Greetings,
I am new to this list. I have a computer with these:
cpu: amd64 2 cores
os: linux 64bit distro=cblfs kernel-3.2.1, gcc-4.5.2
auth progs: MIT-kerberos-1.10, sasl-2.1.25, openldap-2.4.29
(I have an in-house CA and generated a signed certificate/key pair on this machine running openssl-0.9.8. I transferred these and the cacert.pem file securely to the machine above, and these are included in the slapd.conf file.)
I verified ldap is running without sasl with the ldapsearch command like so:
ldapsearch -xWLLL "ou=people" -H ldaps://tester.example.com
When I tried the same command for a sasl bind:
ldapsearch -LLL "ou=people" -H ldaps://tester.example.com
I get this:
###################################################
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
###################################################
(For debugging) I did the same with the -d -1 switch:
ldapsearch -LLL -d -1 "ou=people" -H ldaps://tester.example.com
and excerpts from the output are below:
######################################################
ldap_url_parse_ext(ldaps://tester.example.com)
ldap_create
ldap_url_parse_ext(ldaps://tester.example.com:636/??base)
ldap_sasl_interactive_bind: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP tester.example.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.10.10.10:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
tls_write: want=211, written=211
  0000:  16 03 01 00 ce 01 00 00  ca 03 01 4f 52 8f 3c 49   ...........OR.<I
  0010:  ca 19 83 08 c8 85 c3 00  94 20 0b 48 32 1a c1 40   ......... .H2..@
--------------
TLS trace: SSL_connect:SSLv2/v3 write client hello A
tls_read: want=7, got=7
--------------
TLS trace: SSL_connect:SSLv3 read server hello A
tls_read: want=5, got=5
  0000:  16 03 01 06 5b
--------------
TLS trace: SSL_connect:SSLv3 read server certificate A
tls_read: want=5, got=5
  0000:  16 03 01 00 8d   .....
tls_read: want=141, got=141
--------------
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
tls_write: want=210, written=210
--------------
TLS trace: SSL_connect:SSLv3 flush data
tls_read: want=5, got=5
  0000:  16 03 01 00 ba   .....
tls_read: want=186, got=186
--------------
TLS trace: SSL_connect:SSLv3 read server session ticket A
tls_read: want=5, got=5
  0000:  14 03 01 00 01   .....
tls_read: want=1, got=1
  0000:  01   .
tls_read: want=5, got=5
  0000:  16 03 01 00 30   ....0
tls_read: want=48, got=48
--------------
TLS trace: SSL_connect:SSLv3 read finished A
ldap_int_sasl_open: host=tester.example.com
SASL/GSSAPI authentication started
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_dump: buf=0x20ebed0 ptr=0x20ebed0 end=0x20ec16a len=666
--------------
ldap_msgfree
ldap_result ld 0x2018010 msgid 1
wait4msg ld 0x2018010 msgid 1 (infinite timeout)
wait4msg continue ld 0x2018010 msgid 1 all 1
** ld 0x2018010 Connections:
* host: tester.example.com  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Sat Mar  3 21:38:04 2012
** ld 0x2018010 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x2018010 request count 1 (abandoned 0)
** ld 0x2018010 Response Queue:
   Empty
  ld 0x2018010 response count 0
ldap_chkResponseList ld 0x2018010 msgid 1 all 1
ldap_chkResponseList returns ld 0x2018010 NULL
ldap_int_select
read1msg: ld 0x2018010 msgid 1 all 1
ber_get_next
tls_read: want=5, got=5
  0000:  17 03 01 00 20   ....
tls_read: want=32, got=32
--------------
tls_read: want=5, got=5
  0000:  17 03 01 00 70   ....p
tls_read: want=112, got=112
--------------
ldap_read: want=79, got=79
  0000:  01 31 04 00 04 49 53 41  53 4c 28 2d 31 33 29 3a   .1...ISASL(-13):
  0010:  20 61 75 74 68 65 6e 74  69 63 61 74 69 6f 6e 20    authentication 
  0020:  66 61 69 6c 75 72 65 3a  20 47 53 53 41 50 49 20   failure: GSSAPI 
  0030:  46 61 69 6c 75 72 65 3a  20 67 73 73 5f 61 63 63   Failure: gss_acc
  0040:  65 70 74 5f 73 65 63 5f  63 6f 6e 74 65 78 74      ept_sec_context
ber_get_next: tag 0x30 len 85 contents:
--------------
read1msg: ld 0x2018010 0 new referrals
read1msg:  mark request completed, ld 0x2018010 msgid 1
request done: ld 0x2018010 msgid 1
res_errno: 49, res_error: <SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_int_sasl_bind: <null>
ldap_parse_sasl_bind_result
ber_scanf fmt ({eAA) ber:
ber_dump: buf=0x20eb750 ptr=0x20eb753 end=0x20eb7a5 len=82
--------------
#########################################################################
Advice would be appreciated.
sincerely
lux-integ
Either disable gssapi or install and configure it.
suomi
On 03/04/2012 04:04 PM, luxInteg wrote:
Greetings,
I am new to this list. I have a computer with these:
cpu: amd64 2 cores
os: linux 64bit distro=cblfs kernel-3.2.1, gcc-4.5.2
auth progs: MIT-kerberos-1.10, sasl-2.1.25, openldap-2.4.29
(I have an in-house CA and generated a signed certificate/key pair on this machine running openssl-0.9.8. I transferred these and the cacert.pem file securely to the machine above, and these are included in the slapd.conf file.)
I verified ldap is running without sasl with the ldapsearch command like so:
ldapsearch -xWLLL "ou=people" -H ldaps://tester.example.com
When I tried the same command for a sasl bind:
ldapsearch -LLL "ou=people" -H ldaps://tester.example.com
I get this:
###################################################
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
###################################################
(For debugging) I did the same with the -d -1 switch:
ldapsearch -LLL -d -1 "ou=people" -H ldaps://tester.example.com
Advice would be appreciated.
sincerely
lux-integ
On Sunday 04 March 2012 17:43:29 anax wrote:
Either disable gssapi or install and configure it.
Could you be more specific please?
As I have krb5-1.10 installed and configured, and I am able to start kdc and kadmin and get tickets etc. I have a keytab with ldap/tester.example.com@EXAMPLE.COM and I have it with these permissions:
chmod 660 /path/to/keytab
chown root:openldap /path/to/keytab
and I started slapd with -g openldap (the group with the ldap users).
If you or others could tell me what I am doing wrong I would be most grateful.
sincerely lux-integ
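The permission check described in the message above can be made mechanical. What follows is an added example, not code from this thread or from the OpenLDAP project: given a keytab path and the numeric group id slapd was started with (the `openldap` group above), it reports whether slapd can read the keytab and whether the service key is exposed to other local accounts. The function names `check_mode`, `keytab_problems` and `demo` are this example's own, and the temporary file in `demo` is a constructed stand-in for /path/to/keytab.

```python
import os
import stat
import tempfile

# Names and findings here are this example's own; the thread only states
# "chmod 660", "chown root:openldap" and "slapd -g openldap".


def check_mode(mode: int, file_gid: int, slapd_gid: int) -> list:
    """Evaluate a keytab's permission bits against the group slapd runs as.

    mode      -- permission bits only (e.g. 0o640), as from stat.S_IMODE
    file_gid  -- numeric gid owning the file
    slapd_gid -- numeric gid slapd was started with (-g); assumed the daemon
                 is not running as uid 0, in which case mode bits do not apply
    Returns a list of findings; an empty list means slapd can open the keytab
    and no other non-root local account can read the service key.
    """
    findings = []
    if mode & stat.S_IRWXO:
        findings.append("world-accessible (mode %o): any local user can read the service key" % mode)
    if file_gid != slapd_gid:
        findings.append("file gid %d differs from slapd's gid %d: slapd cannot open the keytab"
                        % (file_gid, slapd_gid))
    elif not mode & stat.S_IRGRP:
        findings.append("group lacks read permission (mode %o): slapd cannot open the keytab" % mode)
    if mode & stat.S_IWGRP:
        findings.append("group-writable (mode %o): 640 is enough, slapd only needs to read the key" % mode)
    return findings


def keytab_problems(path: str, slapd_gid: int) -> list:
    """Run check_mode against a real file; owner bits are left to root."""
    st = os.stat(path)
    return check_mode(stat.S_IMODE(st.st_mode), st.st_gid, slapd_gid)


def demo() -> dict:
    """Constructed scenario: a temporary file stands in for /path/to/keytab
    and the group it was created with stands in for the openldap group."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        slapd_gid = os.stat(path).st_gid
        results = {}
        for mode in (0o640, 0o660, 0o644):
            os.chmod(path, mode)
            results["%o" % mode] = keytab_problems(path, slapd_gid)
        return results
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for mode, findings in demo().items():
        print(mode, "OK" if not findings else "; ".join(findings))
```

Of the three modes the demo tries, only 640 comes back clean: 660 works for slapd but grants a write bit the daemon never needs, and 644 is the case a defender cares most about, since any local account could copy the service key and impersonate the LDAP server.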
On 03/04/12 15:04 +0000, luxInteg wrote:
Greetings,
I am new to this list. I have a computer with these:
cpu: amd64 2 cores
os: linux 64bit distro=cblfs kernel-3.2.1, gcc-4.5.2
auth progs: MIT-kerberos-1.10, sasl-2.1.25, openldap-2.4.29
(I have an in-house CA and generated a signed certificate/key pair on this machine running openssl-0.9.8. I transferred these and the cacert.pem file securely to the machine above, and these are included in the slapd.conf file.)
I verified ldap is running without sasl with the ldapsearch command like so:
ldapsearch -xWLLL "ou=people" -H ldaps://tester.example.com
When I tried the same command for a sasl bind:
ldapsearch -LLL "ou=people" -H ldaps://tester.example.com
I get this:
###################################################
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
###################################################
Check your kdc logs. Research what 'gss_accept_sec_context' and 'res_matched' mean, since those appear to be errors returned from your krb5 library.
Make sure you are not hitting this bug in cyrus sasl:
https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480
One way to determine if you are is to perform your gssapi bind without ldaps or starttls-over-ldap.
read1msg: ld 0x2018010 0 new referrals
read1msg:  mark request completed, ld 0x2018010 msgid 1
request done: ld 0x2018010 msgid 1
res_errno: 49, res_error: <SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_int_sasl_bind: <null>
ldap_parse_sasl_bind_result
ber_scanf fmt ({eAA) ber:
ber_dump: buf=0x20eb750 ptr=0x20eb753 end=0x20eb7a5 len=82
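As an added example, not part of Dan White's reply or of the OpenLDAP code, the following decodes the BindResponse whose hex dump appears in the -d -1 trace earlier in the thread, and shows what the three fields the trace prints at the end (res_errno, res_error, res_matched) are: the resultCode, diagnosticMessage and matchedDN of an LDAPResult as defined in RFC 4511. The dump in the trace begins after ber_get_next has already consumed the message header; those eight leading bytes (SEQUENCE header, messageID 1, BindResponse tag and length, and the ENUMERATED tag of resultCode) are not on the page and are reconstructed here from the protocol definition, marked as such in the code. The function names are this example's own.

```python
# Added example: decode the LDAP BindResponse captured in the ldapsearch -d -1
# trace.  The three values the trace prints are the three fields of an
# LDAPResult (RFC 4511, section 4.1.9):
#   res_errno   -> resultCode        (ENUMERATED; 49 = invalidCredentials)
#   res_error   -> diagnosticMessage (text produced by the server's SASL layer)
#   res_matched -> matchedDN         (empty for a failed bind)

# Hex dump copied from the "ldap_read: want=79, got=79" block of the trace,
# with the ASCII column dropped.
TRACE_DUMP = """
0000: 01 31 04 00 04 49 53 41 53 4c 28 2d 31 33 29 3a
0010: 20 61 75 74 68 65 6e 74 69 63 61 74 69 6f 6e 20
0020: 66 61 69 6c 75 72 65 3a 20 47 53 53 41 50 49 20
0030: 46 61 69 6c 75 72 65 3a 20 67 73 73 5f 61 63 63
0040: 65 70 74 5f 73 65 63 5f 63 6f 6e 74 65 78 74
"""

# ber_get_next reported "tag 0x30 len 85" and consumed the first six content
# bytes before the dump starts.  These bytes are NOT in the trace; they are
# reconstructed from the protocol definition so the message is complete:
#   30 55      LDAPMessage SEQUENCE, 85 content bytes
#   02 01 01   messageID INTEGER 1 (matches "msgid 1" in the trace)
#   61 50      BindResponse [APPLICATION 1], 80 content bytes
#   0a         ENUMERATED tag of resultCode (its length and value open the dump)
RECONSTRUCTED_PREFIX = bytes.fromhex("30 55 02 01 01 61 50 0a")

RESULT_CODES = {
    0: "success",
    7: "authMethodNotSupported",
    8: "strongerAuthRequired",
    14: "saslBindInProgress",
    49: "invalidCredentials",
}


def parse_hexdump(dump: str) -> bytes:
    """Turn 'offset: xx xx ...' lines (ASCII column removed) into bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        _offset, _, hexpart = line.partition(":")
        out.extend(int(tok, 16) for tok in hexpart.split())
    return bytes(out)


def read_tlv(buf: bytes, pos: int):
    """Read one BER tag-length-value at pos; return (tag, value, next_pos).
    Handles short-form and long-form definite lengths."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = octet count
        n_octets = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n_octets], "big")
        pos += n_octets
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def decode_bind_response(msg: bytes) -> dict:
    """Decode LDAPMessage{messageID, BindResponse{resultCode, matchedDN,
    diagnosticMessage}}; optional referral/serverSaslCreds are ignored."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("expected LDAPMessage SEQUENCE (0x30), got 0x%02x" % tag)
    tag, msgid, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("expected messageID INTEGER")
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x61:
        raise ValueError("expected BindResponse (0x61), got 0x%02x" % tag)
    tag, code, pos = read_tlv(op, 0)
    if tag != 0x0A:
        raise ValueError("expected resultCode ENUMERATED")
    _, matched, pos = read_tlv(op, pos)
    _, diag, pos = read_tlv(op, pos)
    result_code = int.from_bytes(code, "big")
    return {
        "message_id": int.from_bytes(msgid, "big"),
        "result_code": result_code,                 # res_errno in the trace
        "result_name": RESULT_CODES.get(result_code, "other"),
        "matched_dn": matched.decode("utf-8"),      # res_matched in the trace
        "diagnostic": diag.decode("utf-8"),         # res_error in the trace
    }


def classify_gssapi_failure(diagnostic: str) -> str:
    """Name the side of the GSS-API exchange the diagnostic points at.
    SASL(-13) is Cyrus SASL_BADAUTH; the GSS call named after it says which
    peer failed: gss_accept_sec_context runs on the acceptor (slapd),
    gss_init_sec_context on the initiator (ldapsearch)."""
    if "gss_accept_sec_context" in diagnostic:
        return "acceptor (server) failed to accept the ticket"
    if "gss_init_sec_context" in diagnostic:
        return "initiator (client) failed to build the ticket"
    return "not a GSS-API context failure"


def decode_trace() -> dict:
    """Decode the message from the thread's trace and classify it."""
    result = decode_bind_response(RECONSTRUCTED_PREFIX + parse_hexdump(TRACE_DUMP))
    result["failure_side"] = classify_gssapi_failure(result["diagnostic"])
    return result


if __name__ == "__main__":
    for key, value in decode_trace().items():
        print("%-13s %s" % (key, value))
```

Because the diagnostic names the acceptor call, the failure happened while slapd was validating the client's ticket, not while the client was obtaining one; that is consistent with the suggestion to look at the KDC log and the server's own Kerberos setup rather than at the client's credential cache.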
On Tuesday 06 March 2012 14:40:17 Dan White wrote:
Make sure you are not hitting this bug in cyrus sasl:
https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480
One way to determine if you are is to perform your gssapi bind without ldaps or starttls-over-ldap.
I did the test as you suggested. I get the same result whether ldap:// or ldaps:// (i.e. whether or not I use tls). Unfortunately I cannot make head nor tail of the link, whether there is a gssapi-sasl patch or indeed which file in sasl-2.1.25 I need to modify for a fix. I also did a wander on the internet search engines but found nowt of consequence.
Advice would be much appreciated.
sincerely
lux-integ
openldap-technical@openldap.org