Date: Fri, 18 Sep 2009 11:21:19 +0300 From: George Mamalakis <mamalos@eng.auth.gr> To: freebsd-stable <freebsd-stable@freebsd.org> Subject: SASL problems with spnego, heimdal, AND openldap on 8.0-BETA4 Message-ID: <4AB342FF.8020103@eng.auth.gr>
next in thread | raw e-mail | index | archive | help
Dear all,
I changed the subject of my email, due to today's results on my
configurations, regarding SASL authentication on
openldap-sasl-server-2.4.18_1, with cyrus-sasl-2.1.23, and fbsd's
8-BETA4 heimdal. When I try to ldapsearch from another machine to the
openldap server, slapd hangs!
The client goes like that:
(
client-host$ ldapsearch -d 255 -H ldap://ldap.example.com -b
'dc=example,dc=com'
ldap_url_parse_ext(ldap://ldap.example.com)
ldap_create
ldap_url_parse_ext(ldap://ldap.example.com:389/??base)
ldap_sasl_interactive_bind_s: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.example.com:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 1.2.3.4:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_int_sasl_open: host=ldap.example.com
SASL/GSSAPI authentication started
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_dump: buf=0x34142000 ptr=0x34142000 end=0x341422b4 len=692
0000: 30 82 02 b0 02 01 01 60 82 02 a9 02 01 03 04 00
0......`........
0010: a3 82 02 a0 04 06 47 53 53 41 50 49 04 82 02 94
......GSSAPI....
0020: 60 82 02 90 06 09 2a 86 48 86 f7 12 01 02 02 01
`.....*.H.......
0030: 00 6e 82 02 7f 30 82 02 7b a0 03 02 01 05 a1 03
.n...0..{.......
..... packet infrormation.....
ber_scanf fmt ({i) ber:
ber_dump: buf=0x34142000 ptr=0x34142007 end=0x341422b4 len=685
0000: 60 82 02 a9 02 01 03 04 00 a3 82 02 a0 04 06 47
`..............G
0010: 53 53 41 50 49 04 82 02 94 60 82 02 90 06 09 2a
SSAPI....`.....*
0020: 86 48 86 f7 12 01 02 02 01 00 6e 82 02 7f 30 82
.H........n...0.
..... more packet infrormation.....
ber_flush2: 692 bytes to sd 3
0000: 30 82 02 b0 02 01 01 60 82 02 a9 02 01 03 04 00
0......`........
0010: a3 82 02 a0 04 06 47 53 53 41 50 49 04 82 02 94
......GSSAPI....
0020: 60 82 02 90 06 09 2a 86 48 86 f7 12 01 02 02 01
`.....*.H.......
..... even more packet infrormation.....
ldap_write: want=692, written=692
0000: 30 82 02 b0 02 01 01 60 82 02 a9 02 01 03 04 00
0......`........
0010: a3 82 02 a0 04 06 47 53 53 41 50 49 04 82 02 94
......GSSAPI....
..... even even more packet infrormation
ldap_result ld 0x34124040 msgid 1
wait4msg ld 0x34124040 msgid 1 (infinite timeout)
wait4msg continue ld 0x34124040 msgid 1 all 1
** ld 0x34124040 Connections:
* host: ldap.example.com port: 389 (default)
refcnt: 2 status: Connected
last used: Fri Sep 18 11:02:10 2009
** ld 0x34124040 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x34124040 request count 1 (abandoned 0)
** ld 0x34124040 Response Queue:
Empty
ld 0x34124040 response count 0
ldap_chkResponseList ld 0x34124040 msgid 1 all 1
ldap_chkResponseList returns ld 0x34124040 NULL
ldap_int_select
read1msg: ld 0x34124040 msgid 1 all 1
ber_get_next
ldap_read: want=8, got=0
ber_get_next failed.
ldap_free_connection 1 0
ldap_free_connection: actually freed
ldap_err2string
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
)
And this is where it loses connection. From the server's point of view,
the only thing I get from the logs (loglevel args config stats) is:
Sep 18 11:02:08 ldap slapd[2257]: conn=1 fd=13 ACCEPT from
IP=1.2.3.5:50345 (IP=0.0.0.0:389)
Sep 18 11:02:08 ldap slapd[2257]: connection_get(13)
Sep 18 11:02:08 ldap slapd[2257]: conn=1 op=0 BIND dn="" method=163
Sep 18 11:02:08 ldap slapd[2257]: ==> sasl_bind: dn="" mech=GSSAPI
datalen=660
And after that the server is down..
I don't know what to do, I'll try to update heimdal to version 1.2.1, as
John Marshall advised me in his last email..
If anyone knows anything more, I would be delighted if he could share it
on this list.
Thanx again for reading.
--
George Mamalakis
IT Officer
Electrical and Computer Engineer (Aristotle Un. of Thessaloniki),
MSc (Imperial College of London)
Department of Electrical and Computer Engineering
Faculty of Engineering
Aristotle University of Thessaloniki
phone number : +30 (2310) 994379
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4AB342FF.8020103>