On Sun, Jan 20, 2013 at 5:30 PM, mallapadi niranjan <[email protected]> wrote:

> Hi all,
>
> I need some help in finding more about the below error:
>
> Jan 20 05:34:58 ldap2 slapd[2561]: conn=1025 op=1 RESULT tag=97 err=14
> text=SASL(0): successful result:
> Jan 20 05:34:58 ldap2 slapd[2561]: conn=1025 op=2 BIND dn="" method=163
> Jan 20 05:34:58 ldap2 slapd[2561]: SASL [conn=1025] Failure: Inappropriate
> authentication
> Jan 20 05:34:58 ldap2 slapd[2561]: conn=1025 op=2 RESULT tag=97 err=50
> text=SASL(-14): authorization failure: Inappropriate authentication
> Jan 20 05:34:58 ldap2 slapd[2561]: conn=1025 op=3 UNBIND
> Jan 20 05:34:58 ldap2 slapd[2561]: conn=1025 fd=31 closed
>
>
> More information:
>
> OpenLDAP version: openldap-servers-2.4.23-26.el6_3.2.x86_64
>
> What I am trying to do is: I have configured bind (named) to store its
> records in an LDAP server using the plugin provided by
> bind-dyndb-ldap-1.1.0-0.9.b1.el6.x86_64, and I have configured named.conf
> to access the LDAP server only through GSSAPI.
>
> options {
>         listen-on port 53 { 127.0.0.1; };
>         listen-on-v6 port 53 { ::1; };
>         directory       "/var/named";
>         dump-file       "/var/named/data/cache_dump.db";
>         statistics-file "/var/named/data/named_stats.txt";
>         memstatistics-file "/var/named/data/named_mem_stats.txt";
>
>         forward first;
>         forwarders { };
>         #dnssec-enable yes;
>         #dnssec-validation yes;
>         #dnssec-lookaside auto;
>         allow-recursion { any; };
>         /* Path to ISC DLV key */
>         #bindkeys-file "/etc/named.iscdlv.key";
>         #managed-keys-directory "/var/named/dynamic";
>         tkey-gssapi-credential "[email protected]";
>         tkey-domain "EXAMPLE.ORG";
> };
> logging {
>         channel default_debug {
>                 file "data/named.run";
>                 severity dynamic;
>         };
> };
> zone "." IN {
>         type hint;
>         file "named.ca";
> };
> include "/etc/named.rfc1912.zones";
> include "/etc/named.root.key";
> dynamic-db "openldap" {
>         library "ldap.so";
>         #arg "uri ldapi://%2fvar%2frun%2fldapi";
>         arg "uri ldap://localhost";
>         arg "base cn=dns,dc=example,dc=org";
>         arg "fake_mname ldap2.example.org.";
>         arg "auth_method sasl";
>         arg "sasl_mech GSSAPI";
>         arg "sasl_user [email protected]";
>         arg "zone_refresh 30";
> };
>
> As you can see, named uses [email protected] as its SASL
> authentication user; [email protected] is a user who exists in the LDAP
> records:
>
> dn: cn=dnsadmin,ou=People,dc=example,dc=org
> cn: dnsadmin
> sn: user
> objectClass: person
> objectClass: krbPrincipalAux
> objectClass: krbTicketPolicyAux
> userPassword:: U2VjcmV0MTIz
> krbPrincipalName: [email protected]
> krbLoginFailedCount: 0
> krbPrincipalKey:: MIIByKADAgEBoQMCAQGiAwIBAqMDAgEBpIIBsDCCAawwVKAHMAWgAwIBAKFJ
>  MEegAwIBEqFABD4gACUNiDAaRqfI6BDKN9YZ/DhvIf6TfUZY8pdWQ5HvM1ZI/DOxdPnIoXfnbjRT+
>  i7D7lMpkixzcxcFki3fFDBEoAcwBaADAgEAoTkwN6ADAgERoTAELhAAqBkEvL+gzUndM8TNS7ik+I
>  1weyacnVPB3PaFjtteeQBLcmrqikUN9eCWTDgwTKAHMAWgAwIBAKFBMD+gAwIBEKE4BDYYAM0347z
>  v8kK3gj0A9SYOzUDa7Hc89pG1dg4LOdJfam6QkNGamezP45ZnFLzGSQ/oTR76I3YwRKAHMAWgAwIB
>  AKE5MDegAwIBF6EwBC4QAC3muW46EjvmxYXnvzA11/kiUrGwknrOL/dtcVVhx2ul81zChqkfuHYjU
>  BbTMDygBzAFoAMCAQChMTAvoAMCAQihKAQmCADtDnWrNBUuisnbEstExWOiwQphTqqXyrzPi1XQ3U
>  jvE0TpMZUwPKAHMAWgAwIBAKExMC+gAwIBA6EoBCYIAFNul3CO38n/hMzLT9lT31ma7ObzhJ9B1qn
>  BIGSvn7wDSiH2dw==
> krbPasswordExpiration: 19700101000000Z
> krbLastPwdChange: 20130119232256Z
> krbExtraData:: AALQKvtQcm9vdC9hZG1pbkBFWEFNUExFLk9SRwA=
> krbExtraData:: AAgBAA==
>
>
> named reads the /etc/named.keytab file to get [email protected]:
>
> [root@ldap2 master]# klist -k /etc/named.keytab
>
> Keytab name: WRFILE:/etc/named.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    2 [email protected]
>    2 [email protected]
>    2 [email protected]
>    2 [email protected]
>    2 [email protected]
>    2 [email protected]
>
>
> What I am looking for is: when bind tries to connect to the LDAP server
> using "[email protected]", I am seeing the error below:
>
> Jan 20 05:47:43 ldap2 slapd[2561]: conn=1031 op=0 RESULT tag=97 err=14
> text=SASL(0): successful result:
> Jan 20 05:47:43 ldap2 slapd[2561]: connection_input: conn=1031 deferring
> operation: binding
> Jan 20 05:47:43 ldap2 slapd[2561]: conn=1031 op=1 BIND dn="" method=163
> Jan 20 05:47:43 ldap2 slapd[2561]: connection_input: conn=1031 deferring
> operation: binding
> Jan 20 05:47:43 ldap2 slapd[2561]: conn=1031 op=1 RESULT tag=97 err=14
> text=SASL(0): successful result:
> Jan 20 05:47:43 ldap2 slapd[2561]: conn=1031 op=2 BIND dn="" method=163
> Jan 20 05:47:43 ldap2 slapd[2561]: SASL [conn=1031] Failure: Inappropriate
> authentication
> Jan 20 05:47:43 ldap2 slapd[2561]: conn=1031 op=3 UNBIND
> Jan 20 05:47:43 ldap2 slapd[2561]: conn=1031 op=2 RESULT tag=97 err=50
> text=SASL(-14): authorization failure: Inappropriate authentication
> Jan 20 05:47:43 ldap2 slapd[2561]: conn=1031 fd=34 closed
>
> Can anyone help me with how to enable more debugging to get more info about
> the error=50 (insufficient access error)? Below is my olcAuthzRegexp
> configuration:
>
> # config
> dn: cn=config
> objectClass: olcGlobal
> cn: config
> olcConfigFile: /opt/setup-openldap/sample-slapd.conf
> olcConfigDir: /etc/openldap/slapd.d/
> olcAllows: bind_v2
> ...
> ..
> ...
> ...
> ....
> olcTLSCACertificateFile: /etc/pki/tls/certs/cacert.pem
> olcTLSCertificateFile: /etc/pki/tls/certs/server.pem
> olcTLSCertificateKeyFile: /etc/pki/tls/certs/serverkey.pem
> olcTLSVerifyClient: allow
> olcToolThreads: 1
> olcWriteTimeout: 0
> olcAuthzRegexp: {0}uid=(.*),cn=EXAMPLE.ORG,cn=gssapi,cn=auth uid=$1,ou=People,dc=example,dc=org
> olcLogLevel: stats
>
>
> And the output of ldapwhoami:
>
> [root@ldap2 master]# ldapwhoami -Y GSSAPI -H ldapi:///
> SASL/GSSAPI authentication started
> SASL username: [email protected]
> SASL SSF: 56
> SASL data security layer installed.
> dn:uid=dnsadmin,cn=example.org,cn=gssapi,cn=auth
>
> I just want to find out why named fails when it tries to SASL bind with
> OpenLDAP.
>
> Thanks
> Niranjan
>

Hi all,

Is there any specific log level which can help me get more
information other than err=50? I did try err=4, but it did not give me any
clue.

Thanks
Niranjan
