On Sun, Jan 20, 2013 at 5:30 PM, mallapadi niranjan < niranjan.ashok@gmail.com> wrote:
Hi all,
I need some help in finding more about the below error:
Jan 20 05:34:58 ldap2 slapd[2561]: conn=1025 op=1 RESULT tag=97 err=14 text=SASL(0): successful result:
Jan 20 05:34:58 ldap2 slapd[2561]: conn=1025 op=2 BIND dn="" method=163
Jan 20 05:34:58 ldap2 slapd[2561]: SASL [conn=1025] Failure: Inappropriate authentication
Jan 20 05:34:58 ldap2 slapd[2561]: conn=1025 op=2 RESULT tag=97 err=50 text=SASL(-14): authorization failure: Inappropriate authentication
Jan 20 05:34:58 ldap2 slapd[2561]: conn=1025 op=3 UNBIND
Jan 20 05:34:58 ldap2 slapd[2561]: conn=1025 fd=31 closed
More information:
OpenLDAP version: openldap-servers-2.4.23-26.el6_3.2.x86_64
What I am trying to do is this: I have configured bind (named) to store its records in an LDAP server using the plugin provided by bind-dyndb-ldap-1.1.0-0.9.b1.el6.x86_64, and I have configured named.conf to access the LDAP server only through GSSAPI.
options {
        listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        forward first;
        forwarders { };
        #dnssec-enable yes;
        #dnssec-validation yes;
        #dnssec-lookaside auto;
        allow-recursion { any; };
        /* Path to ISC DLV key */
        #bindkeys-file "/etc/named.iscdlv.key";
        #managed-keys-directory "/var/named/dynamic";
        tkey-gssapi-credential "dnsadmin@EXAMPLE.ORG";
        tkey-domain "EXAMPLE.ORG";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

dynamic-db "openldap" {
        library "ldap.so";
        #arg "uri ldapi://%2fvar%2frun%2fldapi";
        arg "uri ldap://localhost";
        arg "base cn=dns,dc=example,dc=org";
        arg "fake_mname ldap2.example.org.";
        arg "auth_method sasl";
        arg "sasl_mech GSSAPI";
        arg "sasl_user dnsadmin@EXAMPLE.ORG";
        arg "zone_refresh 30";
};
As you can see, named uses dnsadmin@EXAMPLE.ORG as its SASL authentication user; dnsadmin@EXAMPLE.ORG is a user who exists in the LDAP records:
dn: cn=dnsadmin,ou=People,dc=example,dc=org
cn: dnsadmin
sn: user
objectClass: person
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
userPassword:: U2VjcmV0MTIz
krbPrincipalName: dnsadmin@EXAMPLE.ORG
krbLoginFailedCount: 0
krbPrincipalKey:: MIIByKADAgEBoQMCAQGiAwIBAqMDAgEBpIIBsDCCAawwVKAHMAWgAwIBAKFJ
 MEegAwIBEqFABD4gACUNiDAaRqfI6BDKN9YZ/DhvIf6TfUZY8pdWQ5HvM1ZI/DOxdPnIoXfnbjRT+
 i7D7lMpkixzcxcFki3fFDBEoAcwBaADAgEAoTkwN6ADAgERoTAELhAAqBkEvL+gzUndM8TNS7ik+I
 1weyacnVPB3PaFjtteeQBLcmrqikUN9eCWTDgwTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYAM0347z
 v8kK3gj0A9SYOzUDa7Hc89pG1dg4LOdJfam6QkNGamezP45ZnFLzGSQ/oTR76I3YwRKAHMAWgAwIB
 AKE5MDegAwIBF6EwBC4QAC3muW46EjvmxYXnvzA11/kiUrGwknrOL/dtcVVhx2ul81zChqkfuHYjU
 BbTMDygBzAFoAMCAQChMTAvoAMCAQihKAQmCADtDnWrNBUuisnbEstExWOiwQphTqqXyrzPi1XQ3U
 jvE0TpMZUwPKAHMAWgAwIBAKExMC+gAwIBA6EoBCYIAFNul3CO38n/hMzLT9lT31ma7ObzhJ9B1qn
 BIGSvn7wDSiH2dw==
krbPasswordExpiration: 19700101000000Z
krbLastPwdChange: 20130119232256Z
krbExtraData:: AALQKvtQcm9vdC9hZG1pbkBFWEFNUExFLk9SRwA=
krbExtraData:: AAgBAA==
named reads the /etc/named.keytab file to get dnsadmin@EXAMPLE.ORG:
[root@ldap2 master]# klist -k /etc/named.keytab
Keytab name: WRFILE:/etc/named.keytab
KVNO Principal
   2 dnsadmin@EXAMPLE.ORG
   2 dnsadmin@EXAMPLE.ORG
   2 dnsadmin@EXAMPLE.ORG
   2 dnsadmin@EXAMPLE.ORG
   2 dnsadmin@EXAMPLE.ORG
   2 dnsadmin@EXAMPLE.ORG
What I am looking for is this: when bind tries to connect to the LDAP server using "dnsadmin@EXAMPLE.ORG", I see the error below:
Jan 20 05:47:43 ldap2 slapd[2561]: conn=1031 op=0 RESULT tag=97 err=14 text=SASL(0): successful result:
Jan 20 05:47:43 ldap2 slapd[2561]: connection_input: conn=1031 deferring operation: binding
Jan 20 05:47:43 ldap2 slapd[2561]: conn=1031 op=1 BIND dn="" method=163
Jan 20 05:47:43 ldap2 slapd[2561]: connection_input: conn=1031 deferring operation: binding
Jan 20 05:47:43 ldap2 slapd[2561]: conn=1031 op=1 RESULT tag=97 err=14 text=SASL(0): successful result:
Jan 20 05:47:43 ldap2 slapd[2561]: conn=1031 op=2 BIND dn="" method=163
Jan 20 05:47:43 ldap2 slapd[2561]: SASL [conn=1031] Failure: Inappropriate authentication
Jan 20 05:47:43 ldap2 slapd[2561]: conn=1031 op=3 UNBIND
Jan 20 05:47:43 ldap2 slapd[2561]: conn=1031 op=2 RESULT tag=97 err=50 text=SASL(-14): authorization failure: Inappropriate authentication
Jan 20 05:47:43 ldap2 slapd[2561]: conn=1031 fd=34 closed
Can anyone help me with how to enable more debugging to get more info about err=50 (insufficient access error)? Below is my olcAuthzRegexp configuration:
# config
dn: cn=config
objectClass: olcGlobal
cn: config
olcConfigFile: /opt/setup-openldap/sample-slapd.conf
olcConfigDir: /etc/openldap/slapd.d/
olcAllows: bind_v2
...
olcTLSCACertificateFile: /etc/pki/tls/certs/cacert.pem
olcTLSCertificateFile: /etc/pki/tls/certs/server.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/serverkey.pem
olcTLSVerifyClient: allow
olcToolThreads: 1
olcWriteTimeout: 0
olcAuthzRegexp: {0}uid=(.*),cn=EXAMPLE.ORG,cn=gssapi,cn=auth uid=$1,ou=People ,dc=example,dc=org
olcLogLevel: stats
And the output of ldapwhoami:
[root@ldap2 master]# ldapwhoami -Y GSSAPI -H ldapi:///
SASL/GSSAPI authentication started
SASL username: dnsadmin@EXAMPLE.ORG
SASL SSF: 56
SASL data security layer installed.
dn:uid=dnsadmin,cn=example.org,cn=gssapi,cn=auth
I just want to find out why named fails when it tries to SASL bind to OpenLDAP.

Thanks,
Niranjan
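An added check, not part of Niranjan's post or of OpenLDAP's own code: a small Python emulation of the olcAuthzRegexp rule quoted above, applied to the SASL DN that ldapwhoami printed and compared with the DN of the dnsadmin entry in the quoted LDIF. It assumes that slapd evaluates authz-regexp as a case-insensitive POSIX extended regex with $1..$9 group substitution, and treats the space in "ou=People ,dc=example" in the quoted LDIF as line folding rather than part of the value; both are assumptions, marked in the code, and the DN comparison is a deliberately rough one (lowercase, whitespace around commas stripped).

```python
import re

# Values copied from the post (constructed test input, not a live query).
OLC_AUTHZ_REGEXP_MATCH = r"uid=(.*),cn=EXAMPLE.ORG,cn=gssapi,cn=auth"
# Assumption: the space in "ou=People ,dc=example" in the posted LDIF is LDIF
# line folding, so the replacement is used here without it.
OLC_AUTHZ_REGEXP_REPLACE = "uid=$1,ou=People,dc=example,dc=org"
SASL_DN_FROM_LDAPWHOAMI = "uid=dnsadmin,cn=example.org,cn=gssapi,cn=auth"
ENTRY_DN_FROM_LDIF = "cn=dnsadmin,ou=People,dc=example,dc=org"


def apply_authz_regexp(sasl_dn, match, replace):
    """Emulate one slapd authz-regexp rule.

    Assumption: slapd compiles <match> as a POSIX extended regex with
    REG_ICASE and substitutes $1..$9 in <replace> with the captured groups.
    Returns the mapped identity, or None when the rule does not match (slapd
    then keeps the raw ...,cn=auth SASL DN as the bound identity).
    """
    m = re.search(match, sasl_dn, re.IGNORECASE)
    if m is None:
        return None
    return re.sub(r"\$([1-9])", lambda g: m.group(int(g.group(1))), replace)


def normalize_dn(dn):
    """Rough DN normalisation for comparison: lowercase, no space around commas."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def check_mapping(sasl_dn, entry_dn,
                  match=OLC_AUTHZ_REGEXP_MATCH, replace=OLC_AUTHZ_REGEXP_REPLACE):
    """Return (mapped_dn, is_entry_dn).

    mapped_dn is what the rule turns sasl_dn into (None if the rule does not
    match); is_entry_dn says whether that mapped DN is the DN of the entry the
    directory actually holds.
    """
    mapped = apply_authz_regexp(sasl_dn, match, replace)
    if mapped is None:
        return None, False
    return mapped, normalize_dn(mapped) == normalize_dn(entry_dn)


if __name__ == "__main__":
    mapped, is_entry = check_mapping(SASL_DN_FROM_LDAPWHOAMI, ENTRY_DN_FROM_LDIF)
    print("SASL DN  :", SASL_DN_FROM_LDAPWHOAMI)
    print("maps to  :", mapped)
    print("entry DN :", ENTRY_DN_FROM_LDIF)
    print("same DN? :", is_entry)
```

Run as is, it reports that the rule as written rewrites uid=dnsadmin,cn=example.org,cn=gssapi,cn=auth to uid=dnsadmin,ou=People,dc=example,dc=org, which is not the cn=dnsadmin,ou=People,dc=example,dc=org entry in the quoted LDIF. Separately, the ldapwhoami output in the post still prints the unmapped ...,cn=gssapi,cn=auth DN, so on that server the rule was not rewriting the GSSAPI identity at all; the emulation only shows what the rule would produce, and ldapwhoami -Y GSSAPI remains the quickest way to see what the running slapd actually binds a given principal as.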
Hi all,
Is there any specific log level which can help me get more information other than err=50? I did try err=4, but it did not give me any clue.

Thanks,
Niranjan