On 01/20/13 17:30 +0530, mallapadi niranjan wrote:
Hi all,
I need some help in finding more about the below error:
Jan 20 05:34:58 ldap2 slapd[2561]: conn=1025 op=1 RESULT tag=97 err=14 text=SASL(0): successful result:
Jan 20 05:34:58 ldap2 slapd[2561]: conn=1025 op=2 BIND dn="" method=163
Jan 20 05:34:58 ldap2 slapd[2561]: SASL [conn=1025] Failure: Inappropriate authentication
Jan 20 05:34:58 ldap2 slapd[2561]: conn=1025 op=2 RESULT tag=97 err=50 text=SASL(-14): authorization failure: Inappropriate authentication
Jan 20 05:34:58 ldap2 slapd[2561]: conn=1025 op=3 UNBIND
Jan 20 05:34:58 ldap2 slapd[2561]: conn=1025 fd=31 closed
More information:
OpenLDAP version: openldap-servers-2.4.23-26.el6_3.2.x86_64
What I am trying to do is: I have configured bind (named) to store its records in an LDAP server using the plugin provided by bind-dyndb-ldap-1.1.0-0.9.b1.el6.x86_64, and I have configured named.conf to access the LDAP server only through GSSAPI.
options {
        listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        forward first;
        forwarders { };
        #dnssec-enable yes;
        #dnssec-validation yes;
        #dnssec-lookaside auto;
        allow-recursion { any; };
        /* Path to ISC DLV key */
        #bindkeys-file "/etc/named.iscdlv.key";
        #managed-keys-directory "/var/named/dynamic";
        tkey-gssapi-credential "dnsadmin@EXAMPLE.ORG";
        tkey-domain "EXAMPLE.ORG";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
        type hint;
        file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
dynamic-db "openldap" {
        library "ldap.so";
        #arg "uri ldapi://%2fvar%2frun%2fldapi";
        arg "uri ldap://localhost";
        arg "base cn=dns,dc=example,dc=org";
        arg "fake_mname ldap2.example.org.";
        arg "auth_method sasl";
        arg "sasl_mech GSSAPI";
        arg "sasl_user dnsadmin@EXAMPLE.ORG";
        arg "zone_refresh 30";
};
You should not specify a username when using the GSSAPI. SASL and OpenLDAP will derive the username based on the kerberos ticket, and your sasl-regexp rules. It's possible that the username you're submitting is being interpreted as an authz identity, and is causing an authorization failure.
As you can see, named checks for dnsadmin@EXAMPLE.ORG as its SASL authentication user; dnsadmin@EXAMPLE.ORG is a user who exists in the LDAP records:
dn: cn=dnsadmin,ou=People,dc=example,dc=org
cn: dnsadmin
sn: user
objectClass: person
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
userPassword:: U2VjcmV0MTIz
krbPrincipalName: dnsadmin@EXAMPLE.ORG
krbLoginFailedCount: 0
krbPrincipalKey:: MIIByKADAgEBoQMCAQGiAwIBAqMDAgEBpIIBsDCCAawwVKAHMAWgAwIBAKFJ
 MEegAwIBEqFABD4gACUNiDAaRqfI6BDKN9YZ/DhvIf6TfUZY8pdWQ5HvM1ZI/DOxdPnIoXfnbjRT+
 i7D7lMpkixzcxcFki3fFDBEoAcwBaADAgEAoTkwN6ADAgERoTAELhAAqBkEvL+gzUndM8TNS7ik+I
 1weyacnVPB3PaFjtteeQBLcmrqikUN9eCWTDgwTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYAM0347z
 v8kK3gj0A9SYOzUDa7Hc89pG1dg4LOdJfam6QkNGamezP45ZnFLzGSQ/oTR76I3YwRKAHMAWgAwIB
 AKE5MDegAwIBF6EwBC4QAC3muW46EjvmxYXnvzA11/kiUrGwknrOL/dtcVVhx2ul81zChqkfuHYjU
 BbTMDygBzAFoAMCAQChMTAvoAMCAQihKAQmCADtDnWrNBUuisnbEstExWOiwQphTqqXyrzPi1XQ3U
 jvE0TpMZUwPKAHMAWgAwIBAKExMC+gAwIBA6EoBCYIAFNul3CO38n/hMzLT9lT31ma7ObzhJ9B1qn
 BIGSvn7wDSiH2dw==
krbPasswordExpiration: 19700101000000Z
krbLastPwdChange: 20130119232256Z
krbExtraData:: AALQKvtQcm9vdC9hZG1pbkBFWEFNUExFLk9SRwA=
krbExtraData:: AAgBAA==
named reads the /etc/named.keytab file to get dnsadmin@EXAMPLE.ORG:
[root@ldap2 master]# klist -k /etc/named.keytab
Keytab name: WRFILE:/etc/named.keytab
KVNO Principal
   2 dnsadmin@EXAMPLE.ORG
   2 dnsadmin@EXAMPLE.ORG
   2 dnsadmin@EXAMPLE.ORG
   2 dnsadmin@EXAMPLE.ORG
   2 dnsadmin@EXAMPLE.ORG
   2 dnsadmin@EXAMPLE.ORG
What I am looking at is this: when bind tries to connect to the LDAP server using "dnsadmin@EXAMPLE.ORG", I am seeing the error below:
Jan 20 05:47:43 ldap2 slapd[2561]: conn=1031 op=0 RESULT tag=97 err=14 text=SASL(0): successful result:
Jan 20 05:47:43 ldap2 slapd[2561]: connection_input: conn=1031 deferring operation: binding
Jan 20 05:47:43 ldap2 slapd[2561]: conn=1031 op=1 BIND dn="" method=163
Jan 20 05:47:43 ldap2 slapd[2561]: connection_input: conn=1031 deferring operation: binding
Jan 20 05:47:43 ldap2 slapd[2561]: conn=1031 op=1 RESULT tag=97 err=14 text=SASL(0): successful result:
Jan 20 05:47:43 ldap2 slapd[2561]: conn=1031 op=2 BIND dn="" method=163
Jan 20 05:47:43 ldap2 slapd[2561]: SASL [conn=1031] Failure: Inappropriate authentication
Jan 20 05:47:43 ldap2 slapd[2561]: conn=1031 op=3 UNBIND
Jan 20 05:47:43 ldap2 slapd[2561]: conn=1031 op=2 RESULT tag=97 err=50 text=SASL(-14): authorization failure: Inappropriate authentication
Jan 20 05:47:43 ldap2 slapd[2561]: conn=1031 fd=34 closed
Can anyone help me with how to enable more debugging to get more info about err=50 (Insufficient access error)? Below is my olcAuthzRegexp configuration:
# config
dn: cn=config
objectClass: olcGlobal
cn: config
olcConfigFile: /opt/setup-openldap/sample-slapd.conf
olcConfigDir: /etc/openldap/slapd.d/
olcAllows: bind_v2
...
olcTLSCACertificateFile: /etc/pki/tls/certs/cacert.pem
olcTLSCertificateFile: /etc/pki/tls/certs/server.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/serverkey.pem
olcTLSVerifyClient: allow
olcToolThreads: 1
olcWriteTimeout: 0
olcAuthzRegexp: {0}uid=(.*),cn=EXAMPLE.ORG,cn=gssapi,cn=auth uid=$1,ou=People,dc=example,dc=org
olcLogLevel: stats
And the output of ldapwhoami:
[root@ldap2 master]# ldapwhoami -Y GSSAPI -H ldapi:///
SASL/GSSAPI authentication started
SASL username: dnsadmin@EXAMPLE.ORG
SASL SSF: 56
SASL data security layer installed.
dn:uid=dnsadmin,cn=example.org,cn=gssapi,cn=auth
I just want to find out why named fails when trying to SASL bind with OpenLDAP.
Your olcAuthzRegexp rule is failing to trigger. Try specifying a lowercase 'cn=example.org'.
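The following is an added worked example, not code from this thread or from OpenLDAP. It replays the olcAuthzRegexp mapping step offline so the two ways a GSSAPI bind can end up with an unusable identity can be told apart before touching slapd: either no rule matches the SASL authorization DN that ldapwhoami reported (uid=dnsadmin,cn=example.org,cn=gssapi,cn=auth), or a rule matches but the DN it produces has no entry. The example assumes the case-sensitive matching the reply suggests (an `ignore_case` flag lets you try the other behaviour, since the thread does not settle what slapd compiles the pattern with), models only the DN-replacement form of olcAuthzRegexp (not the LDAP-URL form), and uses a constructed one-entry directory built from the entry quoted in the post; note that entry's RDN is cn=dnsadmin while the rule's replacement produces uid=$1, so the harness flags that mismatch separately from the case problem. The `RULE_CN_RDN` rule is a hypothetical variant added only to show what a fully resolving mapping looks like in this harness.

```python
import re

# Constructed sample directory: the single entry quoted in the post.
# Its RDN is cn=dnsadmin, not uid=dnsadmin.
SAMPLE_DIRECTORY = {
    "cn=dnsadmin,ou=People,dc=example,dc=org": {
        "cn": ["dnsadmin"],
        "objectClass": ["person", "krbPrincipalAux", "krbTicketPolicyAux"],
        "krbPrincipalName": ["dnsadmin@EXAMPLE.ORG"],
    },
}

# SASL authorization DN that slapd reported for the GSSAPI bind (from ldapwhoami).
SASL_AUTHZ_DN = "uid=dnsadmin,cn=example.org,cn=gssapi,cn=auth"

# olcAuthzRegexp rules as (match, replace) pairs, tried in order.
RULE_FROM_POST = ("uid=(.*),cn=EXAMPLE.ORG,cn=gssapi,cn=auth",
                  "uid=$1,ou=People,dc=example,dc=org")
RULE_LOWERCASE = ("uid=(.*),cn=example.org,cn=gssapi,cn=auth",
                  "uid=$1,ou=People,dc=example,dc=org")
# Hypothetical variant (assumption, not from the thread): map onto the cn= RDN
# the quoted entry actually has.
RULE_CN_RDN = ("uid=(.*),cn=example.org,cn=gssapi,cn=auth",
               "cn=$1,ou=People,dc=example,dc=org")


def apply_authz_regexp(sasl_dn, rules, ignore_case=False):
    """Return (rule_index, mapped_dn) for the first rule whose pattern matches
    the whole SASL DN, or (None, None) when no rule matches.

    Only the DN-replacement form is modelled; $1..$9 refer to capture groups.
    """
    flags = re.IGNORECASE if ignore_case else 0
    for idx, (pattern, replacement) in enumerate(rules):
        m = re.fullmatch(pattern, sasl_dn, flags)
        if m is None:
            continue
        mapped = re.sub(r"\$([1-9])", lambda g: m.group(int(g.group(1))), replacement)
        return idx, mapped
    return None, None


def normalize_dn(dn):
    """Crude DN normalisation for lookup: trim around commas and lowercase.
    Real DN matching is schema-aware; this is enough for the demonstration."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def diagnose(sasl_dn, rules, directory, ignore_case=False):
    """Classify the outcome of the authz mapping for a bind.

    Returns one of:
      'no_rule_matched'   - identity stays uid=...,cn=gssapi,cn=auth
      'mapped_dn_missing' - a rule fired, but the resulting DN has no entry
      'ok'                - a rule fired and the entry exists
    """
    idx, mapped = apply_authz_regexp(sasl_dn, rules, ignore_case)
    if idx is None:
        return "no_rule_matched"
    known = {normalize_dn(d) for d in directory}
    if normalize_dn(mapped) not in known:
        return "mapped_dn_missing"
    return "ok"


if __name__ == "__main__":
    cases = [
        ("rule as posted, case-sensitive", [RULE_FROM_POST], False),
        ("rule as posted, case-insensitive", [RULE_FROM_POST], True),
        ("lowercase cn=example.org", [RULE_LOWERCASE], False),
        ("hypothetical cn=$1 replacement", [RULE_CN_RDN], False),
    ]
    for label, rules, icase in cases:
        _, mapped = apply_authz_regexp(SASL_AUTHZ_DN, rules, icase)
        print(f"{label:36} -> {diagnose(SASL_AUTHZ_DN, rules, SAMPLE_DIRECTORY, icase):18} {mapped}")
```

Run it as a script to see all four outcomes side by side. The useful observation for the thread is that fixing the case alone moves the failure from "no rule matched" to "mapped DN missing" against the quoted entry; whichever rule is used, the DN it produces must resolve to an existing entry, which can be confirmed on a real server with ldapwhoami after the rule change, or with a plain ldapsearch for the mapped DN.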