The first step in getting SASL/GSSAPI (or any SASL mechanism) working is to make sure it works using the Cyrus SASL sample test programs (as service "ldap" and daemon "slapd"). You apparently haven't done that yet...
At 12:08 PM 11/8/2006, Maxwell Bottiger wrote:
Hello all,
I've found lots of information about problems related to mine in the
FAQ and around the net, but I don't have a solution yet. Here's my setup:
OpenLDAP 2.2
MIT Kerberos
SASL 2.1.20
I'm using LDAP to provide directory services and user info to some Linux workstations. This was working, but after upgrading a test machine to Fedora 6 I've started having some serious problems.
[sleepylight@minitop ~]$ ldapsearch -H ldap://ns.jive-turkey.net -Y GSSAPI
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
I figure this is one of three possible problems:
1 - saslauthd isn't working right
2 - ldap isn't talking to sasl correctly
3 - I've done something wrong with my ldap queries.
Kerberos seems to work fine. I can get my credentials with kinit, and the GSSAPI credentials are working for ssh logins. Also, I can use testsaslauthd and get a success from the authd server.
[sleepylight@ns ~]$ /usr/sbin/testsaslauthd -r JIVE-TURKEY.NET -s ldap -u sleepylight -p *********
0: OK "Success."
So I think my problem is #2 or #3. I'm not sure which, so if anyone has some feedback I'm happy to try it out. I'll include some possibly relevant material at the end of this email. Thanks for reading!
Some stuff from slapd.conf:
sasl-host ns.jive-turkey.net
sasl-secprops noanonymous,noplain,noactive
saslRegexp uid=([^/]*),cn=GSSAPI,cn=auth uid=$1,ou=People,dc=jive-turkey,dc=net
# Default read access for everything else
access to *
        by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write
        by * read
Messages from slapd after an attempted login:
slapd startup: initiated.
backend_startup: starting "dc=jive-turkey,dc=net"
bdb_db_open: dbenv_open(/var/lib/ldap)
slapd starting
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
ber_get_next
ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: version=3 dn="" method=128
send_ldap_result: conn=0 op=0 p=3
send_ldap_response: msgid=1 tag=97 err=0
ber_flush: 14 bytes to sd 10
do_bind: v3 anonymous bind
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 201 contents:
ber_get_next
ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
do_search
ber_scanf fmt ({miiiib) ber:
dnPrettyNormal: <dc=jive-tukey,dc=net>
ldap_err2string
<= ldap_bv2dn(dc=jive-tukey,dc=net)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(dc=jive-tukey,dc=net)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(dc=jive-tukey,dc=net)=0 Success
<<< dnPrettyNormal: <dc=jive-tukey,dc=net>, <dc=jive-tukey,dc=net>
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({M}}) ber:
send_ldap_result: conn=0 op=1 p=3
send_ldap_response: msgid=2 tag=101 err=32
ber_flush: 14 bytes to sd 10
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 201 contents:
ber_get_next
do_search
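As an added example (not from this thread and not OpenLDAP code), the following Python model applies the saslRegexp rule and the dn.regex ACL quoted from slapd.conf above to a few constructed SASL identities, to show which identities the rule maps to a People entry and which keep the cn=auth form. It assumes regexec(3)-style unanchored, case-insensitive matching and that $N in the replacement is the N-th capture group; the realm-qualified identity form is a constructed input, not one taken from the posted logs.

```python
import re

# Rule and ACL copied from the slapd.conf excerpt quoted in this thread.
SASLREGEXP_MATCH = r"uid=([^/]*),cn=GSSAPI,cn=auth"
SASLREGEXP_REPLACE = "uid=$1,ou=People,dc=jive-turkey,dc=net"
ACL_WRITE_DN_REGEX = r"uid=.*/admin,cn=GSSAPI,cn=auth"


def map_sasl_identity(authzid, match=SASLREGEXP_MATCH, replace=SASLREGEXP_REPLACE):
    """Apply one saslRegexp rule to a SASL identity of the form
    uid=<user>[,cn=<realm>],cn=<mech>,cn=auth.

    This is a model of slapd's behaviour, not slapd's code.  Assumptions:
    the pattern is matched unanchored and case-insensitively (regexec-style)
    and $N in the replacement is the N-th capture group.  When no rule
    matches, the identity is returned unchanged, which is the DN slapd then
    evaluates access control against."""
    m = re.search(match, authzid, re.IGNORECASE)
    if m is None:
        return authzid
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replace)


def acl_grants_write(bind_dn, dn_regex=ACL_WRITE_DN_REGEX):
    """Model the 'by dn.regex=... write' clause: write access is granted
    only when the (possibly mapped) bind DN matches the regex."""
    return re.search(dn_regex, bind_dn, re.IGNORECASE) is not None


if __name__ == "__main__":
    # Constructed identities in the shape slapd builds from a GSSAPI principal.
    for ident in (
        "uid=sleepylight,cn=GSSAPI,cn=auth",            # plain user principal
        "uid=sleepylight/admin,cn=GSSAPI,cn=auth",      # '/' keeps it unmapped
        "uid=sleepylight,cn=JIVE-TURKEY.NET,cn=GSSAPI,cn=auth",  # realm-qualified
    ):
        dn = map_sasl_identity(ident)
        print(f"{ident}\n  -> {dn}\n  write: {acl_grants_write(dn)}")
```

Note that `[^/]*` also swallows a `cn=<realm>` component, so a realm-qualified identity is rewritten to a DN that does not exist under ou=People; `[^,/]*` would leave it unmapped instead.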