Posted to dev@directory.apache.org by Amila Jayasekara <am...@wso2.com> on 2010/08/25 13:22:13 UTC

Error when using ldapsearch with GSSAPI mechanism

Hi All,
   I am trying to implement Kerberos authentication using ApacheDS 
1.5.5. I went through several web resources and found [1] to be the most 
appropriate for 1.5.5.

[1] https://cwiki.apache.org/DIRxSRVx11/543-kerberos-in-apacheds-155.html

I configured the directory server according to [1] and I was able to 
successfully retrieve TGTs using "kinit". But the problem comes when I 
try to access the directory using the GSSAPI mechanism. The complete error is as 
follows,

aj@aj-laptop:~/development/Tools/LDAP$ ldapsearch -H 
ldap://localhost:10389 -b "dc=example,dc=com" "(uid=hnelson)" -Y GSSAPI
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)

I adjusted the ApacheDS logging parameters to log INFO messages and got to 
know that none of the messages are printed when executing the above command. 
(But there were messages printed when I accessed the Directory Server using 
some anonymous mechanism. Also, I was not able to configure the server to 
print DEBUG messages, as it crashes at startup.) But I analyzed the messages 
with Wireshark and got to know that a number of messages are 
exchanged between server and client when executing the above command.

From web resources I found that the usual cause for the above error is not having 
the ticket. But I am certain that I was able to retrieve the ticket using 
kinit. The klist output is as follows,

aj@aj-laptop:~/development/Tools/LDAP$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: hnelson@EXAMPLE.COM

Valid starting     Expires            Service principal
08/25/10 15:48:27  08/26/10 15:48:23  krbtgt/EXAMPLE.COM@EXAMPLE.COM

Also my ApacheDS server supports GSSAPI authentication. See below.

aj@aj-laptop:~/development/Tools/LDAP$ ldapsearch -H 
ldap://localhost:10389 -s base -LLL supportedSASLMechanisms -x
dn:
supportedSASLMechanisms: SIMPLE
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: GSS-SPNEGO

Also I have installed all relevant SASL client libraries.

aj@aj-laptop:~/development/Tools/LDAP$ saslpluginviewer | grep -i gssapi
ANONYMOUS LOGIN CRAM-MD5 DIGEST-MD5 GSSAPI PLAIN NTLM EXTERNAL
Plugin "gssapiv2" [loaded],     API version: 4
   SASL mechanism: GSSAPI, best SSF: 56, supports setpass: no
ANONYMOUS LOGIN CRAM-MD5 DIGEST-MD5 GSSAPI PLAIN NTLM EXTERNAL
Plugin "gssapiv2" [loaded],     API version: 4
   SASL mechanism: GSSAPI, best SSF: 56

So now I couldn't fathom a possible reason for the above error.
I have been stuck with this for about 2 days. I would be really grateful if 
one of you could help me.

I am attaching server.xml with this email. My /etc/krb5.conf is as follows,

[libdefaults]
       default_realm = EXAMPLE.COM

[realms]
       EXAMPLE.COM = {
               kdc = localhost:60088
       }

[domain_realm]
       .example.com = EXAMPLE.COM
       example.com = EXAMPLE.COM

[login]
       krb4_convert = true
       krb4_get_tickets = false

Thanks.
Regards,
Amila Jayasekara
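A pre-flight check for the bind described in this post, added here as an example (it is not part of the thread, nor ApacheDS or OpenLDAP code): it parses the krb5.conf and klist output quoted above (embedded as constructed sample text) and reports whether an unexpired TGT is present and which realm the host in the LDAP URI maps to through [domain_realm]. The ldap/<host> target-name form and the exact-host-then-parent-domain lookup are stated as assumptions about libkrb5's behaviour, not as the thread's diagnosis.

```python
import re                      # sample input below is constructed from the post, not live output
from datetime import datetime
from urllib.parse import urlparse

KRB5_CONF = """\
[libdefaults]
       default_realm = EXAMPLE.COM
[domain_realm]
       .example.com = EXAMPLE.COM
       example.com = EXAMPLE.COM
"""
KLIST_OUTPUT = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: hnelson@EXAMPLE.COM

Valid starting     Expires            Service principal
08/25/10 15:48:27  08/26/10 15:48:23  krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

def conf_section(text, name):
    """Flat 'key = value' view of one [section] of krb5.conf (enough for this check)."""
    body = re.search(r'\[%s\](.*?)(?=\n\[|\Z)' % name, text, re.S).group(1)
    pairs = (line.partition('=') for line in body.splitlines() if '=' in line)
    return {k.strip(): v.strip() for k, _, v in pairs}

def realm_for_host(krb5_conf_text, host):
    """[domain_realm] lookup as libkrb5 does it (assumed): exact host, then each parent domain."""
    mapping, labels = conf_section(krb5_conf_text, 'domain_realm'), host.lower().split('.')
    candidates = [host.lower()] + ['.' + '.'.join(labels[i:]) for i in range(1, len(labels))]
    return next((mapping[c] for c in candidates if c in mapping), None)  # None for bare "localhost"

def tgt_valid(klist_text, now):
    """(principal, flag): does klist list an unexpired krbtgt for the principal's realm?
    `now` is given in klist's own MM/DD/YY HH:MM:SS format so the two parse alike."""
    fmt = '%m/%d/%y %H:%M:%S'
    principal = re.search(r'Default principal:\s*(\S+)', klist_text).group(1)
    realm = principal.split('@')[1]
    for m in re.finditer(r'^\S+ \S+\s+(\S+ \S+)\s+(krbtgt/\S+)$', klist_text, re.M):
        if m.group(2) == f'krbtgt/{realm}@{realm}' and \
           datetime.strptime(m.group(1), fmt) > datetime.strptime(now, fmt):
            return principal, True
    return principal, False

def preflight(ldap_uri, krb5_conf_text, klist_text, now):
    """What a GSSAPI bind needs before ldapsearch ever talks to the server."""
    host = urlparse(ldap_uri).hostname
    principal, has_tgt = tgt_valid(klist_text, now)
    return {'principal': principal, 'has_tgt': has_tgt,
            'target_service': f'ldap/{host}',            # GSSAPI target name (assumed form)
            'host_realm': realm_for_host(krb5_conf_text, host)}
```

Running `preflight("ldap://localhost:10389", KRB5_CONF, KLIST_OUTPUT, "08/25/10 16:00:00")` shows a valid TGT but no realm mapping for the host "localhost", which is the kind of mismatch worth ruling out before looking at the server.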

Re: Error when using ldapsearch with GSSAPI mechanism

Posted by Amila Jayasekara <am...@wso2.com>.
Hi Stefan,
    I am afraid the -O "maxssf=0" option didn't help. I am still getting the 
same error.
i.e.
    aj@aj-laptop:~/development/Tools/LDAP/apacheds-1.5.5$ ldapsearch -H 
ldap://localhost:10389 -b "dc=example,dc=com" "(uid=hnelson)" -Y 
GSSAPI -O maxssf=0
    SASL/GSSAPI authentication started
    ldap_sasl_interactive_bind_s: Local error (-2)

Thanks
AmilaJ

Stefan Seelmann wrote:
> Hi Amila,
>
>   
>> aj@aj-laptop:~/development/Tools/LDAP$ saslpluginviewer | grep -i gssapi
>> ANONYMOUS LOGIN CRAM-MD5 DIGEST-MD5 GSSAPI PLAIN NTLM EXTERNAL
>> Plugin "gssapiv2" [loaded],     API version: 4
>>  SASL mechanism: GSSAPI, best SSF: 56, supports setpass: no
>> ANONYMOUS LOGIN CRAM-MD5 DIGEST-MD5 GSSAPI PLAIN NTLM EXTERNAL
>> Plugin "gssapiv2" [loaded],     API version: 4
>>  SASL mechanism: GSSAPI, best SSF: 56
>>     
>
> Please try to set SSF to 0 when using ldapsearch:
>   ldapsearch ... -Y GSSAPI -O "maxssf=0"
>
> Kind Regards,
> Stefan
>
>   

Re: Error when using ldapsearch with GSSAPI mechanism

Posted by Quanah Gibson-Mount <qu...@zimbra.com>.

--On August 25, 2010 8:38:01 PM +0200 Stefan Seelmann <se...@apache.org> 
wrote:

> Hi Amila,
>
>> aj@aj-laptop:~/development/Tools/LDAP$ saslpluginviewer | grep -i gssapi
>> ANONYMOUS LOGIN CRAM-MD5 DIGEST-MD5 GSSAPI PLAIN NTLM EXTERNAL
>> Plugin "gssapiv2" [loaded],     API version: 4
>>  SASL mechanism: GSSAPI, best SSF: 56, supports setpass: no
>> ANONYMOUS LOGIN CRAM-MD5 DIGEST-MD5 GSSAPI PLAIN NTLM EXTERNAL
>> Plugin "gssapiv2" [loaded],     API version: 4
>>  SASL mechanism: GSSAPI, best SSF: 56
>
> Please try to set SSF to 0 when using ldapsearch:
>   ldapsearch ... -Y GSSAPI -O "maxssf=0"

Why should that be required?  Encrypting the GSSAPI connection is generally 
desired much of the time...

--Quanah

-- 
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration


Re: Error when using ldapsearch with GSSAPI mechanism

Posted by Stefan Seelmann <se...@apache.org>.
Hi Amila,

> aj@aj-laptop:~/development/Tools/LDAP$ saslpluginviewer | grep -i gssapi
> ANONYMOUS LOGIN CRAM-MD5 DIGEST-MD5 GSSAPI PLAIN NTLM EXTERNAL
> Plugin "gssapiv2" [loaded],     API version: 4
>  SASL mechanism: GSSAPI, best SSF: 56, supports setpass: no
> ANONYMOUS LOGIN CRAM-MD5 DIGEST-MD5 GSSAPI PLAIN NTLM EXTERNAL
> Plugin "gssapiv2" [loaded],     API version: 4
>  SASL mechanism: GSSAPI, best SSF: 56

Please try to set SSF to 0 when using ldapsearch:
  ldapsearch ... -Y GSSAPI -O "maxssf=0"

Kind Regards,
Stefan