
Re: invalid parameter supplied: Error putting OTP secret



This error comes from Cyrus SASL, likely the same
error you would get by running the command:
        saslpasswd -a slapd curley

Note that setting the password of a directory user is
generally independent of the authentication mechanism
used.  I don't recall Cyrus SASL having any ability
to set Kerberos passwords, seems like you should
be using kpasswd(1) instead.  Anyway, none of this
is really specific to OpenLDAP Software.  slapd(8)
just calls sasl_setpass(3) with user "curley" and the
new password and leaves the rest to Cyrus SASL.

Kurt

At 12:10 PM 11/25/2005, rave247 rave247 wrote:
>Hi,
>
>I have the following problem with configuring openldap to use SASL authentication (GSSAPI mechanism):
>
>shade:/home/prema# ldappasswd -h shade -Y GSSAPI -D uid=curley,cn=MOJEDOMENA,cn=gssapi,cn=auth
>SASL/GSSAPI authentication started
>SASL username: curley@MOJEDOMENA
>SASL SSF: 56
>SASL installing layers
>New password: fSW3gdZg
>Result: Internal (implementation specific) error (80)
>Additional info: SASL(-7): invalid parameter supplied: Error putting OTP secret
>
>I have everything installed on one single system (shade) for testing purpose: MIT Kerberos 5 release 1.4.2, cyrus-sasl 2.1.21, openldap 2.3.11.
>
>here is slapd.conf:
>
>#
># See slapd.conf(5) for details on configuration options.
># This file should NOT be world readable.
>#
>include         /usr/etc/openldap/schema/core.schema
>include         /usr/etc/openldap/schema/cosine.schema
>include         /usr/etc/openldap/schema/nis.schema
>include         /usr/etc/openldap/schema/inetorgperson.schema
>include         /usr/etc/openldap/schema/openldap.schema
>include         /usr/etc/openldap/schema/ppolicy.schema
>include         /usr/etc/openldap/schema/misc.schema
>
>
># Define global ACLs to disable default read access.
>#olcAccess: to  * by * auth
>
># Do not enable referrals until AFTER you have a working directory
># service AND an understanding of referrals.
>#referral       ldap://root.openldap.org
>
>pidfile         /usr/var/run/slapd.pid
>argsfile        /usr/var/run/slapd.args
>
># Load dynamic backend modules:
># modulepath    /usr/libexec/openldap
># moduleload    back_bdb.la
># moduleload    back_ldap.la
># moduleload    back_ldbm.la
># moduleload    back_passwd.la
># moduleload    back_shell.la
>
># Sample security restrictions
>#       Require integrity protection (prevent hijacking)
>#       Require 112-bit (3DES or better) encryption for updates
>#       Require 63-bit encryption for simple bind
>#security ssf=0 update_ssf=0 simple_bind=0
>
># Sample access control policy:
>#       Root DSE: allow anyone to read it
>#       Subschema (sub)entry DSE: allow anyone to read it
>#       Other DSEs:
>#               Allow self write access
>#               Allow authenticated users read access
>#               Allow anonymous users to authenticate
>#       Directives needed to implement policy:
># access to dn.base="" by * read
># access to dn.base="cn=Subschema" by * read
>access to *
>        by self write
>        by users read
>        by anonymous auth
>
># if no access controls are present, the default policy
># allows anyone and everyone to read anything but restricts
># updates to rootdn.  (e.g., "access to * by * read")
>#
># rootdn can always read and write EVERYTHING!
>authz-regexp
>  uid=([^,]*),cn=MOJEDOMENA,cn=gssapi,cn=auth
>  cn=$1,dc=domena,dc=cz
>
>
>#######################################################################
># BDB database definitions
>#######################################################################
>
>database        bdb
>suffix          "dc=domena,dc=cz"
>rootdn          "cn=mastah,dc=domena,dc=cz"
># Cleartext passwords, especially for the rootdn, should
># be avoided.  See slappasswd(8) and slapd.conf(5) for details.
># Use of strong authentication encouraged.
>rootpw          secret
># The database directory MUST exist prior to running slapd AND 
># should only be accessible by the slapd and slap tools.
># Mode 700 recommended.
>directory       /usr/var/openldap-data
># Indices to maintain
>
>index cn,sn,uid pres,eq,approx,sub
>index objectClass eq
>
>
>------------------------------------------------------------------------
>LDIF, user I want to authenticate as:
>
># curley, domena.cz
>dn: cn=curley,dc=domena,dc=cz
>ou: MemberGroupB
>o: stooges
>cn: curley
>objectClass: top
>objectClass: person
>objectClass: organizationalPerson
>objectClass: inetOrgPerson
>mail: CHoward@isp.com
>givenName: Curley
>sn: Howard
>uid: curley
>initials: Joe
>homePostalAddress: 14 Cherry Ln.$Plano TX 78888
>postalAddress: 2908 Greenville Ave.
>l: Dallas
>st: TX
>postalCode: 75206
>pager: 800-555-1319
>homePhone: 800-555-1313
>telephoneNumber: (800)555-1214
>mobile: 800-555-1318
>title: Development Engineer
>facsimileTelephoneNumber: 800-555-3318
>destinationIndicator: /bios/images/choward.jpg
>userPassword:: e1NTSEF9V1ArcExYcEdlbU1OQ203NituMklXdEtIdXpPREZWcGI=
>
>--------------------------------------------------------------------------------
>and Kerberos information:
>
>shade:/home/prema# klist
>Ticket cache: FILE:/tmp/krb5cc_0
>Default principal: curley@MOJEDOMENA
>
>Valid starting     Expires            Service principal
>11/25/05 20:55:08  11/25/05 22:35:03  krbtgt/MOJEDOMENA@MOJEDOMENA
>11/25/05 20:56:26  11/25/05 22:35:03  ldap/shade@MOJEDOMENA
>
>------------------------------------------------------------------------------------------------
>and here is syslog:
>
>Nov 25 20:56:26 shade slapd[7060]: conn=2 fd=11 ACCEPT from IP=192.168.11.48:57405 (IP=0.0.0.0:389) 
>Nov 25 20:56:26 shade slapd[7060]: conn=2 op=0 BIND dn="uid=curley,cn=MOJEDOMENA,cn=gssapi,cn=auth" method=163 
>Nov 25 20:56:26 shade slapd[7060]: connection_input: conn=2 deferring operation: binding 
>Nov 25 20:56:26 shade slapd[7060]: conn=2 op=0 RESULT tag=97 err=14 text= 
>Nov 25 20:56:26 shade slapd[7060]: conn=2 op=1 BIND dn="uid=curley,cn=MOJEDOMENA,cn=gssapi,cn=auth" method=163 
>Nov 25 20:56:26 shade slapd[7060]: connection_input: conn=2 deferring operation: binding 
>Nov 25 20:56:26 shade slapd[7060]: conn=2 op=1 RESULT tag=97 err=14 text= 
>Nov 25 20:56:26 shade slapd[7060]: conn=2 op=2 BIND dn="uid=curley,cn=MOJEDOMENA,cn=gssapi,cn=auth" method=163 
>Nov 25 20:56:26 shade slapd[7060]: conn=2 op=2 BIND authcid="curley" authzid="curley" 
>Nov 25 20:56:26 shade slapd[7060]: connection_input: conn=2 deferring operation: binding 
>Nov 25 20:56:26 shade slapd[7060]: conn=2 op=2 RESULT tag=97 err=0 text= 
>Nov 25 20:56:27 shade slapd[7060]: conn=2 op=2 BIND dn="uid=curley,cn=gssapi,cn=auth" mech=GSSAPI ssf=56 
>Nov 25 20:56:27 shade slapd[7060]: conn=2 op=3 PASSMOD  
>Nov 25 20:56:27 shade slapd[7060]: SASL [conn=2] Error: setpass failed for curley: invalid parameter supplied 
>Nov 25 20:56:27 shade slapd[7060]: SASL [conn=2] Failure: Error putting OTP secret 
>Nov 25 20:56:27 shade slapd[7060]: SASL [conn=2] Error: OTP: failed to set secret for curley: invalid parameter supplied (No such file or directory) 
>Nov 25 20:56:27 shade slapd[7060]: conn=2 op=4 UNBIND 
>Nov 25 20:56:27 shade slapd[7060]: conn=2 op=3 RESULT oid= err=80 text=SASL(-7): invalid parameter supplied: Error putting OTP secret 
>Nov 25 20:56:27 shade slapd[7060]: conn=2 fd=11 closed 
>
>It is a question for me why there are errors with OTP. Isn't it true that OTP is a one-time password mechanism for SASL? But I am using GSSAPI (explicitly saying -Y GSSAPI), so why does OTP do something?
>
>Thanks a lot for any help.
>Prema
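
An added example, not part of the thread above and not OpenLDAP or Cyrus SASL code: a small parser that replays the posted slapd syslog excerpt and pulls out, per connection, the identity slapd ended up bound to (mechanism, SSF, DN) and every operation that returned a non-zero result together with the SASL messages logged on that connection. It separates the intermediate err=14 (saslBindInProgress) results, which are normal for a multi-step GSSAPI bind, from the real failure, the PASSMOD with err=80, whose text and accompanying "OTP: failed to set secret" lines show the password change being handed to Cyrus SASL's setpass path rather than to Kerberos. The block also applies the authz-regexp from the posted slapd.conf to the two bind DN forms that appear in the log: the client-supplied `uid=curley,cn=MOJEDOMENA,cn=gssapi,cn=auth` and the `uid=curley,cn=gssapi,cn=auth` form slapd logs on the final BIND line, which the rule as written does not match. The regex emulation is an approximation of slapd's matching written here for illustration, and the log sample is a constructed copy of the lines in the post.

```python
import re
from collections import defaultdict

# Constructed sample input: the slapd syslog lines from the post (trailing
# whitespace trimmed). 'method=163' is LDAP_AUTH_SASL (0xa3).
SAMPLE_LOG = """\
Nov 25 20:56:26 shade slapd[7060]: conn=2 fd=11 ACCEPT from IP=192.168.11.48:57405 (IP=0.0.0.0:389)
Nov 25 20:56:26 shade slapd[7060]: conn=2 op=0 BIND dn="uid=curley,cn=MOJEDOMENA,cn=gssapi,cn=auth" method=163
Nov 25 20:56:26 shade slapd[7060]: connection_input: conn=2 deferring operation: binding
Nov 25 20:56:26 shade slapd[7060]: conn=2 op=0 RESULT tag=97 err=14 text=
Nov 25 20:56:26 shade slapd[7060]: conn=2 op=1 BIND dn="uid=curley,cn=MOJEDOMENA,cn=gssapi,cn=auth" method=163
Nov 25 20:56:26 shade slapd[7060]: conn=2 op=1 RESULT tag=97 err=14 text=
Nov 25 20:56:26 shade slapd[7060]: conn=2 op=2 BIND dn="uid=curley,cn=MOJEDOMENA,cn=gssapi,cn=auth" method=163
Nov 25 20:56:26 shade slapd[7060]: conn=2 op=2 BIND authcid="curley" authzid="curley"
Nov 25 20:56:26 shade slapd[7060]: conn=2 op=2 RESULT tag=97 err=0 text=
Nov 25 20:56:27 shade slapd[7060]: conn=2 op=2 BIND dn="uid=curley,cn=gssapi,cn=auth" mech=GSSAPI ssf=56
Nov 25 20:56:27 shade slapd[7060]: conn=2 op=3 PASSMOD
Nov 25 20:56:27 shade slapd[7060]: SASL [conn=2] Error: setpass failed for curley: invalid parameter supplied
Nov 25 20:56:27 shade slapd[7060]: SASL [conn=2] Failure: Error putting OTP secret
Nov 25 20:56:27 shade slapd[7060]: SASL [conn=2] Error: OTP: failed to set secret for curley: invalid parameter supplied (No such file or directory)
Nov 25 20:56:27 shade slapd[7060]: conn=2 op=4 UNBIND
Nov 25 20:56:27 shade slapd[7060]: conn=2 op=3 RESULT oid= err=80 text=SASL(-7): invalid parameter supplied: Error putting OTP secret
Nov 25 20:56:27 shade slapd[7060]: conn=2 fd=11 closed
"""

# The authz-regexp rule from the posted slapd.conf.
POSTED_RULES = [("uid=([^,]*),cn=MOJEDOMENA,cn=gssapi,cn=auth", "cn=$1,dc=domena,dc=cz")]

OP_RE = re.compile(r'slapd\[\d+\]: conn=(?P<conn>\d+) (?:op=(?P<op>\d+) )?(?P<rest>.*)$')
SASL_RE = re.compile(r'slapd\[\d+\]: SASL \[conn=(?P<conn>\d+)\] (?P<msg>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')

SASL_BIND_IN_PROGRESS = 14  # LDAP result code for an incomplete multi-step SASL bind


def parse_slapd_log(text):
    """Group the stats lines of a slapd log per connection.

    Returns {conn: {"ops": {op: {...}}, "bind": {...}, "sasl": [...]}}.
    The "bind" dict keeps the values from the last BIND line seen, so after a
    completed SASL bind it holds the mech, ssf and the DN slapd bound the
    connection to (the client-supplied -D value is only logged, not used).
    """
    conns = defaultdict(lambda: {"ops": {}, "bind": {}, "sasl": []})
    for line in text.splitlines():
        m = SASL_RE.search(line)
        if m:
            conns[int(m["conn"])]["sasl"].append(m["msg"].strip())
            continue
        m = OP_RE.search(line)
        if not m or m["op"] is None:
            continue  # ACCEPT / closed / lines without an op number
        conn, op, rest = conns[int(m["conn"])], int(m["op"]), m["rest"].strip()
        kind = rest.split(" ", 1)[0]
        kv = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        entry = conn["ops"].setdefault(op, {"type": None})
        if kind == "RESULT":
            entry["err"] = int(kv["err"])
            # text= may contain spaces, so take everything after the key
            entry["text"] = rest.split(" text=", 1)[1] if " text=" in rest else ""
        else:
            entry["type"] = entry["type"] or kind
            if kind == "BIND":
                for key in ("dn", "mech", "ssf", "authcid", "authzid"):
                    if key in kv:
                        conn["bind"][key] = kv[key]
    return dict(conns)


def failed_operations(conns):
    """(conn, op, type, err, text, sasl_messages) for each real failure,
    skipping err=14, which is the expected intermediate SASL bind result."""
    out = []
    for cid, conn in sorted(conns.items()):
        for op, e in sorted(conn["ops"].items()):
            err = e.get("err", 0)
            if err and err != SASL_BIND_IN_PROGRESS:
                out.append((cid, op, e["type"], err, e["text"], list(conn["sasl"])))
    return out


def authz_map(rules, sasl_dn):
    """Approximate slapd's authz-regexp (our emulation, not slapd's code):
    first rule whose pattern matches wins; $N in the replacement is group N.
    slapd matches case-insensitively; anchoring is left to the pattern."""
    for pattern, replacement in rules:
        m = re.search(pattern, sasl_dn, re.IGNORECASE)
        if m:
            return re.sub(r'\$(\d+)', lambda g: m.group(int(g.group(1))), replacement)
    return None


def report(text=SAMPLE_LOG, rules=POSTED_RULES):
    """Human-readable summary: bound identity per connection, then failures."""
    conns = parse_slapd_log(text)
    lines = []
    for cid, conn in sorted(conns.items()):
        b = conn["bind"]
        lines.append(f"conn={cid} bound as {b.get('dn')!r} mech={b.get('mech')} "
                     f"ssf={b.get('ssf')} -> authz-regexp maps to {authz_map(rules, b.get('dn', ''))!r}")
    for cid, op, kind, err, txt, sasl in failed_operations(conns):
        lines.append(f"conn={cid} op={op} {kind} failed err={err}: {txt}")
        lines.extend(f"    SASL: {s}" for s in sasl)
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Run against the sample, the report shows conn=2 bound with mech=GSSAPI ssf=56 as `uid=curley,cn=gssapi,cn=auth`, which the posted authz-regexp maps to nothing (only the realm-qualified form maps to `cn=curley,dc=domena,dc=cz`), and a single real failure, op=3 PASSMOD err=80, with the three SASL lines about the OTP secret attached. The identity-mapping check is independent of the setpass error; it is the kind of thing to confirm before expecting the `by self write` ACL in the posted config to apply to the Kerberos-authenticated user.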