Re: sasl/gssapi issue

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

This is an issue with the LDAP search command which is part of the openldap project not 389 server.
That said I think it ignores the -X if you only have one cached credential and are using it in combination with the -Y GSSAPI option further more if you want it to prompt you for a password you need to add a -W



-- Sent from my HP Pre3

On Mar 6, 2014 17:28, Rich Megginson <rmeggins@xxxxxxxxxx> wrote:

On 03/06/2014 03:13 PM, Robert Viduya wrote:
We're trying to get GSSAPI authentication working with 389 and following the doc page on the website, I think I've gotten it working a little too well.

We're using the stock ldapsearch command that comes with RHN, I believe it's from openldap.  Here's a command log

$ kinit usera@xxxxxxxxxxxxxxxx
Password for usera@xxxxxxxxxxxxxxxx
$ klist
Ticket cache: FILE:/tmp/krb5cc_651342_Bepfv28166
Default principal: usera@xxxxxxxxxxxxxxxx

Valid starting     Expires            Service principal
03/06/14 16:55:07  03/07/14 16:55:07  krbtgt/PRISM.GATECH.EDU@xxxxxxxxxxxxxxxx
$ ldapsearch -Y GSSAPI -H ldap://servera.iem.gatech.edu -LLL -b '' -s base 'objectclass=*' > /dev/null
SASL/GSSAPI authentication started
SASL username: usera@xxxxxxxxxxxxxxxx
SASL SSF: 56
SASL data security layer installed.
$ ldapsearch -X userb@xxxxxxxxxxxxxxxx -Y GSSAPI -H ldap://servera.iem.gatech.edu -LLL -b '' -s base 'objectclass=*' > /dev/null
SASL/GSSAPI authentication started
SASL username: userb@xxxxxxxxxxxxxxxx
SASL SSF: 56
SASL data security layer installed.


and here's the relevant access log entries:

[06/Mar/2014:16:55:18 -0500] conn=1387 fd=64 slot=64 connection from 192.168.232.4 to 192.168.232.4
[06/Mar/2014:16:55:18 -0500] conn=1387 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[06/Mar/2014:16:55:18 -0500] conn=1387 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[06/Mar/2014:16:55:18 -0500] conn=1387 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[06/Mar/2014:16:55:18 -0500] conn=1387 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[06/Mar/2014:16:55:18 -0500] conn=1387 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[06/Mar/2014:16:55:18 -0500] conn=1387 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=usera,ou=accounts,ou=gtaccounts,ou=departments,dc=gted,dc=gatech,dc=edu"
[06/Mar/2014:16:55:18 -0500] conn=1387 op=3 SRCH base="" scope=0 filter="(objectClass=*)" attrs=ALL
[06/Mar/2014:16:55:18 -0500] conn=1387 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[06/Mar/2014:16:55:18 -0500] conn=1387 op=4 UNBIND
[06/Mar/2014:16:55:18 -0500] conn=1387 op=4 fd=64 closed - U1
[06/Mar/2014:16:55:25 -0500] conn=1388 fd=64 slot=64 connection from 192.168.232.4 to 192.168.232.4
[06/Mar/2014:16:55:25 -0500] conn=1388 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[06/Mar/2014:16:55:25 -0500] conn=1388 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[06/Mar/2014:16:55:25 -0500] conn=1388 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[06/Mar/2014:16:55:25 -0500] conn=1388 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[06/Mar/2014:16:55:25 -0500] conn=1388 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[06/Mar/2014:16:55:25 -0500] conn=1388 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=userb,ou=accounts,ou=gtaccounts,ou=departments,dc=gted,dc=gatech,dc=edu"
[06/Mar/2014:16:55:25 -0500] conn=1388 op=3 SRCH base="" scope=0 filter="(objectClass=*)" attrs=ALL
[06/Mar/2014:16:55:25 -0500] conn=1388 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[06/Mar/2014:16:55:25 -0500] conn=1388 op=4 UNBIND
[06/Mar/2014:16:55:25 -0500] conn=1388 op=4 fd=64 closed - U1


The issue is that if we do the ldapsearch without specifying an authzid (the "-X" option to ldapsearch), the bind correctly binds to DN that maps to the Kerberos principal name.  However, if we specify an authzid that's different than what we kinitted to, the directory server binds to the DN that maps to that authzid even though we don't have the credentials for that user.  It uses usera's credentials to bind to userb's DN.

My question is, is there a configuration setting somewhere that would make the directory server ignore any passed in authzid when using GSSAPI and just use what's in the credential cache?

Not sure, but if there is, it should be on (ignore authzid) by default.  Please file a ticket.



--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux