ldapsearch: ldap_sasl_interactive_bind_s: Local error (-2)
- To: openldap-software@OpenLDAP.org
- Subject: ldapsearch: ldap_sasl_interactive_bind_s: Local error (-2)
- From: Roman Sommer <roman.sommer@gmail.com>
- Date: Mon, 24 Oct 2005 11:12:56 +0200
Hello everyone,
The topic already says what this is all about, and this is how I achieve this error message...
First of all I do a klist -e -5 to see whether I got a valid TGT ticket or not..
playground:/etc# klist -e -5
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: testuser2@LINUX.LOCAL
Valid starting Expires Service principal
10/24/05 11:06:19 10/24/05 21:06:19 krbtgt/LINUX.LOCAL@LINUX.LOCAL
renew until 10/24/05 21:06:19, Etype (skey, tkt): ArcFour with
HMAC/md5, ArcFour with HMAC/md5
(good)
Next I try a simple (-x) ldapsearch.. (works, good).
Now it's getting more interesting:
playground:/usr/src/# ldapsearch "(cn=test)" -v
ldap_initialize( <DEFAULT> )
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
Unfortunately this error message is not very descriptive.. at least for me.
So I went on and logged some packets..
1. Lightweight Directory Access Protocol, Search Request
Message Id: 1
Message Type: Search Request (0x03)
Message Length: 57
Base DN: (null)
Scope: Base (0x00)
Dereference: Never (0x00)
Size Limit: 0
Time Limit: 0
Attributes Only: False
Filter: (objectclass=*)
Attribute: supportedSASLMechanisms
2. Lightweight Directory Access Protocol, Search Entry
Message Id: 1
Message Type: Search Entry (0x04)
Message Length: 87
Response To: 1
Time: 0.000108000 seconds
Distinguished Name: (null)
Attribute: supportedSASLMechanisms
Value: GSSAPI
Value: GSS-SPNEGO
Value: EXTERNAL
Value: DIGEST-MD5
Lightweight Directory Access Protocol, Search Result
Message Id: 1
Message Type: Search Result (0x05)
Message Length: 7
Response To: 1
Time: 0.000108000 seconds
Result Code: success (0x00)
Matched DN: (null)
Error Message: (null)
3. Lightweight Directory Access Protocol, Bind Request
Message Id: 2
Message Type: Bind Request (0x00)
Message Length: 1201
Version: 3
DN: (null)
Auth Type: SASL (0x03)
Mechanism: GSSAPI
GSS-API Token
GSS-API
OID: 1.2.840.113554.1.2.2 (iso.2.840.113554.1.2.2)
(KRB5 - Kerberos 5)
krb5_blob: 01006E82048730820483A003020105A10302010EA2070305...
krb5_tok_id: KRB5_AP_REQ (0x0001)
Kerberos AP-REQ
Pvno: 5
MSG Type: AP-REQ (14)
Padding: 0
APOptions: 20000000 (Mutual required)
.0.. .... .... .... .... .... .... ....
= Use Session Key: Do NOT use the session key to encrypt the ticket
..1. .... .... .... .... .... .... ....
= Mutual required: MUTUAL authentication is REQUIRED
Ticket
Tkt-vno: 5
Realm: LINUX.LOCAL
Server Name (Service and Host):
ldap/linuxdc.linux.local
Name-type: Service and Host (3)
Name: ldap
Name: linuxdc.linux.local
enc-part rc4-hmac
Encryption type: rc4-hmac (23)
Kvno: 2
enc-part:
1648F15B206A9CE45BA2BFE241AD64662199F48767CFDA4F...
Authenticator rc4-hmac
Encryption type: rc4-hmac (23)
Authenticator data:
7162B1762F025853E4C4F380EA44DD04F960B4AF27660FA2...
4. Lightweight Directory Access Protocol, Bind Result
Message Id: 2
Message Type: Bind Result (0x01)
Message Length: 145
Response To: 1
Time: 0.000811000 seconds
Result Code: saslBindInProgress (0x0e)
Matched DN: (null)
Error Message: (null)
GSS-API Token
GSS-API
OID: 1.2.840.113554.1.2.2 (iso.2.840.113554.1.2.2)
(KRB5 - Kerberos 5)
krb5_blob: 02006F743072A003020105A10302010FA2663064A0030201...
krb5_tok_id: KRB5_AP_REP (0x0002)
Kerberos AP-REP
Pvno: 5
MSG Type: AP-REP (15)
enc-part rc4-hmac
Encryption type: rc4-hmac (23)
enc-part:
83EDCC454952FF26E72D16EFE7A3FA9BDDADBAE9C3B3B9E7...
So everything seems to be just fine except for the last packet, where
it says Result Code: saslBindInProgress (0x0e). In my opinion it
should be something like success (0x00) or similar :)
And again I do a klist -e -5, and here is what I have now:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: testuser2@LINUX.LOCAL
Valid starting Expires Service principal
10/24/05 11:06:19 10/24/05 21:06:19 krbtgt/LINUX.LOCAL@LINUX.LOCAL
renew until 10/24/05 21:06:19, Etype (skey, tkt): ArcFour with
HMAC/md5, ArcFour with HMAC/md5
10/24/05 11:09:59 10/24/05 21:06:19 ldap/linuxdc.linux.local@LINUX.LOCAL
renew until 10/24/05 21:06:19, Etype (skey, tkt): ArcFour with
HMAC/md5, ArcFour with HMAC/md5
So the Kerberos part should be fine, right? At least I have permission
to use the ldap service.. the ticket is present.
Can anyone throw some light on this?
best regards,
Roman
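An added example, not part of Roman's post: it replays the bind messages from the capture above against the SASL/GSSAPI step sequence that RFC 4752 and RFC 4511 prescribe and reports where the exchange stopped. The trace entries are constructed from the capture; the step list is my reading of those RFCs, and the -2 constant is libldap's client-side LDAP_LOCAL_ERROR.

```python
# Replays an LDAP SASL/GSSAPI bind against the step sequence of RFC 4752 and
# RFC 4511 and reports where a captured trace stops.  Result code 14
# (saslBindInProgress) is the normal reply to every bind step except the last.
LDAP_SUCCESS = 0x00
LDAP_SASL_BIND_IN_PROGRESS = 0x0E
LDAP_LOCAL_ERROR = -2  # libldap client-side code; it never appears on the wire

# (sender, what the message carries, result code expected in a server reply)
GSSAPI_BIND_STEPS = [
    ("client", "GSSAPI initial token (Kerberos AP-REQ)", None),
    ("server", "AP-REP token", LDAP_SASL_BIND_IN_PROGRESS),
    ("client", "empty credentials: ask for the security-layer offer", None),
    ("server", "wrapped security-layer / max-size offer", LDAP_SASL_BIND_IN_PROGRESS),
    ("client", "wrapped security-layer choice and authorization identity", None),
    ("server", "bind complete", LDAP_SUCCESS),
]

# Constructed from the capture in the post: the rootDSE query for
# supportedSASLMechanisms (messages 1-2) precedes the only bind round trip.
CAPTURED_TRACE = [
    {"op": "SearchRequest", "sender": "client", "result": None},
    {"op": "SearchResult", "sender": "server", "result": LDAP_SUCCESS},
    {"op": "BindRequest", "sender": "client", "result": None},
    {"op": "BindResponse", "sender": "server", "result": LDAP_SASL_BIND_IN_PROGRESS},
]

def diagnose(trace):
    """Match the bind messages in trace against GSSAPI_BIND_STEPS in order."""
    bind_msgs = [m for m in trace if m["op"] in ("BindRequest", "BindResponse")]
    done, deviations = 0, []
    for msg, (sender, what, expected) in zip(bind_msgs, GSSAPI_BIND_STEPS):
        if msg["sender"] != sender or msg["result"] != expected:
            deviations.append(f"step {done + 1}: got {msg}, expected {sender}: {what}")
            break
        done += 1
    complete = done == len(GSSAPI_BIND_STEPS)
    next_party = None if complete else GSSAPI_BIND_STEPS[done][0]
    # Conformant server replies plus a missing client message = local abort.
    return {
        "steps_completed": done,
        "complete": complete,
        "deviations": deviations,
        "next_party": next_party,
        "client_side_abort": not complete and not deviations and next_party == "client",
    }

if __name__ == "__main__":
    r = diagnose(CAPTURED_TRACE)
    print(f"completed {r['steps_completed']}/{len(GSSAPI_BIND_STEPS)} bind steps; "
          f"next message due from: {r['next_party']}; local abort: {r['client_side_abort']}")
```

For the captured exchange the server's saslBindInProgress reply is the expected second step, and the next message was due from the client, so the "Local error (-2)" corresponds to the client stopping before it sent the third bind request.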