directory-dev mailing list archives

From: Amila Jayasekara <ami...@wso2.com>
Subject: Error when using ldapsearch with GSSAPI mechanism
Date: Wed, 25 Aug 2010 11:22:13 GMT
Hi All,

I am trying to implement Kerberos authentication using ApacheDS 
1.5.5. I went through several web resources and found [1] to be the most 
appropriate for 1.5.5.

[1] https://cwiki.apache.org/DIRxSRVx11/543-kerberos-in-apacheds-155.html

I configured the directory server according to [1] and I was able to 
successfully retrieve TGTs using "kinit". But the problem comes when I 
try to access the directory using the GSSAPI mechanism. The complete error is as 
follows:

aj@aj-laptop:~/development/Tools/LDAP$ ldapsearch -H 
ldap://localhost:10389 -b "dc=example,dc=com" "(uid=hnelson)" -Y GSSAPI
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)

I adjusted the ApacheDS logging parameters to log INFO messages and found 
that none of the messages are printed when executing the above command. 
(But there were messages printed when I accessed the Directory Server using 
an anonymous mechanism. Also I was not able to configure the server to 
print DEBUG messages, as it crashes at startup.) But I analyzed the messages 
with Wireshark and saw that a number of messages are 
exchanged between server and client when executing the above command.

From web resources I found that the usual cause for the above error is not having 
a ticket. But I am certain that I was able to retrieve a ticket using 
kinit. The klist output is as follows:

aj@aj-laptop:~/development/Tools/LDAP$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: hnelson@EXAMPLE.COM

Valid starting     Expires            Service principal
08/25/10 15:48:27  08/26/10 15:48:23  krbtgt/EXAMPLE.COM@EXAMPLE.COM

Also my ApacheDS server supports GSSAPI authentication. See below.

aj@aj-laptop:~/development/Tools/LDAP$ ldapsearch -H 
ldap://localhost:10389 -s base -LLL supportedSASLMechanisms -x
dn:
supportedSASLMechanisms: SIMPLE
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: GSS-SPNEGO


Also I have installed all the relevant SASL client libraries.

aj@aj-laptop:~/development/Tools/LDAP$ saslpluginviewer | grep -i gssapi
ANONYMOUS LOGIN CRAM-MD5 DIGEST-MD5 GSSAPI PLAIN NTLM EXTERNAL
Plugin "gssapiv2" [loaded],     API version: 4
   SASL mechanism: GSSAPI, best SSF: 56, supports setpass: no
ANONYMOUS LOGIN CRAM-MD5 DIGEST-MD5 GSSAPI PLAIN NTLM EXTERNAL
Plugin "gssapiv2" [loaded],     API version: 4
   SASL mechanism: GSSAPI, best SSF: 56

So now I cannot fathom a possible reason for the above error.
I have been stuck with this for about 2 days. I would be really grateful if 
one of you could help me.

I am attaching server.xml with this email. My /etc/krb5.conf is as follows:

[libdefaults]
       default_realm = EXAMPLE.COM

[realms]
       EXAMPLE.COM = {
               kdc = localhost:60088
       }

[domain_realm]
       .example.com = EXAMPLE.COM
       example.com = EXAMPLE.COM

[login]
       krb4_convert = true
       krb4_get_tickets = false
Thanks.
Regards,
Amila Jayasekara
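As an added example (not part of this message or of ApacheDS), the following parses the krb5.conf format quoted above and derives the `ldap/<host>@<REALM>` service principal that a SASL/GSSAPI bind asks the KDC for, resolving the realm through the `[domain_realm]` section. The embedded configuration is a constructed copy of the one in the message, and the function names and sample hosts are assumptions; a URI host with no realm mapping (such as a bare `localhost`) is reported as unmapped so it can be checked before the bind is attempted.

```python
# Added example (not from the thread): parse the krb5.conf quoted above and
# derive the service principal a SASL/GSSAPI LDAP bind will ask the KDC for.
import re
from urllib.parse import urlparse

# Constructed copy of the krb5.conf shown in the message ([login] omitted).
KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = localhost:60088
    }
[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
"""

def parse_krb5_conf(text):
    """{section: {key: value | nested dict}}; handles 'key = { ... }' blocks."""
    conf, stack = {}, []                      # stack = dicts being filled
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        if (m := re.fullmatch(r"\[(\S+)\]", line)):
            stack = [conf.setdefault(m.group(1), {})]
        elif line == "}":
            stack.pop()
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":                  # open a nested relation block
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return conf

def realm_for_host(conf, host):
    """[domain_realm] lookup: exact host, then parent domains with a leading dot."""
    dr = conf.get("domain_realm", {})
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        cand = ("" if i == 0 else ".") + ".".join(labels[i:])
        if cand in dr:
            return dr[cand]
    return None                               # no explicit mapping for host

def ldap_service_principal(conf, ldap_uri):
    """ldap/<host>@<realm> named in the GSSAPI bind; None if host is unmapped."""
    host = urlparse(ldap_uri).hostname
    realm = realm_for_host(conf, host)
    return f"ldap/{host}@{realm}" if realm else None
```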
