Simple Binds / Invalid credentials
- To: OpenLDAP-software@OpenLDAP.org
- Subject: Simple Binds / Invalid credentials
- From: Grant Carmichael <germanshorthairpointer@gmail.com>
- Date: Tue, 20 Sep 2005 13:18:24 -0400
Hi everyone,
I've been working on setting up an enterprise directory
using Heimdal Kerberos and OpenLDAP. The one part I'm stuck
on is getting simple binds to successfully use SASL to
authenticate against Kerberos. Below I've added some of my
config files, logs, and other stuff in the hope that someone
will see what I'm missing. (It's probably too much info.)
Also, I know I'm not doing anything over TLS/SSL yet. I'm
just trying to get everything up and running first...
Any help is greatly appreciated.
Grant
[simple bind]
[root@ldap-1 bin]# /usr/local/bin/ldapsearch -x -D
"uid=235807,ou=people,dc=shorter,dc=edu" -w somepass -b
"ou=people,dc=shorter,dc=edu" uid
ldap_bind: Invalid credentials (49)
[ldap log from simple bind]
Sep 20 12:06:26 ldap-1 slapd[1419]: daemon: activity on 1 descriptors
Sep 20 12:06:26 ldap-1 slapd[1419]: daemon: new connection on 9
Sep 20 12:06:26 ldap-1 slapd[1419]: conn=6 fd=9 ACCEPT from
IP=127.0.0.1:51780 (IP=0.0.0.0:389)
Sep 20 12:06:26 ldap-1 slapd[1419]: daemon: added 9r
Sep 20 12:06:26 ldap-1 slapd[1419]: daemon: activity on:
Sep 20 12:06:26 ldap-1 slapd[1419]:
Sep 20 12:06:26 ldap-1 slapd[1419]: daemon: select: listen=6
active_threads=0 tvp=NULL
Sep 20 12:06:26 ldap-1 slapd[1419]: daemon: activity on 1 descriptors
Sep 20 12:06:26 ldap-1 slapd[1419]: daemon: activity on:
Sep 20 12:06:26 ldap-1 slapd[1419]: 9r
Sep 20 12:06:26 ldap-1 slapd[1419]:
Sep 20 12:06:26 ldap-1 slapd[1419]: daemon: read activity on 9
Sep 20 12:06:26 ldap-1 slapd[1419]: connection_get(9)
Sep 20 12:06:26 ldap-1 slapd[1419]: connection_get(9): got connid=6
Sep 20 12:06:26 ldap-1 slapd[1419]: connection_read(9): checking for
input on id=6
Sep 20 12:06:26 ldap-1 slapd[1419]: ber_get_next on fd 9 failed
errno=11 (Resource temporarily unavailable)
Sep 20 12:06:26 ldap-1 slapd[1419]: daemon: select: listen=6
active_threads=0 tvp=NULL
Sep 20 12:06:26 ldap-1 slapd[1419]: do_bind
Sep 20 12:06:26 ldap-1 slapd[1419]: >>> dnPrettyNormal:
<uid=235807,ou=people,dc=shorter,dc=edu>
Sep 20 12:06:26 ldap-1 slapd[1419]: <<< dnPrettyNormal:
<uid=235807,ou=people,dc=shorter,dc=edu>,
<uid=235807,ou=people,dc=shorter,dc=edu>
Sep 20 12:06:26 ldap-1 slapd[1419]: do_bind: version=3
dn="uid=235807,ou=people,dc=shorter,dc=edu" method=128
Sep 20 12:06:26 ldap-1 slapd[1419]: conn=6 op=0 BIND
dn="uid=235807,ou=people,dc=shorter,dc=edu" method=128
Sep 20 12:06:26 ldap-1 slapd[1419]: ==> bdb_bind: dn:
uid=235807,ou=people,dc=shorter,dc=edu
Sep 20 12:06:26 ldap-1 slapd[1419]:
bdb_dn2entry("uid=235807,ou=people,dc=shorter,dc=edu")
Sep 20 12:06:26 ldap-1 slapd[1419]: => access_allowed: auth access to
"uid=235807,ou=people,dc=shorter,dc=edu" "userPassword" requested
Sep 20 12:06:26 ldap-1 slapd[1419]: => acl_get: [1] attr userPassword
Sep 20 12:06:26 ldap-1 slapd[1419]: => acl_mask: access to entry
"uid=235807,ou=people,dc=shorter,dc=edu", attr "userPassword"
requested
Sep 20 12:06:26 ldap-1 slapd[1419]: => acl_mask: to all values by "", (=n)
Sep 20 12:06:26 ldap-1 slapd[1419]: <= check a_dn_pat: self
Sep 20 12:06:26 ldap-1 slapd[1419]: <= check a_dn_pat: anonymous
Sep 20 12:06:26 ldap-1 slapd[1419]: <= acl_mask: [2] applying auth(=x) (stop)
Sep 20 12:06:26 ldap-1 slapd[1419]: <= acl_mask: [2] mask: auth(=x)
Sep 20 12:06:26 ldap-1 slapd[1419]: => access_allowed: auth access
granted by auth(=x)
Sep 20 12:06:26 ldap-1 slapd[1419]: SASL Canonicalize [conn=6]:
authcid="235807@shorter.edu"
Sep 20 12:06:26 ldap-1 slapd[1419]: send_ldap_result: conn=6 op=0 p=3
Sep 20 12:06:26 ldap-1 slapd[1419]: send_ldap_result: err=49 matched="" text=""
Sep 20 12:06:26 ldap-1 slapd[1419]: send_ldap_response: msgid=1 tag=97 err=49
Sep 20 12:06:26 ldap-1 slapd[1419]: conn=6 op=0 RESULT tag=97 err=49 text=
Sep 20 12:06:26 ldap-1 slapd[1419]: daemon: activity on 1 descriptors
Sep 20 12:06:26 ldap-1 slapd[1419]: daemon: activity on:
Sep 20 12:06:26 ldap-1 slapd[1419]: 9r
Sep 20 12:06:26 ldap-1 slapd[1419]:
Sep 20 12:06:26 ldap-1 slapd[1419]: daemon: read activity on 9
Sep 20 12:06:26 ldap-1 slapd[1419]: connection_get(9)
Sep 20 12:06:26 ldap-1 slapd[1419]: connection_get(9): got connid=6
Sep 20 12:06:26 ldap-1 slapd[1419]: connection_read(9): checking for
input on id=6
Sep 20 12:06:26 ldap-1 slapd[1419]: ber_get_next on fd 9 failed
errno=0 (Success)
Sep 20 12:06:26 ldap-1 slapd[1419]: connection_read(9): input error=-2
id=6, closing.
Sep 20 12:06:26 ldap-1 slapd[1419]: connection_closing: readying
conn=6 sd=9 for close
Sep 20 12:06:26 ldap-1 slapd[1419]: connection_close: conn=6 sd=9
Sep 20 12:06:26 ldap-1 slapd[1419]: daemon: removing 9
Sep 20 12:06:26 ldap-1 slapd[1419]: conn=6 fd=9 closed
Sep 20 12:06:26 ldap-1 slapd[1419]: daemon: select: listen=6
active_threads=0 tvp=NULL
Sep 20 12:06:26 ldap-1 slapd[1419]: daemon: activity on 1 descriptors
Sep 20 12:06:26 ldap-1 slapd[1419]: daemon: select: listen=6
active_threads=0 tvp=NULL
[Supported SASL Mechanisms]
[root@ldap-1 bin]# ./ldapsearch -h ldap-1.shorter.edu -x -b "" -s base
-LLL supportedSASLMechanisms
dn:
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: OTP
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: GSSAPI
[testsaslauthd]
[root@ldap-1 saslauthd]# ./testsaslauthd -u 235807 -p somepass
0: OK "Success."
[kinit and GSSAPI ldapsearch]
[root@ldap-1 bin]# ./kinit 235807
235807@SHORTER.EDU's Password:
[root@ldap-1 bin]# ./klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: 235807@SHORTER.EDU
Issued Expires Principal
Sep 20 11:59:03 Sep 20 18:39:03 krbtgt/SHORTER.EDU@SHORTER.EDU
[root@ldap-1 bin]# /usr/local/bin/ldapsearch -Y GSSAPI -b
"ou=people,dc=shorter,dc=edu" uid=235807 dn
SASL/GSSAPI authentication started
SASL username: 235807@SHORTER.EDU
SASL SSF: 56
SASL installing layers
# extended LDIF
#
# LDAPv3
# base <ou=people,dc=shorter,dc=edu> with scope sub
# filter: uid=235807
# requesting: dn
#
# 235807, people, shorter.edu
dn: uid=235807,ou=people,dc=shorter,dc=edu
# search result
search: 4
result: 0 Success
# numResponses: 2
# numEntries: 1
Here are my build parameters:
[OpenSSL]
config shared
[Heimdal Kerberos 0.7]
CFLAGS='-O2' CXXFLAGS='-O2' ./configure "CCFLAGS=-O2 -D_REENTRANT"
--prefix=/usr/local --enable-shared --with-openssl=/usr/local/ssl
--without-readline --without-openldap --without-hesiod
--disable-berkeley-db --without-ipv6
[BerkeleyDB 4.3.28.NC]
CFLAGS='-O2' CXXFLAGS='-O2' ../dist/configure --prefix=/usr/local
--disable-java --disable-tcl
[SASL 2.1.22]
./configure --with-openssl=/usr/local/ssl
--with-saslauthd=/usr/local/sbin --without-dblib
--enable-gssapi=/usr/local --with-gss_impl=heimdal --enable-login
--enable-shared --disable-krb4 --with-plugindir=/usr/local/lib/sasl2
[OpenLDAP 2.2.27]
./configure --prefix=/usr/local --disable-ipv6 --with-cyrus-sasl
--with-kerberos --with-tls --enable-monitor --enable-dynamic
--enable-phonetic --enable-slapd --enable-spasswd --enable-rlookups
--enable-wrappers --enable-hdb --enable-dyngroup=yes
--enable-proxycache=yes
Here are my config files and such:
[slapd.conf]
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/eduperson-200412.ldif
include /usr/local/etc/openldap/schema/krb5-kdc.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/openldap.schema
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
access to attr=userPassword
    by self write
    by anonymous auth
    by dn.base="cn=Manager,dc=shorter,dc=edu" write
    by * none
access to *
    by self write
    by dn.base="cn=Manager,dc=shorter,dc=edu" write
    by * read
loglevel -1
sasl-regexp
    uid=(.*),cn=shorter.edu,cn=gssapi,cn=auth
    uid=$1,ou=people,dc=shorter,dc=edu
database bdb
suffix "dc=shorter,dc=edu"
rootdn "cn=Manager,dc=shorter,dc=edu"
rootpw somepass
directory /usr/local/var/openldap-data
index objectClass eq
sasl-host ldap-1.shorter.edu
sasl-realm SHORTER.EDU
password-hash {CLEARTEXT}
sasl-authz-policy both
[krb5.conf]
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = SHORTER.EDU
dns_lookup_realm = false
dns_lookup_kdc = false
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
[realms]
SHORTER.EDU = {
kdc = ldap-1.shorter.edu:88
admin_server = ldap-1.shorter.edu:749
default_domain = shorter.edu
}
[domain_realm]
.shorter.edu = SHORTER.EDU
shorter.edu = SHORTER.EDU
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
krb4_get_tickets = false
}
[sasl2 slapd.conf]
pwcheck_method: saslauthd
saslauthd_path: /usr/local/sbin/mux
Here is my sample ldif for a person:
dn: uid=235807,ou=people,dc=shorter,dc=edu
objectClass: top
objectClass: inetOrgPerson
objectClass: eduPerson
objectClass: krb5Principal
objectClass: krb5KDCEntry
cn: 235807
sn: Carmichael
givenName: Grant
displayName: Grant Carmichael
title: Systems Engineer
mail: gcarmichael@shorter.edu
roomNumber: 1234 Some Where
departmentNumber: IT
homePhone: +1 770 387 7777
telephoneNumber: +1 706 233 7777
facsimileTelephoneNumber: +1 706 233 7777
mobile: +1 770 714 7777
pager: +1 770 714 7777
carLicense: 77777
employeeNumber: 235807
givenName: Grant Micajah Carmichael
homePhone: 770-387-7777
o: Shorter College
postOfficeBox: 7777
homePostalAddress: 79 Some Drive Dr.$Some City, GA 77777
postalAddress: 333 Some Ave.
l: Rome
st: GA
postalCode: 77777
uid: 235807
krb5PrincipalName: 235807@SHORTER.EDU
userPassword: {SASL}235807@shorter.edu
eduPersonAffiliation: staff
eduPersonPrimaryAffiliation: staff
eduPersonNickname: Grant
eduPersonOrgDN: dc=shorter,dc=edu
eduPersonOrgUnitDN: ou=People,dc=shorter,dc=edu
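The log above shows the sequence that matters for a {SASL} passthrough bind: a simple BIND (method=128), a "SASL Canonicalize" line proving slapd handed the password to Cyrus SASL, and then RESULT err=49. The script below is an added example, not part of the original post or of OpenLDAP: it correlates those three lines per connection over a constructed log excerpt so a failed passthrough can be told apart from a plain wrong-DN failure. The split of a user@realm value at the last "@" is an assumption for illustration, not a statement of how slapd or libsasl parse it.

```python
import re
from dataclasses import dataclass
from typing import Optional, List, Dict, Tuple

# Constructed excerpt modelled on the slapd log in the post (conn=7 is invented).
SAMPLE_LOG = """\
Sep 20 12:06:26 ldap-1 slapd[1419]: conn=6 fd=9 ACCEPT from IP=127.0.0.1:51780 (IP=0.0.0.0:389)
Sep 20 12:06:26 ldap-1 slapd[1419]: conn=6 op=0 BIND dn="uid=235807,ou=people,dc=shorter,dc=edu" method=128
Sep 20 12:06:26 ldap-1 slapd[1419]: SASL Canonicalize [conn=6]: authcid="235807@shorter.edu"
Sep 20 12:06:26 ldap-1 slapd[1419]: conn=6 op=0 RESULT tag=97 err=49 text=
Sep 20 12:06:26 ldap-1 slapd[1419]: conn=6 fd=9 closed
Sep 20 12:07:01 ldap-1 slapd[1419]: conn=7 op=0 BIND dn="cn=Manager,dc=shorter,dc=edu" method=128
Sep 20 12:07:01 ldap-1 slapd[1419]: conn=7 op=0 RESULT tag=97 err=0 text=
"""

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
CANON_RE = re.compile(r'SASL Canonicalize \[conn=(\d+)\]: authcid="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')

@dataclass
class BindRecord:
    conn: int
    dn: str
    method: int                    # 128 = simple bind
    authcid: Optional[str] = None  # set only when slapd handed the password to SASL
    err: Optional[int] = None      # LDAP result code; 49 = invalidCredentials

def split_sasl_identity(authcid: str, default_realm: str) -> Tuple[str, str]:
    """Assumed split of 'user@realm' at the last '@'; no '@' falls back to default_realm."""
    user, sep, realm = authcid.rpartition("@")
    return (user, realm) if sep else (authcid, default_realm)

def parse_binds(log: str) -> List[BindRecord]:
    """Correlate BIND, SASL Canonicalize and RESULT lines by conn= number."""
    records: Dict[int, BindRecord] = {}
    for line in log.splitlines():
        m = BIND_RE.search(line)
        if m:
            records[int(m.group(1))] = BindRecord(int(m.group(1)), m.group(3), int(m.group(4)))
            continue
        m = CANON_RE.search(line)
        if m and int(m.group(1)) in records:
            records[int(m.group(1))].authcid = m.group(2)
            continue
        m = RESULT_RE.search(line)
        if m and int(m.group(1)) in records:
            records[int(m.group(1))].err = int(m.group(3))
    return list(records.values())

def failed_passthrough_binds(log: str) -> List[BindRecord]:
    """Simple binds that reached SASL (Canonicalize seen) and still got err=49:
    the password check behind SASL rejected them, not the DN lookup."""
    return [r for r in parse_binds(log) if r.method == 128 and r.authcid and r.err == 49]
```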