Date:      Fri, 18 Sep 2009 11:21:19 +0300
From:      George Mamalakis <mamalos@eng.auth.gr>
To:        freebsd-stable <freebsd-stable@freebsd.org>
Subject:   SASL problems with spnego, heimdal, AND openldap on 8.0-BETA4
Message-ID:  <4AB342FF.8020103@eng.auth.gr>

Dear all,

I changed the subject of my email, due to today's results on my 
configurations, regarding SASL authentication on 
openldap-sasl-server-2.4.18_1, with cyrus-sasl-2.1.23, and fbsd's 
8-BETA4 heimdal. When I try to ldapsearch from another machine to the 
openldap server, slapd hangs!

The client goes like that:
(
client-host$ ldapsearch -d 255 -H ldap://ldap.example.com -b 'dc=example,dc=com'

ldap_url_parse_ext(ldap://ldap.example.com)
ldap_create
ldap_url_parse_ext(ldap://ldap.example.com:389/??base)
ldap_sasl_interactive_bind_s: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.example.com:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 1.2.3.4:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_int_sasl_open: host=ldap.example.com
SASL/GSSAPI authentication started
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_dump: buf=0x34142000 ptr=0x34142000 end=0x341422b4 len=692
  0000:  30 82 02 b0 02 01 01 60  82 02 a9 02 01 03 04 00   0......`........
  0010:  a3 82 02 a0 04 06 47 53  53 41 50 49 04 82 02 94   ......GSSAPI....
  0020:  60 82 02 90 06 09 2a 86  48 86 f7 12 01 02 02 01   `.....*.H.......
  0030:  00 6e 82 02 7f 30 82 02  7b a0 03 02 01 05 a1 03   .n...0..{.......
..... packet information.....

ber_scanf fmt ({i) ber:
ber_dump: buf=0x34142000 ptr=0x34142007 end=0x341422b4 len=685
  0000:  60 82 02 a9 02 01 03 04  00 a3 82 02 a0 04 06 47   `..............G
  0010:  53 53 41 50 49 04 82 02  94 60 82 02 90 06 09 2a   SSAPI....`.....*
  0020:  86 48 86 f7 12 01 02 02  01 00 6e 82 02 7f 30 82   .H........n...0.
..... more packet information.....

ber_flush2: 692 bytes to sd 3
  0000:  30 82 02 b0 02 01 01 60  82 02 a9 02 01 03 04 00   0......`........
  0010:  a3 82 02 a0 04 06 47 53  53 41 50 49 04 82 02 94   ......GSSAPI....
  0020:  60 82 02 90 06 09 2a 86  48 86 f7 12 01 02 02 01   `.....*.H.......
..... even more packet information.....

ldap_write: want=692, written=692
  0000:  30 82 02 b0 02 01 01 60  82 02 a9 02 01 03 04 00   0......`........
  0010:  a3 82 02 a0 04 06 47 53  53 41 50 49 04 82 02 94   ......GSSAPI....
..... even even more packet information.....

ldap_result ld 0x34124040 msgid 1
wait4msg ld 0x34124040 msgid 1 (infinite timeout)
wait4msg continue ld 0x34124040 msgid 1 all 1
** ld 0x34124040 Connections:
* host: ldap.example.com  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Fri Sep 18 11:02:10 2009


** ld 0x34124040 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x34124040 request count 1 (abandoned 0)
** ld 0x34124040 Response Queue:
   Empty
  ld 0x34124040 response count 0
ldap_chkResponseList ld 0x34124040 msgid 1 all 1
ldap_chkResponseList returns ld 0x34124040 NULL
ldap_int_select
read1msg: ld 0x34124040 msgid 1 all 1
ber_get_next
ldap_read: want=8, got=0

ber_get_next failed.
ldap_free_connection 1 0
ldap_free_connection: actually freed
ldap_err2string
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

)

And this is where it loses connection. From the server's point of view, 
the only thing I get from the logs (loglevel args config stats) is:

Sep 18 11:02:08 ldap slapd[2257]: conn=1 fd=13 ACCEPT from IP=1.2.3.5:50345 (IP=0.0.0.0:389)
Sep 18 11:02:08 ldap slapd[2257]: connection_get(13)
Sep 18 11:02:08 ldap slapd[2257]: conn=1 op=0 BIND dn="" method=163
Sep 18 11:02:08 ldap slapd[2257]: ==> sasl_bind: dn="" mech=GSSAPI datalen=660

And after that the server is down.

I don't know what to do, I'll try to update heimdal to version 1.2.1, as 
John Marshall advised me in his last email.

If anyone knows anything more, I would be delighted if he could share it 
on this list.

Thanks again for reading.

-- 
George Mamalakis

IT Officer
Electrical and Computer Engineer (Aristotle Un. of Thessaloniki),
MSc (Imperial College of London)

Department of Electrical and Computer Engineering
Faculty of Engineering
Aristotle University of Thessaloniki

phone number : +30 (2310) 994379
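As an added example (not part of George's mail, OpenLDAP or Heimdal), the Python below decodes the 64 bytes of the client-side ber_dump quoted above as BER TLVs, so the bind can be read against the slapd log lines: the authentication CHOICE tag 0xa3 is the `method=163` slapd logs, the credentials length is its `datalen=660`, and the first OID inside the credentials names the GSS-API mechanism the client sent. The byte rows are copied from the message; the rest of the 692-byte packet is elided there, so only this prefix is walked.

```python
# Constructed input: the four ber_dump rows (0000..0030) quoted in the mail.
DUMP_ROWS = [
    "30 82 02 b0 02 01 01 60 82 02 a9 02 01 03 04 00",
    "a3 82 02 a0 04 06 47 53 53 41 50 49 04 82 02 94",
    "60 82 02 90 06 09 2a 86 48 86 f7 12 01 02 02 01",
    "00 6e 82 02 7f 30 82 02 7b a0 03 02 01 05 a1 03",
]
BIND_BYTES = bytes.fromhex("".join(DUMP_ROWS))

def read_tlv(buf, pos):
    """Return (tag, length, value_offset) for the BER TLV at pos.
    Single-byte tags and short/long definite lengths, which is all this dump uses."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, first, pos + 2
    n = first & 0x7F
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n

def decode_oid(value):
    """Dotted form of a BER OBJECT IDENTIFIER value (first arc 0 or 1)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc); acc = 0
    return ".".join(map(str, arcs))

def decode_bind_request(buf):
    """Walk LDAPMessage -> BindRequest -> SaslCredentials -> GSS token header and
    return the fields that line up with the slapd log lines in the mail."""
    out = {}
    tag, _, p = read_tlv(buf, 0)                 # LDAPMessage SEQUENCE (0x30), len 688
    tag, ln, p = read_tlv(buf, p)                # messageID INTEGER
    out["message_id"] = int.from_bytes(buf[p:p + ln], "big"); p += ln
    tag, _, p = read_tlv(buf, p)                 # protocolOp: 0x60 = [APPLICATION 0] BindRequest
    out["protocol_op"] = tag
    tag, ln, p = read_tlv(buf, p)                # version INTEGER
    out["version"] = int.from_bytes(buf[p:p + ln], "big"); p += ln
    tag, ln, p = read_tlv(buf, p)                # name LDAPDN, empty for a SASL bind
    out["bind_dn"] = buf[p:p + ln].decode(); p += ln
    tag, _, p = read_tlv(buf, p)                 # authentication CHOICE: 0xa3 = [3] sasl
    out["auth_choice_tag"] = tag                 # slapd prints this as method=163
    tag, ln, p = read_tlv(buf, p)                # SaslCredentials.mechanism OCTET STRING
    out["mechanism"] = buf[p:p + ln].decode(); p += ln
    tag, ln, p = read_tlv(buf, p)                # SaslCredentials.credentials OCTET STRING
    out["credentials_len"] = ln                  # slapd prints this as datalen=660
    tag, _, p = read_tlv(buf, p)                 # GSS-API InitialContextToken ([APPLICATION 0])
    tag, ln, p = read_tlv(buf, p)                # thisMech OID; 1.2.840.113554.1.2.2 is Kerberos V5
    out["gss_mech_oid"] = decode_oid(buf[p:p + ln])
    return out
```

Running `decode_bind_request(BIND_BYTES)` on the quoted bytes yields version 3, an empty bind DN, mechanism GSSAPI and a 660-byte credentials field, matching the server's `sasl_bind` log line.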
