ldapsearch & ldapadd SASL problems
[apologies; sent from unsubscribed mail address first time round!]

Hi,

I'm trying to set up OpenLDAP + SASL + Kerberos V, on a Debian server.
There seems to be an authentication problem when I try ldapsearch or
ldapadd. If I kinit as ldapadm (my admin user) & then do ldapsearch (no
filter) I get output with no error messages, but no results back; if I
put the 'rootdn' & 'rootpw' options back in slapd.access & execute
'ldapsearch -D [rootdn user]' I get the expected 3 entries back. Looking
at the slapd logs (log level 65) the only dubious-looking lines are:

  localhost slapd[1484]: ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable)

and

  localhost slapd[1486]: bdb_search: 1 does not match filter

(that entry should match the filter! Similar lines for other entries)

Similarly, ldapadd fails - error message is given in this instance:

  ldap_add: Insufficient access (50)
  additional info: no write access to parent

The logs give the same 'Resource temporarily unavailable' line as above.
I also get

  bdb_dn2entry("uid=test,dc=ph,dc=ic,dc=ac,dc=uk")
  => bdb_dn2id( "uid=test,dc=ph,dc=ic,dc=ac,dc=uk" )
  <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30990)

but I read this (hopefully correctly!) as a check that the 'test' user
I'm trying to add doesn't already exist (i.e. the failure is correct).

ldapwhoami gives:

  SASL/GSSAPI authentication started
  SASL username: ldapadm@PH.IC.AC.UK
  SASL SSF: 56
  SASL installing layers
  dn:uid=ldapadm,ou=people,dc=ph,dc=ic,dc=ac,dc=uk

(which is what I expect)

slapd.access:

  access to dn.base="" by * read
  # The admin dn has full write access
  access to dn.subtree="dc=ph,dc=ic,dc=ac,dc=uk"
      by dn="uid=ldapadm,ou=people,dc=ph,dc=ic,dc=ac,dc=uk" write
      by * read

Any suggestions? I reproduce the full logs of the ldapsearch underneath.

Many thanks,

Juliet Kemp

Feb 8 13:36:24 localhost slapd[1484]: connection_get(12): got connid=7
Feb 8 13:36:24 localhost slapd[1484]: connection_read(12): checking for input on id=7
Feb 8 13:36:24 localhost slapd[1484]: ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable)
Feb 8 13:36:24 localhost slapd[1486]: do_search
Feb 8 13:36:24 localhost slapd[1486]: >>> dnPrettyNormal: <>
Feb 8 13:36:24 localhost slapd[1486]: <<< dnPrettyNormal: <>, <>
Feb 8 13:36:24 localhost slapd[1486]: => send_search_entry: dn=""
Feb 8 13:36:24 localhost slapd[1486]: <= send_search_entry
Feb 8 13:36:24 localhost slapd[1486]: send_ldap_result: conn=7 op=0 p=3
Feb 8 13:36:24 localhost slapd[1486]: send_ldap_response: msgid=1 tag=101 err=0
Feb 8 13:36:24 localhost slapd[1484]: connection_get(12): got connid=7
Feb 8 13:36:24 localhost slapd[1484]: connection_read(12): checking for input on id=7
Feb 8 13:36:24 localhost slapd[1484]: ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable)
Feb 8 13:36:24 localhost slapd[1490]: do_bind
Feb 8 13:36:24 localhost slapd[1490]: >>> dnPrettyNormal: <>
Feb 8 13:36:24 localhost slapd[1490]: <<< dnPrettyNormal: <>, <>
Feb 8 13:36:24 localhost slapd[1490]: do_sasl_bind: dn () mech GSSAPI
Feb 8 13:36:24 localhost slapd[1490]: send_ldap_sasl: err=14 len=153
Feb 8 13:36:24 localhost slapd[1490]: send_ldap_response: msgid=2 tag=97 err=14
Feb 8 13:36:24 localhost slapd[1490]: <== slap_sasl_bind: rc=14
Feb 8 13:36:24 localhost slapd[1484]: connection_get(12): got connid=7
Feb 8 13:36:24 localhost slapd[1484]: connection_read(12): checking for input on id=7
Feb 8 13:36:24 localhost slapd[1484]: ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable)
Feb 8 13:36:24 localhost slapd[1486]: do_bind
Feb 8 13:36:24 localhost slapd[1486]: >>> dnPrettyNormal: <>
Feb 8 13:36:24 localhost slapd[1486]: <<< dnPrettyNormal: <>, <>
Feb 8 13:36:24 localhost slapd[1486]: do_sasl_bind: dn () mech GSSAPI
Feb 8 13:36:24 localhost slapd[1486]: send_ldap_sasl: err=14 len=65
Feb 8 13:36:24 localhost slapd[1486]: send_ldap_response: msgid=3 tag=97 err=14
Feb 8 13:36:24 localhost slapd[1486]: <== slap_sasl_bind: rc=14
Feb 8 13:36:24 localhost slapd[1484]: connection_get(12): got connid=7
Feb 8 13:36:24 localhost slapd[1484]: connection_read(12): checking for input on id=7
Feb 8 13:36:24 localhost slapd[1484]: ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable)
Feb 8 13:36:24 localhost slapd[1490]: do_bind
Feb 8 13:36:24 localhost slapd[1490]: >>> dnPrettyNormal: <>
Feb 8 13:36:24 localhost slapd[1490]: <<< dnPrettyNormal: <>, <>
Feb 8 13:36:24 localhost slapd[1490]: do_sasl_bind: dn () mech GSSAPI
Feb 8 13:36:24 localhost slapd[1490]: slap_sasl_getdn: u:id converted to uid=ldapadm,cn=PH.IC.AC.UK,cn=GSSAPI,cn=auth
Feb 8 13:36:24 localhost slapd[1490]: >>> dnNormalize: <uid=ldapadm,cn=PH.IC.AC.UK,cn=GSSAPI,cn=auth>
Feb 8 13:36:24 localhost slapd[1490]: <<< dnNormalize: <uid=ldapadm,cn=ph.ic.ac.uk,cn=gssapi,cn=auth>
Feb 8 13:36:24 localhost slapd[1490]: ==>slap_sasl2dn: converting SASL name uid=ldapadm,cn=ph.ic.ac.uk,cn=gssapi,cn=auth to a DN
Feb 8 13:36:24 localhost slapd[1490]: slap_sasl_regexp: converting SASL name uid=ldapadm,cn=ph.ic.ac.uk,cn=gssapi,cn=auth
Feb 8 13:36:24 localhost slapd[1490]: slap_sasl_regexp: converted SASL name to uid=ldapadm,ou=people,dc=ph,dc=ic,dc=ac,dc=uk
Feb 8 13:36:24 localhost slapd[1490]: slap_parseURI: parsing uid=ldapadm,ou=people,dc=ph,dc=ic,dc=ac,dc=uk
Feb 8 13:36:24 localhost slapd[1490]: >>> dnNormalize: <uid=ldapadm,ou=people,dc=ph,dc=ic,dc=ac,dc=uk>
Feb 8 13:36:24 localhost slapd[1490]: <<< dnNormalize: <uid=ldapadm,ou=people,dc=ph,dc=ic,dc=ac,dc=uk>
Feb 8 13:36:24 localhost slapd[1490]: <==slap_sasl2dn: Converted SASL name to uid=ldapadm,ou=people,dc=ph,dc=ic,dc=ac,dc=uk
Feb 8 13:36:24 localhost slapd[1490]: getdn: dn:id converted to uid=ldapadm,ou=people,dc=ph,dc=ic,dc=ac,dc=uk
Feb 8 13:36:24 localhost slapd[1490]: SASL Authorize [conn=7]: proxy authorization allowed
Feb 8 13:36:24 localhost slapd[1490]: send_ldap_sasl: err=0 len=-1
Feb 8 13:36:24 localhost slapd[1490]: send_ldap_response: msgid=4 tag=97 err=0
Feb 8 13:36:24 localhost slapd[1490]: <== slap_sasl_bind: rc=0
Feb 8 13:36:24 localhost slapd[1490]: do_bind: SASL/GSSAPI bind: dn="uid=ldapadm,ou=people,dc=ph,dc=ic,dc=ac,dc=uk" ssf=56
Feb 8 13:36:24 localhost slapd[1484]: connection_get(12): got connid=7
Feb 8 13:36:24 localhost slapd[1484]: connection_read(12): checking for input on id=7
Feb 8 13:36:24 localhost slapd[1484]: ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable)
Feb 8 13:36:24 localhost slapd[1486]: do_search
Feb 8 13:36:24 localhost slapd[1486]: >>> dnPrettyNormal: <dc=ph,dc=ic,dc=ac,dc=uk>
Feb 8 13:36:24 localhost slapd[1486]: <<< dnPrettyNormal: <dc=ph,dc=ic,dc=ac,dc=uk>, <dc=ph,dc=ic,dc=ac,dc=uk>
Feb 8 13:36:24 localhost slapd[1486]: ==> limits_get: conn=7 op=4 dn="uid=ldapadm,ou=people,dc=ph,dc=ic,dc=ac,dc=uk"
Feb 8 13:36:24 localhost slapd[1486]: => bdb_search
Feb 8 13:36:24 localhost slapd[1486]: bdb_dn2entry("dc=ph,dc=ic,dc=ac,dc=uk")
Feb 8 13:36:24 localhost slapd[1486]: search_candidates: base="dc=ph,dc=ic,dc=ac,dc=uk" (0x00000001) scope=2
Feb 8 13:36:24 localhost slapd[1486]: => bdb_dn2idl( "dc=ph,dc=ic,dc=ac,dc=uk" )
Feb 8 13:36:24 localhost slapd[1486]: => bdb_presence_candidates (objectClass)
Feb 8 13:36:24 localhost slapd[1486]: bdb_search_candidates: id=-1 first=1 last=7
Feb 8 13:36:24 localhost slapd[1486]: bdb_search: 1 does not match filter
Feb 8 13:36:24 localhost slapd[1486]: bdb_search: 3 does not match filter
Feb 8 13:36:24 localhost slapd[1486]: bdb_search: 5 does not match filter
Feb 8 13:36:24 localhost slapd[1486]: send_ldap_result: conn=7 op=4 p=3
Feb 8 13:36:24 localhost slapd[1486]: send_ldap_response: msgid=5 tag=101 err=0
Feb 8 13:36:24 localhost slapd[1484]: connection_get(12): got connid=7
Feb 8 13:36:24 localhost slapd[1484]: connection_read(12): checking for input on id=7
Feb 8 13:36:24 localhost slapd[1484]: ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable)
Feb 8 13:36:24 localhost slapd[1490]: do_unbind
Feb 8 13:36:24 localhost slapd[1484]: connection_get(12): got connid=7
Feb 8 13:36:24 localhost slapd[1484]: connection_read(12): checking for input on id=7
Feb 8 13:36:24 localhost slapd[1484]: ber_get_next on fd 12 failed errno=0 (Success)
Feb 8 13:36:24 localhost slapd[1484]: connection_read(12): input error=-2 id=7, closing.
Feb 8 13:36:24 localhost slapd[1484]: connection_closing: readying conn=7 sd=12 for close
Feb 8 13:36:24 localhost slapd[1484]: connection_close: deferring conn=7 sd=12
Feb 8 13:36:24 localhost slapd[1490]: connection_resched: attempting closing conn
Feb 8 13:36:24 localhost slapd[1490]: connection_close: conn=7 sd=12
--
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ Ms Juliet Kemp +
+ Computer Manager star@imperial.ac.uk +
+ Astrophysics Group +
+ Imperial College Tel: +44 (0)20759 47543 +
+ London. SW7 2AZ Fax: +44 (0)20759 47541 +
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
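
A log-triage sketch for slapd debug output of the kind quoted in this message, added here as an example and not part of the original post: it rejoins mail-wrapped syslog lines, then pulls out the SASL name, the DN the bind ended up with, the SSF, and which candidate entry IDs the following search rejected. The sample lines are copied from the log above; the function names `unwrap` and `summarize` are this example's own.

```python
import re

# Sample records copied from the log in the post, still wrapped as mailed.
SAMPLE = """\
Feb 8 13:36:24 localhost slapd[1490]: slap_sasl_getdn: u:id converted
to uid=ldapadm,cn=PH.IC.AC.UK,cn=GSSAPI,cn=auth
Feb 8 13:36:24 localhost slapd[1490]: do_bind: SASL/GSSAPI bind:
dn="uid=ldapadm,ou=people,dc=ph,dc=ic,dc=ac,dc=uk" ssf=56
Feb 8 13:36:24 localhost slapd[1486]: ==> limits_get: conn=7 op=4
dn="uid=ldapadm,ou=people,dc=ph,dc=ic,dc=ac,dc=uk"
Feb 8 13:36:24 localhost slapd[1486]: bdb_search: 1 does not match filter
Feb 8 13:36:24 localhost slapd[1486]: bdb_search: 3 does not match filter
Feb 8 13:36:24 localhost slapd[1486]: bdb_search: 5 does not match filter
Feb 8 13:36:24 localhost slapd[1486]: send_ldap_response: msgid=5
tag=101 err=0
"""

PREFIX = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d \S+ slapd\[\d+\]: ?(.*)$")

def unwrap(text):
    """Return slapd messages, joining lines that lack a syslog prefix."""
    records = []
    for line in text.splitlines():
        m = PREFIX.match(line)
        if m:
            records.append(m.group(1))
        elif records and line.strip():
            records[-1] = (records[-1] + " " + line.strip()).strip()
    return records

def summarize(text):
    """Collect bind identity and the outcome of the search that follows it."""
    s = {"sasl_name": None, "bind_dn": None, "ssf": None,
         "search_dn": None, "rejected": [], "sent": 0, "search_err": None}
    for msg in unwrap(text):
        if m := re.match(r"slap_sasl_getdn: u:id converted to (\S+)", msg):
            s["sasl_name"] = m.group(1)
        elif m := re.match(r'do_bind: SASL/\S+ bind: dn="([^"]*)" ssf=(\d+)', msg):
            s["bind_dn"], s["ssf"] = m.group(1), int(m.group(2))
        elif m := re.match(r'==> limits_get: conn=\d+ op=\d+ dn="([^"]*)"', msg):
            s["search_dn"], s["rejected"], s["sent"] = m.group(1), [], 0
        elif m := re.match(r"bdb_search: (\d+) does not match filter", msg):
            s["rejected"].append(int(m.group(1)))
        elif msg.startswith("=> send_search_entry") and s["search_dn"]:
            s["sent"] += 1
        elif s["search_dn"] and (m := re.match(r"send_ldap_response: .*tag=101 err=(\d+)", msg)):
            s["search_err"] = int(m.group(1))  # tag=101 is SearchResultDone
    return s

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On the sample this reports a search run as the mapped DN that finishes with err=0, sends no entries and rejects IDs 1, 3 and 5, which is the "no errors, no results" symptom described in the message.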