[ 
https://issues.apache.org/jira/browse/DIRSERVER-2205?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16108551#comment-16108551
 ] 

Alex Duzsardi edited comment on DIRSERVER-2205 at 8/1/17 8:09 AM:
------------------------------------------------------------------

Sure, here it is

{quote}[root@router log]# ldapsearch -d -1 -Y GSSAPI -H 
ldap://example.com:10389 -b "dc=security,dc=example,dc=com" "(uid=hnelson)"
ldap_url_parse_ext(ldap://example.com:10389)
ldap_create
ldap_url_parse_ext(ldap://example.com:10389/??base)
ldap_sasl_interactive_bind: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP example.com:10389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.0.2.15:10389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
ldap_int_sasl_open: host=example.com
SASL/GSSAPI authentication started
ldap_msgfree
ldap_err2string
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified 
GSS failure.  Minor code may provide more information (Message stream modified)
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
  0000:  30 05 02 01 01 42 00                               0....B.
ldap_write: want=7, written=7
  0000:  30 05 02 01 01 42 00                               0....B.
ldap_free_connection: actually freed{quote}
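As an added example (not part of Alex's comment or of the ApacheDS project), a small Python BER decoder for the LDAPMessage envelope, applied to the 7-byte PDU that ber_flush2 dumped in the trace above; it shows that those bytes are messageID 1 followed by an UnbindRequest, i.e. the client tore the connection down cleanly once the SASL/GSSAPI step failed locally. The protocol-op tag table and the long-form/truncated-length handling are mine, taken from RFC 4511 and X.690, not from anything on this page.

```python
"""Decode the LDAP PDU hex dump that ber_flush2 printed in the ldapsearch -d -1 trace."""

# LDAPMessage protocolOp tags from RFC 4511: [APPLICATION n] class, i.e. 0x40 | n,
# plus the constructed bit 0x20 for everything except UnbindRequest (a NULL).
PROTOCOL_OPS = {0x60: "BindRequest", 0x61: "BindResponse", 0x42: "UnbindRequest",
                0x63: "SearchRequest", 0x64: "SearchResultEntry", 0x65: "SearchResultDone"}

# Constructed sample: the 7-byte dump printed by ber_flush2 in the trace above.
UNBIND_DUMP = "30 05 02 01 01 42 00"


def read_tlv(buf: bytes, pos: int):
    """Read one BER tag/length/value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end


def decode_ldap_message(raw: bytes) -> dict:
    """Parse LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE {...} }."""
    tag, body, end = read_tlv(raw, 0)
    if tag != 0x30:
        raise ValueError(f"expected SEQUENCE (0x30), got 0x{tag:02x}")
    if end != len(raw):
        raise ValueError("trailing bytes after LDAPMessage")
    id_tag, id_val, pos = read_tlv(body, 0)
    if id_tag != 0x02:
        raise ValueError("messageID must be an INTEGER")
    op_tag, op_val, _ = read_tlv(body, pos)
    return {"message_id": int.from_bytes(id_val, "big", signed=True),
            "op_tag": op_tag, "op_name": PROTOCOL_OPS.get(op_tag, "unknown"),
            "op_payload": op_val}


def decode_hex_dump(dump: str) -> dict:
    """Accept the space-separated hex form shown in the trace, e.g. UNBIND_DUMP."""
    return decode_ldap_message(bytes.fromhex(dump.replace(" ", "")))
```

Running `decode_hex_dump(UNBIND_DUMP)` yields messageID 1 and op_name "UnbindRequest" with an empty payload; a dump cut short by one byte raises ValueError instead of being silently accepted.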




> ldap tools don't work with gssapi sasl 
> ---------------------------------------
>
>                 Key: DIRSERVER-2205
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-2205
>             Project: Directory ApacheDS
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 2.0.0-M24
>         Environment: Linux Centos 7 x64
> ApacheDS 2.0.0-M4
> openJDK 
> krb5-workstation
> openldap-clients
>            Reporter: Alex Duzsardi
>
> Hi,
> I successfully installed ApacheDS, was able to start and configure the service,
> and set up Kerberos authentication.
> It works without problems from ApacheDS Studio, I can log in with GSSAPI, but
> can't say the same for the local ldap tools (openldap-clients).
> I can't get a tgt from the kerberos with kinit, I've exported the ldap
> service principal using ktutil and saved it as /etc/krb5.keytab, configured
> krb5.conf, configured ldap.conf.
> Hostnames are configured statically through /etc/hosts, actually only one
> host as the server is also the client (LAN_IP example.com,
> ldap/example....@example.com got exported with ktutil)
> [root@example ~]# cat /etc/krb5.conf
> [libdefaults]
>     default_realm = EXAMPLE.COM
> #    rdns = false
> [realms]
>     EXAMPLE.COM = {
>         kdc = example.com:60088
>         default_domain = EXAMPLE.COM
>     }
> [domain_realm]
>          example.com = EXAMPLE.COM
>         .example.com = EXAMPLE.COM
> ------------------------------------------------------------------------
> [root@example ~]# klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- 
> --------------------------------------------------------------------------
>    1 ldap/example....@example.com
> [root@example ~]#
> --------------------------------------------------------------------------------
> [root@example ~]# kinit hnelson
> Password for hnel...@example.com:
> [root@example ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: hnel...@example.com
> Valid starting       Expires              Service principal
> 07/31/2017 20:54:48  08/01/2017 20:54:38  krbtgt/example....@example.com
> [root@example ~]#
> {color:red}[root@example ~]# ldapsearch -Y GSSAPI -H ldap://example.com:10389 
> -b "dc=example,dc=com" "(uid=hnelson)"
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
>         additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified 
> GSS failure.  Minor code may provide more information (Message stream 
> modified)
> {color}



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
