[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: client server connection to LDAP/Kerberos



I did, but still haven't get a response.
I just want to confirm something here from the debug logs of apache and ldap/kerb servers that it is davical fault nothing more!
As now I am trying to do the authentication using apache


From apache while trying to login, got that:

[Tue Feb 05 02:58:29 2013] [debug] src/mod_auth_kerb.c(994): [client 203.28.249.33] Using HTTP/calendar.domain.com@ as server principal for password verification
[Tue Feb 05 02:58:29 2013] [debug] src/mod_auth_kerb.c(698): [client 203.28.249.33] Trying to get TGT for user aahmed@DOMAIN.COM
[Tue Feb 05 02:58:29 2013] [debug] src/mod_auth_kerb.c(609): [client 203.28.249.33] Trying to verify authenticity of KDC using principal HTTP/calendar.domain.com@
[Tue Feb 05 02:58:29 2013] [debug] src/mod_auth_kerb.c(1073): [client 203.28.249.33] kerb_authenticate_user_krb5pwd ret=0 user=aahmed@DOMAIN.COM authtype=Basic
[Tue Feb 05 02:58:29 2013] [debug] src/mod_auth_kerb.c(1534): [client 203.28.249.33] kerb_authenticate_a_name_to_local_name aahmed@DOMAIN.COM -> aahmed
[Tue Feb 05 02:58:29 2013] [error] [client 203.28.249.33] davical: ***: ERROR:drivers_ldap : Unable to find the user with filter (&(objectClass=*)(uid=aahmed))



And can see the request also goes in my ldap/kerb server. I don't understand why having multiple entries here, but I can see clearly that some of them are successful and return an entry! 

Feb  5 02:56:32 ldap slapd[1059]: conn=1459 op=4111 SRCH base="cn=DOMAIN.COM,ou=krb5,dc=domain,dc=com" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=aahmed@DOMAIN.COM))"
Feb  5 02:56:32 ldap slapd[1059]: conn=1459 op=4111 SRCH attr=krbprincipalname krbcanonicalname objectclass krbprincipalkey krbmaxrenewableage krbmaxticketlife krbticketflags krbprincipalexpiration krbticketpolicyreference krbUpEnabled krbpwdpolicyreference krbpasswordexpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth krbLastPwdChange krbExtraData krbObjectReferences krbAllowedToDelegateTo
Feb  5 02:56:32 ldap slapd[1059]: conn=1459 op=4111 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb  5 02:56:32 ldap slapd[1059]: conn=1459 op=4113 SRCH base="cn=DOMAIN.COM,ou=krb5,dc=domain,dc=com" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=aahmed/SNK4@DOMAIN.COM))"
Feb  5 02:56:32 ldap slapd[1059]: conn=1459 op=4113 SRCH attr=krbprincipalname krbcanonicalname objectclass krbprincipalkey krbmaxrenewableage krbmaxticketlife krbticketflags krbprincipalexpiration krbticketpolicyreference krbUpEnabled krbpwdpolicyreference krbpasswordexpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth krbLastPwdChange krbExtraData krbObjectReferences krbAllowedToDelegateTo
Feb  5 02:56:32 ldap slapd[1059]: conn=1459 op=4113 SEARCH RESULT tag=101 err=0 nentries=0 text=
-
-
Feb  5 02:56:32 ldap slapd[1059]: conn=1507 fd=43 ACCEPT from IP=203.28.247.193:38068 (IP=0.0.0.0:389)
Feb  5 02:56:32 ldap slapd[1059]: conn=1507 op=0 BIND dn="" method=128
Feb  5 02:56:32 ldap slapd[1059]: conn=1507 op=0 RESULT tag=97 err=0 text=
Feb  5 02:56:32 ldap slapd[1059]: conn=1507 op=1 SRCH base="ou=People,dc=domain,dc=com" scope=2 deref=0 filter="(&(objectClass=*)(uid=aahmed))"
Feb  5 02:56:32 ldap slapd[1059]: conn=1507 op=1 SRCH attr=uid cn mail modifyTimestamp
Feb  5 02:56:32 ldap slapd[1059]: conn=1507 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=




> Date: Sun, 3 Feb 2013 17:11:09 -0600
> From: dwhite@olp.net
> To: asabatgirl@hotmail.com
> Subject: Re: client server connection to LDAP/Kerberos
> CC: openldap-technical@openldap.org
>
> That would suggest you have a problem is with your Davical configuration. Try
> consulting their mailing list/support contact.
>
> On 02/02/13 12:05 +1100, Asmaa Ahmed wrote:
> >
> >No, don't have any problem while running these commands from there!I can retrieve my data successfully.
> >
> >Feb 2 11:59:49 ldap slapd[1059]: conn=1374 op=2 BIND dn="" method=163Feb 2 11:59:49 ldap slapd[1059]: conn=1374 op=2 BIND authcid="aahmed@DOMAIN.COM" authzid="aahmed@DOMAIN.COM"Feb 2 11:59:49 ldap slapd[1059]: conn=1374 op=2 BIND dn="uid=aahmed,ou=people,dc=domain,dc=com" mech=GSSAPI sasl_ssf=56 ssf=56Feb 2 11:59:49 ldap slapd[1059]: conn=1374 op=2 RESULT tag=97 err=0 text=Feb 2 11:59:49 ldap slapd[1059]: conn=1374 op=3 SRCH base="dc=domain,dc=com" scope=2 deref=0 filter="(objectClass=*)"Feb 2 11:59:49 ldap slapd[1059]: conn=1374 op=3 SEARCH RESULT tag=101 err=0 nentries=11 text=Feb 2 11:59:49 ldap slapd[1059]: conn=1374 op=4 UNBIND
> >Thanks.
> >> Date: Fri, 1 Feb 2013 13:53:29 -0600
> >> From: dwhite@olp.net
> >> To: asabatgirl@hotmail.com
> >> CC: openldap-technical@openldap.org
> >> Subject: Re: client server connection to LDAP/Kerberos
> >>
> >> On 02/01/13 10:08 +1100, Asmaa Ahmed wrote:
> >> >Hello,
> >> >
> >> >I recently added Kerberos authentication to my LDAP server, and I am trying
> >> >to connect the other servers to it.
> >> >I have a server running Davical shared calendar, and I hope to get it
> >> >working with my LDAP server again after Kerberos integration.
> >> >
>
> >> Can you reproduce this problem with ldapsearch and/or ldapwhoami (-Y
> >> GSSAPI) on the server which is running davical?
>
> --
> Dan White
>