Discussion:
Preauth error ldap heimdal kerberos
Μανόλης Βλαχάκης
2010-03-19 10:39:41 UTC
Hello there everyone,

I hope you can help me with my issue, because it has really been bothering me for a week.

I set up an LDAP server on Gentoo, and after modifying Heimdal Kerberos and TLS
I am stuck at this point. I get these errors:

additional info: SASL(-13): authentication failure: GSSAPI Failure:
gss_accept_sec_context

and

AS-REQ host/***@TEIPIR.GR from IPv4:10.0.0.12 for krbtgt/TEIPIR.GR@TEIPIR.GR
2010-03-18T16:32:58 Client sent patypes: none
2010-03-18T16:32:58 Looking for ENC-TS pa-data -- host/proof.teipir.gr@TEIPIR.GR
2010-03-18T16:32:58 No preauth found, returning PREAUTH-REQUIRED -- host/***@TEIPIR.GR
2010-03-18T16:32:58 sending 268 bytes to IPv4:10.0.0.12

Any ideas which files to check? I am a bit lost...

Thank you very much
Dan White
2010-03-19 21:49:22 UTC
Post by Μανόλης Βλαχάκης
Hello there everyone,
I hope you can help me with my issue, because it has really been bothering me for a week.
I set up an LDAP server on Gentoo, and after modifying Heimdal Kerberos and TLS
I get these errors:
gss_accept_sec_context
IPv4:10.0.0.12 for krbtgt/TEIPIR.GR
2010-03-18T16:32:58 Client sent patypes: none
2010-03-18T16:32:58 No preauth found, returning PREAUTH-REQUIRED -- host/
2010-03-18T16:32:58 sending 268 bytes to IPv4:10.0.0.12
Is there one host involved or two, and do they both have valid credential
caches (klist)?

Does your openldap user have access to /etc/krb5.keytab? What does your
cyrus sasl config look like (if it exists)?

Assuming you're using an ldapsearch command from the client, what options
are you passing?

Do you have any custom SASL config items in your openldap config
(sasl-host, sasl-realm or sasl-secprops)?
--
Dan White
Μανόλης Βλαχάκης
2010-03-22 10:49:02 UTC
Hello there, and thank you for your answer.
I finally made it and moved on, but now I face another problem.
My configs look like this...

Kerberos attributes on the LDAP (PHP) side are:
krb5KDCFlags
krb5KeyVersionNumber
krb5MaxLife
krb5MaxRenew
krb5PrincipalName

objectClass
krb5Principal
krb5KDCEntry

SASL configs:

log_level: -1
pwcheck_method: auxprop saslauthd
mech_list: GSSAPI EXTERNAL LOGIN PLAIN NTLM DIGEST-MD5 CRAM-MD5
auxprop_plugin: ldapdb
ldapdb_uri: ldaps://10.0.0.12:636/ ldapi:///
ldapdb_id: cn=ldapmaster,ou=kerberos,dc=teipir,dc=gr
ldapdb_pw: {SSHA}I3uStTuu03acS7E/Wp85xNBawCqzvgtY
ldapdb_mech: GSSAPI EXTERNAL
ldapdb_starttls: try

My access list is:
access to * by * write

but I also set up, as I saw in the sasl-regexp config, the mapping below:
sasl-regexp
  uid=(.+),cn=(.+),cn=.+,cn=auth
  ldap:///dc=$2,dc=gr??sub?(|(uid=$1)(cn=$1@$2))
sasl-regexp
  uid=(.+),cn=.+,cn=auth
  ldap:///dc=teipir,dc=gr??sub?(|(uid=$1)(krb5PrincipalName=$***@TEIPIR.GR))
sasl-regexp
  uidnumber=0\\\+gidnumber=0,cn=peercred,cn=external,cn=auth
  cn=***@TEIPIR.GR,ou=kerberos,dc=teipir,dc=gr

I have an idea of making it work like the one below, so as to give access to
all of the registered users while requiring a password from them. Is that correct?

# This is needed so sasl-regexp/GSSAPI works correctly
access to attrs=krb5PrincipalName
  by anonymous auth

# Kerberos attributes may only be accessible to root/ldapmaster
access to attrs=krb5KeyVersionNumber,krb5PrincipalRealm,krb5EncryptionType,krb5KDCFlags,krb5Key,krb5MaxLife,krb5MaxRenew,krb5PasswordEnd,krb5ValidEnd,krb5ValidStart,krb5RealmNam
  by * none

# We will be using userPassword to provide simple BIND access, so we don't
# want this to be user editable
access to attrs=userPassword
  by anonymous auth

# Anything else we may have forgotten is writable by admin, and viewable by
# authenticated users
access to dn.subtree="dc=teipir,dc=gr"
  by users read

When I do:
ldapsearch -X "dn:cn=spiros,ou=Managers,dc=teipir,dc=gr" -w 1234 -d 255

even though I set it up to require a password (in the SASL config),

I get something like this:

SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Insufficient access (50)
        additional info: SASL(-14): authorization failure: not authorized

or, when I use any other command on the client side, I have full access to the tree
with no password required.
--
Manolis Vlachakis

Nelly's Family Hotel
Visit : www.nellys-hotel.gr
www.nellys.gr
Skype : manolis.vlachakis
Μανόλης Βλαχάκης
2010-03-22 11:33:47 UTC
I forgot to mention another problem that occurred today.
When I try to do

ldapsearch -X "dn: cn=spiros,ou=Managers,dc=teipir,dc=gr" -b
"ou=Managers,dc=teipir,dc=gr" -w 1234

I get

2010-03-22T13:30:17 Failed to open database: Wrong database version
2010-03-22T13:30:17 UNKNOWN -- host/***@TEIPIR.GR: No such entry
in the database
Dan White
2010-03-22 14:19:04 UTC
Post by Μανόλης Βλαχάκης
I forgot to mention another problem that occurred today.
When I try to do
ldapsearch -X "dn: cn=spiros,ou=Managers,dc=teipir,dc=gr" -b
"ou=Managers,dc=teipir,dc=gr" -w 1234
I get
2010-03-22T13:30:17 Failed to open database: Wrong database version
in the database
That may be due to a mismatch between your /var/lib/heimdal (or wherever
your m-key is located) and the data stored in your OpenLDAP database.

You may need to re-init Heimdal, but that will require that you regenerate
all your krb5Keys, so be careful before doing so.
--
Dan White
Μανόλης Βλαχάκης
2010-03-22 11:34:42 UTC
Hello there, and thank you for your answer.
Dan White
2010-03-22 14:09:38 UTC
Post by Μανόλης Βλαχάκης
Hello there, and thank you for your answer.
I finally made it and moved on, but now I face another problem.
My configs look like this...

log_level: -1
pwcheck_method: auxprop saslauthd
mech_list: GSSAPI EXTERNAL LOGIN PLAIN NTLM DIGEST-MD5 CRAM-MD5
auxprop_plugin: ldapdb
ldapdb_uri: ldaps://10.0.0.12:636/ ldapi:///
ldapdb_id: cn=ldapmaster,ou=kerberos,dc=teipir,dc=gr
ldapdb_pw: {SSHA}I3uStTuu03acS7E/Wp85xNBawCqzvgtY
ldapdb_mech: GSSAPI EXTERNAL
ldapdb_starttls: try
Is this your slapd.conf SASL config? If so, you should be using the
internal 'slapd' auxprop plugin rather than ldapdb:

auxprop_plugin: slapd
Post by Μανόλης Βλαχάκης
access to * by * write
but I also set up, as I saw in the sasl-regexp config, the mapping below:
sasl-regexp
  uid=(.+),cn=(.+),cn=.+,cn=auth
sasl-regexp
  uid=(.+),cn=.+,cn=auth
sasl-regexp
  uidnumber=0\\\+gidnumber=0,cn=peercred,cn=external,cn=auth

I have an idea of making it work like the one below, so as to give access to
all of the registered users while requiring a password from them. Is that correct?

# This is needed so sasl-regexp/GSSAPI works correctly
access to attrs=krb5PrincipalName
  by anonymous auth

# Kerberos attributes may only be accessible to root/ldapmaster
access to attrs=krb5KeyVersionNumber,krb5PrincipalRealm,krb5EncryptionType,krb5KDCFlags,krb5Key,krb5MaxLife,krb5MaxRenew,krb5PasswordEnd,krb5ValidEnd,krb5ValidStart,krb5RealmNam
  by * none

# We will be using userPassword to provide simple BIND access, so we don't
# want this to be user editable
access to attrs=userPassword
  by anonymous auth
I use

access to attrs=userPassword,shadowLastChange,sambaPwdLastSet,sambaLMPassword,sambaNTPassword,krb5KeyVersionNumber,krb5Key,cmusaslsecretOTP
by anonymous auth
by self write
by * none
Post by Μανόλης Βλαχάκης
ldapsearch -X "dn:cn=spiros,ou=Managers,dc=teipir,dc=gr" -w 1234 -d 255
even though I set it up to require a password (in the SASL config)
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Insufficient access (50)
        additional info: SASL(-14): authorization failure: not authorized
--
Dan White
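The ACL Dan posts above, next to the "access to * by * write" the original poster has in place, as an added example that is not code from the thread or from OpenLDAP: a small Python evaluator for slapd-style access directives. It shows why the poster's single directive hands every requester, including an anonymous bind (which slapd logs as the empty requester, "to value by """), write and therefore read access to every attribute, and how the "by anonymous auth / by self write / by * none" ordering in Dan's directive keeps password and key attributes reachable only for binding and for the entry's own owner. The second user DN is constructed, and the catch-all "by users read" clause is taken from the how-to ACL the poster quotes; the evaluator models first-match semantics only and skips slapd's entry/children pseudo-attributes, dn.regex, sets and ssf clauses.

```python
"""Toy evaluator for slapd.conf 'access to ... by ...' directives.

Added example, not OpenLDAP code. It models the part of slapd's ACL
semantics this thread turns on:
  * the first "access to" clause whose target matches is the only one used,
  * inside it the first matching "by" clause wins (implicit stop),
  * a clause with no matching "by" denies (implicit "by * none"),
  * each level implies every lower one
    (none < disclose < auth < compare < search < read < write < manage),
  * the rootdn bypasses ACLs.
Not modelled: entry/children pseudo-attributes, dn.regex, sets, ssf,
"continue"/"break", and the extra search/disclose checks slapd performs.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
ANON = ""  # slapd logs an anonymous requester as:  to value by "", (=0)


@dataclass
class By:
    who: str    # "*", "anonymous", "users", "self" or 'dn="..."'
    level: str


@dataclass
class Access:
    attrs: Optional[Set[str]] = None   # None: any attribute
    subtree: Optional[str] = None      # None: any entry
    by: List[By] = field(default_factory=list)


def norm_dn(dn: str) -> str:
    """Simplified DN normalisation: case and whitespace around commas."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def parse_acl(text: str) -> List[Access]:
    """Parse slapd.conf-style access directives; '#' starts a comment."""
    tokens: List[str] = []
    for line in text.splitlines():
        tokens += re.findall(r'\S+="[^"]*"|\S+', line.split("#", 1)[0])
    acls: List[Access] = []
    i = 0
    while i < len(tokens):
        t = tokens[i]
        if t == "access":                       # "access to <what>"
            acls.append(Access())
            i += 2
        elif t == "by":                         # "by <who> <level>"
            acls[-1].by.append(By(tokens[i + 1], tokens[i + 2].lower()))
            i += 3
        elif t.startswith("attrs="):
            acls[-1].attrs = {a.lower() for a in t[len("attrs="):].split(",")}
            i += 1
        elif t.startswith("dn.subtree="):
            acls[-1].subtree = norm_dn(t[len("dn.subtree="):].strip('"'))
            i += 1
        else:                                   # "*": leave both wildcards
            i += 1
    return acls


def _target_matches(a: Access, entry_dn: str, attr: str) -> bool:
    if a.subtree is not None:
        e = norm_dn(entry_dn)
        if e != a.subtree and not e.endswith("," + a.subtree):
            return False
    return a.attrs is None or attr.lower() in a.attrs


def _who_matches(b: By, requester: str, entry_dn: str) -> bool:
    if b.who == "*":
        return True
    if b.who == "anonymous":
        return requester == ANON
    if b.who == "users":
        return requester != ANON
    if b.who == "self":
        return requester != ANON and norm_dn(requester) == norm_dn(entry_dn)
    if b.who.startswith('dn="') and b.who.endswith('"'):
        return requester != ANON and norm_dn(requester) == norm_dn(b.who[4:-1])
    return False


def access_allowed(acls, requester, entry_dn, attr, needed, rootdn=None) -> bool:
    """Would slapd grant <needed> access on <attr> of <entry_dn> to <requester>?"""
    if rootdn and requester != ANON and norm_dn(requester) == norm_dn(rootdn):
        return True
    for a in acls:
        if not _target_matches(a, entry_dn, attr):
            continue
        for b in a.by:
            if _who_matches(b, requester, entry_dn):
                return LEVELS.index(b.level) >= LEVELS.index(needed)
        return False        # target matched, nobody matched: implicit "by * none"
    return False            # no directive matched the target: denied


# The two ACL sets from the thread.  DAN_ACL adds the how-to's catch-all so
# that authenticated users can still read ordinary attributes.
POSTER_ACL = "access to * by * write"
DAN_ACL = """
access to attrs=userPassword,shadowLastChange,sambaPwdLastSet,sambaLMPassword,sambaNTPassword,krb5KeyVersionNumber,krb5Key,cmusaslsecretOTP
    by anonymous auth
    by self write
    by * none
# Anything else is viewable by authenticated users
access to dn.subtree="dc=teipir,dc=gr"
    by users read
"""
SPIROS = "cn=spiros,ou=Managers,dc=teipir,dc=gr"   # DN used in the thread
OTHER = "cn=someone,ou=Managers,dc=teipir,dc=gr"   # constructed second user


def demo() -> dict:
    op, dan = parse_acl(POSTER_ACL), parse_acl(DAN_ACL)
    return {
        # "access to * by * write": the anonymous requester "" gets write, hence read
        "poster_anon_reads_krb5Key": access_allowed(op, ANON, SPIROS, "krb5Key", "read"),
        "dan_anon_reads_krb5Key": access_allowed(dan, ANON, SPIROS, "krb5Key", "read"),
        "dan_anon_binds_with_userPassword": access_allowed(dan, ANON, SPIROS, "userPassword", "auth"),
        "dan_self_changes_userPassword": access_allowed(dan, SPIROS, SPIROS, "userPassword", "write"),
        "dan_other_user_reads_krb5Key": access_allowed(dan, OTHER, SPIROS, "krb5Key", "read"),
        "dan_user_reads_cn": access_allowed(dan, OTHER, SPIROS, "cn", "read"),
        "dan_anon_reads_cn": access_allowed(dan, ANON, SPIROS, "cn", "read"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:36s} {'GRANTED' if ok else 'denied'}")
```

Running it shows the contrast the thread is circling: under the poster's ACL the anonymous read of krb5Key is granted, under Dan's it is denied while an anonymous bind against userPassword (auth) and a self-service password change (write) still work. Because slapd stops at the first "access to" whose target matches, the order of directives matters as much as the order of "by" clauses; a broad "access to *" placed first would shadow every attribute-specific rule after it.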
Μανόλης Βλαχάκης
2010-03-22 14:29:28 UTC
Hello there,
and thank you for your quick reply...

1) Is this the only access list you have used, and does it work fine?
Because, as I told you, I want to add the attributes below. Do you think they'll
work?

# Remember that rootdn has always write access
# posixAccount/posixGroup attributes may only be accessible to
# root/ldapmaster (write) and pamproxy (read)
access to attrs=uid,uidNumber,gidNumber,gecos,homeDirectory,loginShell,memberUid
  by dn="cn=***@circuitcat.com,ou=kerberos,dc=circuitcat,dc=com" read

# This is needed so sasl-regexp/GSSAPI works correctly
access to attrs=krb5PrincipalName
  by anonymous auth

# Kerberos attributes may only be accessible to root/ldapmaster
access to attrs=krb5KeyVersionNumber,krb5PrincipalRealm,krb5EncryptionType,krb5KDCFlags,krb5Key,krb5MaxLife,krb5MaxRenew,krb5PasswordEnd,krb5ValidEnd,krb5ValidStart,krb5RealmNam
  by * none

# We will be using userPassword to provide simple BIND access, so we don't
# want this to be user editable
access to attrs=userPassword
  by anonymous auth

# Write access to common attributes for users
access to dn.subtree="ou=people,dc=circuitcat,dc=com"
  attrs=telephoneNumber,facsimileTelephoneNumber,jpegPhoto,homePhone,homePostalAddress
  by self write
  by users read

# Anything else we may have forgotten is writable by admin, and viewable by
# authenticated users
access to dn.subtree="dc=circuitcat,dc=com"
  by users read


2) I have already re-initialised Heimdal, so I think that is not the problem... I had
some issues before that got solved by doing the Heimdal re-init.
Μανόλης Βλαχάκης
2010-03-22 14:36:08 UTC
And I forgot to mention another problem I face,
but I don't think it is related to the one I mentioned before...

On the LDAP server I only get this in the log:

Mar 22 16:35:18 proof slapd: auxpropfunc error no mechanism available
Mar 22 16:35:18 proof slapd: _sasl_plugin_load failed on
sasl_auxprop_plug_init for plugin: sql
Μανόλης Βλαχάκης
2010-03-22 14:39:15 UTC
Sorry, I forgot another one...


By using the command below I get:

pluginviewer -a
Mar 22 16:37:32 proof pluginviewer: auxpropfunc error invalid parameter
supplied
Mar 22 16:37:32 proof pluginviewer: _sasl_plugin_load failed on
sasl_auxprop_plug_init for plugin: ldapdb
Mar 22 16:37:32 proof pluginviewer: sql_select option missing
Mar 22 16:37:32 proof pluginviewer: auxpropfunc error no mechanism available
Mar 22 16:37:32 proof pluginviewer: _sasl_plugin_load failed on
sasl_auxprop_plug_init for plugin: sql
Dan White
2010-03-22 14:55:42 UTC
Post by Μανόλης Βλαχάκης
And I forgot to mention another problem I face,
but I don't think it is related to the one I mentioned before...
On the LDAP server I only get this in the log:
Mar 22 16:35:18 proof slapd: auxpropfunc error no mechanism available
Mar 22 16:35:18 proof slapd: _sasl_plugin_load failed on
sasl_auxprop_plug_init for plugin: sql
By default, the Cyrus SASL library will attempt to initialize all available
auxprop plugins. You have a sql auxprop plugin installed, but you have not
specified required sql parameters to initialize the plugin.

You can explicitly specify which auxprop plugins you want to use
In /usr/lib/sasl2/slapd.conf (or the appropriate location on your system):

auxprop_plugin: slapd

or you can just remove the sql shared library so cyrus doesn't attempt to
initialize it.
--
Dan White
Μανόλης Βλαχάκης
2010-03-22 16:09:51 UTC
Finally the LDAP log works fine... but what I get from the log is that none of the
requests are being responded to
with data :( (for example the first one...)
acl_mask: access to entry
"krb5PrincipalName=kadmin/***@TEIPIR.GR,ou=kerberos,dc=teipir,dc=gr",
attr "uid" requested


But I still have the problem:

SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Insufficient access (50)
        additional info: SASL(-14): authorization failure: not authorized


Thanks for the help so far... :)
Dan White
2010-03-22 16:20:31 UTC
Post by Μανόλης Βλαχάκης
Finally the LDAP log works fine... but what I get from the log is that none of the
requests are being responded to
with data :( (for example the first one...)
acl_mask: access to entry
attr "uid" requested
I don't know.
Post by Μανόλης Βλαχάκης
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Insufficient access (50)
additional info: SASL(-14): authorization failure: not authorized
I would guess that there is a problem with your proxy authorization
configuration.

Does 'ldapwhoami' return a string which your authz-regexp is matching?
--
Dan White
Μανόλης Βλαχάκης
2010-03-22 16:29:00 UTC
When we apply the mapping setting as shown below
(sasl regexp):

log_level: -1
pwcheck_method: auxprop saslauthd
mech_list: GSSAPI EXTERNAL LOGIN PLAIN NTLM DIGEST-MD5 CRAM-MD5
auxprop_plugin: slapd
ldapdb_uri: ldaps://10.0.0.12:636/ ldapi:///
ldapdb_id: cn=***@nSpi,,dc=teipir,dc=gr
ldapdb_pw: {SSHA}I3uStTuu03acS7E/Wp85xNBawCqzvgtY
ldapdb_mech: GSSAPI EXTERNAL
ldapdb_starttls: try

on the ldapwhoami command I get:

SASL/GSSAPI authentication started
SASL username: kadmin/***@TEIPIR.GR
SASL SSF: 56
SASL data security layer installed.
dn:krb5PrincipalName=kadmin/***@TEIPIR.GR,ou=kerberos,dc=teipir,dc=gr

On the other hand, without mapping we get:

SASL/GSSAPI authentication started
SASL username: kadmin/***@TEIPIR.GR
SASL SSF: 56
SASL data security layer installed.
dn:uid=kadmin/admin,cn=gssapi,cn=auth

and

with the ACL set:
access to * by * write
  by * read
  by * auth

1) I get all the time the value
gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
2) and the uid value remains empty....


1)
acl_get: [1] attr krb5KeyVersionNumber
Mar 22 18:25:03 proof slapd[23892]: => acl_mask: access to entry
"krb5PrincipalName=krbtgt/***@TEIPIR.GR,ou=kerberos,dc=teipir,dc=gr",
attr "krb5KeyVersionNumber" requested
Mar 22 18:25:03 proof slapd[23892]: => acl_mask: to value by
"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth", (=0)


2)
=> access_allowed: auth access to "krb5PrincipalName=kadmin/
***@TEIPIR.GR,ou=kerberos,dc=teipir,dc=gr" "uid" requested
Mar 22 18:27:18 proof slapd[23983]: => acl_get: [1] attr uid
Mar 22 18:27:18 proof slapd[23983]: => acl_mask: access to entry
"krb5PrincipalName=kadmin/***@TEIPIR.GR,ou=kerberos,dc=teipir,dc=gr", attr
"uid" requested
Mar 22 18:27:18 proof slapd[23983]: => acl_mask: to value by "", (=0)
Mar 22 18:27:18 proof slapd[23983]: <= check a_dn_pat: *
Mar 22 18:27:18 proof slapd[23983]: <= acl_mask: [1] applying
write(=wrscxd) (stop)
Dan White
2010-03-22 17:02:05 UTC
Post by Μανόλης Βλαχάκης
SASL/GSSAPI authentication started
SASL SSF: 56
SASL data security layer installed.

SASL/GSSAPI authentication started
SASL SSF: 56
SASL data security layer installed.
dn:uid=kadmin/admin,cn=gssapi,cn=auth
Looks good.

Do you have an authz-policy set?
Post by Μανόλης Βλαχάκης
with the ACL set:
access to * by * write
  by * read
  by * auth

1) I get all the time the value
gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
2) and the uid value remains empty....
That looks like UNIX domain socket via an ldapi connection, by the root
user (or a user with UID of 0).

You should probably have a mapping for it as well. I map root to the admin
user on my system.
--
Dan White
Μανόλης Βλαχάκης
2010-03-22 17:07:40 UTC
No, I haven't set an authz-policy...
How should it be done?



I didn't understand exactly what you said here...
Can you give a code sample please?

"That looks like UNIX domain socket via an ldapi connection, by the root
user (or a user with UID of 0).

You should probably have a mapping for it as well. I map root to the admin
user on my system."

I have to tell you that you are a big help. Thank you again for everything.
Dan White
2010-03-22 17:35:23 UTC
Post by Μανόλης Βλαχάκης
No, I haven't set an authz-policy...
How should it be done?
See the openldap administrator's guide, section 15.3.

I use 'authz-policy to'. It requires that I specify an authzTo attribute in
each identity I want to give proxy authentication privileges to.

I assume that is what you are wanting to do, given the error earlier, but
it may not be.
Post by Μανόλης Βλαχάκης
I didn't understand exactly what you said here...
Can you give a code sample please?

"That looks like UNIX domain socket via an ldapi connection, by the root
user (or a user with UID of 0).
You should probably have a mapping for it as well. I map root to the admin
user on my system."
From my config:

rootdn "cn=admin,dc=olp,dc=net"

authz-regexp
"gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
cn=admin,dc=olp,dc=net

It gives me full rights to the server when connecting as the root user.
--
Dan White
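Dan's authz-regexp for the root peercred identity above, together with the three sasl-regexp rules the original poster listed earlier, as an added example that is not slapd's code: a Python simulation of the rewriting slapd applies to a SASL authentication identity before it looks up the bind DN, so the rules can be checked offline against the identities that appear in the thread's ldapwhoami output and slapd log. Two of the poster's replacement strings are redacted on the list, so "$1@TEIPIR.GR" and the ldapmaster DN below are assumed values; the realm-qualified GSSAPI identity is constructed; and it is assumed here that slapd compiles the patterns as case-insensitive extended regexes with unanchored search semantics and leaves an identity that matches no rule as it is, which is what the "without mapping" ldapwhoami output earlier in the thread shows.

```python
"""Offline simulation of slapd's authz-regexp (sasl-regexp) rewriting.

Added example, not OpenLDAP code.  slapd presents a SASL identity as a DN
under cn=auth, e.g. "uid=kadmin/admin,cn=gssapi,cn=auth" for GSSAPI or
"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" for root over
ldapi:///, and tries each authz-regexp pattern in order; the first match
wins and $1..$9 in the replacement are filled from the pattern's groups.
Assumptions made here: patterns are extended regexes matched
case-insensitively with search (unanchored) semantics, and an identity
matching no rule is kept verbatim, which is what the thread's "without
mapping" ldapwhoami output shows.
"""
import re
from typing import List, Tuple

Rule = Tuple[re.Pattern, str]


def compile_rules(rules: List[Tuple[str, str]]) -> List[Rule]:
    """(pattern, replacement) pairs as they would appear in slapd.conf."""
    return [(re.compile(pat, re.IGNORECASE), repl) for pat, repl in rules]


def map_authcid(rules: List[Rule], authcid: str) -> str:
    """Return the DN or ldap:/// URL slapd would use for this SASL identity."""
    for rx, repl in rules:
        m = rx.search(authcid)
        if m is None:
            continue
        out = repl
        for i, group in enumerate(m.groups(), start=1):
            out = out.replace(f"${i}", group)
        return out
    return authcid  # no rule matched: the uid=...,cn=auth form is used as-is


# The poster's three rules, in the order given.  Two replacements are
# redacted on the list; "$1@TEIPIR.GR" and the ldapmaster DN are assumed
# values for this example.  slapd.conf writes the "+" as "\\\+"; a Python
# raw string writes it as "\+".
POSTER_RULES = compile_rules([
    (r"uid=(.+),cn=(.+),cn=.+,cn=auth",
     "ldap:///dc=$2,dc=gr??sub?(|(uid=$1)(cn=$1@$2))"),
    (r"uid=(.+),cn=.+,cn=auth",
     "ldap:///dc=teipir,dc=gr??sub?(|(uid=$1)(krb5PrincipalName=$1@TEIPIR.GR))"),
    (r"uidnumber=0\+gidnumber=0,cn=peercred,cn=external,cn=auth",
     "cn=ldapmaster,ou=kerberos,dc=teipir,dc=gr"),
])

# Dan White's root mapping, as posted.
DAN_ROOT_RULE = compile_rules([
    (r"gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth",
     "cn=admin,dc=olp,dc=net"),
])

# Identities: the first two are copied from the ldapwhoami output and slapd
# log in the thread, the third is a constructed realm-qualified GSSAPI id.
GSSAPI_ID = "uid=kadmin/admin,cn=gssapi,cn=auth"
PEERCRED_ID = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
REALM_ID = "uid=spiros,cn=teipir,cn=gssapi,cn=auth"


def demo() -> dict:
    return {
        "gssapi": map_authcid(POSTER_RULES, GSSAPI_ID),
        "gssapi_with_realm": map_authcid(POSTER_RULES, REALM_ID),
        # attribute order in the poster's third pattern is reversed, so no rule fires
        "root_with_poster_rules": map_authcid(POSTER_RULES, PEERCRED_ID),
        "root_with_dans_rule": map_authcid(DAN_ROOT_RULE, PEERCRED_ID),
    }


if __name__ == "__main__":
    for name, dn in demo().items():
        print(f"{name:24s} -> {dn}")
```

The third result is the one worth noticing: the poster's peercred pattern lists the RDN components as "uidnumber=0+gidnumber=0", whereas slapd's own log in the thread shows the identity as "gidNumber=0+uidNumber=0", the same order Dan's pattern uses. Case-insensitive matching does not rescue a reversed component order, so the root identity stays unmapped and falls through to whatever "by *" clause the ACL offers, which is consistent with the poster seeing "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" as the requester in the acl_mask log lines.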
Μανόλης Βλαχάκης
2010-03-23 10:18:57 UTC
After reading the OpenLDAP admin guide you mentioned,
I understood that, by using -X on the ldapsearch command,
I should use the authzTo attribute as you said.

But even with the changes I made to the file, no difference was spotted...

I currently use the ACL below (it was my initial one, and the best for my case, I think):

access to *
  by dn="cn=***@nSpi,dc=teipir,dc=gr" write
  by dn="cn=Vlachakis Emmanouil,ou=Managers,dc=teipir,dc=gr" manage
  by dn="cn=Oikonomakis Spyridwn,ou=Managers,dc=teipir,dc=gr" manage
  by users read
  by * write


Thank you
Μανόλης Βλαχάκης
2010-03-23 10:33:35 UTC
After trying several things I found out that, in the slapd configuration file,
if I add as the rootdn the user I created in Heimdal Kerberos with the
"kadmin -l" "add ldapmaster" command, without a rootpw,
the search works fine with any user I run it as....

So it is not working as I want it to,
which is to require a password every time I try to search through the LDAP
server.


Thank you
Μανόλης Βλαχάκης
2010-03-23 12:24:53 UTC
Basically, I forgot to mention that all my steps are being done
according to the how-to I found most helpful on the net:


http://www.openinput.com/auth-howto/ar01s06.html
Buchan Milne
2010-03-24 09:17:57 UTC
Post by Μανόλης Βλαχάκης
After reading the OpenLDAP admin guide you mentioned,
I understood that, by using -X on the ldapsearch command,
I should use the authzTo attribute as you said.
But, you haven't explained if or why you need to authorize to different users.
IMHO, it looks plainly as if you have been using the -X flag by mistake ...

The document you referred to doesn't use -X anywhere, only -x in the case of
simple binds.

Regards,
Buchan
Μανόλης Βλαχάκης
2010-03-24 10:04:57 UTC
Post by Buchan Milne
Post by Μανόλης Βλαχάκης
After reading the OpenLDAP admin guide you mentioned,
I understood that, by using -X on the ldapsearch command,
I should use the authzTo attribute as you said.
But, you haven't explained if or why you need to authorize to different users.
IMHO, it looks plainly as if you have been using the -X flag by mistake ...
The document you referred to doesn't use -X anywhere, only -x in the case of
simple binds.
I want to do a SASL bind, not a simple bind; that's why I use the -X flag! Am I
wrong?
What are you suggesting to do with the users? I believe that there is no
need to have
all users authorized, but only two, for example only those I have in
Kerberos:
ldapmaster and kadmin/admin! Am I right? Take a look at my slapd.conf!
My problem is that I want to do a SASL bind with a password and not only with
a DN, because now I do a SASL bind only with one of the authorized DNs!
Dieter Kluenter
2010-03-24 13:29:05 UTC
On Wed, 24 Mar 2010 12:04:57 +0200
Post by Μανόλης Βλαχάκης
Post by Buchan Milne
Post by Μανόλης Βλαχάκης
After reading the OpenLDAP admin guide you mentioned,
I understood that, by using -X on the ldapsearch command,
I should use the authzTo attribute as you said.
But, you haven't explained if or why you need to authorize to different users.
IMHO, it looks plainly as if you have been using the -X flag by mistake ...
The document you referred to doesn't use -X anywhere, only -x in the case of
simple binds.
I want to do a SASL bind, not a simple bind; that's why I use the -X flag! Am I
wrong?
What are you suggesting to do with the users? I believe that there is
no need to have
all users authorized, but only two, for example only those I have
in Kerberos:
ldapmaster and kadmin/admin! Am I right? Take a look at my slapd.conf!
My problem is that I want to do a SASL bind with a password and not
only with a DN, because now I do a SASL bind only with one of the
authorized DNs!
Did you create an ldap service and host principal? If so, just use the
GSSAPI mechanism, something like 'ldapsearch -Y GSSAPI -H
ldap://some.host', and you may write an appropriate authz-regexp in order
to match the SASL authentication string to a DN.

-Dieter
--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:8EF7B6C6
53°37'09,95"N
10°08'02,42"E
Buchan Milne
2010-03-24 11:38:22 UTC
Post by Μανόλης Βλαχάκης
Post by Buchan Milne
Post by Μανόλης Βλαχάκης
After reading the OpenLDAP admin guide you mentioned,
I understood that, by using -X on the ldapsearch command,
I should use the authzTo attribute as you said.
But, you haven't explained if or why you need to authorize to different users.
IMHO, it looks plainly as if you have been using the -X flag by mistake ...
The document you referred to doesn't use -X anywhere, only -x in the case of
simple binds.
I want to do a SASL bind, not a simple bind; that's why I use the -X flag! Am I
wrong?
Yes. -x is for simple binds. Without -x, you get SASL binds (it is the
default, if your software is compiled with SASL support). -X is not for
forcing SASL, but for something a bit more obscure than what I think you want
...

Here are some examples from a working OpenLDAP/Heimdal setup:

As a unix user:

Simple bind:

[***@tiger ~]$ ldapwhoami -x -D
uid=bgmilne,ou=people,dc=ranger,dc=dnsalias,dc=com -W
Enter LDAP Password:
dn:uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com


[***@tiger ~]$ kinit
***@RANGER.DNSALIAS.COM's Password:
[***@tiger ~]$ klist
Credentials cache: FILE:/tmp/krb5cc_501
Principal: ***@RANGER.DNSALIAS.COM

Issued Expires Principal
Mar 24 12:30:43 Mar 24 19:10:43
krbtgt/***@RANGER.DNSALIAS.COM


SASL/GSSAPI:

[***@tiger ~]$ ldapwhoami
SASL/GSSAPI authentication started
SASL username: ***@RANGER.DNSALIAS.COM
SASL SSF: 56
SASL data security layer installed.
dn:uid=bgmilne,ou=people,dc=ranger,dc=dnsalias,dc=com
[***@tiger ~]$ klist
Credentials cache: FILE:/tmp/krb5cc_501
Principal: ***@RANGER.DNSALIAS.COM

Issued Expires Principal
Mar 24 12:30:43 Mar 24 19:10:43
krbtgt/***@RANGER.DNSALIAS.COM
Mar 24 12:30:50 Mar 24 19:10:43
ldap/***@RANGER.DNSALIAS.COM


Simple, anonymous:

[***@tiger ~]$ ldapwhoami -x
anonymous


SASL/EXTERNAL on ldapi

[***@tiger ~]$ ldapwhoami -x -H ldapi:/// -Y EXTERNAL
ldapwhoami: incompatible with authentication choice
[***@tiger ~]$ ldapwhoami -H ldapi:/// -Y EXTERNAL
SASL/EXTERNAL authentication started
SASL username: gidNumber=501+uidNumber=501,cn=peercred,cn=external,cn=auth
SASL SSF: 0
anonymous


As root:

For KDC's access to LDAP:

[***@tiger ~]# cat .ldaprc
SASL_MECH EXTERNAL
URI ldapi:///
[***@tiger ~]# ldapwhoami
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn:uid=account admin,ou=system accounts,dc=ranger,dc=dnsalias,dc=com


For nss_ldap etc. to enumerate users (e.g., would be identical on client-only
hosts), so that proxy users are not required, and access is host-specific with
no clear-text credentials on clients:


[***@tiger ~]# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: host/***@RANGER.DNSALIAS.COM

Issued Expires Principal
Mar 24 12:22:01 Mar 24 19:02:01
krbtgt/***@RANGER.DNSALIAS.COM
Mar 24 12:33:51 Mar 24 19:02:01
ldap/***@RANGER.DNSALIAS.COM

[***@tiger ~]# ldapwhoami -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: host/***@RANGER.DNSALIAS.COM
SASL SSF: 56
SASL data security layer installed.
dn:uid=host/tiger.ranger.dnsalias.com,ou=people,dc=ranger,dc=dnsalias,dc=com
Post by Μανόλης Βλαχάκης
what are you suggesting to do with the users? I believe that there is not
need to have
all users authoirized but only two for example only these who i have in
kerberos
ldapmaste and kadmin/admin! am i right?
I don't know what you are trying to achieve.
Post by Μανόλης Βλαχάκης
Take a look to my slapd.conf!
It's pointless without knowing what you are trying to achieve.
Post by Μανόλης Βλαχάκης
My problem, is that i want to do sasl bind with password and not only with
dn because now i do sasl bind only with one of the authorized dn!
If you have Kerberos, why do you want to provide a password? You should
instead be happy with a SASL GSSAPI bind, which is authenticated (but, not by
password transfer in clear text to slapd).


Regards,
Buchan
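One way the two identity mappings visible in the ldapwhoami output above could be expressed, as an added slapd.conf example (this is not Buchan's or Dan's own configuration): the DNs and the realm are taken from the output, while the ACL scope and the regexp form are assumptions.

```conf
# Added example slapd.conf fragment, not the configuration of anyone in this
# thread.  It reproduces the two mappings shown by ldapwhoami above and then
# limits what each mapped identity may do.

# 1. Local root over ldapi:/// (SASL EXTERNAL, peer credentials) becomes the
#    account the KDC uses.  Two backslashes are needed: slapd.conf unescapes
#    the quoted string once, so the regexp itself sees "\+".
authz-regexp
  "gidNumber=0\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
  "uid=account admin,ou=system accounts,dc=ranger,dc=dnsalias,dc=com"

# 2. Any Kerberos principal of the realm that authenticated via SASL GSSAPI
#    is mapped to its own entry under ou=people; the principal name
#    (including a "host/..." instance) becomes the uid value.  slapd matches
#    these regexps case-insensitively, so the realm is written in lower case.
authz-regexp
  "uid=([^,]*),cn=ranger.dnsalias.com,cn=gssapi,cn=auth"
  "uid=$1,ou=people,dc=ranger,dc=dnsalias,dc=com"

# Secrets are only usable for authentication; nobody can read them back.
access to attrs=userPassword,krb5Key,krb5KeyVersionNumber
  by anonymous auth
  by self write
  by * none

# Entries are readable by any authenticated identity (host principals
# included, which is what nss_ldap on a client host needs) and writable
# only by the KDC's account.  Unauthenticated connections see nothing.
access to dn.subtree="ou=people,dc=ranger,dc=dnsalias,dc=com"
  by dn.exact="uid=account admin,ou=system accounts,dc=ranger,dc=dnsalias,dc=com" write
  by users read
  by * none
```

After reloading, `ldapwhoami -Y GSSAPI` with a host ticket should report the ou=people DN and `ldapwhoami -Y EXTERNAL -H ldapi:///` as root the system-accounts DN; an unmapped identity keeps its raw cn=auth form and falls under `by * none`.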
Μανόλης Βλαχάκης
2010-03-24 12:24:37 UTC
Permalink
To begin with, thank you very much for your mail;
it is really helpful so as to understand whether we are on the right way or
not..
After testing everything you said, everything seems great apart from the one
below.

I didn't really get what I can find out with the commands shown here
Post by Buchan Milne
SASL_MECH EXTERNAL
URI ldapi:///
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn:uid=account admin,ou=system accounts,dc=ranger,dc=dnsalias,dc=com
For nss_ldap etc. to enumerate users (e.g., would be identical on client-only
hosts), so that proxy users are not required, and access is host-specific with
I don't know what you are trying to achieve.
It's pointless without knowing what you are trying to achieve.
now about my project: i have a gentoo server where i set up the ldap
database...there i will update and also retrieve some user attributes (with
a search on the ldap tree) from this database with a php application.
before i reach that point i would like to have the maximum security level
available

So do you think that if i use ldap_bind on the php side it forces the whole
session to go the secure way even if i don't use sasl_bind ...
Post by Buchan Milne
If you have Kerberos, why do you want to provide a password? You should
instead be happy with a SASL GSSAPI bind, which is authenticated (but, not by
password transfer in clear text to slapd).
this password i am talking about is the one the users have in the ldap
database as an attribute; that is why i think it should be better to be
required on the search being done
--
Manolis Vlachakis

Nelly's Family Hotel
Visit : www.nellys-hotel.gr
www.nellys.gr
Skype : manolis.vlachakis
Μανόλης Βλαχάκης
2010-03-24 14:26:01 UTC
Permalink
Another thing i would like to ask, so as to be more sufficient on what i have
accomplished:
can you tell me please, looking at my logs after using the commands:

1)ldapsearch -Y GSSAPI -D "cn=***@nSpi,dc=teipir,dc=gr" -b "cn=bla bla
bla...,ou=Managers,dc=teipir,dc=gr" -W -d 5


and i face a problem with the uid attribute; as you can see in the log it seems
to be empty...

hope it is not because i haven't added the

rootdn "cn=admin,dc=olp,dc=net"

authz-regexp

"gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
cn=admin,dc=olp,dc=net

as Dan mentioned (so as not to have the error: No preauth found,
returning PREAUTH-REQUIRED )

2)and this is the one i get when i log in via php


Thank you!!

Dan White
2010-03-22 14:43:22 UTC
Permalink
Post by Μανόλης Βλαχάκης
hallo there
and thank you for your quick reply...
1)is this the only access list you have used and it works fine?
cause as i told you i want to add the attributes below, you think they'll
work?
I have several other rules, but these are the ones that I believe are
relevant. These might not match recommended practice but they work for me:

access to attrs=userPassword,shadowLastChange,sambaPwdLastSet,sambaLMPassword,sambaNTPassword,krb5KeyVersionNumber,krb5Key,cmusaslsecretOTP
by anonymous auth
by self write
by * none

access to attrs=authzTo
by anonymous auth
by self read
by * none

access to attrs=objectClass
by self read
by anonymous auth
by * none
--
Dan White
BTC Broadband
Ph 918.366.0248 (direct) main: (918)366-8000
Fax 918.366.6610 email: ***@olp.net
http://www.btcbroadband.com
Buchan Milne
2010-03-23 10:10:49 UTC
Permalink
Post by Μανόλης Βλαχάκης
Hallo there and thank you for your answer
i finally made it
Made what?
Post by Μανόλης Βλαχάκης
and moved on but now i face other problem.
Are you sure? It looks like the same problem, but the error message is different
because you made different mistakes in testing.
Post by Μανόλης Βλαχάκης
ldapsearch -X "dn:cn=spiros,ou=Managers,dc=teipir,dc=gr" -w 1234 -d 255
and although i set up to require a password (on the sasl config )
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Insufficient access (50)
        additional info: SASL(-14): authorization failure: not authorized
A SASL/GSSAPI bind is attempted, but you haven't yet shown whether you have a
Kerberos TGT, or valid service tickets. Please show the output of 'klist'
Post by Μανόλης Βλαχάκης
or when i use any other command client side i have full access to the tree
with no password required
Which problem are we trying to solve? The GSSAPI bind, or the access lists? If
you want GSSAPI bind, maybe you should concentrate on it first, as your access
lists may be different for the case where you have GSSAPI working vs not.

(please consider replying in-line, with your replies in the right section of
the mail, and drop any irrelevant portions).
Post by Μανόλης Βλαχάκης
Post by Dan White
Post by Μανόλης Βλαχάκης
Hallo there everyone
i hope you can help me with my issue cause it really bothers me for a week
i set up an ldap on gentoo and after modifying heimdal kerberos and tls
i get these errors...
gss_accept_sec_context
+
IPv4:10.0.0.12 for krbtgt/TEIPIR.GR
2010-03-18T16:32:58 Client sent patypes: none
TEIPIR.GR <http://teipir.gr/>
2010-03-18T16:32:58 No preauth found, returning PREAUTH-REQUIRED --
2010-03-18T16:32:58 sending 268 bytes to IPv4:10.0.0.12
Is there one host involved or two, and do they both have valid credential
caches (klist)?
Does your openldap user have access to /etc/krb5.keytab? What does your
cyrus sasl config look like (if it exists)?
Assuming you're using an ldapsearch command from the client, what options
are you passing?
Do you have any custom SASL config items in your openldap config
(sasl-host, sasl-realm or sasl-secprops)?
Regards,
Buchan
Μανόλης Βλαχάκης
2010-03-23 16:03:32 UTC
Permalink
Post by Buchan Milne
Made what?
i solved the SQL error showing on the log...i deleted the libs..
Post by Buchan Milne
A SASL/GSSAPI bind is attempted, but you haven't yet shown whether you have a
Kerberos TGT, or valid service tickets. Please show the output of 'klist'
klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: ***@TEIPIR.GR

Issued Expires Principal
Post by Buchan Milne
Which problem are we trying to solve? The GSSAPI bind, or the access lists? If
you want GSSAPI bind, maybe you should concentrate on it first, as your access
lists may be different for the case where you have GSSAPI working vs not.
the problems i face today are

1)when i try to search as
the authorized users i created, as described at
http://www.openinput.com/auth-howto/ar01s06.html#d0e781 (which i followed in
every step), i get no message asking for a password and the search continues
at once

+
a general question ..
my project is retrieving data from an ldap tree through a PHP application
in the most secure way possible

should i only authorize the admins or all the sub entries of a "leaf" on our
ldap tree (user names, passwords... etc. of the users)

P.S.: i attach my slapd.conf so as to give you the full idea of my settings (i
can paste you my sasl configs too)

Thank you very much!!