[Date Prev][Date Next] [Chronological] [Thread] [Top]

ldapsearch & ldapadd SASL problems



[apologies; sent from unsubscribed mail address first time round!]
Hi,

I'm trying to set up OpenLDAP + SASL + Kerberos V, on a Debian server.

There seems to be an authentication problem when I try ldapsearch or ldapadd. If I kinit as ldapadm (my admin user) & then do ldapsearch (no filter) I get output with no error messages, but no results back; if I put the 'rootdn' & 'rootpw' options back in slapd.access & execute 'ldapsearch -D [rootdn user]' I get the expected 3 entries back. Looking at the slapd logs (log level 65) the only dubious-looking lines are:

localhost slapd[1484]: ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable)

and

localhost slapd[1486]: bdb_search: 1 does not match filter

(that entry should match the filter!  Similar lines for other entries)

Similarly, ldapadd fails - error message is given in this instance:

ldap_add: Insufficient access (50)
        additional info: no write access to parent

The logs give the same 'Resource temporarily unavailable' line as above. I also get

bdb_dn2entry("uid=test,dc=ph,dc=ic,dc=ac,dc=uk")
=> bdb_dn2id( "uid=test,dc=ph,dc=ic,dc=ac,dc=uk" )
<= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30990)


but I read this (hopefully correctly!) as a check that the 'test' user I'm trying to add doesn't already exist (i.e. the failure is correct).

ldapwhoami gives:

SASL/GSSAPI authentication started
SASL username: ldapadm@PH.IC.AC.UK
SASL SSF: 56
SASL installing layers
dn:uid=ldapadm,ou=people,dc=ph,dc=ic,dc=ac,dc=uk

(which is what I expect)

slapd.access:

access to dn.base="" by * read

# The admin dn has full write access
access to dn.subtree="dc=ph,dc=ic,dc=ac,dc=uk"
        by dn="uid=ldapadm,ou=people,dc=ph,dc=ic,dc=ac,dc=uk" write
        by * read

Any suggestions?  I reproduce the full logs of the ldapsearch underneath.


Many thanks,

Juliet Kemp

Feb 8 13:36:24 localhost slapd[1484]: connection_get(12): got connid=7
Feb 8 13:36:24 localhost slapd[1484]: connection_read(12): checking for input on
id=7
Feb 8 13:36:24 localhost slapd[1484]: ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable)
Feb 8 13:36:24 localhost slapd[1486]: do_search
Feb 8 13:36:24 localhost slapd[1486]: >>> dnPrettyNormal: <>
Feb 8 13:36:24 localhost slapd[1486]: <<< dnPrettyNormal: <>, <>
Feb 8 13:36:24 localhost slapd[1486]: => send_search_entry: dn=""
Feb 8 13:36:24 localhost slapd[1486]: <= send_search_entry
Feb 8 13:36:24 localhost slapd[1486]: send_ldap_result: conn=7 op=0 p=3
Feb 8 13:36:24 localhost slapd[1486]: send_ldap_response: msgid=1 tag=101 err=0
Feb 8 13:36:24 localhost slapd[1484]: connection_get(12): got connid=7
Feb 8 13:36:24 localhost slapd[1484]: connection_read(12): checking for input on
id=7
Feb 8 13:36:24 localhost slapd[1484]: ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable)
Feb 8 13:36:24 localhost slapd[1490]: do_bind
Feb 8 13:36:24 localhost slapd[1490]: >>> dnPrettyNormal: <>
Feb 8 13:36:24 localhost slapd[1490]: <<< dnPrettyNormal: <>, <>
Feb 8 13:36:24 localhost slapd[1490]: do_sasl_bind: dn () mech GSSAPI
Feb 8 13:36:24 localhost slapd[1490]: send_ldap_sasl: err=14 len=153
Feb 8 13:36:24 localhost slapd[1490]: send_ldap_response: msgid=2 tag=97 err=14
Feb 8 13:36:24 localhost slapd[1490]: <== slap_sasl_bind: rc=14
Feb 8 13:36:24 localhost slapd[1484]: connection_get(12): got connid=7
Feb 8 13:36:24 localhost slapd[1484]: connection_read(12): checking for input on
id=7
Feb 8 13:36:24 localhost slapd[1484]: ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable)
Feb 8 13:36:24 localhost slapd[1486]: do_bind
Feb 8 13:36:24 localhost slapd[1486]: >>> dnPrettyNormal: <>
Feb 8 13:36:24 localhost slapd[1486]: <<< dnPrettyNormal: <>, <>
Feb 8 13:36:24 localhost slapd[1486]: do_sasl_bind: dn () mech GSSAPI
Feb 8 13:36:24 localhost slapd[1486]: send_ldap_sasl: err=14 len=65
Feb 8 13:36:24 localhost slapd[1486]: send_ldap_response: msgid=3 tag=97 err=14
Feb 8 13:36:24 localhost slapd[1486]: <== slap_sasl_bind: rc=14
Feb 8 13:36:24 localhost slapd[1484]: connection_get(12): got connid=7
Feb 8 13:36:24 localhost slapd[1484]: connection_read(12): checking for input on
id=7
Feb 8 13:36:24 localhost slapd[1484]: ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable)
Feb 8 13:36:24 localhost slapd[1490]: do_bind
Feb 8 13:36:24 localhost slapd[1490]: >>> dnPrettyNormal: <>
Feb 8 13:36:24 localhost slapd[1490]: <<< dnPrettyNormal: <>, <>
Feb 8 13:36:24 localhost slapd[1490]: do_sasl_bind: dn () mech GSSAPI
Feb 8 13:36:24 localhost slapd[1490]: slap_sasl_getdn: u:id converted to uid=ldapadm,cn=PH.IC.AC.UK,cn=GSSAPI,cn=auth
Feb 8 13:36:24 localhost slapd[1490]: >>> dnNormalize: <uid=ldapadm,cn=PH.IC.AC.UK,cn=GSSAPI,cn=auth>
Feb 8 13:36:24 localhost slapd[1490]: <<< dnNormalize: <uid=ldapadm,cn=ph.ic.ac.uk,cn=gssapi,cn=auth>
Feb 8 13:36:24 localhost slapd[1490]: ==>slap_sasl2dn: converting SASL name uid=ldapadm,cn=ph.ic.ac.uk,cn=gssapi,cn=auth to a DN
Feb 8 13:36:24 localhost slapd[1490]: slap_sasl_regexp: converting SASL name uid=ldapadm,cn=ph.ic.ac.uk,cn=gssapi,cn=auth
Feb 8 13:36:24 localhost slapd[1490]: slap_sasl_regexp: converted SASL name to uid=ldapadm,ou=people,dc=ph,dc=ic,dc=ac,dc=uk
Feb 8 13:36:24 localhost slapd[1490]: slap_parseURI: parsing uid=ldapadm,ou=people,dc=ph,dc=ic,dc=ac,dc=uk
Feb 8 13:36:24 localhost slapd[1490]: >>> dnNormalize: <uid=ldapadm,ou=people,dc=ph,dc=ic,dc=ac,dc=uk>
Feb 8 13:36:24 localhost slapd[1490]: <<< dnNormalize: <uid=ldapadm,ou=people,dc=ph,dc=ic,dc=ac,dc=uk>
Feb 8 13:36:24 localhost slapd[1490]: <==slap_sasl2dn: Converted SASL name to uid=ldapadm,ou=people,dc=ph,dc=ic,dc=ac,dc=uk
Feb 8 13:36:24 localhost slapd[1490]: getdn: dn:id converted to uid=ldapadm,ou=people,dc=ph,dc=ic,dc=ac,dc=uk
Feb 8 13:36:24 localhost slapd[1490]: SASL Authorize [conn=7]: proxy authorization allowed
Feb 8 13:36:24 localhost slapd[1490]: send_ldap_sasl: err=0 len=-1
Feb 8 13:36:24 localhost slapd[1490]: send_ldap_response: msgid=4 tag=97 err=0
Feb 8 13:36:24 localhost slapd[1490]: <== slap_sasl_bind: rc=0
Feb 8 13:36:24 localhost slapd[1490]: do_bind: SASL/GSSAPI bind: dn="uid=ldapadm,ou=people,dc=ph,dc=ic,dc=ac,dc=uk" ssf=56
Feb 8 13:36:24 localhost slapd[1484]: connection_get(12): got connid=7
Feb 8 13:36:24 localhost slapd[1484]: connection_read(12): checking for input on
id=7
Feb 8 13:36:24 localhost slapd[1484]: ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable)
Feb 8 13:36:24 localhost slapd[1486]: do_search
Feb 8 13:36:24 localhost slapd[1486]: >>> dnPrettyNormal: <dc=ph,dc=ic,dc=ac,dc=uk>
Feb 8 13:36:24 localhost slapd[1486]: <<< dnPrettyNormal: <dc=ph,dc=ic,dc=ac,dc=uk>, <dc=ph,dc=ic,dc=ac,dc=uk>
Feb 8 13:36:24 localhost slapd[1486]: ==> limits_get: conn=7 op=4 dn="uid=ldapadm,ou=people,dc=ph,dc=ic,dc=ac,dc=uk"
Feb 8 13:36:24 localhost slapd[1486]: => bdb_search
Feb 8 13:36:24 localhost slapd[1486]: bdb_dn2entry("dc=ph,dc=ic,dc=ac,dc=uk")
Feb 8 13:36:24 localhost slapd[1486]: search_candidates: base="dc=ph,dc=ic,dc=ac,dc=uk" (0x00000001) scope=2
Feb 8 13:36:24 localhost slapd[1486]: => bdb_dn2idl( "dc=ph,dc=ic,dc=ac,dc=uk" )
Feb 8 13:36:24 localhost slapd[1486]: => bdb_presence_candidates (objectClass)
Feb 8 13:36:24 localhost slapd[1486]: bdb_search_candidates: id=-1 first=1 last=7
Feb 8 13:36:24 localhost slapd[1486]: bdb_search: 1 does not match filter
Feb 8 13:36:24 localhost slapd[1486]: bdb_search: 3 does not match filter
Feb 8 13:36:24 localhost slapd[1486]: bdb_search: 5 does not match filter
Feb 8 13:36:24 localhost slapd[1486]: send_ldap_result: conn=7 op=4 p=3
Feb 8 13:36:24 localhost slapd[1486]: send_ldap_response: msgid=5 tag=101 err=0
Feb 8 13:36:24 localhost slapd[1484]: connection_get(12): got connid=7
Feb 8 13:36:24 localhost slapd[1484]: connection_read(12): checking for input on
id=7
Feb 8 13:36:24 localhost slapd[1484]: ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable)
Feb 8 13:36:24 localhost slapd[1490]: do_unbind
Feb 8 13:36:24 localhost slapd[1484]: connection_get(12): got connid=7
Feb 8 13:36:24 localhost slapd[1484]: connection_read(12): checking for input on
id=7
Feb 8 13:36:24 localhost slapd[1484]: ber_get_next on fd 12 failed errno=0 (Success)
Feb 8 13:36:24 localhost slapd[1484]: connection_read(12): input error=-2 id=7, closing.
Feb 8 13:36:24 localhost slapd[1484]: connection_closing: readying conn=7 sd=12 for close
Feb 8 13:36:24 localhost slapd[1484]: connection_close: deferring conn=7 sd=12
Feb 8 13:36:24 localhost slapd[1490]: connection_resched: attempting closing conn
Feb 8 13:36:24 localhost slapd[1490]: connection_close: conn=7 sd=12



-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + Ms Juliet Kemp + + Computer Manager star@imperial.ac.uk + + Astrophysics Group + + Imperial College Tel: +44 (0)20759 47543 + + London. SW7 2AZ Fax: +44 (0)20759 47541 + +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++