[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
RE: sasl Kerberos authentication with subordinate
Hi,
Actually 'peter' is not the right user t test against because its password in the internal ldap server is defined as {SASL}peter@EXAMPLE.COM. It should be
{SASL}peter@SUB.EXAMPLE.COM.
I tested againt another user mark whose password is {SASL}mark@SUB.EXAMPLE.COM. Both the ldapsearch and ldapwhoami worked well if I use the internal ldap server. This is what I expected.
When I test againt the external server, using ldapwhoami -d -1 -x -H ldap://externalldapserver -D "uid=mark,ou=People,ou=sub,dc=example,dc=com" -w password
the ldap log shows this error message:
50e4f948 >>> dnPrettyNormal: <uid=mark,ou=People,ou=sub,dc=example,dc=com>
=> ldap_bv2dn(uid=mark,ou=People,ou=sub,dc=example,dc=com,0)
<= ldap_bv2dn(uid=mark,ou=People,ou=sub,dc=example,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=mark,ou=People,ou=sub,dc=example,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=mark,ou=people,ou=sub,dc=example,dc=com)=0
50e4f948 <<< dnPrettyNormal: <uid=mark,ou=People,ou=sub,dc=example,dc=com>, <uid=mark, ou=people,ou=sub,dc=example,dc=com>
50e4f948 conn=1034 op=0 BIND dn="uid=mark,ou=People,ou=sub,dc=example,dc=com" method=1 28
50e4f948 do_bind: version=3 dn="uid=mark,ou=People,ou=sub,dc=example,dc=com" method=12 8
50e4f948 ==> bdb_bind: dn: uid=mark,ou=People,ou=sub,dc=example,dc=com
50e4f948 bdb_dn2entry("uid=mark,ou=people,ou=sub,dc=example,dc=com")
50e4f948 => bdb_dn2id("ou=people,ou=sub,dc=example,dc=com")
50e4f948 <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-309 88)
50e4f948 send_ldap_result: conn=1034 op=0 p=3
50e4f948 send_ldap_result: err=49 matched="" text=""
50e4f948 send_ldap_response: msgid=1 tag=97 err=49
Similary message is also shown when I run the ldapsearch command.
James
-----Original Message-----
From: Dan White [mailto:dwhite@olp.net]
Sent: Wednesday, January 02, 2013 7:18 PM
To: Wu, James C.
Cc: openldap-technical@openldap.org
Subject: Re: sasl Kerberos authentication with subordinate
On 12/31/12 11:19 -0800, Wu, James C. wrote:
>I have tested that the LDAP authentication through saslauthd using
>Kerberos works well on both the internal ldap and Kerberos pair and the
>external ldap Kerberos pair.
How did you verify authentication was working with your internal server?
>For example, when I used "su - peter" where peter is a user in the
>external ldap server and the password is
>{SASL}peter@EXAMPLE.COM<mailto:%7bSASL%7dpeter@EXAMPLE.COM>. The
>authentication works. However, when I use "su - James" where james is a
>user defined in the internal ldap server with password
>{SASL}james@SUB.EXAMPLE.COM<mailto:%7bSASL%7djames@SUB.EXAMPLE.COM>,
>then the authentication failed. I check the log file, the internal
>server did get the search request forwarded from the external ldap
>server and returned the correct information back. However, I did not
>see the saslauthd process on either the external or the internal ldap
>server get any inquiry for the authentication.
On 01/02/13 14:52 -0800, Wu, James C. wrote:
>When I add uid to the -D flag in the ldapwhoami, then it failed on both
>the external and internal ldap servers.
>
>ldapwhoami -x -H ldap://internalldap -D
>"uid=peter,ou=People,ou=sub,dc=example,dc=com" -w password ldapwhoami
>-x -H ldap://externalldap -D
>"uid=peter,ou=People,ou=sub,dc=example,dc=com" -w password
How does this second command (against your internal server) differ from the above verification?
--
Dan White