
openldap + kerberos simple bind invalid credentials
krb5-libs 1.2.5
openldap 2.2.15
cyrus-sasl 2.1.10
(will be upgrading to latest stable releases this summer)

I am attempting to enable simple binds through ldap for some applications. All of our passwords are stored in a kerberos database, all of our users have the userPassword field populated with {SASL}uid@REALM.EXAMPLE.COM, and krb5PrincipalName populated with uid@REALM.EXAMPLE.COM. I am getting no entries in my krb5kdc.log file - indicating to me that the simple bind is not even trying to query the kerberos database. I'm leaning toward the possibility that my sasl-regexp is wrong or that one of my configuration files is missing a parameter. Any ideas?

I have included in this email output from a SASL ldapsearch, a simple bind ldapsearch, ldapwhoami, and some local configuration files - as well as the ldapsearch with debug level "-1".

Thank you!

testsaslauthd successful:

./testsaslauthd -u user -p password
0: OK "Success."

Simple Bind is not working:

ldapsearch -x -D "uid=username,ou=People,dc=example,dc=com" -W -s sub -b "ou=People,dc=example,dc=com" -u "uid=username"
Enter LDAP Password:
ldap_bind: Invalid credentials (49)


SASL bind is working correctly:

ldapsearch -s sub -b "ou=People,dc=example,dc=com" -u "uid=username"
SASL/GSSAPI authentication started
SASL username: username@REALM.EXAMPLE.COM
SASL SSF: 56
SASL installing layers
# extended LDIF
#
# LDAPv3
# base <ou=People,dc=example,dc=com> with scope sub
# filter: uid=username
# requesting: ALL
#

# username, People, example.com
dn: uid=username,ou=People,dc=example,dc=com
objectClass: krb5Principal
uid: username
cn: User Name
sn: Name
mail: username@example.com
krb5PrincipalName: username@REALM.EXAMPLE.COM
userPassword: {SASL}username@REALM.EXAMPLE.COM


ldapwhoami
SASL/GSSAPI authentication started
SASL username: username@REALM.EXAMPLE.COM
SASL SSF: 56
SASL installing layers
dn:uid=username,ou=people,dc=example,dc=com

*************************
local configuration files
*************************
/usr/local/lib/sasl2/slapd.conf
pwcheck_method: saslauthd
mech_list: gssapi plain login
saslauthd_path: /var/state/saslauthd/mux
keytab: /usr/local/var/krb5kdc/ldap.keytab

/usr/local/etc/saslauthd.conf
ldap_servers: ldap://127.0.0.1/
ldap_bind_dn: <proxy user DN>
ldap_bind_pw: <proxy user password>
ldap_auth_method: fastbind
ldap_search_base: dc=example,dc=com

/usr/local/etc/openldap/slapd.conf (excerpts from)
#SASL configuration
sasl-realm      REALM.EXAMPLE.COM
sasl-host       ldap.example.com
sasl-secprops   noanonymous
sasl-regexp
        uid=(.*),cn=realm.example.com,cn=(.*),cn=auth
        ldap:///ou=People,dc=example,dc=com??sub?(userPassword=\{SASL\}$1@REALM.EXAMPLE.COM)
#Access Lists
access to attr=userPassword
        by dn="cn=Manager,dc=example,dc=com" write
        by dn="uid=ldapadm.+\+(realm=REALM\.EXAMPLE\.COM)" write
        by anonymous auth
        by * none

access to *
        by dn="cn=Manager,dc=example,dc=com" write
        by dn="uid=ldapadm.+\+(realm=REALM\.EXAMPLE\.COM)" write
        by * read

ldapsearch - simple bind - with debug level "-1"

ldapsearch -x -D "uid=username,ou=People,dc=example,dc=com" -W -s sub -b "ou=People,dc=example,dc=com" -u "uid=username" mail cn sn -d-1
ldap_create
Enter LDAP Password:
ldap_bind_s
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_int_sasl_open: host=ldap.example.com
ldap_open_defconn: successful
ldap_send_server_request
ber_flush: 58 bytes to sd 3
0000:30 38 02 01 01 60 33 02 01 03 04 26 75 69 64 3d 08...`3....&uid=
0010:6b 6d 63 61 72 74 68 75 2c 6f 75 3d 50 65 6f 70 username,ou=Peop
0020:6c 65 2c 64 63 3d 62 61 74 65 73 2c 64 63 3d 65 le,dc=example,dc=c
0030:64 75 80 06 32 72 52 6d 79 4b om..password
ldap_write: want=58, written=58
0000:30 38 02 01 01 60 33 02 01 03 04 26 75 69 64 3d 08...`3....&uid=
0010:6b 6d 63 61 72 74 68 75 2c 6f 75 3d 50 65 6f 70 username,ou=Peop
0020:6c 65 2c 64 63 3d 62 61 74 65 73 2c 64 63 3d 65 le,dc=example,dc=c
0030:64 75 80 06 32 72 52 6d 79 4b om..password
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: localhost port: 389 (default)
refcnt: 2 status: Connected
last used: Wed Feb 15 10:44:06 2006


** Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 1, all 1
ber_get_next
ldap_read: want=8, got=8
  0000:  30 0c 02 01 01 61 07 0a                            0....a..
ldap_read: want=6, got=6
  0000:  01 31 04 00 04 00                                  .1....
ber_get_next: tag 0x30 len 12 contents:
ber_dump: buf=0x080889e8 ptr=0x080889e8 end=0x080889f4 len=12
  0000:  02 01 01 61 07 0a 01 31  04 00 04 00               ...a...1....
ldap_read: message type bind msgid 1, original id 1
ber_scanf fmt ({iaa) ber:
ber_dump: buf=0x080889e8 ptr=0x080889eb end=0x080889f4 len=9
  0000:  61 07 0a 01 31 04 00 04  00                        a...1....
read1msg:  0 new referrals
read1msg:  mark request completed, id = 1
request 1 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_dump: buf=0x080889e8 ptr=0x080889eb end=0x080889f4 len=9
  0000:  61 07 0a 01 31 04 00 04  00                        a...1....
ber_scanf fmt (}) ber:
ber_dump: buf=0x080889e8 ptr=0x080889f4 end=0x080889f4 len=0

ldap_msgfree
ldap_perror
ldap_bind: Invalid credentials (49)

--
Karen R. McArthur <kmcarthu@bates.edu>
Systems Administrator
Information and Library Services, Bates College
Lewiston, Maine 04240
ph:(207) 786-8236   fax:(207) 786-6057
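Added example (not from the poster or from OpenLDAP): a small Python model of the two identity paths in the configuration above, useful for checking a sasl-regexp offline. It applies the posted regexp to the uid=...,cn=realm,cn=mech,cn=auth authentication DN that slapd builds for a SASL bind and parses the resulting LDAP URL, and separately shows what a simple bind against a {SASL}user@REALM userPassword hands to the SASL library (the regexp is not consulted on that path). Assumptions: the authc DN layout and case-insensitive regexp matching are stated from memory of slapd's behaviour, and all values are taken from the posted configuration.

```python
import re

# Pattern and replacement copied from the posted slapd.conf sasl-regexp.
SASL_REGEXP_PATTERN = r"uid=(.*),cn=realm.example.com,cn=(.*),cn=auth"
SASL_REGEXP_REPLACEMENT = (
    r"ldap:///ou=People,dc=example,dc=com??sub?"
    r"(userPassword=\{SASL\}$1@REALM.EXAMPLE.COM)"
)


def sasl_authc_dn(sasl_username, mech):
    """Authentication DN slapd forms for a SASL identity 'user@REALM'.

    Assumption: the layout is uid=<user>,cn=<realm>,cn=<mech>,cn=auth."""
    user, _, realm = sasl_username.partition("@")
    return "uid=%s,cn=%s,cn=%s,cn=auth" % (user, realm, mech)


def apply_sasl_regexp(authc_dn, pattern=SASL_REGEXP_PATTERN,
                      replacement=SASL_REGEXP_REPLACEMENT):
    """Rewrite authc_dn with the sasl-regexp; None if it does not match.

    Assumption: slapd matches sasl-regexp case-insensitively, which is why
    the lower-case realm in the pattern can match the upper-case realm."""
    m = re.fullmatch(pattern, authc_dn, re.IGNORECASE)
    if not m:
        return None
    # OpenLDAP back-references are $N; substitute the captured groups.
    return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), replacement)


def parse_ldap_url(url):
    """Split ldap:///base?attrs?scope?filter (RFC 4516 layout) into parts."""
    body = url[len("ldap:///"):]
    base, attrs, scope, filt = (body.split("?") + ["", "", ""])[:4]
    return {"base": base, "attrs": attrs.split(",") if attrs else [],
            "scope": scope or "base", "filter": filt or "(objectClass=*)"}


def sasl_passthrough_authid(user_password):
    """For a simple bind, the authid slapd passes to the SASL library when
    userPassword uses the {SASL} scheme; None for any other scheme."""
    if not user_password.startswith("{SASL}"):
        return None
    return user_password[len("{SASL}"):]


if __name__ == "__main__":
    dn = sasl_authc_dn("username@REALM.EXAMPLE.COM", "GSSAPI")
    print(dn, "->", parse_ldap_url(apply_sasl_regexp(dn))["filter"])
    print("simple bind authid:",
          sasl_passthrough_authid("{SASL}username@REALM.EXAMPLE.COM"))
```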
