[Date Prev][Date Next] [Chronological] [Thread] [Top]

LDAP, SASL2, and KERBEROS5

To: openldap-software@OpenLDAP.org
Subject: LDAP, SASL2, and KERBEROS5
From: O Plameras <oscarp@acay.com.au>
Date: Sat, 21 Aug 2004 10:41:20 +1000
User-agent: Mozilla Thunderbird 0.7.3 (X11/20040803)

Hi,

Got this error,

SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80) additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (No such file or directory)

with commands: [root@otr ssh] ldapsearch -H ldap:/// -b "dc=example,dc=com" ( w/ SASL, NO SSL) [root@otr ssh] ldapsearch -H ldaps:/// -b "dc=example,dc=com" (w/ SASL, w/ SSL) [root@otr ssh] ldapsearch -H ldap:/// -ZZ -b "dc=example,dc=com" (w/SASL,w/SSL)

I get correct (no error like above) results with: [root@otr ssh] ldapsearch -H ldap:/// -b "dc=example,dc=com" -x (no SASL, no SSL) [root@otr ssh] ldapsearch -H ldaps:/// -b "dc=example,dc=com" -x (no SASL,w/SSL) [root@otr ssh] ldapsearch -H ldap:/// -ZZ -b "dc=example,dc=com" -x (no SASL,w/SSL)

I tested GSSAPI/Kerberos5 with SASL as follows:

Server side:

[root@otr ssh]sasl2-sample-server -s host
trying 10, 1, 6
....
....
accepted new connection
send: {48}
PLAIN LOGIN DIGEST-MD5 CRAM-MD5 GSSAPI ANONYMOUS
... lots of  characters
...
successful authentication 'oscar'
closing connection

On client side:
[oscarp@otr oscarp]$ kinit oscar
Password for oscar@NOY.COM.AU:
[oscarp@otr oscarp]$ sasl2-sample-client -s host -m GSSAPI otr.noy.com.au
receiving capability list... recv: {48}
PLAIN LOGIN DIGEST-MD5 CRAM-MD5 GSSAPI ANONYMOUS
PLAIN LOGIN DIGEST-MD5 CRAM-MD5 GSSAPI ANONYMOUS
please enter an authorization id: oscar

.... lots of characters
successful authentication
closing connection

So, SASL/GSSAPI/Kerberos works with test but
does not work with 'ldapsearch' (Openldap)

I have this on my Linux :

[oscarp@otr oscarp]$ rpm -qa | grep sasl
cyrus-sasl-devel-2.1.19-1
cyrus-sasl-gssapi-2.1.19-1
cyrus-sasl-md5-2.1.19-1
cyrus-sasl-2.1.19-1
cyrus-sasl-plain-2.1.19-1
[oscarp@otr oscarp]$ rpm -qa | grep openldap
openldap-devel-2.1.22-8
openldap-clients-2.1.22-8
openldap-servers-2.1.22-8
openldap-2.1.22-8
[oscarp@otr oscarp]$ rpm -qa | grep krb5
krb5-devel-1.3.4-1
krb5-server-1.3.4-1
krb5-workstation-1.3.4-1
pam_krb5-2.0.4-1
krb5-libs-1.3.4-1
$[oscarp@otr oscarp]$ rpm -qa | grep openssl
openssl-0.9.7a-23
openssl-devel-0.9.7a-23
[oscarp@otr oscarp]$

[oscarp@otr oscarp]$ ldapsearch -H ldap:/// -b "" supportedSASLMechanims -x
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (objectclass=*)
# requesting: supportedSASLMechanims
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
[oscarp@otr oscarp]$

Can someone point me into where I'll
check to fix this problem ? Thanks.

O Plameras

Follow-Ups:
- Re: LDAP, SASL2, and KERBEROS5
  - From: Quanah Gibson-Mount <quanah@stanford.edu>
- Re: LDAP, SASL2, and KERBEROS5
  - From: Jose Gonzalez Gomez <jgonzalez@opentechnet.com>
- Re: LDAP, SASL2, and KERBEROS5
  - From: Jose Gonzalez Gomez <jgonzalez@opentechnet.com>

Prev by Date: Also, Re: What is err=52?
Next by Date: Re: LDAP, SASL2, and KERBEROS5
Index(es):
- Chronological
- Thread