[Date Prev][Date Next] [Chronological] [Thread] [Top]

ldapsearch & ldapadd SASL problems

To: openldap-software@OpenLDAP.org
Subject: ldapsearch & ldapadd SASL problems
From: Juliet Kemp <j.kemp@imperial.ac.uk>
Date: Wed, 08 Feb 2006 15:54:50 +0000
User-agent: Mozilla Thunderbird 1.0.7 (X11/20050923)

[apologies; sent from unsubscribed mail address first time round!]
Hi,

I'm trying to set up OpenLDAP + SASL + Kerberos V, on a Debian server.

There seems to be an authentication problem when I try ldapsearch or ldapadd. If I kinit as ldapadm (my admin user) & then do ldapsearch (no filter) I get output with no error messages, but no results back; if I put the 'rootdn' & 'rootpw' options back in slapd.access & execute 'ldapsearch -D [rootdn user]' I get the expected 3 entries back. Looking at the slapd logs (log level 65) the only dubious-looking lines are:

localhost slapd[1484]: ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable)

and

localhost slapd[1486]: bdb_search: 1 does not match filter

(that entry should match the filter!  Similar lines for other entries)

Similarly, ldapadd fails - error message is given in this instance:

ldap_add: Insufficient access (50)
        additional info: no write access to parent

The logs give the same 'Resource temporarily unavailable' line as above. I also get

bdb_dn2entry("uid=test,dc=ph,dc=ic,dc=ac,dc=uk") => bdb_dn2id( "uid=test,dc=ph,dc=ic,dc=ac,dc=uk" ) <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30990)

but I read this (hopefully correctly!) as a check that the 'test' user I'm trying to add doesn't already exist (i.e. the failure is correct).

ldapwhoami gives:

SASL/GSSAPI authentication started
SASL username: ldapadm@PH.IC.AC.UK
SASL SSF: 56
SASL installing layers
dn:uid=ldapadm,ou=people,dc=ph,dc=ic,dc=ac,dc=uk

(which is what I expect)

slapd.access:

access to dn.base="" by * read

# The admin dn has full write access
access to dn.subtree="dc=ph,dc=ic,dc=ac,dc=uk"
        by dn="uid=ldapadm,ou=people,dc=ph,dc=ic,dc=ac,dc=uk" write
        by * read

Any suggestions?  I reproduce the full logs of the ldapsearch underneath.


Many thanks,

Juliet Kemp

Feb 8 13:36:24 localhost slapd[1484]: connection_get(12): got connid=7 Feb 8 13:36:24 localhost slapd[1484]: connection_read(12): checking for input on id=7 Feb 8 13:36:24 localhost slapd[1484]: ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable) Feb 8 13:36:24 localhost slapd[1486]: do_search Feb 8 13:36:24 localhost slapd[1486]: >>> dnPrettyNormal: <> Feb 8 13:36:24 localhost slapd[1486]: <<< dnPrettyNormal: <>, <> Feb 8 13:36:24 localhost slapd[1486]: => send_search_entry: dn="" Feb 8 13:36:24 localhost slapd[1486]: <= send_search_entry Feb 8 13:36:24 localhost slapd[1486]: send_ldap_result: conn=7 op=0 p=3 Feb 8 13:36:24 localhost slapd[1486]: send_ldap_response: msgid=1 tag=101 err=0 Feb 8 13:36:24 localhost slapd[1484]: connection_get(12): got connid=7 Feb 8 13:36:24 localhost slapd[1484]: connection_read(12): checking for input on id=7 Feb 8 13:36:24 localhost slapd[1484]: ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable) Feb 8 13:36:24 localhost slapd[1490]: do_bind Feb 8 13:36:24 localhost slapd[1490]: >>> dnPrettyNormal: <> Feb 8 13:36:24 localhost slapd[1490]: <<< dnPrettyNormal: <>, <> Feb 8 13:36:24 localhost slapd[1490]: do_sasl_bind: dn () mech GSSAPI Feb 8 13:36:24 localhost slapd[1490]: send_ldap_sasl: err=14 len=153 Feb 8 13:36:24 localhost slapd[1490]: send_ldap_response: msgid=2 tag=97 err=14 Feb 8 13:36:24 localhost slapd[1490]: <== slap_sasl_bind: rc=14 Feb 8 13:36:24 localhost slapd[1484]: connection_get(12): got connid=7 Feb 8 13:36:24 localhost slapd[1484]: connection_read(12): checking for input on id=7 Feb 8 13:36:24 localhost slapd[1484]: ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable) Feb 8 13:36:24 localhost slapd[1486]: do_bind Feb 8 13:36:24 localhost slapd[1486]: >>> dnPrettyNormal: <> Feb 8 13:36:24 localhost slapd[1486]: <<< dnPrettyNormal: <>, <> Feb 8 13:36:24 localhost slapd[1486]: do_sasl_bind: dn () mech GSSAPI Feb 8 13:36:24 localhost slapd[1486]: send_ldap_sasl: err=14 len=65 Feb 8 13:36:24 localhost slapd[1486]: send_ldap_response: msgid=3 tag=97 err=14 Feb 8 13:36:24 localhost slapd[1486]: <== slap_sasl_bind: rc=14 Feb 8 13:36:24 localhost slapd[1484]: connection_get(12): got connid=7 Feb 8 13:36:24 localhost slapd[1484]: connection_read(12): checking for input on id=7 Feb 8 13:36:24 localhost slapd[1484]: ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable) Feb 8 13:36:24 localhost slapd[1490]: do_bind Feb 8 13:36:24 localhost slapd[1490]: >>> dnPrettyNormal: <> Feb 8 13:36:24 localhost slapd[1490]: <<< dnPrettyNormal: <>, <> Feb 8 13:36:24 localhost slapd[1490]: do_sasl_bind: dn () mech GSSAPI Feb 8 13:36:24 localhost slapd[1490]: slap_sasl_getdn: u:id converted to uid=ldapadm,cn=PH.IC.AC.UK,cn=GSSAPI,cn=auth Feb 8 13:36:24 localhost slapd[1490]: >>> dnNormalize: <uid=ldapadm,cn=PH.IC.AC.UK,cn=GSSAPI,cn=auth> Feb 8 13:36:24 localhost slapd[1490]: <<< dnNormalize: <uid=ldapadm,cn=ph.ic.ac.uk,cn=gssapi,cn=auth> Feb 8 13:36:24 localhost slapd[1490]: ==>slap_sasl2dn: converting SASL name uid=ldapadm,cn=ph.ic.ac.uk,cn=gssapi,cn=auth to a DN Feb 8 13:36:24 localhost slapd[1490]: slap_sasl_regexp: converting SASL name uid=ldapadm,cn=ph.ic.ac.uk,cn=gssapi,cn=auth Feb 8 13:36:24 localhost slapd[1490]: slap_sasl_regexp: converted SASL name to uid=ldapadm,ou=people,dc=ph,dc=ic,dc=ac,dc=uk Feb 8 13:36:24 localhost slapd[1490]: slap_parseURI: parsing uid=ldapadm,ou=people,dc=ph,dc=ic,dc=ac,dc=uk Feb 8 13:36:24 localhost slapd[1490]: >>> dnNormalize: <uid=ldapadm,ou=people,dc=ph,dc=ic,dc=ac,dc=uk> Feb 8 13:36:24 localhost slapd[1490]: <<< dnNormalize: <uid=ldapadm,ou=people,dc=ph,dc=ic,dc=ac,dc=uk> Feb 8 13:36:24 localhost slapd[1490]: <==slap_sasl2dn: Converted SASL name to uid=ldapadm,ou=people,dc=ph,dc=ic,dc=ac,dc=uk Feb 8 13:36:24 localhost slapd[1490]: getdn: dn:id converted to uid=ldapadm,ou=people,dc=ph,dc=ic,dc=ac,dc=uk Feb 8 13:36:24 localhost slapd[1490]: SASL Authorize [conn=7]: proxy authorization allowed Feb 8 13:36:24 localhost slapd[1490]: send_ldap_sasl: err=0 len=-1 Feb 8 13:36:24 localhost slapd[1490]: send_ldap_response: msgid=4 tag=97 err=0 Feb 8 13:36:24 localhost slapd[1490]: <== slap_sasl_bind: rc=0 Feb 8 13:36:24 localhost slapd[1490]: do_bind: SASL/GSSAPI bind: dn="uid=ldapadm,ou=people,dc=ph,dc=ic,dc=ac,dc=uk" ssf=56 Feb 8 13:36:24 localhost slapd[1484]: connection_get(12): got connid=7 Feb 8 13:36:24 localhost slapd[1484]: connection_read(12): checking for input on id=7 Feb 8 13:36:24 localhost slapd[1484]: ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable) Feb 8 13:36:24 localhost slapd[1486]: do_search Feb 8 13:36:24 localhost slapd[1486]: >>> dnPrettyNormal: <dc=ph,dc=ic,dc=ac,dc=uk> Feb 8 13:36:24 localhost slapd[1486]: <<< dnPrettyNormal: <dc=ph,dc=ic,dc=ac,dc=uk>, <dc=ph,dc=ic,dc=ac,dc=uk> Feb 8 13:36:24 localhost slapd[1486]: ==> limits_get: conn=7 op=4 dn="uid=ldapadm,ou=people,dc=ph,dc=ic,dc=ac,dc=uk" Feb 8 13:36:24 localhost slapd[1486]: => bdb_search Feb 8 13:36:24 localhost slapd[1486]: bdb_dn2entry("dc=ph,dc=ic,dc=ac,dc=uk") Feb 8 13:36:24 localhost slapd[1486]: search_candidates: base="dc=ph,dc=ic,dc=ac,dc=uk" (0x00000001) scope=2 Feb 8 13:36:24 localhost slapd[1486]: => bdb_dn2idl( "dc=ph,dc=ic,dc=ac,dc=uk" ) Feb 8 13:36:24 localhost slapd[1486]: => bdb_presence_candidates (objectClass) Feb 8 13:36:24 localhost slapd[1486]: bdb_search_candidates: id=-1 first=1 last=7 Feb 8 13:36:24 localhost slapd[1486]: bdb_search: 1 does not match filter Feb 8 13:36:24 localhost slapd[1486]: bdb_search: 3 does not match filter Feb 8 13:36:24 localhost slapd[1486]: bdb_search: 5 does not match filter Feb 8 13:36:24 localhost slapd[1486]: send_ldap_result: conn=7 op=4 p=3 Feb 8 13:36:24 localhost slapd[1486]: send_ldap_response: msgid=5 tag=101 err=0 Feb 8 13:36:24 localhost slapd[1484]: connection_get(12): got connid=7 Feb 8 13:36:24 localhost slapd[1484]: connection_read(12): checking for input on id=7 Feb 8 13:36:24 localhost slapd[1484]: ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable) Feb 8 13:36:24 localhost slapd[1490]: do_unbind Feb 8 13:36:24 localhost slapd[1484]: connection_get(12): got connid=7 Feb 8 13:36:24 localhost slapd[1484]: connection_read(12): checking for input on id=7 Feb 8 13:36:24 localhost slapd[1484]: ber_get_next on fd 12 failed errno=0 (Success) Feb 8 13:36:24 localhost slapd[1484]: connection_read(12): input error=-2 id=7, closing. Feb 8 13:36:24 localhost slapd[1484]: connection_closing: readying conn=7 sd=12 for close Feb 8 13:36:24 localhost slapd[1484]: connection_close: deferring conn=7 sd=12 Feb 8 13:36:24 localhost slapd[1490]: connection_resched: attempting closing conn Feb 8 13:36:24 localhost slapd[1490]: connection_close: conn=7 sd=12


--
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ Ms Juliet Kemp                                                +
+ Computer Manager		    star@imperial.ac.uk         +
+ Astrophysics Group                                            +
+ Imperial College                  Tel: +44 (0)20759 47543     +
+ London. SW7 2AZ                   Fax: +44 (0)20759 47541     +
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Follow-Ups:
- Re: ldapsearch & ldapadd SASL problems
  - From: Howard Chu <hyc@symas.com>

Prev by Date: change password event and openLdap
Next by Date: Re: change password event and openLdap
Index(es):
- Chronological
- Thread