Ryan Braun [ADS] wrote:
> I've only just started playing with kerberos and sasl. So I'm not 100% sure if this is normal behavior.
>
> My ldapsearches work, but on the server, I need 3 bind attempts before actually binding successfully. The first 2 throw err=14 SASL bind in progress, then the third always works.
>

Right. This is normal. err=14 means SASL_BIND_IN_PROGRESS. This SASL mechanism uses a challenge/response which requires a couple of round trips between the client and server.

>
> From the server
> [06/Oct/2010:16:55:47 +0000] conn=16 fd=64 slot=64 connection from 192.xx.xxx.xxx to 192.xx.xxx.xxx
> [06/Oct/2010:16:55:47 +0000] conn=16 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
> [06/Oct/2010:16:55:47 +0000] conn=16 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
> [06/Oct/2010:16:55:47 +0000] conn=16 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
> [06/Oct/2010:16:55:47 +0000] conn=16 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
> [06/Oct/2010:16:55:47 +0000] conn=16 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
> [06/Oct/2010:16:55:47 +0000] conn=16 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=ryan,ou=people,dc=xxx,dc=xx,dc=xx,dc=xx"
> [06/Oct/2010:16:55:47 +0000] conn=16 op=3 SRCH base="dc=xxx,dc=xx,dc=xx,dc=xx" scope=2 filter="(objectClass=*)" attrs=ALL
> [06/Oct/2010:16:55:47 +0000] conn=16 op=3 RESULT err=0 tag=101 nentries=10 etime=0 notes=U
> [06/Oct/2010:16:55:47 +0000] conn=16 op=4 UNBIND
> [06/Oct/2010:16:55:47 +0000] conn=16 op=4 fd=64 closed - U1
>
> and the client
> ryan@krbclient:~$ ldapsearch -Y GSSAPI -h kerberos -b "dc=xxx,dc=xx,dc=xx,dc=xx" "objectclass=*"
> SASL/GSSAPI authentication started
> SASL username: ryan@xxxxxxxxxxxx
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base <dc=xxx,dc=xx,dc=xx,dc=xx> with scope subtree
> # filter: objectclass=*
> # requesting: ALL
> #
>
> # xxx.xx.xx.xx
> dn: dc=xxx,dc=xx,dc=xx,dc=xx
> objectClass: top
> objectClass: domain
> dc: isb
>
> # Directory Administrators, xxx.xx.xx.xx
> dn: cn=Directory Administrators,dc=xxx,dc=xx,dc=xx,dc=xx
> objectClass: top
> objectClass: groupofuniquenames
> cn: Directory Administrators
> uniqueMember: cn=Directory Manager
>
> # Groups, xxx.xx.xx.xx
> dn: ou=Groups,dc=xxx,dc=xx,dc=xx,dc=xx
> objectClass: top
> objectClass: organizationalunit
> ou: Groups
>
> # People, xxx.xx.xx.xx
> dn: ou=People,dc=xxx,dc=xx,dc=xx,dc=xx
> objectClass: top
> objectClass: organizationalunit
> ou: People
>
> # Special Users, xxx.xx.xx.xx
> dn: ou=Special Users,dc=xxx,dc=xx,dc=xx,dc=xx
> objectClass: top
> objectClass: organizationalUnit
> ou: Special Users
> description: Special Administrative Accounts
>
> # Accounting Managers, Groups, xxx.xx.xx.xx
> dn: cn=Accounting Managers,ou=Groups,dc=xxx,dc=xx,dc=xx,dc=xx
> objectClass: top
> objectClass: groupOfUniqueNames
> cn: Accounting Managers
> ou: groups
> description: People who can manage accounting entries
> uniqueMember: cn=Directory Manager
>
> # HR Managers, Groups, xxx.xx.xx.xx
> dn: cn=HR Managers,ou=Groups,dc=xxx,dc=xx,dc=xx,dc=xx
> objectClass: top
> objectClass: groupOfUniqueNames
> cn: HR Managers
> ou: groups
> description: People who can manage HR entries
> uniqueMember: cn=Directory Manager
>
> # QA Managers, Groups, xxx.xx.xx.xx
> dn: cn=QA Managers,ou=Groups,dc=xxx,dc=xx,dc=xx,dc=xx
> objectClass: top
> objectClass: groupOfUniqueNames
> cn: QA Managers
> ou: groups
> description: People who can manage QA entries
> uniqueMember: cn=Directory Manager
>
> # PD Managers, Groups, xxx.xx.xx.xx
> dn: cn=PD Managers,ou=Groups,dc=xxx,dc=xx,dc=xx,dc=xx
> objectClass: top
> objectClass: groupOfUniqueNames
> cn: PD Managers
> ou: groups
> description: People who can manage engineer entries
> uniqueMember: cn=Directory Manager
>
> # ryan, People, xxx.xx.xx.xx
> dn: uid=ryan,ou=People,dc=xxx,dc=xx,dc=xx,dc=xx
> uid: ryan
> givenName: ryan
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetorgperson
> sn: braun
> cn: ryan
>
> # search result
> search: 4
> result: 0 Success
>
> # numResponses: 11
> # numEntries: 10
>
>
> Ryan Braun
> Aviation and Defence Services Division
> Chief Information Officer Branch, Environment Canada
> CIV: 204-833-2500x2625 CSN: 257-2625 FAX: 204-833-2558
> E-Mail: Ryan.Braun@xxxxxxxx
>
> --
> 389 users mailing list
> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/389-users
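Because err=14 legs are expected, a log review should not count them as failures; the question is whether each SASL exchange eventually reaches err=0. The script below is an added triage example (not from this thread and not part of 389 Directory Server): it groups access-log bind ops per connection, treats every saslBindInProgress result as one more round trip, and flags only the connections whose exchange never completed. The log lines are constructed in the post's format; conn=17 (client dropped mid-exchange, close code A1) and conn=18 (err=49) are assumed failure cases, not from the original report.

```python
import re

# Constructed sample of 389 DS access-log lines (not from a live server). conn=16 mirrors the
# healthy GSSAPI exchange from the post; conn=17 and conn=18 are constructed, not normal.
SAMPLE_LOG = """\
[06/Oct/2010:16:55:47 +0000] conn=16 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[06/Oct/2010:16:55:47 +0000] conn=16 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[06/Oct/2010:16:55:47 +0000] conn=16 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[06/Oct/2010:16:55:47 +0000] conn=16 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[06/Oct/2010:16:55:47 +0000] conn=16 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[06/Oct/2010:16:55:47 +0000] conn=16 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=ryan,ou=people,dc=example,dc=com"
[06/Oct/2010:16:55:47 +0000] conn=16 op=3 RESULT err=0 tag=101 nentries=10 etime=0 notes=U
[06/Oct/2010:16:55:47 +0000] conn=16 op=4 fd=64 closed - U1
[06/Oct/2010:16:56:02 +0000] conn=17 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[06/Oct/2010:16:56:02 +0000] conn=17 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[06/Oct/2010:16:56:02 +0000] conn=17 op=1 fd=65 closed - A1
[06/Oct/2010:16:56:30 +0000] conn=18 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[06/Oct/2010:16:56:30 +0000] conn=18 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[06/Oct/2010:16:56:30 +0000] conn=18 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[06/Oct/2010:16:56:30 +0000] conn=18 op=1 RESULT err=49 tag=97 nentries=0 etime=0
"""

BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND .*?method=sasl .*?mech=(\S+)')
RESULT_RE = re.compile(r'conn=(\d+) op=\d+ RESULT err=(\d+)(?:.*? dn="([^"]*)")?')
CLOSED_RE = re.compile(r'conn=(\d+) op=\d+ fd=\d+ closed - (\S+)')
SASL_BIND_IN_PROGRESS = 14  # LDAP resultCode saslBindInProgress: a normal multi-step leg, not an error

def classify_sasl_binds(log_text):
    """Track each connection's SASL bind exchange. Returns {conn: {"mech", "legs", "status", "dn"}}
    with status "success", "failed:<err>" or "aborted:<close code>" (closed while still in progress)."""
    conns = {}
    for line in log_text.splitlines():
        if m := BIND_RE.search(line):
            st = conns.setdefault(m[1], {"mech": m[2], "legs": 0, "status": "in_progress", "dn": None})
            st["legs"] += 1
        elif m := RESULT_RE.search(line):
            st = conns.get(m[1])
            if st is None or st["status"] != "in_progress":
                continue  # a non-bind op (e.g. SRCH) or a connection that never did a SASL bind
            if int(m[2]) == SASL_BIND_IN_PROGRESS:
                continue  # server wants another challenge/response round trip: expected
            st["status"] = "success" if int(m[2]) == 0 else f"failed:{m[2]}"
            st["dn"] = m[3]
        elif (m := CLOSED_RE.search(line)) and m[1] in conns and conns[m[1]]["status"] == "in_progress":
            conns[m[1]]["status"] = f"aborted:{m[2]}"  # dropped before the exchange finished
    return conns

def suspicious(conns):
    """Connections whose SASL exchange never reached err=0: the ones worth a look."""
    return sorted(c for c, st in conns.items() if st["status"] != "success")
```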