Posted to dev@directory.apache.org by Amila Jayasekara <am...@wso2.com> on 2010/08/25 13:22:13 UTC
Error when using ldapsearch with GSSAPI mechanism
Hi All,
I am trying to implement Kerberos authentication using ApacheDS
1.5.5. I went through several web resources and found [1] as most
appropriate for 1.5.5.
[1] https://cwiki.apache.org/DIRxSRVx11/543-kerberos-in-apacheds-155.html
I configured the directory server according to [1] and I was able to
successfully retrieve TGTs using "kinit". But the problem comes when I
try to access the directory using the GSSAPI mechanism. The complete error is as
follows,
aj@aj-laptop:~/development/Tools/LDAP$ ldapsearch -H
ldap://localhost:10389 -b "dc=example,dc=com" "(uid=hnelson)" -Y GSSAPI
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
I adjusted the ApacheDS logging parameters to log INFO messages and found
that none of the messages are printed when executing the above command.
(But there were messages printed when I accessed the Directory Server using
some anonymous mechanism. Also I was not able to configure the server to
print DEBUG messages as it crashes at startup.) But I analyzed the messages
with Wireshark and found that a number of messages are
exchanged between server and client when executing the above command.
From web resources I found that the usual cause for the above error is not having
the ticket. But I am certain that I was able to retrieve a ticket using
kinit. The klist output is as follows,
aj@aj-laptop:~/development/Tools/LDAP$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: hnelson@EXAMPLE.COM
Valid starting Expires Service principal
08/25/10 15:48:27 08/26/10 15:48:23 krbtgt/EXAMPLE.COM@EXAMPLE.COM
Also my ApacheDS server supports GSSAPI authentication. See below.
aj@aj-laptop:~/development/Tools/LDAP$ ldapsearch -H
ldap://localhost:10389 -s base -LLL supportedSASLMechanisms -x
dn:
supportedSASLMechanisms: SIMPLE
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: GSS-SPNEGO
Also I have installed all relevant SASL client libraries.
aj@aj-laptop:~/development/Tools/LDAP$ saslpluginviewer | grep -i gssapi
ANONYMOUS LOGIN CRAM-MD5 DIGEST-MD5 GSSAPI PLAIN NTLM EXTERNAL
Plugin "gssapiv2" [loaded], API version: 4
SASL mechanism: GSSAPI, best SSF: 56, supports setpass: no
ANONYMOUS LOGIN CRAM-MD5 DIGEST-MD5 GSSAPI PLAIN NTLM EXTERNAL
Plugin "gssapiv2" [loaded], API version: 4
SASL mechanism: GSSAPI, best SSF: 56
So now I cannot fathom a possible reason for the above error.
I have been stuck with this for about 2 days. I would be really grateful if
one of you could help me.
I am attaching server.xml with this email. My /etc/krb5.conf is as follows,
[libdefaults]
default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
kdc = localhost:60088
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
[login]
krb4_convert = true
krb4_get_tickets = false
Thanks.
Regards,
Amila Jayasekara
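"Local error (-2)" is what the OpenLDAP client prints whenever the SASL library fails before a bind request reaches the server; the actual GSS-API status (no service ticket, unknown server principal, hostname mismatch, clock skew) is hidden unless you ask for it. The helper below is an added example for triaging this, not code from the thread or from ApacheDS. It assumes an MIT Kerberos client and OpenLDAP command-line tools; the klist listing embedded in it is constructed after the one in the post, not captured live. The one thing it makes explicit is that the GSSAPI client asks the KDC for ldap/<hostname from the -H URI>@REALM (after reverse-DNS canonicalization unless that is switched off), so that exact principal must exist in the KDC and the server must hold its key.

```shell
#!/bin/sh
# Added example: triage for "ldap_sasl_interactive_bind_s: Local error (-2)".
# Assumes MIT Kerberos (klist, kvno, KRB5_TRACE) and OpenLDAP ldapsearch.

# Service principal the SASL/GSSAPI client will request, before any
# reverse-DNS canonicalization: "ldap/<host>@<realm>". The service name is
# "ldap" for both ldap:// and ldaps:// URIs.
# Usage: gssapi_service_principal <ldap-uri> <realm>
gssapi_service_principal() {
    uri=$1
    realm=$2
    host=${uri#*://}      # drop scheme
    host=${host%%/*}      # drop any path
    host=${host%%:*}      # drop port
    printf 'ldap/%s@%s\n' "$host" "$realm"
}

# Exit 0 if a klist listing already holds a ticket for the principal.
# A cache with only the krbtgt entry means no service ticket was ever
# obtained, i.e. the failure happened before or during the TGS request.
# Usage: cache_has_ticket <principal> <klist-output>
cache_has_ticket() {
    principal=$1
    listing=$2
    printf '%s\n' "$listing" | grep -qF -- "$principal"
}

# Constructed sample, modelled on the klist output in the post (not live).
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: hnelson@EXAMPLE.COM

Valid starting     Expires            Service principal
08/25/10 15:48:27  08/26/10 15:48:23  krbtgt/EXAMPLE.COM@EXAMPLE.COM'

# Interactive triage; each step narrows down where the client-side failure
# occurs. Not exercised offline since it needs a KDC and an LDAP server.
# Usage: gssapi_bind_triage <ldap-uri> <realm> <base-dn>
gssapi_bind_triage() {
    uri=$1
    realm=$2
    base=$3
    spn=$(gssapi_service_principal "$uri" "$realm")

    echo "== 1. TGT in the cache (should show a krbtgt entry) =="
    klist

    echo "== 2. Ask the KDC for a service ticket for $spn =="
    # Fails here if the server principal is unknown to the KDC.
    kvno "$spn"

    echo "== 3. Bind with full SASL/GSS debugging =="
    # -N: do not canonicalize the SASL host name via reverse DNS, so the
    #     principal requested is exactly $spn.
    # -d -1: OpenLDAP debug output, which includes the GSS-API error text.
    # KRB5_TRACE: MIT krb5 library trace of the TGS exchange and checks.
    KRB5_TRACE=/dev/stderr ldapsearch -N -d -1 -H "$uri" -b "$base" \
        -Y GSSAPI -s base 1.1
}
```

If step 2 succeeds but step 3 still fails, the remaining client-side causes are typically a name mismatch (the canonicalized hostname differs from the one the server's key was issued for) or the security-layer negotiation; "-O maxssf=0", as suggested later in the thread, makes the client offer no integrity or confidentiality layer, which isolates that negotiation but leaves every LDAP operation after the bind in the clear, so it is a diagnostic setting rather than one to keep.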
Re: Error when using ldapsearch with GSSAPI mechanism
Posted by Amila Jayasekara <am...@wso2.com>.
Hi Stefan,
I am afraid the -O "maxssf=0" option didn't help. I am still getting the
same error.
i.e.
aj@aj-laptop:~/development/Tools/LDAP/apacheds-1.5.5$ ldapsearch -H
ldap://localhost:10389 -b "dc=example,dc=com" "(uid=hnelson)" -Y
GSSAPI -O maxssf=0
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
Thanks
AmilaJ
Stefan Seelmann wrote:
> Hi Amila,
>
>
>> aj@aj-laptop:~/development/Tools/LDAP$ saslpluginviewer | grep -i gssapi
>> ANONYMOUS LOGIN CRAM-MD5 DIGEST-MD5 GSSAPI PLAIN NTLM EXTERNAL
>> Plugin "gssapiv2" [loaded], API version: 4
>> SASL mechanism: GSSAPI, best SSF: 56, supports setpass: no
>> ANONYMOUS LOGIN CRAM-MD5 DIGEST-MD5 GSSAPI PLAIN NTLM EXTERNAL
>> Plugin "gssapiv2" [loaded], API version: 4
>> SASL mechanism: GSSAPI, best SSF: 56
>>
>
> Please try to set SSF to 0 when using ldapsearch:
> ldapsearch ... -Y GSSAPI -O "maxssf=0"
>
> Kind Regards,
> Stefan
>
>
Re: Error when using ldapsearch with GSSAPI mechanism
Posted by Quanah Gibson-Mount <qu...@zimbra.com>.
--On August 25, 2010 8:38:01 PM +0200 Stefan Seelmann <se...@apache.org>
wrote:
> Hi Amila,
>
>> aj@aj-laptop:~/development/Tools/LDAP$ saslpluginviewer | grep -i gssapi
>> ANONYMOUS LOGIN CRAM-MD5 DIGEST-MD5 GSSAPI PLAIN NTLM EXTERNAL
>> Plugin "gssapiv2" [loaded], API version: 4
>> SASL mechanism: GSSAPI, best SSF: 56, supports setpass: no
>> ANONYMOUS LOGIN CRAM-MD5 DIGEST-MD5 GSSAPI PLAIN NTLM EXTERNAL
>> Plugin "gssapiv2" [loaded], API version: 4
>> SASL mechanism: GSSAPI, best SSF: 56
>
> Please try to set SSF to 0 when using ldapsearch:
> ldapsearch ... -Y GSSAPI -O "maxssf=0"
Why should that be required? Encrypting the GSSAPI connection is generally
desired much of the time...
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
Re: Error when using ldapsearch with GSSAPI mechanism
Posted by Stefan Seelmann <se...@apache.org>.
Hi Amila,
> aj@aj-laptop:~/development/Tools/LDAP$ saslpluginviewer | grep -i gssapi
> ANONYMOUS LOGIN CRAM-MD5 DIGEST-MD5 GSSAPI PLAIN NTLM EXTERNAL
> Plugin "gssapiv2" [loaded], API version: 4
> SASL mechanism: GSSAPI, best SSF: 56, supports setpass: no
> ANONYMOUS LOGIN CRAM-MD5 DIGEST-MD5 GSSAPI PLAIN NTLM EXTERNAL
> Plugin "gssapiv2" [loaded], API version: 4
> SASL mechanism: GSSAPI, best SSF: 56
Please try to set SSF to 0 when using ldapsearch:
ldapsearch ... -Y GSSAPI -O "maxssf=0"
Kind Regards,
Stefan