NTLM and OpenLDAP


Hello,

I'm working with a very legacy deployment that needs to use NTLM.  I'm trying to validate some assumptions (or find out they're not correct).  What I need to be able to do is have a client use SASL with NTLM to my OpenLDAP server, which will authenticate the user against their domain controller, and then use OpenLDAP's ldap backend to talk to another directory using a service account identity.  I have the last part working (searching a remote LDAP with a service account), but authentication fails.  Here's my slapd configuration:

authz-regexp
  uid=([^,]*),cn=ntlm,cn=auth
  ldap:///DC=domain1,DC=domain2,DC=com??sub?(samAccountName=$1)


#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database ldap
suffix "DC=domain1,DC=domain2,DC=com"
uri    ldap://192.168.2.190:10983/
acl-bind bindmethod=simple binddn=cn=ou_svc_account,ou=Users,DC=domain1,DC=domain2,DC=com credentials=start123

When the NTLM request comes in, it finds the right entry, but then fails:

621f91e2.1376779f 0x7fd803655700 slap_listener_activate(7):
621f91e2.13774701 0x7fd802e54700 >>> slap_listener(ldap://*:50983)
621f91e2.1385a26d 0x7fd802e54700 connection_get(9): got connid=1001
621f91e2.1385cda1 0x7fd802e54700 connection_read(9): checking for input on id=1001
621f91e2.1385df4a 0x7fd802e54700 ber_get_next
621f91e2.13860c8d 0x7fd802e54700 ber_get_next: tag 0x30 len 52 contents:
621f91e2.138620c2 0x7fd802e54700 op tag 0x60, time 1646236130
621f91e2.138632b9 0x7fd802e54700 ber_get_next
621f91e2.13866174 0x7fd802e54700 conn=1001 op=0 do_bind
621f91e2.138670ed 0x7fd802e54700 ber_scanf fmt ({imt) ber:
621f91e2.13867d98 0x7fd802e54700 ber_scanf fmt ({m) ber:
621f91e2.13868c6f 0x7fd802e54700 ber_scanf fmt (m) ber:
621f91e2.1386968d 0x7fd802e54700 ber_scanf fmt (}}) ber:
621f91e2.1386a636 0x7fd802e54700 >>> dnPrettyNormal: <>
621f91e2.1386b2b0 0x7fd802e54700 <<< dnPrettyNormal: <>, <>
621f91e2.13870126 0x7fd802e54700 do_bind: dn () SASL mech NTLM
621f91e2.1387c451 0x7fd802e54700 send_ldap_sasl: err=14 len=102
621f91e2.1387d973 0x7fd802e54700 send_ldap_response: msgid=1 tag=97 err=14
621f91e2.1387f1e7 0x7fd802e54700 ber_flush2: 148 bytes to sd 9
621f91e2.138a0ecd 0x7fd802e54700 <== slap_sasl_bind: rc=14
621f91e8.29882eb9 0x7fd802e54700 connection_get(9): got connid=1001
621f91e8.29888530 0x7fd802e54700 connection_read(9): checking for input on id=1001
621f91e8.298896a6 0x7fd802e54700 ber_get_next
621f91e8.2988d46f 0x7fd802e54700 ber_get_next: tag 0x30 len 193 contents:
621f91e8.2988e8ef 0x7fd802e54700 op tag 0x60, time 1646236136
621f91e8.2988fdc7 0x7fd802e54700 ber_get_next
621f91e8.2989357e 0x7fd802e54700 conn=1001 op=1 do_bind
621f91e8.29894452 0x7fd802e54700 ber_scanf fmt ({imt) ber:
621f91e8.298950ea 0x7fd802e54700 ber_scanf fmt ({m) ber:
621f91e8.29895be9 0x7fd802e54700 ber_scanf fmt (m) ber:
621f91e8.29896533 0x7fd802e54700 ber_scanf fmt (}}) ber:
621f91e8.298971be 0x7fd802e54700 >>> dnPrettyNormal: <>
621f91e8.29897eaf 0x7fd802e54700 <<< dnPrettyNormal: <>, <>
621f91e8.298a0cdf 0x7fd802e54700 do_bind: dn () SASL mech NTLM
621f91e8.298b0c1a 0x7fd802e54700 slap_sasl_getdn: u:id converted to uid=ou_svc_account,cn=NTLM,cn=auth
621f91e8.298b55a5 0x7fd802e54700 >>> dnNormalize: <uid=ou_svc_account,cn=NTLM,cn=auth>
621f91e8.298b85e6 0x7fd802e54700 <<< dnNormalize: <uid=ou_svc_account,cn=ntlm,cn=auth>
621f91e8.298b90f6 0x7fd802e54700 ==>slap_sasl2dn: converting SASL name uid=ou_svc_account,cn=ntlm,cn=auth to a DN
621f91e8.298ba4f7 0x7fd802e54700 ==> rewrite_context_apply [depth=1] string='uid=ou_svc_account,cn=ntlm,cn=auth'
621f91e8.298bb2ea 0x7fd802e54700 ==> rewrite_rule_apply rule='uid=([^,]*),cn=ntlm,cn=auth' string='uid=ou_svc_account,cn=ntlm,cn=auth' [1 pass(es)]
621f91e8.298c0d30 0x7fd802e54700 ==> rewrite_context_apply [depth=1] res={0,'ldap:///DC=domain1,DC=domain2,DC=com??sub?(samAccountName=ou_svc_account)'}
621f91e8.298c1d4f 0x7fd802e54700 slap_parseURI: parsing ldap:///DC=domain1,DC=domain2,DC=com??sub?(samAccountName=ou_svc_account)
621f91e8.298c30f8 0x7fd802e54700 ldap_url_parse_ext(ldap:///DC=domain1,DC=domain2,DC=com??sub?(samAccountName=ou_svc_account))
621f91e8.298c4a46 0x7fd802e54700 put_filter: "(samAccountName=ou_svc_account)"
621f91e8.298c5a64 0x7fd802e54700 put_filter: simple
621f91e8.298c96a7 0x7fd802e54700 put_simple_filter: "samAccountName=ou_svc_account"
621f91e8.298cc7af 0x7fd802e54700 ber_scanf fmt ({mm}) ber:
621f91e8.298d0025 0x7fd802e54700 >>> dnNormalize: <DC=domain1,DC=domain2,DC=com>
621f91e8.298d279b 0x7fd802e54700 <<< dnNormalize: <dc=domain1,dc=domain2,dc=com>
621f91e8.298d4109 0x7fd802e54700 slap_sasl2dn: performing internal search (base=dc=domain1,dc=domain2,dc=com, scope=2)
621f91e8.298d61dd 0x7fd802e54700 =>ldap_back_getconn: conn 0x7fd7f4110050 fetched refcnt=1.
621f91e8.298d7a72 0x7fd802e54700 ldap_search_ext
621f91e8.298da1d9 0x7fd802e54700 put_filter: "(samAccountName=ou_svc_account)"
621f91e8.298dbb11 0x7fd802e54700 put_filter: simple
621f91e8.298dcaa0 0x7fd802e54700 put_simple_filter: "samAccountName=ou_svc_account"
621f91e8.298de36a 0x7fd802e54700 ldap_send_initial_request
621f91e8.298df4cc 0x7fd802e54700 ldap_send_server_request
621f91e8.298e08d2 0x7fd802e54700 ber_scanf fmt ({it) ber:
621f91e8.298e1854 0x7fd802e54700 ber_scanf fmt ({) ber:
621f91e8.298e2b05 0x7fd802e54700 ber_flush2: 89 bytes to sd 10
621f91e8.29a4267d 0x7fd802e54700 ldap_result ld 0x7fd7f41100e0 msgid 4
621f91e8.29a47391 0x7fd802e54700 wait4msg ld 0x7fd7f41100e0 msgid 4 (timeout 100000 usec)
621f91e8.29a48a0f 0x7fd802e54700 wait4msg continue ld 0x7fd7f41100e0 msgid 4 all 0
621f91e8.29a49c6f 0x7fd802e54700 ** ld 0x7fd7f41100e0 Connections:
621f91e8.29a4cb98 0x7fd802e54700 * host: 192.168.2.190  port: 10983  (default)
621f91e8.29a4f372 0x7fd802e54700 * from: IP=192.168.2.110:36190
621f91e8.29a504f5 0x7fd802e54700   refcnt: 2  status: Connected
621f91e8.29a523e3 0x7fd802e54700   last used: Wed Mar  2 10:48:56 2022

621f91e8.29a5349a 0x7fd802e54700
621f91e8.29a547a0 0x7fd802e54700 ** ld 0x7fd7f41100e0 Outstanding Requests:
621f91e8.29a55ac4 0x7fd802e54700  * msgid 4,  origid 4, status InProgress
621f91e8.29a56b69 0x7fd802e54700    outstanding referrals 0, parent count 0
621f91e8.29a57c9f 0x7fd802e54700   ld 0x7fd7f41100e0 request count 1 (abandoned 0)
621f91e8.29a58c8a 0x7fd802e54700 ** ld 0x7fd7f41100e0 Response Queue:
621f91e8.29a59c17 0x7fd802e54700    Empty
621f91e8.29a5abed 0x7fd802e54700   ld 0x7fd7f41100e0 response count 0
621f91e8.29a5bc6d 0x7fd802e54700 ldap_chkResponseList ld 0x7fd7f41100e0 msgid 4 all 0
621f91e8.29a5cd11 0x7fd802e54700 ldap_chkResponseList returns ld 0x7fd7f41100e0 NULL
621f91e8.29a5e252 0x7fd802e54700 ldap_int_select
621f91e8.29e6fc71 0x7fd802e54700 read1msg: ld 0x7fd7f41100e0 msgid 4 all 0
621f91e8.29e73e82 0x7fd802e54700 ber_get_next
621f91e8.29e76970 0x7fd802e54700 ber_get_next: tag 0x30 len 60 contents:
621f91e8.29e77e5c 0x7fd802e54700 ldap_find_request_by_msgid: msgid 4, lr 0x7fd7f4103610 lr->lr_refcnt = 1
621f91e8.29e78bc6 0x7fd802e54700 read1msg: ld 0x7fd7f41100e0 msgid 4 message type search-entry
621f91e8.29e79982 0x7fd802e54700 ldap_return_request: lrx 0x7fd7f4103610, lr 0x7fd7f4103610
621f91e8.29e7a5da 0x7fd802e54700 ldap_return_request: lrx->lr_msgid 4, lrx->lr_refcnt is now 0, lr is still present
621f91e8.29e7b93b 0x7fd802e54700 ber_scanf fmt ({m) ber:
621f91e8.29e7c89b 0x7fd802e54700 >>> dnPrettyNormal: <cn=ou_svc_account,ou=Users,DC=domain1,DC=domain2,DC=com>
621f91e8.29e81713 0x7fd802e54700 <<< dnPrettyNormal: <cn=ou_svc_account,ou=Users,dc=domain1,dc=domain2,dc=com>, <cn=ou_svc_account,ou=users,dc=domain1,dc=domain2,dc=com>
621f91e8.29e82585 0x7fd802e54700 ber_scanf fmt ({xx) ber:
621f91e8.29e84539 0x7fd802e54700 ldap_msgfree
621f91e8.29e8528b 0x7fd802e54700 ldap_result ld 0x7fd7f41100e0 msgid 4
621f91e8.29e85e7a 0x7fd802e54700 wait4msg ld 0x7fd7f41100e0 msgid 4 (timeout 100000 usec)
621f91e8.29e86a24 0x7fd802e54700 wait4msg continue ld 0x7fd7f41100e0 msgid 4 all 0
621f91e8.29e876aa 0x7fd802e54700 ** ld 0x7fd7f41100e0 Connections:
621f91e8.29e883f2 0x7fd802e54700 * host: 192.168.2.190  port: 10983  (default)
621f91e8.29e89a93 0x7fd802e54700 * from: IP=192.168.2.110:36190
621f91e8.29e8a5f0 0x7fd802e54700   refcnt: 2  status: Connected
621f91e8.29e8beaa 0x7fd802e54700   last used: Wed Mar  2 10:48:56 2022

621f91e8.29e8ca4f 0x7fd802e54700
621f91e8.29e8d489 0x7fd802e54700 ** ld 0x7fd7f41100e0 Outstanding Requests:
621f91e8.29e8e1d8 0x7fd802e54700  * msgid 4,  origid 4, status InProgress
621f91e8.29e8ed1f 0x7fd802e54700    outstanding referrals 0, parent count 0
621f91e8.29e8fe8c 0x7fd802e54700   ld 0x7fd7f41100e0 request count 1 (abandoned 0)
621f91e8.29e90e8e 0x7fd802e54700 ** ld 0x7fd7f41100e0 Response Queue:
621f91e8.29e91d76 0x7fd802e54700    Empty
621f91e8.29e92d2b 0x7fd802e54700   ld 0x7fd7f41100e0 response count 0
621f91e8.29e93ab4 0x7fd802e54700 ldap_chkResponseList ld 0x7fd7f41100e0 msgid 4 all 0
621f91e8.29e944ed 0x7fd802e54700 ldap_chkResponseList returns ld 0x7fd7f41100e0 NULL
621f91e8.29e95274 0x7fd802e54700 ldap_int_select
621f91e8.29f173c4 0x7fd802e54700 read1msg: ld 0x7fd7f41100e0 msgid 4 all 0
621f91e8.29f19e87 0x7fd802e54700 ber_get_next
621f91e8.29f635f0 0x7fd802e54700 ber_get_next: tag 0x30 len 12 contents:
621f91e8.29f65c13 0x7fd802e54700 ldap_find_request_by_msgid: msgid 4, lr 0x7fd7f4103610 lr->lr_refcnt = 1
621f91e8.29f669d9 0x7fd802e54700 read1msg: ld 0x7fd7f41100e0 msgid 4 message type search-result
621f91e8.29f6756a 0x7fd802e54700 ber_scanf fmt ({eAA) ber:
621f91e8.29f683b8 0x7fd802e54700 read1msg: ld 0x7fd7f41100e0 0 new referrals
621f91e8.29f68f2e 0x7fd802e54700 read1msg:  mark request completed, ld 0x7fd7f41100e0 msgid 4
621f91e8.29f69b7d 0x7fd802e54700 request done: ld 0x7fd7f41100e0 msgid 4
621f91e8.29f6a6b2 0x7fd802e54700 res_errno: 0, res_error: <>, res_matched: <>
621f91e8.29f6b13d 0x7fd802e54700 ldap_return_request: lrx 0x7fd7f4103610, lr 0x7fd7f4103610
621f91e8.29f6bc87 0x7fd802e54700 ldap_return_request: lrx->lr_msgid 4, lrx->lr_refcnt is now 0, lr is still present
621f91e8.29f6c7ef 0x7fd802e54700 ldap_free_request (origid 4, msgid 4)
621f91e8.29f6d625 0x7fd802e54700 ldap_free_request_int: lr 0x7fd7f4103610 msgid 4 removed
621f91e8.29f6e1e1 0x7fd802e54700 ldap_do_free_request: asked to free lr 0x7fd7f4103610 msgid 4 refcnt 0
621f91e8.29f6f589 0x7fd802e54700 ldap_parse_result
621f91e8.29f7017a 0x7fd802e54700 ber_scanf fmt ({iAA) ber:
621f91e8.29f70d44 0x7fd802e54700 ber_scanf fmt (}) ber:
621f91e8.29f718e5 0x7fd802e54700 ldap_msgfree
621f91e8.29f728a8 0x7fd802e54700 send_ldap_result: conn=1001 op=1 p=3
621f91e8.29f7408a 0x7fd802e54700 <==slap_sasl2dn: Converted SASL name to cn=ou_svc_account,ou=users,dc=domain1,dc=domain2,dc=com
621f91e8.29f74e4a 0x7fd802e54700 slap_sasl_getdn: dn:id converted to cn=ou_svc_account,ou=users,dc=domain1,dc=domain2,dc=com
621f91e8.29f78990 0x7fd802e54700 =>ldap_back_getconn: conn 0x7fd7f4110050 fetched refcnt=1.
621f91e8.29f79a7a 0x7fd802e54700 ldap_search_ext
621f91e8.29f7b4d5 0x7fd802e54700 put_filter: "(objectclass=*)"
621f91e8.29f7c023 0x7fd802e54700 put_filter: simple
621f91e8.29f7ca43 0x7fd802e54700 put_simple_filter: "objectclass=*"
621f91e8.29f7da8e 0x7fd802e54700 ldap_send_initial_request
621f91e8.29f7e539 0x7fd802e54700 ldap_send_server_request
621f91e8.29f7f223 0x7fd802e54700 ber_scanf fmt ({it) ber:
621f91e8.29f7fcac 0x7fd802e54700 ber_scanf fmt ({) ber:
621f91e8.29f808ee 0x7fd802e54700 ber_flush2: 90 bytes to sd 10
621f91e8.29fcac04 0x7fd802e54700 ldap_result ld 0x7fd7f41100e0 msgid 5
621f91e8.29fcff6a 0x7fd802e54700 wait4msg ld 0x7fd7f41100e0 msgid 5 (timeout 100000 usec)
621f91e8.29fd1367 0x7fd802e54700 wait4msg continue ld 0x7fd7f41100e0 msgid 5 all 0
621f91e8.29fd250b 0x7fd802e54700 ** ld 0x7fd7f41100e0 Connections:
621f91e8.29fd3765 0x7fd802e54700 * host: 192.168.2.190  port: 10983  (default)
621f91e8.29fd594b 0x7fd802e54700 * from: IP=192.168.2.110:36190
621f91e8.29fd6950 0x7fd802e54700   refcnt: 2  status: Connected
621f91e8.29fd8874 0x7fd802e54700   last used: Wed Mar  2 10:48:56 2022

621f91e8.29fd9a2e 0x7fd802e54700
621f91e8.29fda9a8 0x7fd802e54700 ** ld 0x7fd7f41100e0 Outstanding Requests:
621f91e8.29fdb5b3 0x7fd802e54700  * msgid 5,  origid 5, status InProgress
621f91e8.29fdc02f 0x7fd802e54700    outstanding referrals 0, parent count 0
621f91e8.29fdcb72 0x7fd802e54700   ld 0x7fd7f41100e0 request count 1 (abandoned 0)
621f91e8.29fdd5d5 0x7fd802e54700 ** ld 0x7fd7f41100e0 Response Queue:
621f91e8.29fddfff 0x7fd802e54700    Empty
621f91e8.29fdea2a 0x7fd802e54700   ld 0x7fd7f41100e0 response count 0
621f91e8.29fdf4f4 0x7fd802e54700 ldap_chkResponseList ld 0x7fd7f41100e0 msgid 5 all 0
621f91e8.29fdff05 0x7fd802e54700 ldap_chkResponseList returns ld 0x7fd7f41100e0 NULL
621f91e8.29fe0b3a 0x7fd802e54700 ldap_int_select
621f91e8.2a431353 0x7fd802e54700 read1msg: ld 0x7fd7f41100e0 msgid 5 all 0
621f91e8.2a43566c 0x7fd802e54700 ber_get_next
621f91e8.2a4387d3 0x7fd802e54700 ber_get_next: tag 0x30 len 356 contents:
621f91e8.2a43bd94 0x7fd802e54700 ldap_find_request_by_msgid: msgid 5, lr 0x7fd7f4118dd0 lr->lr_refcnt = 1
621f91e8.2a43d9dd 0x7fd802e54700 read1msg: ld 0x7fd7f41100e0 msgid 5 message type search-entry
621f91e8.2a43ec66 0x7fd802e54700 ldap_return_request: lrx 0x7fd7f4118dd0, lr 0x7fd7f4118dd0
621f91e8.2a43fef2 0x7fd802e54700 ldap_return_request: lrx->lr_msgid 5, lrx->lr_refcnt is now 0, lr is still present
621f91e8.2a44181d 0x7fd802e54700 ber_scanf fmt ({m) ber:
621f91e8.2a4429d4 0x7fd802e54700 >>> dnPrettyNormal: <cn=ou_svc_account,ou=users,DC=domain1,DC=domain2,DC=com>
621f91e8.2a4483b0 0x7fd802e54700 <<< dnPrettyNormal: <cn=ou_svc_account,ou=users,dc=domain1,dc=domain2,dc=com>, <cn=ou_svc_account,ou=users,dc=domain1,dc=domain2,dc=com>
621f91e8.2a4497bc 0x7fd802e54700 ber_scanf fmt ({m) ber:
621f91e8.2a44b575 0x7fd802e54700 ber_scanf fmt ([W]) ber:
621f91e8.2a44ceeb 0x7fd802e54700 ber_scanf fmt ({m) ber:
621f91e8.2a44efb7 0x7fd802e54700 ber_scanf fmt ([W]) ber:
621f91e8.2a4505e9 0x7fd802e54700 ber_scanf fmt ({m) ber:
621f91e8.2a4519ab 0x7fd802e54700 ber_scanf fmt ([W]) ber:
621f91e8.2a452f01 0x7fd802e54700 ber_scanf fmt ({m) ber:
621f91e8.2a453e63 0x7fd802e54700 ber_scanf fmt ([W]) ber:
621f91e8.2a454f85 0x7fd802e54700 ber_scanf fmt ({m) ber:
621f91e8.2a456f7f 0x7fd802e54700 ber_scanf fmt ([W]) ber:
621f91e8.2a457fb1 0x7fd802e54700 ber_scanf fmt ({m) ber:
621f91e8.2a4592f8 0x7fd802e54700 ber_scanf fmt ([W]) ber:
621f91e8.2a45bd6c 0x7fd802e54700 ber_scanf fmt ({m) ber:
621f91e8.2a45db2e 0x7fd802e54700 ber_scanf fmt ([W]) ber:
621f91e8.2a45ed71 0x7fd802e54700 ber_scanf fmt ({m) ber:
621f91e8.2a4600fb 0x7fd802e54700 ber_scanf fmt ([W]) ber:
621f91e8.2a4612ec 0x7fd802e54700 ber_scanf fmt ({xx) ber:
621f91e8.2a464168 0x7fd802e54700 ldap_msgfree
621f91e8.2a464f72 0x7fd802e54700 ldap_result ld 0x7fd7f41100e0 msgid 5
621f91e8.2a465d72 0x7fd802e54700 wait4msg ld 0x7fd7f41100e0 msgid 5 (timeout 100000 usec)
621f91e8.2a4669c0 0x7fd802e54700 wait4msg continue ld 0x7fd7f41100e0 msgid 5 all 0
621f91e8.2a46760b 0x7fd802e54700 ** ld 0x7fd7f41100e0 Connections:
621f91e8.2a46820c 0x7fd802e54700 * host: 192.168.2.190  port: 10983  (default)
621f91e8.2a469afc 0x7fd802e54700 * from: IP=192.168.2.110:36190
621f91e8.2a46a647 0x7fd802e54700   refcnt: 2  status: Connected
621f91e8.2a46c0c2 0x7fd802e54700   last used: Wed Mar  2 10:48:56 2022

621f91e8.2a46cd37 0x7fd802e54700
621f91e8.2a46d7d1 0x7fd802e54700 ** ld 0x7fd7f41100e0 Outstanding Requests:
621f91e8.2a46e376 0x7fd802e54700  * msgid 5,  origid 5, status InProgress
621f91e8.2a46ee6f 0x7fd802e54700    outstanding referrals 0, parent count 0
621f91e8.2a46f9f1 0x7fd802e54700   ld 0x7fd7f41100e0 request count 1 (abandoned 0)
621f91e8.2a470434 0x7fd802e54700 ** ld 0x7fd7f41100e0 Response Queue:
621f91e8.2a470d9c 0x7fd802e54700    Empty
621f91e8.2a471898 0x7fd802e54700   ld 0x7fd7f41100e0 response count 0
621f91e8.2a4723a2 0x7fd802e54700 ldap_chkResponseList ld 0x7fd7f41100e0 msgid 5 all 0
621f91e8.2a472dfb 0x7fd802e54700 ldap_chkResponseList returns ld 0x7fd7f41100e0 NULL
621f91e8.2a47396e 0x7fd802e54700 ldap_int_select
621f91e8.2a474fed 0x7fd802e54700 read1msg: ld 0x7fd7f41100e0 msgid 5 all 0
621f91e8.2a475d10 0x7fd802e54700 ber_get_next
621f91e8.2a492ac1 0x7fd802e54700 ber_get_next: tag 0x30 len 12 contents:
621f91e8.2a494779 0x7fd802e54700 ldap_find_request_by_msgid: msgid 5, lr 0x7fd7f4118dd0 lr->lr_refcnt = 1
621f91e8.2a49549e 0x7fd802e54700 read1msg: ld 0x7fd7f41100e0 msgid 5 message type search-result
621f91e8.2a496015 0x7fd802e54700 ber_scanf fmt ({eAA) ber:
621f91e8.2a498953 0x7fd802e54700 read1msg: ld 0x7fd7f41100e0 0 new referrals
621f91e8.2a499c73 0x7fd802e54700 read1msg:  mark request completed, ld 0x7fd7f41100e0 msgid 5
621f91e8.2a49dbca 0x7fd802e54700 request done: ld 0x7fd7f41100e0 msgid 5
621f91e8.2a49f4bb 0x7fd802e54700 res_errno: 0, res_error: <>, res_matched: <>
621f91e8.2a4a05ec 0x7fd802e54700 ldap_return_request: lrx 0x7fd7f4118dd0, lr 0x7fd7f4118dd0
621f91e8.2a4a182d 0x7fd802e54700 ldap_return_request: lrx->lr_msgid 5, lrx->lr_refcnt is now 0, lr is still present
621f91e8.2a4a298b 0x7fd802e54700 ldap_free_request (origid 5, msgid 5)
621f91e8.2a4a3d5c 0x7fd802e54700 ldap_free_request_int: lr 0x7fd7f4118dd0 msgid 5 removed
621f91e8.2a4a4f04 0x7fd802e54700 ldap_do_free_request: asked to free lr 0x7fd7f4118dd0 msgid 5 refcnt 0
621f91e8.2a4a62e9 0x7fd802e54700 ldap_parse_result
621f91e8.2a4a6fd6 0x7fd802e54700 ber_scanf fmt ({iAA) ber:
621f91e8.2a4a7d53 0x7fd802e54700 ber_scanf fmt (}) ber:
621f91e8.2a4a886f 0x7fd802e54700 ldap_msgfree
621f91e8.2a4a97ed 0x7fd802e54700 send_ldap_result: conn=1001 op=1 p=3
621f91e8.2a4ac858 0x7fd802e54700 SASL [conn=1001] Failure: no secret in database
621f91e8.2a4b7daf 0x7fd802e54700 send_ldap_result: conn=1001 op=1 p=3
621f91e8.2a4ba2be 0x7fd802e54700 send_ldap_response: msgid=2 tag=97 err=49
621f91e8.2a4bc326 0x7fd802e54700 ber_flush2: 62 bytes to sd 9
621f91e8.2a4d96b5 0x7fd802e54700 <== slap_sasl_bind: rc=49
621f91e8.2a5736e7 0x7fd802e54700 connection_get(9): got connid=1001
621f91e8.2a575bcf 0x7fd802e54700 connection_read(9): checking for input on id=1001
621f91e8.2a5768b2 0x7fd802e54700 ber_get_next
621f91e8.2a57874f 0x7fd802e54700 ber_get_next: tag 0x30 len 5 contents:
621f91e8.2a5796d1 0x7fd802e54700 op tag 0x42, time 1646236136
621f91e8.2a57a77e 0x7fd802e54700 ber_get_next
621f91e8.2a5802c8 0x7fd802e54700 ber_get_next on fd 9 failed errno=0 (Success)
621f91e8.2a58367a 0x7fd802e54700 conn=1001 op=2 do_unbind
621f91e8.2a5881b7 0x7fd802e54700 connection_close: conn=1001 sd=9
621f91e8.2a588fef 0x7fd802e54700 =>ldap_back_conn_destroy: fetching conn 1001
^C621f91ea.1f6a360b 0x7fd803655700 daemon: shutdown requested and initiated.
621f91ea.1f6d18b1 0x7fd803655700 slapd shutdown: waiting for 0 operations/tasks to finish
621f91ea.1f73b8c6 0x7fd807671840 slapd shutdown: initiated
621f91ea.1f765b39 0x7fd807671840 slapd destroy: freeing system resources.
621f91ea.1f770206 0x7fd807671840 ldap_free_connection 1 1
621f91ea.1f7732d9 0x7fd807671840 ldap_send_unbind
621f91ea.1f77fcc1 0x7fd807671840 ber_flush2: 7 bytes to sd 10
621f91ea.1f7ba879 0x7fd807671840 ldap_free_connection: actually freed
621f91ea.1f7e833c 0x7fd807671840 slapd stopped.

The error from ldapsearch is:
ldap_sasl_interactive_bind: Invalid credentials (49)
	additional info: SASL(-13): user not found: no secret in databas

Is Cyrus NTLM looking for a secret in the backend LDAP to check the password against?  Or does it not know how to validate the credentials against AD? (/etc/krb5.conf is there and I can generate a TGT using kinit).  The OpenLDAP team said I need to reach out to the Cyrus project.

Thanks
Marc
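
Added example (not part of the original message, and not OpenLDAP or Cyrus SASL code): a small parser that reduces slapd debug output like the log above to one record per SASL bind, giving the mechanism, the SASL name, the DN produced by authz-regexp, the SASL failure text and the LDAP result code. It assumes the first hex field of each line prefix is epoch seconds, which agrees with the "time 1646236130" lines in the log; summarize_binds and the record keys are names chosen here.

```python
import re
from datetime import datetime, timezone

# Lines excerpted from the slapd debug log in the message above.
SAMPLE = """\
621f91e2.13866174 0x7fd802e54700 conn=1001 op=0 do_bind
621f91e2.13870126 0x7fd802e54700 do_bind: dn () SASL mech NTLM
621f91e2.138a0ecd 0x7fd802e54700 <== slap_sasl_bind: rc=14
621f91e8.2989357e 0x7fd802e54700 conn=1001 op=1 do_bind
621f91e8.298a0cdf 0x7fd802e54700 do_bind: dn () SASL mech NTLM
621f91e8.298b0c1a 0x7fd802e54700 slap_sasl_getdn: u:id converted to uid=ou_svc_account,cn=NTLM,cn=auth
621f91e8.29f7408a 0x7fd802e54700 <==slap_sasl2dn: Converted SASL name to cn=ou_svc_account,ou=users,dc=domain1,dc=domain2,dc=com
621f91e8.2a4ac858 0x7fd802e54700 SASL [conn=1001] Failure: no secret in database
621f91e8.2a4d96b5 0x7fd802e54700 <== slap_sasl_bind: rc=49
"""

LINE = re.compile(r"^([0-9a-f]{8})\.([0-9a-f]{8}) (0x[0-9a-f]+) ?(.*)$")
RESULT_NAMES = {0: "success", 14: "saslBindInProgress", 49: "invalidCredentials"}
FIELDS = [
    ("mech", re.compile(r"^do_bind: dn \(.*\) SASL mech (\S+)")),
    ("sasl_name", re.compile(r"^slap_sasl_getdn: u:id converted to (.+)")),
    ("mapped_dn", re.compile(r"^<==\s*slap_sasl2dn: Converted SASL name to (.+)")),
    ("sasl_failure", re.compile(r"^SASL \[conn=\d+\] Failure: (.+)")),
]
START = re.compile(r"^conn=(\d+) op=(\d+) do_bind$")
END = re.compile(r"^<== slap_sasl_bind: rc=(\d+)")

def summarize_binds(text):
    """Return one dict per completed SASL bind found in slapd debug output."""
    current, done = {}, []          # current: thread id -> bind in progress
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                # blank lines, "^C"-prefixed lines, etc.
        secs, _frac, thread, msg = m.groups()
        start = START.match(msg)
        if start:
            # Assumption: first prefix field is hex epoch seconds.
            when = datetime.fromtimestamp(int(secs, 16), tz=timezone.utc)
            current[thread] = {"conn": int(start[1]), "op": int(start[2]),
                               "time": when.isoformat()}
            continue
        bind = current.get(thread)
        if bind is None:
            continue                # line does not belong to a tracked bind
        for key, rx in FIELDS:
            hit = rx.match(msg)
            if hit:
                bind[key] = hit[1]
        end = END.match(msg)
        if end:
            rc = int(end[1])
            bind["rc"] = rc
            bind["result"] = RESULT_NAMES.get(rc, "other")
            done.append(current.pop(thread))
    return done
```

Calling summarize_binds on the full log gives two records for conn=1001: op=0 ends with rc=14 (the SASL exchange continues), and op=1 shows the authz-regexp mapping succeeding before the SASL layer reports its failure and the bind ends with rc=49.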
