On Sun, Jan 20, 2013 at 5:30 PM, mallapadi niranjan <niranjan.ashok@gmail.com> wrote:
Hi all,

I need some help in finding more about the below error:

Jan 20 05:34:58 ldap2 slapd[2561]: conn=1025 op=1 RESULT tag=97 err=14 text=SASL(0): successful result:
Jan 20 05:34:58 ldap2 slapd[2561]: conn=1025 op=2 BIND dn="" method=163
Jan 20 05:34:58 ldap2 slapd[2561]: SASL [conn=1025] Failure: Inappropriate authentication
Jan 20 05:34:58 ldap2 slapd[2561]: conn=1025 op=2 RESULT tag=97 err=50 text=SASL(-14): authorization failure: Inappropriate authentication
Jan 20 05:34:58 ldap2 slapd[2561]: conn=1025 op=3 UNBIND
Jan 20 05:34:58 ldap2 slapd[2561]: conn=1025 fd=31 closed


More information:

Openldap version:openldap-servers-2.4.23-26.el6_3.2.x86_64

What i am trying to do is i have configure bind (named) to store it's records in LDAP server using plugin provided by bind-dyndb-ldap-1.1.0-0.9.b1.el6.x86_64,  And i have configure named.conf to access ldap server only through GSSAPI.

options {
        listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
       
        forward first;
        forwarders { };
        #dnssec-enable yes;
        #dnssec-validation yes;
        #dnssec-lookaside auto;
        allow-recursion { any; };
        /* Path to ISC DLV key */
        #bindkeys-file "/etc/named.iscdlv.key";
        #managed-keys-directory "/var/named/dynamic";
        tkey-gssapi-credential "dnsadmin@EXAMPLE.ORG";
        tkey-domain "EXAMPLE.ORG";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
        type hint;
        file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
dynamic-db "openldap" {
        library "ldap.so";
        #arg "uri ldapi://%2fvar%2frun%2fldapi";
        arg "uri ldap://localhost";
        arg "base cn=dns,dc=example,dc=org";
        arg "fake_mname ldap2.example.org.";
        arg "auth_method sasl";
        arg "sasl_mech GSSAPI";
        arg "sasl_user dnsadmin@EXAMPLE.ORG";
        arg "zone_refresh 30";
};

As you can see named checks for dnsadmin@EXAMPLE.ORG as it sasl  authentication user,  dnsadmin@EXAMPLE.ORG is an user  who exists in ldap records

dn: cn=dnsadmin,ou=People,dc=example,dc=org
cn: dnsadmin
sn: user
objectClass: person
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
userPassword:: U2VjcmV0MTIz
krbPrincipalName: dnsadmin@EXAMPLE.ORG
krbLoginFailedCount: 0
krbPrincipalKey:: MIIByKADAgEBoQMCAQGiAwIBAqMDAgEBpIIBsDCCAawwVKAHMAWgAwIBAKFJ
 MEegAwIBEqFABD4gACUNiDAaRqfI6BDKN9YZ/DhvIf6TfUZY8pdWQ5HvM1ZI/DOxdPnIoXfnbjRT+
 i7D7lMpkixzcxcFki3fFDBEoAcwBaADAgEAoTkwN6ADAgERoTAELhAAqBkEvL+gzUndM8TNS7ik+I
 1weyacnVPB3PaFjtteeQBLcmrqikUN9eCWTDgwTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYAM0347z
 v8kK3gj0A9SYOzUDa7Hc89pG1dg4LOdJfam6QkNGamezP45ZnFLzGSQ/oTR76I3YwRKAHMAWgAwIB
 AKE5MDegAwIBF6EwBC4QAC3muW46EjvmxYXnvzA11/kiUrGwknrOL/dtcVVhx2ul81zChqkfuHYjU
 BbTMDygBzAFoAMCAQChMTAvoAMCAQihKAQmCADtDnWrNBUuisnbEstExWOiwQphTqqXyrzPi1XQ3U
 jvE0TpMZUwPKAHMAWgAwIBAKExMC+gAwIBA6EoBCYIAFNul3CO38n/hMzLT9lT31ma7ObzhJ9B1qn
 BIGSvn7wDSiH2dw==
krbPasswordExpiration: 19700101000000Z
krbLastPwdChange: 20130119232256Z
krbExtraData:: AALQKvtQcm9vdC9hZG1pbkBFWEFNUExFLk9SRwA=
krbExtraData:: AAgBAA==


named reads /etc/named.keytab file to get dnsadmin@EXAMPLE.ORG

[root@ldap2 master]# klist -k /etc/named.keytab

Keytab name: WRFILE:/etc/named.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 dnsadmin@EXAMPLE.ORG
   2 dnsadmin@EXAMPLE.ORG
   2 dnsadmin@EXAMPLE.ORG
   2 dnsadmin@EXAMPLE.ORG
   2 dnsadmin@EXAMPLE.ORG
   2 dnsadmin@EXAMPLE.ORG


what i am looking for is when bind tries to connect using "dnsadmin@EXAMPLE.ORG" to ldap server i am seeing below error

Jan 20 05:47:43 ldap2 slapd[2561]: conn=1031 op=0 RESULT tag=97 err=14 text=SASL(0): successful result:
Jan 20 05:47:43 ldap2 slapd[2561]: connection_input: conn=1031 deferring operation: binding
Jan 20 05:47:43 ldap2 slapd[2561]: conn=1031 op=1 BIND dn="" method=163
Jan 20 05:47:43 ldap2 slapd[2561]: connection_input: conn=1031 deferring operation: binding
Jan 20 05:47:43 ldap2 slapd[2561]: conn=1031 op=1 RESULT tag=97 err=14 text=SASL(0): successful result:
Jan 20 05:47:43 ldap2 slapd[2561]: conn=1031 op=2 BIND dn="" method=163
Jan 20 05:47:43 ldap2 slapd[2561]: SASL [conn=1031] Failure: Inappropriate authentication
Jan 20 05:47:43 ldap2 slapd[2561]: conn=1031 op=3 UNBIND
Jan 20 05:47:43 ldap2 slapd[2561]: conn=1031 op=2 RESULT tag=97 err=50 text=SASL(-14): authorization failure: Inappropriate authentication
Jan 20 05:47:43 ldap2 slapd[2561]: conn=1031 fd=34 closed

Can any one help me on how to enable more debugging to get more info about the error=50 (Insufficient access error) , Below is my olcAuthRegexp configuration:

# config
dn: cn=config
objectClass: olcGlobal
cn: config
olcConfigFile: /opt/setup-openldap/sample-slapd.conf
olcConfigDir: /etc/openldap/slapd.d/
olcAllows: bind_v2
...
..
...
...
....
olcTLSCACertificateFile: /etc/pki/tls/certs/cacert.pem
olcTLSCertificateFile: /etc/pki/tls/certs/server.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/serverkey.pem
olcTLSVerifyClient: allow
olcToolThreads: 1
olcWriteTimeout: 0
olcAuthzRegexp: {0}uid=(.*),cn=EXAMPLE.ORG,cn=gssapi,cn=auth  uid=$1,ou=People
 ,dc=example,dc=org
olcLogLevel: stats


And the output of ldapwhoami

[root@ldap2 master]# ldapwhoami -Y GSSAPI -H ldapi:///
SASL/GSSAPI authentication started
SASL username: dnsadmin@EXAMPLE.ORG
SASL SSF: 56
SASL data security layer installed.
dn:uid=dnsadmin,cn=example.org,cn=gssapi,cn=auth

I just want to find out why named when trying to sasl bind with openldap it fails,  

Thanks
Niranjan

Hi all,

Is there any specific error log level which can help me get more information other than err=50, I did try err=4,  but it did not give me any clue.

Thanks
Niranjan