ldapadd with Kerberos

>> 5. Adding the same entry using simple authentication (plain text or
>> SSL/TLS) is possible without any problem. The only way of using
>> Kerberos with ldapadd/ldapmodify is adding the option "-O maxssf=0":
>>
>> ldapadd -Y GSSAPI -O maxssf=0 -v -f test.ldif -H ldap://fds-example.domain.com
>>
>> With this command line, the ldapadd adds the entry with success.
>>
>>
>>
>>
>>
>> Can someone explain to me why ldapsearch works without problem and
>> ldapadd needs an additional option (this option forbids the double
>> encryption Kerberos+SSL, if I understand correctly)?
>>   
RM> I'm not sure.  Could you post some relevant excerpts from your directory
RM> server access and error logs?  Be sure to remove any sensitive data from
RM> them first.
The logs do not reveal anything special - it's the same error (2 -
protocol error). FDS 1.0.2. ldapadd/ldapmodify are the
RPM versions from FC2, FC3, FC4 (I've tested both).

ldapadd -Y GSSAPI -v -f test.ldif -H ldap://fds-example.domain.com

Access logs:

[29/Jun/2006:20:38:47 +0200] conn=225 fd=64 slot=64 connection from xxx.xxx.xxx.xxx to yyy.yyy.yyy.yyy
[29/Jun/2006:20:38:48 +0200] conn=225 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[29/Jun/2006:20:38:48 +0200] conn=225 op=0 RESULT err=14 tag=97 nentries=0 etime=0.013000, SASL bind in progress
[29/Jun/2006:20:38:48 +0200] conn=225 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[29/Jun/2006:20:38:48 +0200] conn=225 op=1 RESULT err=14 tag=97 nentries=0 etime=0.000000, SASL bind in progress
[29/Jun/2006:20:38:48 +0200] conn=225 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[29/Jun/2006:20:38:48 +0200] conn=Internal op=-1 SRCH base="dc=fds-example,dc=domain,dc=com" scope=2 filter="(&(uid=User.Name))" attrs=ALL
[29/Jun/2006:20:38:48 +0200] conn=Internal op=-1 RESULT err=0 tag=48 nentries=1 etime=0.001000
[29/Jun/2006:20:38:48 +0200] conn=Internal op=-1 SRCH base="o=NetscapeRoot" scope=2 filter="(&(uid=User.Name))" attrs=ALL
[29/Jun/2006:20:38:48 +0200] conn=Internal op=-1 RESULT err=0 tag=48 nentries=0 etime=0.000000
[29/Jun/2006:20:38:48 +0200] conn=Internal op=-1 SRCH base="cn=user name,ou=cmap,ou=laboratoires,o=Some Organization,dc=fds-example,dc=domain,dc=com" scope=0 filter="(|(objectclass=*)(objectclass=ldapsubentry))" attrs=ALL
[29/Jun/2006:20:38:48 +0200] conn=Internal op=-1 RESULT err=0 tag=48 nentries=1 etime=0.000000
[29/Jun/2006:20:38:48 +0200] conn=225 op=2 RESULT err=0 tag=97 nentries=0 etime=0.002000 dn="cn=user name,ou=cmap,ou=laboratoires,o=Some Organization,dc=fds-example,dc=domain,dc=com"
[29/Jun/2006:20:38:48 +0200] conn=225 op=3 ADD dn="cn=Gilles Martin,ou=CMLS,ou=Laboratoires,o=Some Organization,dc=fds-example,dc=domain,dc=com", decoding error
[29/Jun/2006:20:38:48 +0200] conn=225 op=3 RESULT err=2 tag=105 nentries=0 etime=0.000000
[29/Jun/2006:20:38:48 +0200] conn=225 op=4 UNBIND
[29/Jun/2006:20:38:48 +0200] conn=225 op=4 fd=64 closed - U1


And there is nothing in the error logs.



What may be important is the size of the LDIF file. The error pops up for this file:

dn: cn=Gilles Martin,ou=CMLS,ou=Laboratoires,o=Some Organization,dc=fds-example,dc=domain,dc=com
givenName: Gilles
sn: Martin
telephoneNumber: 00 00
loginShell: /bin/bash
departmentNumber: LAB CMLS
physicalDeliveryOfficeName: 402:10-02
uidNumber: 3090
gidNumber: 3000
mail: gilles.martin at some-organization.domain.com
displayName: Gilles Martin (M.)
uid: Gilles.Martin
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
gecos: Gilles Martin,LAB CMLS ,PERSONNEL DE RECHERCHE
cn: Gilles Martin
title: PERSONNEL DE RECHERCHE
homeDirectory: /home/CMLS/Gilles.Martin
userPassword: {clear}Gilles.Martin


But everything goes smoothly for this one:

dn: cn=Gilles Martin,ou=CMLS,ou=Laboratoires,o=Some Organization,dc=fds-example,dc=domain,dc=com
givenName: Gilles
sn: Martin
#telephoneNumber: 00 00
loginShell: /bin/bash
#departmentNumber: LAB CMLS
#physicalDeliveryOfficeName: 402:10-02
uidNumber: 3090
gidNumber: 3000
#mail: gilles.martin at some-organization.domain.com
#displayName: Gilles Martin (M.)
uid: Gilles.Martin
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
#gecos: Gilles Martin,LAB CMLS ,PERSONNEL DE RECHERCHE
cn: Gilles Martin
#title: PERSONNEL DE RECHERCHE
homeDirectory: /home/CMLS/Gilles.Martin
userPassword: {clear}Gilles.Martin



Both files are correctly imported with: ldapadd -Y GSSAPI -O maxssf=0 -v -f test.ldif -H ldap://fds-example.domain.com




Andrey Ivanov
tel +33-(0)1-69-33-99-24
fax +33-(0)1-69-33-99-55

Direction des Systemes d'Information
Ecole Polytechnique
91128 Palaiseau CEDEX
France
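The thread does not establish why the larger LDIF fails under GSSAPI but succeeds with "-O maxssf=0". What that option changes on the wire is well defined, though: maxssf=0 forbids the SASL security layer, and with a security layer on, every LDAP PDU is wrapped and framed as length-prefixed buffers whose size is bounded by limits exchanged during the bind. The following script is an added illustration (not code from the thread, from Fedora Directory Server or from OpenLDAP) of that negotiation (RFC 4752, the SASL GSSAPI mechanism) and framing (RFC 4422 section 3.7), with GSS-API wrap/unwrap replaced by an identity stand-in so it runs offline. The sample LDIF payloads, the server token and the buffer limits are constructed for the demonstration; the maxssf-to-layer mapping is a simplification of what Cyrus SASL does.

```python
"""Added illustration of the SASL security layer that "-O maxssf" controls.
Negotiation follows RFC 4752 (SASL GSSAPI), framing follows RFC 4422 3.7.
GSS-API wrap/unwrap is an identity stand-in so the script runs offline;
the LDIF payloads and size limits are constructed, not taken from a server."""
import struct

SEC_NONE, SEC_INTEGRITY, SEC_CONFIDENTIALITY = 0x01, 0x02, 0x04


def decode_server_offer(token: bytes):
    """Final RFC 4752 server token (after GSS unwrap): octet 0 is a bitmask of
    the layers the server supports, octets 1-3 the largest buffer it accepts."""
    if len(token) != 4:
        raise ValueError("RFC 4752 server token must be exactly 4 octets")
    return token[0], int.from_bytes(token[1:4], "big")


def choose_layer(offered: int, maxssf: int) -> int:
    """Pick a layer within the client's maxssf.  maxssf=0 (the workaround in
    the thread) means 'no security layer'; otherwise take the strongest layer
    the server offered.  Simplified from Cyrus SASL's ssf bookkeeping."""
    if maxssf == 0:
        if not offered & SEC_NONE:
            raise ValueError("server refuses to run without a security layer")
        return SEC_NONE
    for layer in (SEC_CONFIDENTIALITY, SEC_INTEGRITY, SEC_NONE):
        if offered & layer:
            return layer
    raise ValueError("no acceptable security layer offered")


def encode_client_choice(layer: int, max_recv: int, authzid: bytes = b"") -> bytes:
    """Client's final RFC 4752 token (before GSS wrap): chosen layer, the
    largest buffer the client will accept, then the optional authzid."""
    if not 0 <= max_recv < 1 << 24:
        raise ValueError("max buffer size is a 24-bit field")
    return bytes([layer]) + max_recv.to_bytes(3, "big") + authzid


def frame(pdu: bytes, peer_max: int) -> bytes:
    """RFC 4422 3.7 framing of a protected LDAP PDU: split it into buffers no
    larger than the peer's announced maximum, each prefixed with a 4-octet
    big-endian length.  The per-buffer gss_wrap() is an identity here."""
    if peer_max <= 0:
        raise ValueError("peer announced a zero maximum buffer size")
    out = bytearray()
    for i in range(0, len(pdu), peer_max):
        chunk = pdu[i:i + peer_max]
        out += struct.pack("!I", len(chunk)) + chunk
    return bytes(out)


def unframe(stream: bytes, my_max: int) -> bytes:
    """Receiver side: reassemble the buffers, rejecting any buffer that
    exceeds the limit this side announced during negotiation."""
    pdu, pos = bytearray(), 0
    while pos < len(stream):
        if len(stream) - pos < 4:
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack("!I", stream[pos:pos + 4])
        if n > my_max:
            raise ValueError(f"buffer of {n} octets exceeds announced max {my_max}")
        pos += 4
        if len(stream) - pos < n:
            raise ValueError("truncated buffer")
        pdu += stream[pos:pos + n]
        pos += n
    return bytes(pdu)


# Constructed sample payloads (not the thread's real LDIF): a short entry and
# the same entry with many more attributes, mirroring the size difference.
SMALL_LDIF = (b"dn: cn=Gilles Martin,ou=CMLS,o=Some Organization\n"
              b"objectClass: inetorgperson\nsn: Martin\ncn: Gilles Martin\n")
LARGE_LDIF = SMALL_LDIF + b"".join(
    b"description: attribute %d padding %s\n" % (i, b"x" * 40) for i in range(40))


def roundtrip(pdu: bytes, server_token: bytes, maxssf: int, client_max: int):
    """Negotiate, frame the PDU for the server's limit, and let the server
    reassemble it.  Returns (chosen layer, number of buffers, reassembled PDU)."""
    offered, server_max = decode_server_offer(server_token)
    layer = choose_layer(offered, maxssf)
    encode_client_choice(layer, client_max)  # would be GSS-wrapped and sent
    if layer == SEC_NONE:
        return layer, 0, pdu  # no security layer: raw LDAP PDUs, no framing
    wire = frame(pdu, server_max)
    buffers = sum(1 for _ in range(0, len(pdu), server_max))
    return layer, buffers, unframe(wire, server_max)


if __name__ == "__main__":
    token = b"\x07" + (1024).to_bytes(3, "big")  # constructed: all layers, 1 KiB max
    for name, pdu in (("small", SMALL_LDIF), ("large", LARGE_LDIF)):
        layer, n, back = roundtrip(pdu, token, maxssf=56, client_max=65536)
        print(f"{name}: {len(pdu)} octets, layer {layer}, {n} buffers, intact={back == pdu}")
    print("maxssf=0 -> layer", roundtrip(SMALL_LDIF, token, maxssf=0, client_max=65536)[0])
```

With the security layer on, the larger entry simply crosses more buffers; a conforming sender and receiver reassemble it without error. When a client and server disagree on these limits, or one side miscounts a wrapped buffer, the receiver sees a PDU it cannot decode, which is the kind of symptom worth checking when only large requests fail under GSSAPI and "-O maxssf=0" makes them succeed.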



