Hallo there everyone,
I hope you can help me with my issue, because it has really been bothering me for a week.
I set up an LDAP server on Gentoo and, after modifying Heimdal Kerberos and TLS, I am stuck at this point: I get these errors...

  additional info: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context

  AS-REQ host/proof.teipir.gr@TEIPIR.GR from IPv4:10.0.0.12 for krbtgt/TEIPIR.GR@TEIPIR.GR
  2010-03-18T16:32:58 Client sent patypes: none
  2010-03-18T16:32:58 Looking for ENC-TS pa-data -- host/proof.teipir.gr@TEIPIR.GR
  2010-03-18T16:32:58 No preauth found, returning PREAUTH-REQUIRED -- host/proof.teipir.gr@TEIPIR.GR
  2010-03-18T16:32:58 sending 268 bytes to IPv4:10.0.0.12

Any ideas which files to check? I am a bit lost...
Thank you very much
On 19/03/10 12:39 +0200, Μανόλης Βλαχάκης wrote:
Is there one host involved or two, and do they both have valid credential caches (klist)?
Does your openldap user have access to /etc/krb5.keytab? What does your cyrus sasl config look like (if it exists)?
Assuming you're using an ldapsearch command from the client, what options are you passing?
Do you have any custom SASL config items in your openldap config (sasl-host, sasl-realm or sasl-secprops)?
Hallo there, and thank you for your answer. I finally made it and moved on, but now I face another problem. My configs look like this... The Kerberos attributes on the LDAP/PHP side are:

  krb5KDCFlags
  krb5KeyVersionNumber
  krb5MaxLife
  krb5MaxRenew
  krb5PrincipalName
  objectClass: krb5Principal, krb5KDCEntry

SASL config:

  log_level: -1
  pwcheck_method: auxprop saslauthd
  mech_list: GSSAPI EXTERNAL LOGIN PLAIN NTLM DIGEST-MD5 CRAM-MD5
  auxprop_plugin: ldapdb
  ldapdb_uri: ldaps://10.0.0.12:636/ ldapi:///
  ldapdb_id: cn=ldapmaster,ou=kerberos,dc=teipir,dc=gr
  ldapdb_pw: {SSHA}I3uStTuu03acS7E/Wp85xNBawCqzvgtY
  ldapdb_mech: GSSAPI EXTERNAL
  ldapdb_starttls: try

My access list is:

  access to * by * write

but I also set up, as I saw in the sasl-regexp config, the mapping below:

  sasl-regexp
      uid=(.+),cn=(.+),cn=.+,cn=auth
      ldap:///dc=$2,dc=gr??sub?(|(uid=$1)(cn=$1@$2))
  sasl-regexp
      uid=(.+),cn=.+,cn=auth
      ldap:///dc=teipir,dc=gr??sub?(|(uid=$1)(krb5PrincipalName=$1@TEIPIR.GR))
  sasl-regexp
      uidnumber=0\+gidnumber=0,cn=peercred,cn=external,cn=auth
      cn=ldapmaster@TEIPIR.GR,ou=kerberos,dc=teipir,dc=gr

I have an idea of making it work like the one below, so as to give access to all of the registered users while requiring a password from them. Is that correct?

  # This is needed so sasl-regexp/GSSAPI works correctly
  access to attrs=krb5PrincipalName
      by anonymous auth

  # Kerberos attributes may only be accessible to root/ldapmaster
  access to attrs=krb5KeyVersionNumber,krb5PrincipalRealm,krb5EncryptionType,krb5KDCFlags,krb5Key,krb5MaxLife,krb5MaxRenew,krb5PasswordEnd,krb5ValidEnd,krb5ValidStart,krb5RealmNam
      by * none

  # We will be using userPassword to provide simple BIND access, so we don't want this to be user editable
  access to attrs=userPassword
      by anonymous auth

  # Anything else we may have forgotten is writable by admin, and viewable by authenticated users
  access to dn.subtree="dc=teipir,dc=gr"
      by users read

When I do something like:

  ldapsearch -X "dn:cn=spiros,ou=Managers,dc=teipir,dc=gr" -w 1234 -d 255

although I set it up to require a password (in the SASL config), I get something like this:

  SASL/GSSAPI authentication started
  ldap_sasl_interactive_bind_s: Insufficient access (50)
      additional info: SASL(-14): authorization failure: not authorized

or, when I use any other command on the client side, I have full access to the tree with no password required.
I forgot to mention another problem that occurred today. When I try to do

  ldapsearch -X "dn: cn=spiros,ou=Managers,dc=teipir,dc=gr" -b "ou=Managers,dc=teipir,dc=gr" -w 1234

I get

  2010-03-22T13:30:17 Failed to open database: Wrong database version
  2010-03-22T13:30:17 UNKNOWN -- host/proof.teipir.gr@TEIPIR.GR: No such entry in the database
-- 
Manolis Vlachakis
Nelly's Family Hotel, visit: www.nellys-hotel.gr www.nellys.gr
Skype: manolis.vlachakis
On 22/03/10 13:33 +0200, Μανόλης Βλαχάκης wrote:
I forgot to mention another problem that occurred today. When I try to do

  ldapsearch -X "dn: cn=spiros,ou=Managers,dc=teipir,dc=gr" -b "ou=Managers,dc=teipir,dc=gr" -w 1234

I get

  2010-03-22T13:30:17 Failed to open database: Wrong database version
  2010-03-22T13:30:17 UNKNOWN -- host/proof.teipir.gr@TEIPIR.GR: No such entry in the database
That may be due to a mismatch between your /var/lib/heimdal (or wherever your m-key is located) and the data stored in your openldap database.
You may need to re-init heimdal, but that will require that you regenerate all your krb5Keys, so be careful before doing so.
On 22/03/10 12:49 +0200, Μανόλης Βλαχάκης wrote:
Hallo there, and thank you for your answer. I finally made it and moved on, but now I face another problem. My configs look like this...
SASL config:

  log_level: -1
  pwcheck_method: auxprop saslauthd
  mech_list: GSSAPI EXTERNAL LOGIN PLAIN NTLM DIGEST-MD5 CRAM-MD5
  auxprop_plugin: ldapdb
  ldapdb_uri: ldaps://10.0.0.12:636/ ldapi:///
  ldapdb_id: cn=ldapmaster,ou=kerberos,dc=teipir,dc=gr
  ldapdb_pw: {SSHA}I3uStTuu03acS7E/Wp85xNBawCqzvgtY
  ldapdb_mech: GSSAPI EXTERNAL
  ldapdb_starttls: try
Is this your slapd.conf sasl config? If so, you should be using the internal 'slapd' auxprop plugin rather than ldapdb:
auxprop_plugin: slapd
I have an idea of making it work like the one below, so as to give access to all of the registered users while requiring a password from them. Is that correct?

  # This is needed so sasl-regexp/GSSAPI works correctly
  access to attrs=krb5PrincipalName
      by anonymous auth

  # Kerberos attributes may only be accessible to root/ldapmaster
  access to attrs=krb5KeyVersionNumber,krb5PrincipalRealm,krb5EncryptionType,krb5KDCFlags,krb5Key,krb5MaxLife,krb5MaxRenew,krb5PasswordEnd,krb5ValidEnd,krb5ValidStart,krb5RealmNam
      by * none

  # We will be using userPassword to provide simple BIND access, so we don't want this to be user editable
  access to attrs=userPassword
      by anonymous auth
I use
  access to attrs=userPassword,shadowLastChange,sambaPwdLastSet,sambaLMPassword,sambaNTPassword,krb5KeyVersionNumber,krb5Key,cmusaslsecretOTP
      by anonymous auth
      by self write
      by * none
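How slapd would decide the two ACL styles quoted in this exchange (the catch-all "access to * by * write" and Dan's attribute rule), as an added example that is not from the thread or from OpenLDAP itself. The subtree catch-all is taken from Manolis's proposed list so the policy is complete, and the selection order modelled (first matching "access to", then its first matching "by", no match means denied) is my reading of slapd's behaviour, not something the thread states.

```python
import re
from collections import namedtuple

# slapd privilege levels, lowest first; a granted level implies every level below it.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# requester=None models an anonymous (not yet bound) client; attr=None would be entry-level access.
Request = namedtuple("Request", "requester entry attr")

# Manolis's access list as quoted: everybody, anonymous included, may write everything.
MANOLIS_ACL = "access to * by * write"

# Dan's password/key rule as quoted, plus the subtree catch-all from Manolis's own proposal.
# Assumption: each directive is written on one line.
DAN_STYLE_ACL = """
access to attrs=userPassword,shadowLastChange,sambaPwdLastSet,sambaLMPassword,sambaNTPassword,krb5KeyVersionNumber,krb5Key,cmusaslsecretOTP by anonymous auth by self write by * none
access to dn.subtree="dc=teipir,dc=gr" by users read
"""


def parse_acl(text):
    """Turn 'access to <what> by <who> <level> ...' lines into (what, [(who, level), ...])."""
    rules = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        head, *clauses = line.split(" by ")
        assert head.startswith("access to "), line
        # rsplit keeps a <who> such as dn="cn=Vlachakis Emmanouil,..." intact despite its spaces
        rules.append((head[len("access to "):].strip(),
                      [tuple(c.rsplit(None, 1)) for c in clauses]))
    return rules


def _what_matches(what, req):
    """Does the directive's <what> cover this entry/attribute? Supports the forms in the thread."""
    if what == "*":
        return True
    if what.lower().startswith("attrs="):
        return req.attr is not None and req.attr.lower() in what[6:].lower().split(",")
    m = re.fullmatch(r'dn\.subtree="(.+)"', what)
    if m:
        base, dn = m.group(1).lower(), req.entry.lower()
        return dn == base or dn.endswith("," + base)
    raise ValueError("unsupported <what>: " + what)


def _who_matches(who, req):
    """Does the <by> clause's <who> describe the requester?"""
    if who == "*":
        return True
    if who == "anonymous":
        return req.requester is None
    if who == "users":
        return req.requester is not None
    if who == "self":
        return req.requester is not None and req.requester.lower() == req.entry.lower()
    m = re.fullmatch(r'dn="(.+)"', who)
    if m:
        return req.requester is not None and req.requester.lower() == m.group(1).lower()
    raise ValueError("unsupported <who>: " + who)


def access_allowed(acl_text, req, required):
    """Modelled slapd semantics: the first directive whose <what> matches is the only one consulted;
    inside it the first matching <by> fixes the granted level; no matching <by>, or no matching
    directive at all, means denied. 'required' is e.g. 'auth' for a bind, 'read' for a search."""
    for what, clauses in parse_acl(acl_text):
        if not _what_matches(what, req):
            continue
        for who, level in clauses:
            if _who_matches(who, req):
                return LEVELS.index(level) >= LEVELS.index(required)
        return False
    return False


# DNs from the thread, used as the entries being accessed.
SPIROS = "cn=spiros,ou=Managers,dc=teipir,dc=gr"
KADMIN = "krb5PrincipalName=kadmin/admin@TEIPIR.GR,ou=kerberos,dc=teipir,dc=gr"

if __name__ == "__main__":
    anon_read_pw = Request(None, SPIROS, "userPassword")
    print("anonymous reads userPassword under 'access to * by * write':",
          access_allowed(MANOLIS_ACL, anon_read_pw, "read"))
    print("anonymous reads userPassword under Dan's rule:",
          access_allowed(DAN_STYLE_ACL, anon_read_pw, "read"))
```

The first call returns True, which is the "full access with no password" Manolis reports; under Dan's rule an anonymous client only gets auth on userPassword (enough to bind, not to read it), and its own password attribute stays writable only by the entry itself.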
Hallo there, and thank you for your quick reply...

1) Is this the only access list you have used, and it works fine? Because, as I told you, I want to add the attributes below. Do you think they'll work?

  # Remember that rootdn has always write access
  # posixAccount/posixGroup attributes may only be accessible to root/ldapmaster (write) and pamproxy (read)
  access to attrs=uid,uidNumber,gidNumber,gecos,homeDirectory,loginShell,memberUid
      by dn="cn=pamproxy@circuitcat.com,ou=kerberos,dc=circuitcat,dc=com" read

  # This is needed so sasl-regexp/GSSAPI works correctly
  access to attrs=krb5PrincipalName
      by anonymous auth

  # Kerberos attributes may only be accessible to root/ldapmaster
  access to attrs=krb5KeyVersionNumber,krb5PrincipalRealm,krb5EncryptionType,krb5KDCFlags,krb5Key,krb5MaxLife,krb5MaxRenew,krb5PasswordEnd,krb5ValidEnd,krb5ValidStart,krb5RealmNam
      by * none

  # We will be using userPassword to provide simple BIND access, so we don't want this to be user editable
  access to attrs=userPassword
      by anonymous auth

  # Write access to common attributes for users
  access to dn.subtree="ou=people,dc=circuitcat,dc=com" attrs=telephoneNumber,facsimileTelephoneNumber,jpegPhoto,homePhone,homePostalAddress
      by self write
      by users read

  # Anything else we may have forgotten is writable by admin, and viewable by authenticated users
  access to dn.subtree="dc=circuitcat,dc=com"
      by users read

2) I have already re-initialised Heimdal, so I think that is not the problem... I had some issues before that got solved by doing the Heimdal re-init.

And I forgot to mention another problem I face, but I don't think it is related to the one I mentioned before...
On the LDAP server I get only this in the log:

  Mar 22 16:35:18 proof slapd: auxpropfunc error no mechanism available
  Mar 22 16:35:18 proof slapd: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql

Sorry, I forgot again another one...
By using the command below I get:

  pluginviewer -a
  Mar 22 16:37:32 proof pluginviewer: auxpropfunc error invalid parameter supplied
  Mar 22 16:37:32 proof pluginviewer: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb
  Mar 22 16:37:32 proof pluginviewer: sql_select option missing
  Mar 22 16:37:32 proof pluginviewer: auxpropfunc error no mechanism available
  Mar 22 16:37:32 proof pluginviewer: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql
On 22/03/10 16:36 +0200, Μανόλης Βλαχάκης wrote:
And I forgot to mention another problem I face, but I don't think it is related to the one I mentioned before...
On the LDAP server I get only this in the log:

  Mar 22 16:35:18 proof slapd: auxpropfunc error no mechanism available
  Mar 22 16:35:18 proof slapd: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql
By default, the Cyrus SASL library will attempt to initialize all available auxprop plugins. You have a sql auxprop plugin installed, but you have not specified required sql parameters to initialize the plugin.
You can explicitly specify which auxprop plugins you want to use in /usr/lib/sasl2/slapd.conf (or the appropriate location on your system):
auxprop_plugin: slapd
or you can just remove the sql shared library so cyrus doesn't attempt to initialize it.
Finally the LDAP log works fine... but what I get from the log is that none of the requests are being responded to with data :( (for example the first one...)

  acl_mask: access to entry "krb5PrincipalName=kadmin/admin@TEIPIR.GR,ou=kerberos,dc=teipir,dc=gr", attr "uid" requested

but I still have the problem:

  SASL/GSSAPI authentication started
  ldap_sasl_interactive_bind_s: Insufficient access (50)
      additional info: SASL(-14): authorization failure: not authorized

Thanks for the help so far... :)
On 22/03/10 18:09 +0200, Μανόλης Βλαχάκης wrote:
Finally the LDAP log works fine... but what I get from the log is that none of the requests are being responded to with data :( (for example the first one...)

  acl_mask: access to entry "krb5PrincipalName=kadmin/admin@TEIPIR.GR,ou=kerberos,dc=teipir,dc=gr", attr "uid" requested
I don't know.
but I still have the problem:

  SASL/GSSAPI authentication started
  ldap_sasl_interactive_bind_s: Insufficient access (50)
      additional info: SASL(-14): authorization failure: not authorized
I would guess that there is a problem with your proxy authorization configuration.
Does 'ldapwhoami' return a string which your authz-regexp is matching?
When we apply the mapping setting as shown below (sasl-regexp):

  log_level: -1
  pwcheck_method: auxprop saslauthd
  mech_list: GSSAPI EXTERNAL LOGIN PLAIN NTLM DIGEST-MD5 CRAM-MD5
  auxprop_plugin: slapd
  ldapdb_uri: ldaps://10.0.0.12:636/ ldapi:///
  ldapdb_id: cn=M@nSpi,,dc=teipir,dc=gr
  ldapdb_pw: {SSHA}I3uStTuu03acS7E/Wp85xNBawCqzvgtY
  ldapdb_mech: GSSAPI EXTERNAL
  ldapdb_starttls: try

on the ldapwhoami command I get:

  SASL/GSSAPI authentication started
  SASL username: kadmin/admin@TEIPIR.GR
  SASL SSF: 56
  SASL data security layer installed.
  dn:krb5PrincipalName=kadmin/admin@TEIPIR.GR,ou=kerberos,dc=teipir,dc=gr

On the other hand, without the mapping we get:

  SASL/GSSAPI authentication started
  SASL username: kadmin/admin@TEIPIR.GR
  SASL SSF: 56
  SASL data security layer installed.
  dn:uid=kadmin/admin,cn=gssapi,cn=auth

With the ACL set to:

  access to *
      by * write
      by * read
      by * auth

1) I get all the time the value gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
2) and the uid value remains empty....

1)
  acl_get: [1] attr krb5KeyVersionNumber
  Mar 22 18:25:03 proof slapd[23892]: => acl_mask: access to entry "krb5PrincipalName=krbtgt/TEIPIR.GR@TEIPIR.GR,ou=kerberos,dc=teipir,dc=gr", attr "krb5KeyVersionNumber" requested
  Mar 22 18:25:03 proof slapd[23892]: => acl_mask: to value by "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth", (=0)

2)
  => access_allowed: auth access to "krb5PrincipalName=kadmin/admin@TEIPIR.GR,ou=kerberos,dc=teipir,dc=gr" "uid" requested
  Mar 22 18:27:18 proof slapd[23983]: => acl_get: [1] attr uid
  Mar 22 18:27:18 proof slapd[23983]: => acl_mask: access to entry "krb5PrincipalName=kadmin/admin@TEIPIR.GR,ou=kerberos,dc=teipir,dc=gr", attr "uid" requested
  Mar 22 18:27:18 proof slapd[23983]: => acl_mask: to value by "", (=0)
  Mar 22 18:27:18 proof slapd[23983]: <= check a_dn_pat: *
  Mar 22 18:27:18 proof slapd[23983]: <= acl_mask: [1] applying write(=wrscxd) (stop)
On 22/03/10 18:29 +0200, Μανόλης Βλαχάκης wrote:
On the ldapwhoami command I get:

  SASL/GSSAPI authentication started
  SASL username: kadmin/admin@TEIPIR.GR
  SASL SSF: 56
  SASL data security layer installed.
  dn:krb5PrincipalName=kadmin/admin@TEIPIR.GR,ou=kerberos,dc=teipir,dc=gr

On the other hand, without the mapping we get:

  SASL/GSSAPI authentication started
  SASL username: kadmin/admin@TEIPIR.GR
  SASL SSF: 56
  SASL data security layer installed.
  dn:uid=kadmin/admin,cn=gssapi,cn=auth
Looks good.
Do you have an authz-policy set?
With the ACL set to:

  access to *
      by * write
      by * read
      by * auth

1) I get all the time the value gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
2) and the uid value remains empty....
That looks like UNIX domain socket via an ldapi connection, by the root user (or a user with UID of 0).
You should probably have a mapping for it as well. I map root to the admin user on my system.
No, I haven't set an authz-policy... how should that be done?
I didn't understand exactly what you said here... can you give a code sample please?

  That looks like UNIX domain socket via an ldapi connection, by the root user (or a user with UID of 0).
  You should probably have a mapping for it as well. I map root to the admin user on my system.

I have to tell you that you are a big help. Thank you again for everything.
On 22/03/10 19:07 +0200, Μανόλης Βλαχάκης wrote:
No, I haven't set an authz-policy... how should that be done?
See the openldap administrator's guide, section 15.3.
I use 'authz-policy to'. It requires that I specify an authzTo attribute in each identity I want to give proxy authentication privileges to.
I assume that is what you are wanting to do, given the error earlier, but it may not be.
I didn't understand exactly what you said here... can you give a code sample please?

  That looks like UNIX domain socket via an ldapi connection, by the root user (or a user with UID of 0).
  You should probably have a mapping for it as well. I map root to the admin user on my system.
From my config:

  rootdn "cn=admin,dc=olp,dc=net"
  authz-regexp "gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth" cn=admin,dc=olp,dc=net

It gives me full rights to the server when connecting as the root user.
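The mapping step discussed in this exchange, as an added example that is not part of the thread or of OpenLDAP itself: the three sasl-regexp rules Manolis quoted and Dan's root mapping, applied to the identity strings ldapwhoami printed earlier, with a resulting ldap:/// URI searched against a small constructed directory. It assumes slapd tries the rules in order, case-insensitively, with the first match winning, and that a URI which does not yield exactly one entry leaves the bind unauthorized; those are my assumptions about slapd, not statements from the thread.

```python
import re

# Rule pairs copied from the thread: Manolis's three sasl-regexp directives, then Dan's root mapping.
MANOLIS_RULES = [
    (r"uid=(.+),cn=(.+),cn=.+,cn=auth",
     r"ldap:///dc=$2,dc=gr??sub?(|(uid=$1)(cn=$1@$2))"),
    (r"uid=(.+),cn=.+,cn=auth",
     r"ldap:///dc=teipir,dc=gr??sub?(|(uid=$1)(krb5PrincipalName=$1@TEIPIR.GR))"),
    # Component order matters: slapd reports the ldapi peer as gidNumber=0+uidNumber=0,...
    # (see the ldapwhoami output quoted earlier), which this pattern never matches.
    (r"uidnumber=0\+gidnumber=0,cn=peercred,cn=external,cn=auth",
     r"cn=ldapmaster@TEIPIR.GR,ou=kerberos,dc=teipir,dc=gr"),
]
DAN_ROOT_RULE = (r"gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth",
                 r"cn=admin,dc=olp,dc=net")

# Constructed directory fragment modelled on DNs from the thread; attribute names are stored
# lower-cased because LDAP attribute names are case-insensitive.
DIRECTORY = {
    "krb5PrincipalName=kadmin/admin@TEIPIR.GR,ou=kerberos,dc=teipir,dc=gr": {
        "krb5principalname": ["kadmin/admin@TEIPIR.GR"],   # no uid attribute, as Manolis observed
    },
    "cn=spiros,ou=Managers,dc=teipir,dc=gr": {
        "cn": ["spiros"], "uid": ["spiros"], "krb5principalname": ["spiros@TEIPIR.GR"],
    },
}


def apply_authz_regexp(sasl_id, rules):
    """First rule whose pattern matches wins; $1..$9 in its replacement come from the match.
    Assumption: rules are tried in order and case-insensitively, as slapd does (regexec, no
    whole-string check). Returns None when no rule matches."""
    for pattern, replacement in rules:
        m = re.search(pattern, sasl_id, re.IGNORECASE)
        if m is not None:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    return None


def _parse_filter(s, i=0):
    """Minimal RFC 4515 parser for the filter shapes in the thread: (attr=value), (|...), (&...)."""
    assert s[i] == "(", "filter must start with '('"
    i += 1
    if s[i] in "|&":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse_filter(s, i)
            kids.append(node)
        assert s[i] == ")"
        return (op, kids), i + 1
    end = s.index(")", i)
    attr, value = s[i:end].split("=", 1)
    return ("=", attr.lower(), value), end + 1


def _matches(node, entry):
    if node[0] == "|":
        return any(_matches(k, entry) for k in node[1])
    if node[0] == "&":
        return all(_matches(k, entry) for k in node[1])
    _, attr, value = node
    return any(v.lower() == value.lower() for v in entry.get(attr, []))


def _in_scope(dn, base, scope):
    dn, base = dn.lower(), base.lower()
    if scope == "base":
        return dn == base
    return dn == base or dn.endswith("," + base)      # "sub"; "one" is approximated as sub


def resolve_identity(sasl_id, rules, directory):
    """Map a SASL authentication identity to the DN slapd would use for ACL decisions.
    A replacement that is a plain DN is used as-is; an ldap:/// URI is searched and must return
    exactly one entry, otherwise the bind counts as not authorized (None)."""
    target = apply_authz_regexp(sasl_id, rules)
    if target is None:
        return None
    if not target.lower().startswith("ldap:///"):
        return target
    base, _attrs, scope, flt = target[len("ldap:///"):].split("?", 3)
    node, _ = _parse_filter(flt)
    hits = [dn for dn, entry in directory.items()
            if _in_scope(dn, base, scope or "base") and _matches(node, entry)]
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    ROOT = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
    print(resolve_identity("uid=kadmin/admin,cn=gssapi,cn=auth", MANOLIS_RULES, DIRECTORY))
    print(resolve_identity(ROOT, MANOLIS_RULES, DIRECTORY), resolve_identity(ROOT, [DAN_ROOT_RULE], DIRECTORY))
```

The kadmin/admin identity resolves to the krb5PrincipalName entry, matching the ldapwhoami output quoted above; the root peercred identity falls through Manolis's rules unmapped but maps to the admin DN under Dan's.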
After reading the OpenLDAP admin guide you mentioned, I understood that by using -X on the ldapsearch command I should use the authzTo attributes, as you said,
but even with the changes I made to the file no differences were spotted...
I currently use the ACL below (it was my initial one and the best for my case, I think):

  access to *
      by dn="cn=M@nSpi,dc=teipir,dc=gr" write
      by dn="cn=Vlachakis Emmanouil,ou=Managers,dc=teipir,dc=gr" manage
      by dn="cn=Oikonomakis Spyridwn,ou=Managers,dc=teipir,dc=gr" manage
      by users read
      by * write

Thank you
After trying several things I found out that in the slapd configuration file, if I add to the rootdn the user I created in Heimdal Kerberos with the command "kadmin -l add ldapmaster", without the rootpw, the search works fine with whichever user I do it as...
So it is not working as I want it to, which is to require a password every time I try to search through the LDAP server.
Thank you
Basically, I forgot to mention that all my steps are being done according to the HOWTO I found most helpful on the net.
On Tuesday, 23 March 2010 11:18:57 Μανόλης Βλαχάκης wrote:
After reading the OpenLDAP admin guide you mentioned, I understood that by using -X on the ldapsearch command I should use the authzTo attributes, as you said
But, you haven't explained if or why you need to authorize to different users. IMHO, it looks plainly as if you have been using the -X flag by mistake ...
The document you referred to doesn't use -X anywhere, only -x in the case of simple binds.
Regards, Buchan
2010/3/24 Buchan Milne bgmilne@staff.telkomsa.net
On Tuesday, 23 March 2010 11:18:57 Μανόλης Βλαχάκης wrote:
After reading the OpenLDAP admin guide you mentioned, I understood that by using -X on the ldapsearch command I should use the authzTo attributes, as you said
But, you haven't explained if or why you need to authorize to different users. IMHO, it looks plainly as if you have been using the -X flag by mistake ...
The document you referred to doesn't use -X anywhere, only -x in the case of simple binds.
I want to do a SASL bind, not a simple bind; that's why I use the -X flag! Am I wrong? What are you suggesting to do with the users? I believe that there is no need to have all users authorized, but only two, for example only those I have in Kerberos: ldapmaster and kadmin/admin! Am I right? Take a look at my slapd.conf! My problem is that I want to do a SASL bind with a password and not only with a DN, because now I do a SASL bind only with one of the authorized DNs!
On Wednesday, 24 March 2010 11:04:57 Μανόλης Βλαχάκης wrote:
I want to do a SASL bind, not a simple bind; that's why I use the -X flag! Am I wrong?
Yes. -x is for simple binds. Without -x, you get SASL binds (it is the default, if your software is compiled with SASL support). -X is not for forcing SASL, but for something a bit more obscure than what I think you want ...
Here are some examples from a working OpenLDAP/Heimdal setup:
As a unix user:
Simple bind:
  [bgmilne@tiger ~]$ ldapwhoami -x -D uid=bgmilne,ou=people,dc=ranger,dc=dnsalias,dc=com -W
  Enter LDAP Password:
  dn:uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com

  [bgmilne@tiger ~]$ kinit
  bgmilne@RANGER.DNSALIAS.COM's Password:
  [bgmilne@tiger ~]$ klist
  Credentials cache: FILE:/tmp/krb5cc_501
          Principal: bgmilne@RANGER.DNSALIAS.COM

    Issued           Expires          Principal
  Mar 24 12:30:43  Mar 24 19:10:43  krbtgt/RANGER.DNSALIAS.COM@RANGER.DNSALIAS.COM
SASL/GSSAPI:
  [bgmilne@tiger ~]$ ldapwhoami
  SASL/GSSAPI authentication started
  SASL username: bgmilne@RANGER.DNSALIAS.COM
  SASL SSF: 56
  SASL data security layer installed.
  dn:uid=bgmilne,ou=people,dc=ranger,dc=dnsalias,dc=com
  [bgmilne@tiger ~]$ klist
  Credentials cache: FILE:/tmp/krb5cc_501
          Principal: bgmilne@RANGER.DNSALIAS.COM

    Issued           Expires          Principal
  Mar 24 12:30:43  Mar 24 19:10:43  krbtgt/RANGER.DNSALIAS.COM@RANGER.DNSALIAS.COM
  Mar 24 12:30:50  Mar 24 19:10:43  ldap/tiger.ranger.dnsalias.com@RANGER.DNSALIAS.COM
Simple, anonymous:
  [bgmilne@tiger ~]$ ldapwhoami -x
  anonymous
SASL/EXTERNAL on ldapi
  [bgmilne@tiger ~]$ ldapwhoami -x -H ldapi:/// -Y EXTERNAL
  ldapwhoami: incompatible with authentication choice
  [bgmilne@tiger ~]$ ldapwhoami -H ldapi:/// -Y EXTERNAL
  SASL/EXTERNAL authentication started
  SASL username: gidNumber=501+uidNumber=501,cn=peercred,cn=external,cn=auth
  SASL SSF: 0
  anonymous
As root:
For KDC's access to LDAP:
  [root@tiger ~]# cat .ldaprc
  SASL_MECH EXTERNAL
  URI ldapi:///
  [root@tiger ~]# ldapwhoami
  SASL/EXTERNAL authentication started
  SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
  SASL SSF: 0
  dn:uid=account admin,ou=system accounts,dc=ranger,dc=dnsalias,dc=com
For nss_ldap etc. to enumerate users (e.g., would be identical on client-only hosts), so that proxy users are not required, and access is host-specific with no clear-text credentials on clients:
  [root@tiger ~]# klist
  Credentials cache: FILE:/tmp/krb5cc_0
          Principal: host/tiger.ranger.dnsalias.com@RANGER.DNSALIAS.COM

    Issued           Expires          Principal
  Mar 24 12:22:01  Mar 24 19:02:01  krbtgt/RANGER.DNSALIAS.COM@RANGER.DNSALIAS.COM
  Mar 24 12:33:51  Mar 24 19:02:01  ldap/tiger.ranger.dnsalias.com@RANGER.DNSALIAS.COM

  [root@tiger ~]# ldapwhoami -Y GSSAPI
  SASL/GSSAPI authentication started
  SASL username: host/tiger.ranger.dnsalias.com@RANGER.DNSALIAS.COM
  SASL SSF: 56
  SASL data security layer installed.
  dn:uid=host/tiger.ranger.dnsalias.com,ou=people,dc=ranger,dc=dnsalias,dc=com
What are you suggesting to do with the users? I believe that there is no need to have all users authorized, but only two, for example only those I have in Kerberos: ldapmaster and kadmin/admin! Am I right?
I don't know what you are trying to achieve.
Take a look at my slapd.conf!
It's pointless without knowing what you are trying to achieve.
My problem is that I want to do a SASL bind with a password and not only with a DN, because now I do a SASL bind only with one of the authorized DNs!
If you have Kerberos, why do you want to provide a password? You should instead be happy with a SASL GSSAPI bind, which is authenticated (but, not by password transfer in clear text to slapd).
Regards, Buchan
To begin with, thank you very much for your mail; it is really helpful so as to understand whether we are on the right way or not. After testing everything you said, everything seems great apart from the one below.
I didn't really get what I can find out with the commands shown here:
As root:
For KDC's access to LDAP:
[root@tiger ~]# cat .ldaprc
SASL_MECH EXTERNAL
URI ldapi:///
[root@tiger ~]# ldapwhoami
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn:uid=account admin,ou=system accounts,dc=ranger,dc=dnsalias,dc=com
For nss_ldap etc. to enumerate users (e.g., would be identical on client-only hosts), so that proxy users are not required, and access is host-specific with no clear-text credentials on clients:
I don't know what you are trying to achieve.
It's pointless without knowing what you are trying to achieve.
Now about my project: I have a Gentoo server where I set up the LDAP
database... there I will update and also retrieve some user attributes (with a search on the LDAP tree) from this database with a PHP application. Before I reach that point I would like to have the maximum security level available.
So do you think that if I use ldap_bind on the PHP side it forces the whole session to go the secure way, even if I don't use sasl_bind...
If you have Kerberos, why do you want to provide a password? You should instead be happy with a SASL GSSAPI bind, which is authenticated (but, not by password transfer in clear text to slapd).
This password I am talking about is the one the users have in the LDAP database as an attribute; that is why I think it would be better for it to be required on the search being done.
Another thing I would like to ask, so as to be more sufficient on what I have accomplished: can you tell me please, looking at my logs after using the commands:
1)ldapsearch -Y GSSAPI -D "cn=M@nSpi,dc=teipir,dc=gr" -b "cn=bla bla bla...,ou=Managers,dc=teipir,dc=gr" -W -d 5
and I face a problem with the uid attribute: as you can see in the log, it seems to be empty...
I hope it's not because I haven't added the
rootdn "cn=admin,dc=olp,dc=net"
authz-regexp
"gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth" cn=admin,dc=olp,dc=net
as Dan mentioned (so as not to have the error: No preauth found, returning PREAUTH-REQUIRED)
2) and this is the one I get when I log in via PHP
Thank you!!
On Wed, 24 Mar 2010 12:04:57 +0200, Μανόλης Βλαχάκης manolisvl18@yahoo.gr wrote:
2010/3/24 Buchan Milne bgmilne@staff.telkomsa.net
On Tuesday, 23 March 2010 11:18:57 Μανόλης Βλαχάκης wrote:
After reading the OpenLDAP admin guide you mentioned, I understood that by using -X on the ldapsearch command I should use the authzTo attributes, as you said.
But, you haven't explained if or why you need to authorize to different users. IMHO, it looks plainly as if you have been using the -X flag by mistake ...
The document you referred to doesn't use -X anywhere, only -x in the case of simple binds.
I want to do a SASL bind, not a simple bind; that's why I use the -X flag! Am I wrong?
What are you suggesting to do with the users? I believe that there is no need to have all users authorized, but only two, for example only those I have in Kerberos: ldapmaster and kadmin/admin! Am I right? Take a look at my slapd.conf! My problem is that I want to do a SASL bind with a password and not only with a DN, because now I do a SASL bind only with one of the authorized DNs!
Did you create an ldap service and host principal? If so, just use the GSSAPI mechanism, something like 'ldapsearch -Y GSSAPI -H ldap://some.host', and you may write an appropriate authz-regexp in order to match the SASL authentication string to a DN.
-Dieter
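To make Dieter's point concrete, here is an added example (not from the thread or from OpenLDAP itself) that mimics how slapd applies authz-regexp rules: the SASL identity is rendered as uid=<authcid>,cn=<realm>,cn=<mech>,cn=auth, each rule's POSIX regex is searched against it, and $N in the replacement is filled from the match. The peercred rule is the one quoted above; the GSSAPI rule for RANGER.DNSALIAS.COM and the case-insensitive matching are assumptions.

```python
import re

# Constructed rules in slapd.conf authz-regexp form: (match, replace).
# First rule: the peercred mapping quoted in the thread.
# Second rule (hypothetical): map GSSAPI principals of one realm onto
# entries under ou=people, the way Buchan's ldapwhoami output shows.
AUTHZ_REGEXP_RULES = [
    (r"gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth",
     "cn=admin,dc=olp,dc=net"),
    (r"uid=([^,]*),cn=ranger\.dnsalias\.com,cn=gssapi,cn=auth",
     "uid=$1,ou=people,dc=ranger,dc=dnsalias,dc=com"),
]


def sasl_authzid(authcid, mech, realm=None):
    """Build the string slapd matches authz-regexp rules against:
    uid=<authcid>,cn=<realm>,cn=<mech>,cn=auth (realm omitted if none)."""
    parts = ["uid=" + authcid]
    if realm:
        parts.append("cn=" + realm)
    parts += ["cn=" + mech.lower(), "cn=auth"]
    return ",".join(parts)


def map_to_dn(authzid, rules=AUTHZ_REGEXP_RULES):
    """Return the DN produced by the first matching rule, or None.

    None is the interesting case for a defender: the bind authenticated
    (the KDC issued a ticket) but no rule maps the identity to an entry,
    so ACLs cannot grant it anything and the search fails as
    'Insufficient access' / 'not authorized' rather than succeeding.
    Matching is case-insensitive (assumption about slapd's regex flags)."""
    for pattern, replacement in rules:
        m = re.search(pattern, authzid, re.IGNORECASE)
        if m:
            # Expand $1..$9 from the captured groups, as slapd does.
            return re.sub(r"\$(\d)",
                          lambda g: m.group(int(g.group(1))), replacement)
    return None


if __name__ == "__main__":
    # Constructed identities: one from each mechanism, plus a principal
    # from a realm no rule covers.
    for ident in [sasl_authzid("host/tiger.ranger.dnsalias.com", "GSSAPI",
                               "RANGER.DNSALIAS.COM"),
                  "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth",
                  sasl_authzid("ldapmaster", "GSSAPI", "TEIPIR.GR")]:
        print(ident, "->", map_to_dn(ident))
```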
On 22/03/10 16:29 +0200, Μανόλης Βλαχάκης wrote:
Hallo there, and thank you for your quick reply...
1) Is this the only access list you have used, and it works fine? Because, as I told you, I want to add the attributes below; do you think they'll work?
I have several other rules, but these are the ones that I believe are relevant. These might not match recommended practice but they work for me:
access to attrs=userPassword,shadowLastChange,sambaPwdLastSet,sambaLMPassword,sambaNTPassword,krb5KeyVersionNumber,krb5Key,cmusaslsecretOTP by anonymous auth by self write by * none
access to attrs=authzTo by anonymous auth by self read by * none
access to attrs=objectClass by self read by anonymous auth by * none
On Monday, 22 March 2010 11:49:02 Μανόλης Βλαχάκης wrote:
Hallo there and thank you for your answer i finally made it
Made what?
and moved on, but now I face another problem.
Are you sure? It looks like the same problem, but the error message is different because you made different mistakes in testing.
When I do something like: ldapsearch -X "dn:cn=spiros,ou=Managers,dc=teipir,dc=gr" -w 1234 -d 255
and although I set it up to require a password (in the SASL config)
I get something like this:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Insufficient access (50)
additional info: SASL(-14): authorization failure: not authorized
A SASL/GSSAPI bind is attempted, but you haven't yet shown whether you have a Kerberos TGT, or valid service tickets. Please show the output of 'klist'
or, when I use any other command client side, I have full access to the tree with no password required
Which problem are we trying to solve? The GSSAPI bind, or the access lists? If you want GSSAPI bind, maybe you should concentrate on it first, as your access lists may be different for the case where you have GSSAPI working vs not.
(please consider replying in-line, with your replies in the right section of the mail, and drop any irrelevant portions).
2010/3/19 Dan White dwhite@olp.net
On 19/03/10 12:39 +0200, Μανόλης Βλαχάκης wrote:
Hallo there everyone
I hope you can help me with my issue, because it has really bothered me for a week.
I set up an LDAP on Gentoo, and after modifying Heimdal Kerberos and TLS I am stuck at that point: I get these errors...
additional info: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
AS-REQ host/proof.teipir.gr@TEIPIR.GR from IPv4:10.0.0.12 for krbtgt/TEIPIR.GR@TEIPIR.GR
2010-03-18T16:32:58 Client sent patypes: none
2010-03-18T16:32:58 Looking for ENC-TS pa-data -- host/proof.teipir.gr@TEIPIR.GR
2010-03-18T16:32:58 No preauth found, returning PREAUTH-REQUIRED -- host/proof.teipir.gr@TEIPIR.GR
2010-03-18T16:32:58 sending 268 bytes to IPv4:10.0.0.12
Is there one host involved or two, and do they both have valid credential caches (klist)?
Does your openldap user have access to /etc/krb5.keytab? What does your cyrus sasl config look like (if it exists)?
Assuming you're using an ldapsearch command from the client, what options are you passing?
Do you have any custom SASL config items in your openldap config (sasl-host, sasl-realm or sasl-secprops)?
Regards, Buchan
Made what?
I solved the SQL error showing in the log... I deleted the libs..
A SASL/GSSAPI bind is attempted, but you haven't yet shown whether you have a Kerberos TGT, or valid service tickets. Please show the output of 'klist'
klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: ldapmaster@TEIPIR.GR

  Issued           Expires          Principal
Mar 23 17:35:52  Mar 24 03:35:52  krbtgt/TEIPIR.GR@TEIPIR.GR
Mar 23 17:36:20  Mar 24 03:35:52  ldap/proof.teipir.gr@TEIPIR.GR
Which problem are we trying to solve? The GSSAPI bind, or the access lists? If you want GSSAPI bind, maybe you should concentrate on it first, as your access lists may be different for the case where you have GSSAPI working vs not.
The problems I face today are:
1) When I try to search the authorized users I created, as described at http://www.openinput.com/auth-howto/ar01s06.html#d0e781 (which I followed in every step), I get no message asking for a password and the search continues at once.
+ a general question.. my project is retrieving data from an LDAP tree through a PHP application in the most secure way possible:
should I only authorize the admins, or all the sub-entries of a "leaf" in our LDAP tree (user names, passwords, etc. of the users)?
P.S.: I attach my slapd.conf so that you get the full idea of my settings (I can paste my SASL configs too).
Thank you very much!!