Hi,

There is something I can't explain concerning the interaction of ldapadd & ldapsearch (from openldap) with FDS while using Kerberos.

Here is what I do:

1. kinit User.Name ...

2. Verification with klist -ok, I have the Kerberos ticket

3. Verification with ldapsearch works without any problem, giving all the necessary infos:

    ldapsearch -Y GSSAPI 'sn=toto*'
    SASL/GSSAPI authentication started
    SASL username: User.Name at KRB-FDS
    SASL SSF: 56
    SASL installing layers
    # extended LDIF
    #
    # LDAPv3
    # base <> with scope sub
    # filter: sn=aic*
    # requesting: userPassword
    .... infos ...

4. The problem appears when I try to use ldapadd/ldapmodify with some ldif files (apparently, these files should be larger than some critical value to produce the error). Here is an example of such an ldif:

test.ldif:

    dn: cn=Gilles Martin,ou=CMLS,ou=Laboratoires,o=Some Organization,dc=fds-example,dc=domain,dc=com
    givenName: Gilles
    sn: Martin
    telephoneNumber: 00 00
    loginShell: /bin/bash
    departmentNumber: LAB CMLS
    physicalDeliveryOfficeName: 402:10-02
    uidNumber: 3090
    gidNumber: 3000
    mail: gilles.martin at some-organization.domain.com
    displayName: Gilles Martin (M.)
    uid: Gilles.Martin
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetorgperson
    objectClass: posixAccount
    gecos: Gilles Martin,LAB CMLS ,PERSONNEL DE RECHERCHE
    cn: Gilles Martin
    title: PERSONNEL DE RECHERCHE
    homeDirectory: /home/CMLS/Gilles.Martin
    userPassword: {clear}Gilles.Martin

When I try to add this entry using ldapadd or ldapmodify with Kerberos:

    [root at workstation ~]# ldapadd -Y GSSAPI -v -f test.ldif -H ldap://fds-example.domain.com
    ldap_initialize( ldap://fds-example.domain.com )
    SASL/GSSAPI authentication started
    SASL username: User.Name at KRB-FDS
    SASL SSF: 56
    SASL installing layers
    add givenName: Gilles
    add sn: Martin
    add telephoneNumber: 00 00
    add loginShell: /bin/bash
    add departmentNumber: LAB CMLS
    add physicalDeliveryOfficeName: 402:10-02
    add uidNumber: 3090
    add gidNumber: 3000
    add mail: gilles.martin at some-organization.domain.com
    add displayName: Gilles Martin (M.)
    add uid: Gilles.Martin
    add objectClass: top person organizationalPerson inetorgperson posixAccount
    add gecos: Gilles Martin,LAB CMLS ,PERSONNEL DE RECHERCHE
    add cn: Gilles Martin
    add title: PERSONNEL DE RECHERCHE
    add homeDirectory: /home/CMLS/Gilles.Martin
    add userPassword: {clear}Gilles.Martin
    adding new entry "cn=Gilles Martin,ou=CMLS,ou=Laboratoires,o=Some Organization,dc=fds-example,dc=domain,dc=com"
    modify complete
    ldap_add: Protocol error (2)
            additional info: decoding error

5. Adding the same entry using simple authentication (plain text or SSL/TLS) is possible without any problem.

The only way of using Kerberos and ldapadd/ldapmodify is adding the option "-O maxssf=0":

    ldapadd -Y GSSAPI -O maxssf=0 -v -f test.ldif -H ldap://fds-example.domain.com

With this command line, ldapadd adds the entry successfully.

Can someone explain to me why ldapsearch works without problem and ldapadd needs an additional option (this option forbids the double encryption kerberos+ssl if I understand correctly)?

Thank you!

Andrey Ivanov
tel +33-(0)1-69-33-99-24
fax +33-(0)1-69-33-99-55

Direction des Systemes d'Information
Ecole Polytechnique
91128 Palaiseau CEDEX
France