:32:06 ldapsrv slapd[954]: [ID 347666 local4.debug] conn=18
op=0 BIND dn="uid=krbtest,ou=people,dc=myrealm,dc=net" method=128
Oct 27 19:32:06 ldapsrv slapd[954]: [ID 217296 local4.debug] conn=18
op=0 RESULT tag=97 err=49 text=
Oct 27 19:32:06 ldapsrv slapd[954]: [ID 952275 local4.debug] conn=18
fd=12 closed
If anyone has experienced a similar problem, your input would be very
welcome.
TIA,
Alex
P.S: I have built everything from source, if that makes any difference.