We have a Rails app that uses OpenLDAP in the local development environment on Mac OS X to authenticate and authorize users (we use Active Directory in production and staging). Up until now all development has been done on Macs running Mountain Lion, and OpenLDAP has worked fine. Recently a new developer joined our team who is using a Mac running Mavericks, however OpenLDAP is behaving differently on his Mac. On Mavericks, OpenLDAP is trying to do something with Kerberos, which is failing. We see the following in the slapd.log on Mavericks:
5319fc2c >>> dnPrettyNormal: <cn=jdoe,ou=people,dc=bluewaterbrand,dc=com>
5319fc2c <<< dnPrettyNormal: <cn=jdoe,ou=people,dc=bluewaterbrand,dc=com>, <cn=jdoe,ou=people,dc=bluewaterbrand,dc=com>
5319fc2c do_bind: version=3 dn="cn=jdoe,ou=people,dc=bluewaterbrand,dc=com" method=128
5319fc2c bdb_dn2entry("cn=jdoe,ou=people,dc=bluewaterbrand,dc=com")
5319fc2c => bdb_search
5319fc2c bdb_dn2entry("cn=kerberoskdc,cn=config,dc=bluewaterbrand,dc=com")
5319fc2c => bdb_dn2id("cn=config,dc=bluewaterbrand,dc=com")
5319fc2c <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30988)
5319fc2c entry_decode: "dc=bluewaterbrand,dc=com"
5319fc2c <= entry_decode(dc=bluewaterbrand,dc=com)
5319fc2c send_ldap_result: conn=-1 op=0 p=0
5319fc2c Entry *odusers_copy_entry(Operation *): Unable to locate cn=kerberoskdc,cn=config,dc=bluewaterbrand,dc=com (32)
5319fc2c odusers_copy_krbrealm: No entry associated with KerberosKDC cn=kerberoskdc,cn=config,dc=bluewaterbrand,dc=com
5319fc2c odusers_krb_auth: could not retrieve krb realm while authing jdoe
5319fc2c int odusers_increment_failedlogin(struct berval *): Unable to retrieve description of loginFailedAttempts attribute5319fc2c bdb_bind: Error to increment failed login count for cn=jdoe,ou=people,dc=bluewaterbrand,dc=com5319fc2c send_ldap_result: conn=1003 op=0 p=3
Here's the same section of slapd.log from a Mac running Mountain Lion, which is working correctly:
531e25c9 >>> dnPrettyNormal: <cn=cjdoe,ou=people,dc=bluewaterbrand,dc=com>
531e25c9 <<< dnPrettyNormal: <cn=cjdoe,ou=people,dc=bluewaterbrand,dc=com>, <cn=cjdoe,ou=people,dc=bluewaterbrand,dc=com>
531e25c9 do_bind: version=3 dn="cn=cjdoe,ou=people,dc=bluewaterbrand,dc=com" method=128
531e25c9 bdb_dn2entry("cn=cjdoe,ou=people,dc=bluewaterbrand,dc=com")
531e25c9 do_bind: v3 bind: "cn=cjdoe,ou=people,dc=bluewaterbrand,dc=com" to "cn=cjdoe,ou=people,dc=bluewaterbrand,dc=com"
531e25c9 send_ldap_result: conn=1003 op=0 p=3
531e25c9 send_ldap_response: msgid=1 tag=97 err=0
ber_flush2: 14 bytes to sd 14
ldap_write: want=14, written=14
0000: 30 0c 02 01 01 61 07 0a 01 00 04 00 04 00 0....a........
531e25c9 connection_get(14): got connid=1003
531e25c9 connection_read(14): checking for input on id=1003
ber_get_next
ldap_read: want=8, got=0
We've spent a copule of days looking into this, and can't find any noticeable differences in the ldap.conf and slapd.conf files between Mavericks and Mountain Lion that would explain why Mavericks is doing a search on "cn=kerberoskdc,cn=config,dc=bluewaterbrand,dc=com".
Does anyone know why OpenLDAP on Mavericks is behaving the way that it is, and more importantly, what would be the correct way to resolve this issue? Our Rails app is using the devise and devise_ldap_authenticatable
gems to handle user authentication, so it would seem that we don't want OpenLDAP to do anything with Kerberos at all. Can this be controlled via configuration, or is this an issue with how the OpenLDAP shipped with Mavericks was built?
Thanks,
Denis