Hi everybody!

At the moment we're trying to set up a Kerberos/OpenLDAP/SASL solution for our department. The Kerberos part works so far. So does the main OpenLDAP server (with SASL/GSSAPI), but when it comes to the replication server of OpenLDAP we are stuck.

The versions of heimdal, openldap and cyrus-sasl we're using on our slave server are:

emerge -pv heimdal openldap cyrus-sasl

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R   ] app-crypt/heimdal-1.0.1-r1  USE="berkdb ipv6 ldap ssl -X" 0 kB [1]
[ebuild   R   ] net-nds/openldap-2.3.39-r1  USE="berkdb crypt ipv6 kerberos perl readline sasl ssl tcpd -debug -gdbm -minimal -odbc -overlays -samba (-selinux) -slp -smbkrb5passwd" 0 kB
[ebuild   R   ] dev-libs/cyrus-sasl-2.1.22-r2  USE="berkdb crypt java kerberos ldap pam ssl -authdaemond -gdbm -mysql -ntlm_unsupported_patch -postgres -sample -srp -urandom" 0 kB

The versions used on the master server are:

emerge -pv heimdal openldap cyrus-sasl

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R   ] app-crypt/heimdal-0.7.2-r3  USE="berkdb ipv6 ldap ssl -X (-krb4%)" 0 kB
[ebuild     U ] net-nds/openldap-2.3.38 [2.3.35-r1]  USE="berkdb crypt ipv6 kerberos readline samba sasl smbkrb5passwd ssl tcpd -debug -gdbm -minimal -odbc -overlays -perl* (-selinux) -slp" 3,714 kB
[ebuild   R   ] dev-libs/cyrus-sasl-2.1.22-r2  USE="authdaemond berkdb crypt kerberos ldap mysql pam ssl -gdbm -java -ntlm_unsupported_patch -postgres -sample -srp -urandom" 0 kB

This is the slapd.conf of our replica server:

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
# Created: 2007-01-16 by rhopfer
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/krb5-kdc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/qmail.schema
include /etc/openldap/schema/samba.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

# Set to -1 for full logging
loglevel -1

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
#security ssf=1 update_ssf=256 simple_bind=128
# TODO: tighter security; currently errors on write
#security simple_bind=128 update_ssf=56
#sasl-secprops noanonymous,noplain,minssf=128
#disallow bind_simple_unprotected

# Mapping of SASL authentication identities to LDAP entries
#
# uid=<username>,cn=<realm>,cn=<mechanism>,cn=auth
# Since 2.3 sasl-regexp -> authz-regexp
#authz-regexp
#  uid=nssproxy,cn=(.*),cn=gssapi,cn=auth
#  ldap:///dc=gup,dc=uni-linz,dc=ac,dc=at??one?(cn=nssproxy)
#authz-regexp
#  uid=(.+),cn=.+,cn=.+,cn=auth
#  ldap:///dc=gup,dc=uni-linz,dc=ac,dc=at??sub?(|(uid=$1)(krb5PrincipalName=$1@xxxxxxxxxxxxxxxxxx))
# uid=<username>,cn=<mechanism>,cn=auth
#authz-regexp
#  uid=(.+)/.+\.gup.uni-linz.ac.at,cn=.+,cn=auth
#  ldap:///dc=gup,dc=uni-linz,dc=ac,dc=at??sub?uid=$1
authz-regexp
  uid=(.+),cn=.+,cn=auth
  ldap:///dc=gup,dc=uni-linz,dc=ac,dc=at??sub?(|(uid=$1)(krb5PrincipalName=$1@xxxxxxxxxxxxxxxxxx))
# map root from ldapi:// to ldapmaster
authz-regexp
  gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth
  cn=ldapmaster,dc=gup,dc=uni-linz,dc=ac,dc=at
#authz-policy any

#
# ACLs
#
# TODO: move the ACLs into a separate file

# Make sure we do reverse lookups, needed for ACL's.
#reverse-lookup on

#access to * by * read

#access to attrs=uid,uidNumber,gidNumber,gecos,homeDirectory,memberUid
#  by dn="uid=nssproxy,ou=kerberos,dc=gup,dc=uni-linz,dc=ac,dc=at" read
#  by self read

# Kerberos attributes may only be accessible to root/ldapmaster
access to attrs=krb5KeyVersionNumber,krb5PrincipalRealm,krb5EncryptionType,krb5K
  by sockurl.regex="^ldapi://" write

# We will be using userPassword to provide simple BIND access, so we don't want
# krb5PrincipalName is needed so sasl-regexp/GSSAPI works correctly
access to attrs=userPassword,krb5PrincipalName
  by dn="uid=nssproxy,ou=kerberos,dc=gup,dc=uni-linz,dc=ac,dc=at" read
  by anonymous auth

access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read

access to dn.subtree="dc=gup,dc=uni-linz,dc=ac,dc=at"
  by self write
  by dn="uid=nssproxy,ou=kerberos,dc=gup,dc=uni-linz,dc=ac,dc=at" read
  by sockurl.regex="^ldapi://" write
  by users read
  by anonymous auth
  by * none

# SSL/TLS configuration
TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3
TLSCACertificateFile /etc/openldap/certs/server.pem
#TLSCACertificateFile /etc/openldap/certs/cacert.pem
TLSCertificateFile /etc/openldap/certs/server.pem
#TLSCertificateFile /etc/openldap/certs/slapd_cert.pem
TLSCertificateKeyFile /etc/openldap/certs/server.pem
#TLSCertificateKeyFile /etc/openldap/certs/slapd_key.pem
#TLSVerifyClient allow
#TLSVerifyClient try
# TODO: enable TLS verification

# Misc. options
# Maximum number of entries to return from a search operation. Useful
# to prevent trolling of directory by spammers, etc.
sizelimit 100
#
# Maximum size of the primary thread pool.
threads 8
# Allows acceptance of LDAPv2 bind requests (required for mozilla)
allow bind_v2
# Require strong authentication
#require strong

#######################################################################
# BDB database definitions
#######################################################################

database bdb
#checkpoint 32 30 # <kbyte> <min>
suffix "dc=gup,dc=uni-linz,dc=ac,dc=at"
#rootdn "cn=manager,dc=gup,dc=uni-linz,dc=ac,dc=at"
rootdn "cn=ldapmaster,dc=gup,dc=uni-linz,dc=ac,dc=at"
#rootpw {MD5}wbG9YnECJLUSvWGc6KtSrw==
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/openldap-data
# Indices to maintain
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index krb5PrincipalName eq,pres
index ipHostNumber eq,pres
index macAddress eq,pres
#index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
index entryCSN eq

# Required for simple bind
password-hash {CLEARTEXT}

# SASL configuration
sasl-host slave.gup.uni-linz.ac.at
sasl-realm GUP.UNI-LINZ.AC.AT

# Replication
#replogfile /var/lib/openldap-slurp/master-slapd.replog
#replica uri=ldap://pluto.gup.uni-linz.ac.at:389
#  bindmethod=sasl saslmech=gssapi
#  authcId=replicator@xxxxxxxxxxxxxxxxxx
updatedn uid=replicator,cn=gup.uni-linz.ac.at,cn=gssapi,cn=auth
updateref ldap://hera.gup.uni-linz.ac.at:389

For your information, this is more or less the same configuration as the main slapd, with the few changes necessary for the replica server...

testsaslauthd works, but when I try to connect to the replica server with ldapsearch I get the following:

ldapsearch -H ldap://slave.gup.uni-linz.ac.at cn=erebos
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context

The log on slave looks like this (I just post the interesting part):

...
Dec  7 10:55:01 slave slapd[5314]: do_bind
Dec  7 10:55:01 slave slapd[5314]: >>> dnPrettyNormal: <>
Dec  7 10:55:01 slave slapd[5314]: <<< dnPrettyNormal: <>, <>
Dec  7 10:55:01 slave slapd[5314]: do_sasl_bind: dn () mech GSSAPI
Dec  7 10:55:01 slave slapd[5314]: conn=2 op=1 BIND dn="" method=163
Dec  7 10:55:01 slave slapd[5314]: ==> sasl_bind: dn="" mech=GSSAPI datalen=631
Dec  7 10:55:01 slave slapd[5314]: SASL [conn=2] Failure: GSSAPI Error: An unsupported mechanism was requested (unknown mech-code 0 for mech unknown)
Dec  7 10:55:01 slave slapd[5314]: send_ldap_result: conn=2 op=1 p=3
Dec  7 10:55:01 slave slapd[5314]: send_ldap_result: err=49 matched="" text="SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context"
Dec  7 10:55:01 slave slapd[5314]: send_ldap_response: msgid=2 tag=97 err=49
Dec  7 10:55:01 slave slapd[5314]: conn=2 op=1 RESULT tag=97 err=49 text=SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
Dec  7 10:55:01 slave slapd[5314]: <== slap_sasl_bind: rc=49
Dec  7 10:55:01 slave slapd[5314]: daemon: activity on 1 descriptor
Dec  7 10:55:01 slave slapd[5314]: daemon: activity on:
Dec  7 10:55:01 slave slapd[5314]:  11r
...

When I use simple bind (and uncomment the line "access to * by * read") everything works as expected too, so something must be wrong with SASL... When I send the same search query to the master server (using the same host as before) I get the desired results, so on the client side everything seems to be okay.

The supported mechs on slave and master are:

slave:
ldapsearch -h slave -p 389 -x -b "" -s base -LLL supportedSASLMechanisms
dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: DIGEST-MD5

master:
ldapsearch -h master -p 389 -x -b "" -s base -LLL supportedSASLMechanisms
dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5

So the necessary mechs seem to be installed, but I still get the error message above. Does anybody have an idea what the problem could be? I'm out of ideas, so I would appreciate any help I could get!

Regards,
Christoph Spielmann
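A gss_accept_sec_context failure on the server side is worth checking against the replica's keytab before anything else: slapd's GSSAPI acceptor needs the key for ldap/<sasl-host>@<sasl-realm>, derived from the sasl-host and sasl-realm lines shown in the slapd.conf above. The script below is an added diagnostic, not code from the original post; it assumes the keytab listing is saved output of `ktutil list` (Heimdal) or `klist -k` (MIT), and the sample inputs are constructed.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): derive the service principal
# slapd needs from slapd.conf and check that a keytab listing contains it.
# Assumptions: the listing is `ktutil list` (Heimdal) or `klist -k` (MIT)
# output saved to a file; the keytab path in the sample is a placeholder.

expected_principal() {   # $1 = slapd.conf; prints ldap/<sasl-host>@<sasl-realm>
    host=$(awk '$1=="sasl-host"{print $2}' "$1")
    realm=$(awk '$1=="sasl-realm"{print $2}' "$1")
    [ -n "$host" ] && [ -n "$realm" ] || return 1
    printf 'ldap/%s@%s\n' "$host" "$realm"
}

keytab_has_principal() { # $1 = keytab listing file, $2 = principal; 0 if present
    # Match the principal as a whole field: column order differs between
    # Heimdal (Vno Type Principal) and MIT (KVNO Principal) listings.
    awk -v p="$2" '{ for (i = 1; i <= NF; i++) if ($i == p) f = 1 } END { exit !f }' "$1"
}

check_slapd_keytab() {   # $1 = slapd.conf, $2 = keytab listing; 0 = key present
    princ=$(expected_principal "$1") || { echo "no sasl-host/sasl-realm in $1"; return 2; }
    if keytab_has_principal "$2" "$princ"; then
        echo "OK: keytab holds $princ"
    else
        echo "MISSING: $princ not in keytab; gss_accept_sec_context cannot succeed"
        return 1
    fi
}

# Constructed sample inputs mirroring the sasl-host/sasl-realm from the post.
CONF=$(mktemp); KT_OK=$(mktemp); KT_BAD=$(mktemp)
printf 'sasl-host slave.gup.uni-linz.ac.at\nsasl-realm GUP.UNI-LINZ.AC.AT\n' >"$CONF"
cat >"$KT_OK" <<'EOF'
FILE:/etc/krb5.keytab:

Vno  Type                     Principal
  2  aes256-cts-hmac-sha1-96  ldap/slave.gup.uni-linz.ac.at@GUP.UNI-LINZ.AC.AT
  2  aes256-cts-hmac-sha1-96  host/slave.gup.uni-linz.ac.at@GUP.UNI-LINZ.AC.AT
EOF
# Same keytab without the ldap/ service key: the case slapd would fail on.
grep -v 'ldap/' "$KT_OK" >"$KT_BAD"

check_slapd_keytab "$CONF" "$KT_OK"
check_slapd_keytab "$CONF" "$KT_BAD" || true
```

On the replica itself, feed it the real slapd.conf and a fresh keytab listing; if the key is present, the next thing to confirm is that the keytab file is readable by the user slapd runs as.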