[Date Prev][Date Next] [Chronological] [Thread] [Top]

invalid parameter supplied: Error putting OTP secret



Hi,

I have  following problem with configuring openldap to use SASL authentication (GSSAPI mechanism):

shade:/home/prema# ldappasswd -h shade -Y GSSAPI -D uid=curley,cn=MOJEDOMENA,cn=gssapi,cn=auth
SASL/GSSAPI authentication started
SASL username: curley@MOJEDOMENA
SASL SSF: 56
SASL installing layers
New password: fSW3gdZg
Result: Internal (implementation specific) error (80)
Additional info: SASL(-7): invalid parameter supplied: Error putting OTP secret




I have everything installed on one single system (shade) for testing purpose: MIT Kerberos 5 release 1.4.2, cyrus-sasl 2.1.21, openldap 2.3.11.



here is slapd.conf:

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include		/usr/etc/openldap/schema/core.schema
include         /usr/etc/openldap/schema/cosine.schema
include         /usr/etc/openldap/schema/nis.schema
include         /usr/etc/openldap/schema/inetorgperson.schema
include         /usr/etc/openldap/schema/openldap.schema
include         /usr/etc/openldap/schema/ppolicy.schema
include         /usr/etc/openldap/schema/misc.schema


# Define global ACLs to disable default read access.
#olcAccess: to  * by * auth

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral	ldap://root.openldap.org

pidfile		/usr/var/run/slapd.pid
argsfile	/usr/var/run/slapd.args

# Load dynamic backend modules:
# modulepath	/usr/libexec/openldap
# moduleload	back_bdb.la
# moduleload	back_ldap.la
# moduleload	back_ldbm.la
# moduleload	back_passwd.la
# moduleload	back_shell.la

# Sample security restrictions
#	Require integrity protection (prevent hijacking)
#	Require 112-bit (3DES or better) encryption for updates
#	Require 63-bit encryption for simple bind
#security ssf=0 update_ssf=0 simple_bind=0

# Sample access control policy:
#	Root DSE: allow anyone to read it
#	Subschema (sub)entry DSE: allow anyone to read it
#	Other DSEs:
#		Allow self write access
#		Allow authenticated users read access
#		Allow anonymous users to authenticate
#	Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
access to *
	by self write
	by users read
	by anonymous auth

# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
authz-regexp
  uid=([^,]*),cn=MOJEDOMENA,cn=gssapi,cn=auth
  cn=$1,dc=domena,dc=cz


#######################################################################
# BDB database definitions
#######################################################################

database	bdb
suffix		"dc=domena,dc=cz"
rootdn		"cn=mastah,dc=domena,dc=cz"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw		secret
# The database directory MUST exist prior to running slapd AND 
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory	/usr/var/openldap-data
# Indices to maintain

index cn,sn,uid pres,eq,approx,sub
index objectClass eq




------------------------------------------------------------------------
LDIF, user I want authenticate as: 



# curley, domena.cz
dn: cn=curley,dc=domena,dc=cz
ou: MemberGroupB
o: stooges
cn: curley
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
mail: CHoward@isp.com
givenName: Curley
sn: Howard
uid: curley
initials: Joe
homePostalAddress: 14 Cherry Ln.$Plano TX 78888
postalAddress: 2908 Greenville Ave.
l: Dallas
st: TX
postalCode: 75206
pager: 800-555-1319
homePhone: 800-555-1313
telephoneNumber: (800)555-1214
mobile: 800-555-1318
title: Developemnt Engineer
facsimileTelephoneNumber: 800-555-3318
destinationIndicator: /bios/images/choward.jpg
userPassword:: e1NTSEF9V1ArcExYcEdlbU1OQ203NituMklXdEtIdXpPREZWcGI=




--------------------------------------------------------------------------------
and kerberos informations: 



shade:/home/prema# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: curley@MOJEDOMENA

Valid starting     Expires            Service principal
11/25/05 20:55:08  11/25/05 22:35:03  krbtgt/MOJEDOMENA@MOJEDOMENA
11/25/05 20:56:26  11/25/05 22:35:03  ldap/shade@MOJEDOMENA





------------------------------------------------------------------------------------------------
and here is syslog:




Nov 25 20:56:26 shade slapd[7060]: conn=2 fd=11 ACCEPT from IP=192.168.11.48:57405 (IP=0.0.0.0:389) 
Nov 25 20:56:26 shade slapd[7060]: conn=2 op=0 BIND dn="uid=curley,cn=MOJEDOMENA,cn=gssapi,cn=auth" method=163 
Nov 25 20:56:26 shade slapd[7060]: connection_input: conn=2 deferring operation: binding 
Nov 25 20:56:26 shade slapd[7060]: conn=2 op=0 RESULT tag=97 err=14 text= 
Nov 25 20:56:26 shade slapd[7060]: conn=2 op=1 BIND dn="uid=curley,cn=MOJEDOMENA,cn=gssapi,cn=auth" method=163 
Nov 25 20:56:26 shade slapd[7060]: connection_input: conn=2 deferring operation: binding 
Nov 25 20:56:26 shade slapd[7060]: conn=2 op=1 RESULT tag=97 err=14 text= 
Nov 25 20:56:26 shade slapd[7060]: conn=2 op=2 BIND dn="uid=curley,cn=MOJEDOMENA,cn=gssapi,cn=auth" method=163 
Nov 25 20:56:26 shade slapd[7060]: conn=2 op=2 BIND authcid="curley" authzid="curley" 
Nov 25 20:56:26 shade slapd[7060]: connection_input: conn=2 deferring operation: binding 
Nov 25 20:56:26 shade slapd[7060]: conn=2 op=2 RESULT tag=97 err=0 text= 
Nov 25 20:56:27 shade slapd[7060]: conn=2 op=2 BIND dn="uid=curley,cn=gssapi,cn=auth" mech=GSSAPI ssf=56 
Nov 25 20:56:27 shade slapd[7060]: conn=2 op=3 PASSMOD  
Nov 25 20:56:27 shade slapd[7060]: SASL [conn=2] Error: setpass failed for curley: invalid parameter supplied 
Nov 25 20:56:27 shade slapd[7060]: SASL [conn=2] Failure: Error putting OTP secret 
Nov 25 20:56:27 shade slapd[7060]: SASL [conn=2] Error: OTP: failed to set secret for curley: invalid parameter supplied (No such file or directory) 
Nov 25 20:56:27 shade slapd[7060]: conn=2 op=4 UNBIND 
Nov 25 20:56:27 shade slapd[7060]: conn=2 op=3 RESULT oid= err=80 text=SASL(-7): invalid parameter supplied: Error putting OTP secret 
Nov 25 20:56:27 shade slapd[7060]: conn=2 fd=11 closed 





It is question for me, why there are errors wit OTP. Isn't it true that OTP is one-time password mechanism for SASL ? But i' am using GSSAPI (explicitly saying -Y GSSAPI) so why OTP do something. 

Thanks a lot for any help.
Prema