SASL auth not working
Hello all,
I'm trying to set up openldap to authenticate using my kerberos
service, but I'm not having success so far. I've already set up MIT
Kerberos V and I can successfully get tickets from it:
root@filesystem:~# kinit diego.lima
Password for diego.lima@USERS:
root@filesystem:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: diego.lima@USERS
Valid starting Expires Service principal
06/23/10 09:44:49 06/23/10 19:44:49 krbtgt/USERS@USERS
renew until 06/24/10 09:44:46
I've also set up SASL to use the kerberos5 auth mechanism and it seems to work:
root@filesystem:~# testsaslauthd -u diego.lima@USERS -p 123456
0: OK "Success."
The saslauthd output looks like this:
saslauthd[28383] :rel_accept_lock : released accept lock
saslauthd[28385] :get_accept_lock : acquired accept lock
saslauthd[28383] :do_auth : auth success: [user=diego.lima@USERS] [service=imap] [realm=] [mech=kerberos5]
saslauthd[28383] :do_request : response: OK
I've set up my user account on LDAP like this:
dn: krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br
krbPrincipalName: diego.lima@USERS
krbPrincipalKey:: (big key)
krbLastPwdChange: 20100622215607Z
objectClass: krbPrincipal
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
objectClass: posixAccount
structuralObjectClass: krbPrincipal
entryUUID: b4d16a7a-1294-102f-8f9b-2759be64cd18
creatorsName: cn=admin,dc=domain,dc=com,dc=br
createTimestamp: 20100622215607Z
uid: diego.lima
uidNumber: 10001
gidNumber: 10001
cn: diego.lima
homeDirectory: /home/diego.lima
loginShell: /bin/bash
userPassword:: e1NBU0x9ZGllZ28ubGltYUBVU0VSUw==
krbLastSuccessfulAuth: 20100623124649Z
krbLoginFailedCount: 0
krbExtraData:: (data)
krbExtraData:: (data)
entryCSN: 20100623124649.354631Z#000000#000#000000
modifiersName: cn=admin,dc=domain,dc=com,dc=br
modifyTimestamp: 20100623124649Z
The userPassword value translates to {SASL}diego.lima@USERS
When I try to do an authenticated search on LDAP I see the following:
# ldapsearch -D krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br -b dc=domain,dc=com,dc=br '(objectClass=*)' -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
And on the slapd output:
daemon: activity on 1 descriptor
daemon: activity on:
slap_listener_activate(7):
daemon: epoll: listen=7 busy
daemon: epoll: listen=8 active_threads=0 tvp=zero
>>> slap_listener(ldap:///)
daemon: listen=7, new connection on 18
daemon: added 18r (active) listener=(nil)
conn=35 fd=18 ACCEPT from IP=127.0.1.1:51089 (IP=0.0.0.0:389)
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
daemon: activity on 1 descriptor
daemon: activity on: 18r
daemon: read active on 18
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
connection_get(18)
connection_get(18): got connid=35
connection_read(18): checking for input on id=35
ber_get_next
ldap_read: want=8, got=8
0000: 30 53 02 01 01 60 4e 02 0S...`N.
ldap_read: want=77, got=77
0000: 01 03 04 41 6b 72 62 50 72 69 6e 63 69 70 61 6c ...AkrbPrincipal
0010: 4e 61 6d 65 3d 64 69 65 67 6f 2e 6c 69 6d 61 40 Name=diego.lima@
0020: 55 53 45 52 53 2c 63 6e 3d 55 53 45 52 53 2c 64 USERS,cn=USERS,d
0030: 63 3d 34 6c 69 6e 75 78 2c 64 63 3d 63 6f 6d 2c c=domain,dc=com,
0040: 64 63 3d 62 72 80 06 31 32 33 34 35 36 dc=br..123456
ber_get_next: tag 0x30 len 83 contents:
ber_dump: buf=0x1cc73d0 ptr=0x1cc73d0 end=0x1cc7423 len=83
0000: 02 01 01 60 4e 02 01 03 04 41 6b 72 62 50 72 69 ...`N....AkrbPri
0010: 6e 63 69 70 61 6c 4e 61 6d 65 3d 64 69 65 67 6f ncipalName=diego
0020: 2e 6c 69 6d 61 40 55 53 45 52 53 2c 63 6e 3d 55 .lima@USERS,cn=U
0030: 53 45 52 53 2c 64 63 3d 34 6c 69 6e 75 78 2c 64 SERS,dc=domain,d
0040: 63 3d 63 6f 6d 2c 64 63 3d 62 72 80 06 31 32 33 c=com,dc=br..123
0050: 34 35 36 456
op tag 0x60, time 1277298275
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
conn=35 op=0 do_bind
ber_scanf fmt ({imt) ber:
ber_dump: buf=0x1cc73d0 ptr=0x1cc73d3 end=0x1cc7423 len=80
0000: 60 4e 02 01 03 04 41 6b 72 62 50 72 69 6e 63 69 `N....AkrbPrinci
0010: 70 61 6c 4e 61 6d 65 3d 64 69 65 67 6f 2e 6c 69 palName=diego.li
0020: 6d 61 40 55 53 45 52 53 2c 63 6e 3d 55 53 45 52 ma@USERS,cn=USER
0030: 53 2c 64 63 3d 34 6c 69 6e 75 78 2c 64 63 3d 63 S,dc=domain,dc=c
0040: 6f 6d 2c 64 63 3d 62 72 80 06 31 32 33 34 35 36 om,dc=br..123456
ber_scanf fmt (m}) ber:
ber_dump: buf=0x1cc73d0 ptr=0x1cc741b end=0x1cc7423 len=8
0000: 00 06 31 32 33 34 35 36 ..123456
>>> dnPrettyNormal: <krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br>
=> ldap_bv2dn(krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br,0)
<= ldap_bv2dn(krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(krbPrincipalName=diego.lima@USERS,cn=users,dc=domain,dc=com,dc=br)=0
<<< dnPrettyNormal: <krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br>, <krbPrincipalName=diego.lima@USERS,cn=users,dc=domain,dc=com,dc=br>
conn=35 op=0 BIND dn="krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br" method=128
do_bind: version=3 dn="krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br" method=128
==> hdb_bind: dn: krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br
bdb_dn2entry("krbPrincipalName=diego.lima@USERS,cn=users,dc=domain,dc=com,dc=br")
=> access_allowed: auth access to "krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br" "userPassword" requested
=> acl_get: [1] attr userPassword
=> slap_access_allowed: result not in cache (userPassword)
=> acl_mask: access to entry "krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br", attr "userPassword" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: cn=admin,dc=domain,dc=com,dc=br
<= check a_dn_pat: anonymous
<= acl_mask: [2] applying auth(=xd) (stop)
<= acl_mask: [2] mask: auth(=xd)
=> slap_access_allowed: auth access granted by auth(=xd)
=> access_allowed: auth access granted by auth(=xd)
SASL Canonicalize [conn=35]: authcid="diego.lima@USERS"
SASL Canonicalize [conn=35]: authcid="diego.lima@USERS"
send_ldap_result: conn=35 op=0 p=3
send_ldap_result: err=49 matched="" text=""
send_ldap_response: msgid=1 tag=97 err=49
ber_flush2: 14 bytes to sd 18
0000: 30 0c 02 01 01 61 07 0a 01 31 04 00 04 00 0....a...1....
ldap_write: want=14, written=14
0000: 30 0c 02 01 01 61 07 0a 01 31 04 00 04 00 0....a...1....
conn=35 op=0 RESULT tag=97 err=49 text=
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
daemon: activity on 1 descriptor
daemon: activity on: 18r
daemon: read active on 18
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
connection_get(18)
connection_get(18): got connid=35
connection_read(18): checking for input on id=35
ber_get_next
ldap_read: want=8, got=0
ber_get_next on fd 18 failed errno=0 (Success)
connection_read(18): input error=-2 id=35, closing.
connection_closing: readying conn=35 sd=18 for close
connection_close: conn=35 sd=18
daemon: removing 18
conn=35 fd=18 closed (connection lost)
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
I see nothing on the saslauthd output when I try to log in. Did I miss
anything? Please note that I'm trying to use the same kerberos
principal as my user, and this is intended. I did try adding another
user (account and posixAccount objectClasses) with a separate kerberos
principal and that did not work either.
Lastly, here is my slapd.conf:
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/kerberos.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel none
modulepath /usr/lib/ldap
moduleload back_hdb
sizelimit 500
tool-threads 1
backend hdb
database hdb
suffix "dc=domain,dc=com,dc=br"
rootdn "cn=admin,dc=domain,dc=com,dc=br"
directory "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index objectClass eq
lastmod on
checkpoint 512 30
access to attrs=userPassword,shadowLastChange,krbPrincipalKey,krbLastPwdChange
by dn="cn=admin,dc=domain,dc=com,dc=br" write
by anonymous auth
by self write
by * none
access to dn.base="" by * read
access to *
by dn="cn=admin,dc=domain,dc=com,dc=br" write
by * read
Thanks for the help!
--
Diego Lima
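Editor's note with an added example (not part of Diego's message, and not OpenLDAP or Cyrus SASL code). The test in the post talks to saslauthd directly, and the saslauthd log shows service=imap, which is testsaslauthd's default. A simple bind against a {SASL} userPassword takes a different route: slapd hands the plaintext password to libsasl2 (slapd initialises Cyrus SASL with application name "slapd" and service name "ldap"), and libsasl2 only forwards it to saslauthd if its slapd.conf in the SASL configuration directory says pwcheck_method: saslauthd and the slapd process can connect to the mux socket. That the bind produces no saslauthd output at all points at that hop rather than at saslauthd itself. The script below implements the saslauthd mux wire protocol as testsaslauthd speaks it (four length-prefixed fields: login, password, service, realm; one length-prefixed reply starting with OK or NO), so the exact request slapd would make, with service "ldap", can be replayed against a real mux socket with check_mux(). The FakeSaslauthd class and the credentials it accepts are constructed here so the exchange also runs offline.

```python
"""saslauthd mux protocol client, with a constructed stand-in server.

Framing (as used by saslauthd/testsaslauthd): every field is a 16-bit
big-endian length followed by that many bytes. The request carries
login, password, service, realm; the reply is a single field whose text
begins with "OK" or "NO".
"""
import socket
import struct
import threading


def _field(value: str) -> bytes:
    data = value.encode("utf-8")
    if len(data) > 0xFFFF:
        raise ValueError("field too long for saslauthd framing")
    return struct.pack("!H", len(data)) + data


def encode_request(login: str, password: str, service: str, realm: str = "") -> bytes:
    """Bytes a client writes to the mux socket for one authentication."""
    return _field(login) + _field(password) + _field(service) + _field(realm)


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection early")
        buf += chunk
    return buf


def _read_field(sock: socket.socket) -> bytes:
    (length,) = struct.unpack("!H", _recv_exact(sock, 2))
    return _recv_exact(sock, length)


def decode_request(sock: socket.socket):
    """Server side: read login, password, service, realm from a connection."""
    return tuple(_read_field(sock).decode("utf-8") for _ in range(4))


def authenticate(sock: socket.socket, login: str, password: str, service: str, realm: str = ""):
    """Send one request on an already connected socket; returns (ok, reply_text)."""
    sock.sendall(encode_request(login, password, service, realm))
    reply = _read_field(sock).decode("utf-8", "replace")
    return reply.startswith("OK"), reply


def check_mux(path: str, login: str, password: str, service: str = "ldap", realm: str = ""):
    """Replay slapd's request (service 'ldap' by default) against a real mux socket."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        return authenticate(s, login, password, service, realm)


class FakeSaslauthd:
    """Constructed stand-in: accepts one login/password pair, any service or realm."""

    def __init__(self, login: str, password: str):
        self._login, self._password = login, password
        self.services_seen = []

    def serve_one(self, sock: socket.socket) -> None:
        login, password, service, _realm = decode_request(sock)
        self.services_seen.append(service)
        if login == self._login and password == self._password:
            sock.sendall(_field("OK"))
        else:
            sock.sendall(_field("NO authentication failed"))
        sock.close()


def run_check(login: str, password: str, service: str, realm: str = ""):
    """One client/server exchange over a socketpair; returns (ok, reply, service_seen)."""
    server = FakeSaslauthd("diego.lima@USERS", "123456")  # constructed credentials
    client_sock, server_sock = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    worker = threading.Thread(target=server.serve_one, args=(server_sock,))
    worker.start()
    try:
        ok, reply = authenticate(client_sock, login, password, service, realm)
    finally:
        client_sock.close()
        worker.join()
    return ok, reply, server.services_seen[0]


if __name__ == "__main__":
    # testsaslauthd defaults to service "imap"; slapd's libsasl2 asks as "ldap".
    for svc in ("imap", "ldap"):
        print(svc, run_check("diego.lima@USERS", "123456", svc))
    print("wrong password", run_check("diego.lima@USERS", "wrong", "ldap"))
```

Against a live saslauthd, check_mux("/var/run/saslauthd/mux", "diego.lima@USERS", password) run as the user slapd runs under answers two questions at once: whether that account may open the socket, and whether saslauthd says OK for service "ldap". If it does and the bind still fails with err=49 and no saslauthd output, the remaining place to look is libsasl2's slapd.conf (pwcheck_method: saslauthd, and saslauthd_path if the mux is not at the compiled-in default).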