[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
invalid parameter supplied: Error putting OTP secret
Hi,
I have following problem with configuring openldap to use SASL authentication (GSSAPI mechanism):
shade:/home/prema# ldappasswd -h shade -Y GSSAPI -D uid=curley,cn=MOJEDOMENA,cn=gssapi,cn=auth
SASL/GSSAPI authentication started
SASL username: curley@MOJEDOMENA
SASL SSF: 56
SASL installing layers
New password: fSW3gdZg
Result: Internal (implementation specific) error (80)
Additional info: SASL(-7): invalid parameter supplied: Error putting OTP secret
I have everything installed on one single system (shade) for testing purpose: MIT Kerberos 5 release 1.4.2, cyrus-sasl 2.1.21, openldap 2.3.11.
here is slapd.conf:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/etc/openldap/schema/core.schema
include /usr/etc/openldap/schema/cosine.schema
include /usr/etc/openldap/schema/nis.schema
include /usr/etc/openldap/schema/inetorgperson.schema
include /usr/etc/openldap/schema/openldap.schema
include /usr/etc/openldap/schema/ppolicy.schema
include /usr/etc/openldap/schema/misc.schema
# Define global ACLs to disable default read access.
#olcAccess: to * by * auth
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /usr/var/run/slapd.pid
argsfile /usr/var/run/slapd.args
# Load dynamic backend modules:
# modulepath /usr/libexec/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
#security ssf=0 update_ssf=0 simple_bind=0
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
access to *
by self write
by users read
by anonymous auth
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
authz-regexp
uid=([^,]*),cn=MOJEDOMENA,cn=gssapi,cn=auth
cn=$1,dc=domena,dc=cz
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=domena,dc=cz"
rootdn "cn=mastah,dc=domena,dc=cz"
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/var/openldap-data
# Indices to maintain
index cn,sn,uid pres,eq,approx,sub
index objectClass eq
------------------------------------------------------------------------
LDIF, user I want authenticate as:
# curley, domena.cz
dn: cn=curley,dc=domena,dc=cz
ou: MemberGroupB
o: stooges
cn: curley
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
mail: CHoward@isp.com
givenName: Curley
sn: Howard
uid: curley
initials: Joe
homePostalAddress: 14 Cherry Ln.$Plano TX 78888
postalAddress: 2908 Greenville Ave.
l: Dallas
st: TX
postalCode: 75206
pager: 800-555-1319
homePhone: 800-555-1313
telephoneNumber: (800)555-1214
mobile: 800-555-1318
title: Developemnt Engineer
facsimileTelephoneNumber: 800-555-3318
destinationIndicator: /bios/images/choward.jpg
userPassword:: e1NTSEF9V1ArcExYcEdlbU1OQ203NituMklXdEtIdXpPREZWcGI=
--------------------------------------------------------------------------------
and kerberos informations:
shade:/home/prema# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: curley@MOJEDOMENA
Valid starting Expires Service principal
11/25/05 20:55:08 11/25/05 22:35:03 krbtgt/MOJEDOMENA@MOJEDOMENA
11/25/05 20:56:26 11/25/05 22:35:03 ldap/shade@MOJEDOMENA
------------------------------------------------------------------------------------------------
and here is syslog:
Nov 25 20:56:26 shade slapd[7060]: conn=2 fd=11 ACCEPT from IP=192.168.11.48:57405 (IP=0.0.0.0:389)
Nov 25 20:56:26 shade slapd[7060]: conn=2 op=0 BIND dn="uid=curley,cn=MOJEDOMENA,cn=gssapi,cn=auth" method=163
Nov 25 20:56:26 shade slapd[7060]: connection_input: conn=2 deferring operation: binding
Nov 25 20:56:26 shade slapd[7060]: conn=2 op=0 RESULT tag=97 err=14 text=
Nov 25 20:56:26 shade slapd[7060]: conn=2 op=1 BIND dn="uid=curley,cn=MOJEDOMENA,cn=gssapi,cn=auth" method=163
Nov 25 20:56:26 shade slapd[7060]: connection_input: conn=2 deferring operation: binding
Nov 25 20:56:26 shade slapd[7060]: conn=2 op=1 RESULT tag=97 err=14 text=
Nov 25 20:56:26 shade slapd[7060]: conn=2 op=2 BIND dn="uid=curley,cn=MOJEDOMENA,cn=gssapi,cn=auth" method=163
Nov 25 20:56:26 shade slapd[7060]: conn=2 op=2 BIND authcid="curley" authzid="curley"
Nov 25 20:56:26 shade slapd[7060]: connection_input: conn=2 deferring operation: binding
Nov 25 20:56:26 shade slapd[7060]: conn=2 op=2 RESULT tag=97 err=0 text=
Nov 25 20:56:27 shade slapd[7060]: conn=2 op=2 BIND dn="uid=curley,cn=gssapi,cn=auth" mech=GSSAPI ssf=56
Nov 25 20:56:27 shade slapd[7060]: conn=2 op=3 PASSMOD
Nov 25 20:56:27 shade slapd[7060]: SASL [conn=2] Error: setpass failed for curley: invalid parameter supplied
Nov 25 20:56:27 shade slapd[7060]: SASL [conn=2] Failure: Error putting OTP secret
Nov 25 20:56:27 shade slapd[7060]: SASL [conn=2] Error: OTP: failed to set secret for curley: invalid parameter supplied (No such file or directory)
Nov 25 20:56:27 shade slapd[7060]: conn=2 op=4 UNBIND
Nov 25 20:56:27 shade slapd[7060]: conn=2 op=3 RESULT oid= err=80 text=SASL(-7): invalid parameter supplied: Error putting OTP secret
Nov 25 20:56:27 shade slapd[7060]: conn=2 fd=11 closed
It is question for me, why there are errors wit OTP. Isn't it true that OTP is one-time password mechanism for SASL ? But i' am using GSSAPI (explicitly saying -Y GSSAPI) so why OTP do something.
Thanks a lot for any help.
Prema