
Simple Binds / Invalid credentials



Hi everyone,

I've been working on setting up an enterprise directory
using Heimdal Kerberos and OpenLDAP. The one part I'm stuck
on is getting simple binds to successfully use SASL to
authenticate against Kerberos.  Below I've added some of my
config files, logs, and other output in the hope that someone
will see what I'm missing. (It's probably too much info.)
Also, I know I'm not doing anything over TLS/SSL yet; I'm
just trying to get everything up and running first...

Any help is greatly appreciated.

Grant

[simple bind]

[root@ldap-1 bin]# /usr/local/bin/ldapsearch -x -D
"uid=235807,ou=people,dc=shorter,dc=edu" -w somepass -b
"ou=people,dc=shorter,dc=edu" uid
ldap_bind: Invalid credentials (49)

[ldap log from simple bind]

Sep 20 12:06:26 ldap-1 slapd[1419]: daemon: activity on 1 descriptors
Sep 20 12:06:26 ldap-1 slapd[1419]: daemon: new connection on 9
Sep 20 12:06:26 ldap-1 slapd[1419]: conn=6 fd=9 ACCEPT from
IP=127.0.0.1:51780 (IP=0.0.0.0:389)
Sep 20 12:06:26 ldap-1 slapd[1419]: daemon: added 9r
Sep 20 12:06:26 ldap-1 slapd[1419]: daemon: activity on:
Sep 20 12:06:26 ldap-1 slapd[1419]:
Sep 20 12:06:26 ldap-1 slapd[1419]: daemon: select: listen=6
active_threads=0 tvp=NULL
Sep 20 12:06:26 ldap-1 slapd[1419]: daemon: activity on 1 descriptors
Sep 20 12:06:26 ldap-1 slapd[1419]: daemon: activity on:
Sep 20 12:06:26 ldap-1 slapd[1419]:  9r
Sep 20 12:06:26 ldap-1 slapd[1419]:
Sep 20 12:06:26 ldap-1 slapd[1419]: daemon: read activity on 9
Sep 20 12:06:26 ldap-1 slapd[1419]: connection_get(9)
Sep 20 12:06:26 ldap-1 slapd[1419]: connection_get(9): got connid=6
Sep 20 12:06:26 ldap-1 slapd[1419]: connection_read(9): checking for
input on id=6
Sep 20 12:06:26 ldap-1 slapd[1419]: ber_get_next on fd 9 failed
errno=11 (Resource temporarily unavailable)
Sep 20 12:06:26 ldap-1 slapd[1419]: daemon: select: listen=6
active_threads=0 tvp=NULL
Sep 20 12:06:26 ldap-1 slapd[1419]: do_bind
Sep 20 12:06:26 ldap-1 slapd[1419]: >>> dnPrettyNormal:
<uid=235807,ou=people,dc=shorter,dc=edu>
Sep 20 12:06:26 ldap-1 slapd[1419]: <<< dnPrettyNormal:
<uid=235807,ou=people,dc=shorter,dc=edu>,
<uid=235807,ou=people,dc=shorter,dc=edu>
Sep 20 12:06:26 ldap-1 slapd[1419]: do_bind: version=3
dn="uid=235807,ou=people,dc=shorter,dc=edu" method=128
Sep 20 12:06:26 ldap-1 slapd[1419]: conn=6 op=0 BIND
dn="uid=235807,ou=people,dc=shorter,dc=edu" method=128
Sep 20 12:06:26 ldap-1 slapd[1419]: ==> bdb_bind: dn:
uid=235807,ou=people,dc=shorter,dc=edu
Sep 20 12:06:26 ldap-1 slapd[1419]:
bdb_dn2entry("uid=235807,ou=people,dc=shorter,dc=edu")
Sep 20 12:06:26 ldap-1 slapd[1419]: => access_allowed: auth access to
"uid=235807,ou=people,dc=shorter,dc=edu" "userPassword" requested
Sep 20 12:06:26 ldap-1 slapd[1419]: => acl_get: [1] attr userPassword
Sep 20 12:06:26 ldap-1 slapd[1419]: => acl_mask: access to entry
"uid=235807,ou=people,dc=shorter,dc=edu", attr "userPassword"
requested
Sep 20 12:06:26 ldap-1 slapd[1419]: => acl_mask: to all values by "", (=n)
Sep 20 12:06:26 ldap-1 slapd[1419]: <= check a_dn_pat: self
Sep 20 12:06:26 ldap-1 slapd[1419]: <= check a_dn_pat: anonymous
Sep 20 12:06:26 ldap-1 slapd[1419]: <= acl_mask: [2] applying auth(=x) (stop)
Sep 20 12:06:26 ldap-1 slapd[1419]: <= acl_mask: [2] mask: auth(=x)
Sep 20 12:06:26 ldap-1 slapd[1419]: => access_allowed: auth access
granted by auth(=x)
Sep 20 12:06:26 ldap-1 slapd[1419]: SASL Canonicalize [conn=6]:
authcid="235807@shorter.edu"
Sep 20 12:06:26 ldap-1 slapd[1419]: send_ldap_result: conn=6 op=0 p=3
Sep 20 12:06:26 ldap-1 slapd[1419]: send_ldap_result: err=49 matched="" text=""
Sep 20 12:06:26 ldap-1 slapd[1419]: send_ldap_response: msgid=1 tag=97 err=49
Sep 20 12:06:26 ldap-1 slapd[1419]: conn=6 op=0 RESULT tag=97 err=49 text=
Sep 20 12:06:26 ldap-1 slapd[1419]: daemon: activity on 1 descriptors
Sep 20 12:06:26 ldap-1 slapd[1419]: daemon: activity on:
Sep 20 12:06:26 ldap-1 slapd[1419]:  9r
Sep 20 12:06:26 ldap-1 slapd[1419]:
Sep 20 12:06:26 ldap-1 slapd[1419]: daemon: read activity on 9
Sep 20 12:06:26 ldap-1 slapd[1419]: connection_get(9)
Sep 20 12:06:26 ldap-1 slapd[1419]: connection_get(9): got connid=6
Sep 20 12:06:26 ldap-1 slapd[1419]: connection_read(9): checking for
input on id=6
Sep 20 12:06:26 ldap-1 slapd[1419]: ber_get_next on fd 9 failed
errno=0 (Success)
Sep 20 12:06:26 ldap-1 slapd[1419]: connection_read(9): input error=-2
id=6, closing.
Sep 20 12:06:26 ldap-1 slapd[1419]: connection_closing: readying
conn=6 sd=9 for close
Sep 20 12:06:26 ldap-1 slapd[1419]: connection_close: conn=6 sd=9
Sep 20 12:06:26 ldap-1 slapd[1419]: daemon: removing 9
Sep 20 12:06:26 ldap-1 slapd[1419]: conn=6 fd=9 closed
Sep 20 12:06:26 ldap-1 slapd[1419]: daemon: select: listen=6
active_threads=0 tvp=NULL
Sep 20 12:06:26 ldap-1 slapd[1419]: daemon: activity on 1 descriptors
Sep 20 12:06:26 ldap-1 slapd[1419]: daemon: select: listen=6
active_threads=0 tvp=NULL


[Supported SASL Mechanisms]

[root@ldap-1 bin]# ./ldapsearch -h ldap-1.shorter.edu -x -b "" -s base
-LLL supportedSASLMechanisms
dn:
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: OTP
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: GSSAPI

[testsaslauthd]

[root@ldap-1 saslauthd]# ./testsaslauthd -u 235807 -p somepass
0: OK "Success."

[kinit and GSSAPI ldapsearch]

[root@ldap-1 bin]# ./kinit 235807
235807@SHORTER.EDU's Password:
[root@ldap-1 bin]# ./klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: 235807@SHORTER.EDU

  Issued           Expires          Principal
Sep 20 11:59:03  Sep 20 18:39:03  krbtgt/SHORTER.EDU@SHORTER.EDU
[root@ldap-1 bin]# /usr/local/bin/ldapsearch -Y GSSAPI -b
"ou=people,dc=shorter,dc=edu" uid=235807 dn
SASL/GSSAPI authentication started
SASL username: 235807@SHORTER.EDU
SASL SSF: 56
SASL installing layers
# extended LDIF
#
# LDAPv3
# base <ou=people,dc=shorter,dc=edu> with scope sub
# filter: uid=235807
# requesting: dn
#

# 235807, people, shorter.edu
dn: uid=235807,ou=people,dc=shorter,dc=edu

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1




Here are my build parameters:

[OpenSSL]

config shared

[Heimdal Kerberos 0.7]

CFLAGS='-O2' CXXFLAGS='-O2' ./configure "CCFLAGS=-O2 -D_REENTRANT"
--prefix=/usr/local --enable-shared --with-openssl=/usr/local/ssl
--without-readline --without-openldap --without-hesiod
--disable-berkeley-db --without-ipv6

[BerkeleyDB 4.3.28.NC]

CFLAGS='-O2' CXXFLAGS='-O2' ../dist/configure --prefix=/usr/local
--disable-java --disable-tcl

[SASL 2.1.22]

./configure --with-openssl=/usr/local/ssl
--with-saslauthd=/usr/local/sbin --without-dblib
--enable-gssapi=/usr/local --with-gss_impl=heimdal --enable-login
--enable-shared --disable-krb4 --with-plugindir=/usr/local/lib/sasl2

[OpenLDAP 2.2.27]

./configure  --prefix=/usr/local --disable-ipv6 --with-cyrus-sasl
--with-kerberos --with-tls --enable-monitor --enable-dynamic
--enable-phonetic --enable-slapd --enable-spasswd --enable-rlookups
--enable-wrappers --enable-hdb --enable-dyngroup=yes
--enable-proxycache=yes

Here are my config files and such:

[slapd.conf]

include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/eduperson-200412.ldif
include         /usr/local/etc/openldap/schema/krb5-kdc.schema
include         /usr/local/etc/openldap/schema/misc.schema
include         /usr/local/etc/openldap/schema/openldap.schema

pidfile         /usr/local/var/run/slapd.pid
argsfile        /usr/local/var/run/slapd.args

access to attr=userPassword
        by self write
        by anonymous auth
        by dn.base="cn=Manager,dc=shorter,dc=edu" write
        by * none
access to *
        by self write
        by dn.base="cn=Manager,dc=shorter,dc=edu" write
        by * read

loglevel -1

sasl-regexp
        uid=(.*),cn=shorter.edu,cn=gssapi,cn=auth
        uid=$1,ou=people,dc=shorter,dc=edu

database        bdb
suffix          "dc=shorter,dc=edu"
rootdn          "cn=Manager,dc=shorter,dc=edu"

rootpw          somepass

directory       /usr/local/var/openldap-data

index   objectClass     eq
sasl-host       ldap-1.shorter.edu
sasl-realm      SHORTER.EDU
password-hash   {CLEARTEXT}
sasl-authz-policy both

[krb5.conf]

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = SHORTER.EDU
 dns_lookup_realm = false
 dns_lookup_kdc = false
 default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
 default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
 permittend_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
 kdc_timesync = 1
 ccache_type = 4
 forwardable = true
 proxiable = true

[realms]
 SHORTER.EDU = {
  kdc = ldap-1.shorter.edu:88
  admin_server = ldap-1.shorter.edu:749
  default_domain = shorter.edu
 }

[domain_realm]
 .shorter.edu = SHORTER.EDU
 shorter.edu = SHORTER.EDU

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
   krb4_get_tickets = false
 }

[sasl2 slapd.conf]
pwcheck_method: saslauthd
saslauthd_path: /usr/local/sbin/mux

Here is my sample LDIF entry for a person:

dn: uid=235807,ou=people,dc=shorter,dc=edu
objectClass: top
objectClass: inetOrgPerson
objectClass: eduPerson
objectClass: krb5Principal
objectClass: krb5KDCEntry
cn: 235807
sn: Carmichael
givenName: Grant
displayName: Grant Carmichael
title: Systems Engineer
mail: gcarmichael@shorter.edu
roomNumber: 1234 Some Where
departmentNumber: IT
homePhone: +1 770 387 7777
telephoneNumber: +1 706 233 7777
facsimileTelephoneNumber: +1 706 233 7777
mobile: +1 770 714 7777
pager: +1 770 714 7777
carLicense: 77777
employeeNumber: 235807
givenName: Grant Micajah Carmichael
homePhone: 770-387-7777
o: Shorter College
postOfficeBox: 7777
homePostalAddress: 79 Some Drive Dr.$Some City, GA 77777
postalAddress: 333 Some Ave.
l: Rome
st: GA
postalCode: 77777
uid: 235807
krb5PrincipalName: 235807@SHORTER.EDU
userPassword: {SASL}235807@shorter.edu
eduPersonAffiliation: staff
eduPersonPrimaryAffiliation: staff
eduPersonNickname: Grant
eduPersonOrgDN: dc=shorter,dc=edu
eduPersonOrgUnitDN: ou=People,dc=shorter,dc=edu