
SASL auth not working



Hello all,

I'm trying to set up OpenLDAP to authenticate using my Kerberos
service, but I'm not having success so far. I've already set up MIT
Kerberos V and I can successfully get tickets from it:

root@filesystem:~# kinit diego.lima
Password for diego.lima@USERS:
root@filesystem:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: diego.lima@USERS

Valid starting     Expires            Service principal
06/23/10 09:44:49  06/23/10 19:44:49  krbtgt/USERS@USERS
	renew until 06/24/10 09:44:46


I've also set up SASL to use the kerberos5 auth mechanism and it seems to work:

root@filesystem:~# testsaslauthd -u diego.lima@USERS -p 123456
0: OK "Success."

The saslauthd output looks like this:

saslauthd[28383] :rel_accept_lock : released accept lock
saslauthd[28385] :get_accept_lock : acquired accept lock
saslauthd[28383] :do_auth         : auth success:
[user=diego.lima@USERS] [service=imap] [realm=] [mech=kerberos5]
saslauthd[28383] :do_request      : response: OK

I've set up my user account on LDAP like this:

dn: krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br
krbPrincipalName: diego.lima@USERS
krbPrincipalKey:: (big key)
krbLastPwdChange: 20100622215607Z
objectClass: krbPrincipal
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
objectClass: posixAccount
structuralObjectClass: krbPrincipal
entryUUID: b4d16a7a-1294-102f-8f9b-2759be64cd18
creatorsName: cn=admin,dc=domain,dc=com,dc=br
createTimestamp: 20100622215607Z
uid: diego.lima
uidNumber: 10001
gidNumber: 10001
cn: diego.lima
homeDirectory: /home/diego.lima
loginShell: /bin/bash
userPassword:: e1NBU0x9ZGllZ28ubGltYUBVU0VSUw==
krbLastSuccessfulAuth: 20100623124649Z
krbLoginFailedCount: 0
krbExtraData:: (data)
krbExtraData:: (data)
entryCSN: 20100623124649.354631Z#000000#000#000000
modifiersName: cn=admin,dc=domain,dc=com,dc=br
modifyTimestamp: 20100623124649Z


The userPassword value translates to {SASL}diego.lima@USERS

When I try to do an authenticated search on LDAP I see the following:

# ldapsearch -D krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br -b dc=domain,dc=com,dc=br '(objectClass=*)' -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)


And on the slapd output:

daemon: activity on 1 descriptor
daemon: activity on:
slap_listener_activate(7):
daemon: epoll: listen=7 busy
daemon: epoll: listen=8 active_threads=0 tvp=zero
>>> slap_listener(ldap:///)
daemon: listen=7, new connection on 18
daemon: added 18r (active) listener=(nil)
conn=35 fd=18 ACCEPT from IP=127.0.1.1:51089 (IP=0.0.0.0:389)
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
daemon: activity on 1 descriptor
daemon: activity on: 18r
daemon: read active on 18
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
connection_get(18)
connection_get(18): got connid=35
connection_read(18): checking for input on id=35
ber_get_next
ldap_read: want=8, got=8
  0000:  30 53 02 01 01 60 4e 02                            0S...`N.
ldap_read: want=77, got=77
  0000:  01 03 04 41 6b 72 62 50  72 69 6e 63 69 70 61 6c   ...AkrbPrincipal
  0010:  4e 61 6d 65 3d 64 69 65  67 6f 2e 6c 69 6d 61 40   Name=diego.lima@
  0020:  55 53 45 52 53 2c 63 6e  3d 55 53 45 52 53 2c 64   USERS,cn=USERS,d
  0030:  63 3d 34 6c 69 6e 75 78  2c 64 63 3d 63 6f 6d 2c   c=domain,dc=com,
  0040:  64 63 3d 62 72 80 06 31  32 33 34 35 36            dc=br..123456
ber_get_next: tag 0x30 len 83 contents:
ber_dump: buf=0x1cc73d0 ptr=0x1cc73d0 end=0x1cc7423 len=83
  0000:  02 01 01 60 4e 02 01 03  04 41 6b 72 62 50 72 69   ...`N....AkrbPri
  0010:  6e 63 69 70 61 6c 4e 61  6d 65 3d 64 69 65 67 6f   ncipalName=diego
  0020:  2e 6c 69 6d 61 40 55 53  45 52 53 2c 63 6e 3d 55   .lima@USERS,cn=U
  0030:  53 45 52 53 2c 64 63 3d  34 6c 69 6e 75 78 2c 64   SERS,dc=domain,d
  0040:  63 3d 63 6f 6d 2c 64 63  3d 62 72 80 06 31 32 33   c=com,dc=br..123
  0050:  34 35 36                                           456
op tag 0x60, time 1277298275
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
conn=35 op=0 do_bind
ber_scanf fmt ({imt) ber:
ber_dump: buf=0x1cc73d0 ptr=0x1cc73d3 end=0x1cc7423 len=80
  0000:  60 4e 02 01 03 04 41 6b  72 62 50 72 69 6e 63 69   `N....AkrbPrinci
  0010:  70 61 6c 4e 61 6d 65 3d  64 69 65 67 6f 2e 6c 69   palName=diego.li
  0020:  6d 61 40 55 53 45 52 53  2c 63 6e 3d 55 53 45 52   ma@USERS,cn=USER
  0030:  53 2c 64 63 3d 34 6c 69  6e 75 78 2c 64 63 3d 63   S,dc=domain,dc=c
  0040:  6f 6d 2c 64 63 3d 62 72  80 06 31 32 33 34 35 36   om,dc=br..123456
ber_scanf fmt (m}) ber:
ber_dump: buf=0x1cc73d0 ptr=0x1cc741b end=0x1cc7423 len=8
  0000:  00 06 31 32 33 34 35 36                            ..123456
>>> dnPrettyNormal: <krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br>
=> ldap_bv2dn(krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br,0)
<= ldap_bv2dn(krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(krbPrincipalName=diego.lima@USERS,cn=users,dc=domain,dc=com,dc=br)=0
<<< dnPrettyNormal:
<krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br>,
<krbPrincipalName=diego.lima@USERS,cn=users,dc=domain,dc=com,dc=br>
conn=35 op=0 BIND
dn="krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br"
method=128
do_bind: version=3
dn="krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br"
method=128
==> hdb_bind: dn:
krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br
bdb_dn2entry("krbPrincipalName=diego.lima@USERS,cn=users,dc=domain,dc=com,dc=br")
=> access_allowed: auth access to
"krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br"
"userPassword" requested
=> acl_get: [1] attr userPassword
=> slap_access_allowed: result not in cache (userPassword)
=> acl_mask: access to entry
"krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br",
attr "userPassword" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: cn=admin,dc=domain,dc=com,dc=br
<= check a_dn_pat: anonymous
<= acl_mask: [2] applying auth(=xd) (stop)
<= acl_mask: [2] mask: auth(=xd)
=> slap_access_allowed: auth access granted by auth(=xd)
=> access_allowed: auth access granted by auth(=xd)
SASL Canonicalize [conn=35]: authcid="diego.lima@USERS"
SASL Canonicalize [conn=35]: authcid="diego.lima@USERS"
send_ldap_result: conn=35 op=0 p=3
send_ldap_result: err=49 matched="" text=""
send_ldap_response: msgid=1 tag=97 err=49
ber_flush2: 14 bytes to sd 18
  0000:  30 0c 02 01 01 61 07 0a  01 31 04 00 04 00         0....a...1....
ldap_write: want=14, written=14
  0000:  30 0c 02 01 01 61 07 0a  01 31 04 00 04 00         0....a...1....
conn=35 op=0 RESULT tag=97 err=49 text=
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
daemon: activity on 1 descriptor
daemon: activity on: 18r
daemon: read active on 18
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
connection_get(18)
connection_get(18): got connid=35
connection_read(18): checking for input on id=35
ber_get_next
ldap_read: want=8, got=0

ber_get_next on fd 18 failed errno=0 (Success)
connection_read(18): input error=-2 id=35, closing.
connection_closing: readying conn=35 sd=18 for close
connection_close: conn=35 sd=18
daemon: removing 18
conn=35 fd=18 closed (connection lost)
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero


I see nothing on the saslauthd output when I try to log in. Did I miss
anything? Please note that I'm trying to use the same Kerberos
principal as my user, and this is intended. I did try adding another
user (account and posixAccount objectClasses) with a separate Kerberos
principal and that did not work either.


Lastly, here is my slapd.conf:

include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/kerberos.schema

pidfile         /var/run/slapd/slapd.pid

argsfile        /var/run/slapd/slapd.args

loglevel        none

modulepath      /usr/lib/ldap
moduleload      back_hdb

sizelimit 500

tool-threads 1

backend         hdb

database        hdb
suffix          "dc=domain,dc=com,dc=br"
rootdn          "cn=admin,dc=domain,dc=com,dc=br"
directory       "/var/lib/ldap"

dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500

index           objectClass eq

lastmod         on
checkpoint      512 30

access to attrs=userPassword,shadowLastChange,krbPrincipalKey,krbLastPwdChange
        by dn="cn=admin,dc=domain,dc=com,dc=br" write
        by anonymous auth
        by self write
        by * none
access to dn.base="" by * read
access to *
        by dn="cn=admin,dc=domain,dc=com,dc=br" write
        by * read


Thanks for the help!

-- 
Diego Lima
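As an added example (not code from the original post or from OpenLDAP), a small Python helper that pairs slapd's `BIND` and `RESULT` log lines by `conn`/`op` to flag `err=49` (invalidCredentials) failures per bind DN, and that decodes the LDIF base64 `userPassword` to confirm it is in the `{SASL}authcid` pass-through form. The sample log lines are constructed from the output quoted above, with the mail-wrapped BIND line rejoined as slapd actually emits it.

```python
import base64
import re
from collections import defaultdict

# Constructed sample, shaped like the slapd log quoted in the post
# (BIND line rejoined onto one line; second connection invented for contrast).
SAMPLE_LOG = """\
conn=35 fd=18 ACCEPT from IP=127.0.1.1:51089 (IP=0.0.0.0:389)
conn=35 op=0 BIND dn="krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br" method=128
conn=35 op=0 RESULT tag=97 err=49 text=
conn=35 fd=18 closed (connection lost)
conn=36 op=0 BIND dn="cn=admin,dc=domain,dc=com,dc=br" method=128
conn=36 op=0 RESULT tag=97 err=0 text=
"""

# method=128 is a simple bind; tag=97 is the BindResponse.
BIND_RE = re.compile(r'^conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=128')
RESULT_RE = re.compile(r'^conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')


def bind_results(log_text):
    """Pair each simple BIND with its RESULT using the (conn, op) key.
    Returns a list of (dn, err) tuples in log order."""
    pending = {}
    results = []
    for line in log_text.splitlines():
        m = BIND_RE.match(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.match(line)
        if m and (m.group(1), m.group(2)) in pending:
            dn = pending.pop((m.group(1), m.group(2)))
            results.append((dn, int(m.group(3))))
    return results


def failed_binds(log_text):
    """Count err=49 (invalidCredentials) results per bind DN."""
    counts = defaultdict(int)
    for dn, err in bind_results(log_text):
        if err == 49:
            counts[dn] += 1
    return dict(counts)


def decode_sasl_passthrough(b64_value):
    """Decode an LDIF 'userPassword::' value; return the SASL authcid if it
    uses the {SASL} pass-through scheme, otherwise None."""
    raw = base64.b64decode(b64_value).decode()
    return raw[len("{SASL}"):] if raw.startswith("{SASL}") else None
```

With the post's `userPassword` value the decoder returns `diego.lima@USERS`, the authcid slapd then hands to libsasl, which is why the `SASL Canonicalize` lines appear before the err=49 result.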