Re: [389-users] err=14 when binding with kerberos/sasl, normal behavior?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Ryan Braun [ADS] wrote:
> I've only just started playing with kerberos and sasl.  So I'm not 100% sure if this is normal behavior.
>
> My ldapsearch's work,  but on the server,  I need 3 bind attempts before actually binding successfully.  The first 2 throw err=14 SASL bind in progress,  then the third always works.
>   
Right.  This is normal.  err=14 means SASL_BIND_IN_PROGRESS.  This SASL 
mechanism uses a challenge/response which requires a couple of 
roundtrips between the client and server.
>
> >From the server
> [06/Oct/2010:16:55:47 +0000] conn=16 fd=64 slot=64 connection from 192.xx.xxx.xxx to 192.xx.xxx.xxx
> [06/Oct/2010:16:55:47 +0000] conn=16 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
> [06/Oct/2010:16:55:47 +0000] conn=16 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
> [06/Oct/2010:16:55:47 +0000] conn=16 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
> [06/Oct/2010:16:55:47 +0000] conn=16 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
> [06/Oct/2010:16:55:47 +0000] conn=16 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
> [06/Oct/2010:16:55:47 +0000] conn=16 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=ryan,ou=people,dc=xxx,dc=xx,dc=xx,dc=xx"
> [06/Oct/2010:16:55:47 +0000] conn=16 op=3 SRCH base="dc=xxx,dc=xx,dc=xx,dc=xx" scope=2 filter="(objectClass=*)" attrs=ALL
> [06/Oct/2010:16:55:47 +0000] conn=16 op=3 RESULT err=0 tag=101 nentries=10 etime=0 notes=U
> [06/Oct/2010:16:55:47 +0000] conn=16 op=4 UNBIND
> [06/Oct/2010:16:55:47 +0000] conn=16 op=4 fd=64 closed - U1
>
> and the client
> ryan@krbclient:~$ ldapsearch -Y GSSAPI -h kerberos -b "dc=xxx,dc=xx,dc=xx,dc=xx" "objectclass=*"
> SASL/GSSAPI authentication started
> SASL username: ryan@xxxxxxxxxxxx
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base <dc=xxx,dc=xx,dc=xx,dc=xx> with scope subtree
> # filter: objectclass=*
> # requesting: ALL
> #
>
> # xxx.xx.xx.xx
> dn: dc=xxx,dc=xx,dc=xx,dc=xx
> objectClass: top
> objectClass: domain
> dc: isb
>
> # Directory Administrators, xxx.xx.xx.xx
> dn: cn=Directory Administrators,dc=xxx,dc=xx,dc=xx,dc=xx
> objectClass: top
> objectClass: groupofuniquenames
> cn: Directory Administrators
> uniqueMember: cn=Directory Manager
>
> # Groups, xxx.xx.xx.xx
> dn: ou=Groups,dc=xxx,dc=xx,dc=xx,dc=xx
> objectClass: top
> objectClass: organizationalunit
> ou: Groups
>
> # People, xxx.xx.xx.xx
> dn: ou=People,dc=xxx,dc=xx,dc=xx,dc=xx
> objectClass: top
> objectClass: organizationalunit
> ou: People
>
> # Special Users, xxx.xx.xx.xx
> dn: ou=Special Users,dc=xxx,dc=xx,dc=xx,dc=xx
> objectClass: top
> objectClass: organizationalUnit
> ou: Special Users
> description: Special Administrative Accounts
>
> # Accounting Managers, Groups, xxx.xx.xx.xx
> dn: cn=Accounting Managers,ou=Groups,dc=xxx,dc=xx,dc=xx,dc=xx
> objectClass: top
> objectClass: groupOfUniqueNames
> cn: Accounting Managers
> ou: groups
> description: People who can manage accounting entries
> uniqueMember: cn=Directory Manager
>
> # HR Managers, Groups, xxx.xx.xx.xx
> dn: cn=HR Managers,ou=Groups,dc=xxx,dc=xx,dc=xx,dc=xx
> objectClass: top
> objectClass: groupOfUniqueNames
> cn: HR Managers
> ou: groups
> description: People who can manage HR entries
> uniqueMember: cn=Directory Manager
>
> # QA Managers, Groups, xxx.xx.xx.xx
> dn: cn=QA Managers,ou=Groups,dc=xxx,dc=xx,dc=xx,dc=xx
> objectClass: top
> objectClass: groupOfUniqueNames
> cn: QA Managers
> ou: groups
> description: People who can manage QA entries
> uniqueMember: cn=Directory Manager
>
> # PD Managers, Groups, xxx.xx.xx.xx
> dn: cn=PD Managers,ou=Groups,dc=xxx,dc=xx,dc=xx,dc=xx
> objectClass: top
> objectClass: groupOfUniqueNames
> cn: PD Managers
> ou: groups
> description: People who can manage engineer entries
> uniqueMember: cn=Directory Manager
>
> # ryan, People, xxx.xx.xx.xx
> dn: uid=ryan,ou=People,dc=xxx,dc=xx,dc=xx,dc=xx
> uid: ryan
> givenName: ryan
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetorgperson
> sn: braun
> cn: ryan
>
> # search result
> search: 4
> result: 0 Success
>
> # numResponses: 11
> # numEntries: 10
>
>
> Ryan Braun
> Aviation and Defence Services Division 
> Chief Information Officer Branch, Environment Canada
> CIV: 204-833-2500x2625 CSN: 257-2625 FAX: 204-833-2558
> E-Mail: Ryan.Braun@xxxxxxxx
>
> --
> 389 users mailing list
> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>   

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users


[Index of Archives]     [Fedora Directory Users]     [Fedora Directory Devel]     [Fedora Announce]     [Fedora Legacy Announce]     [Kernel]     [Fedora Legacy]     [Share Photos]     [Fedora Desktop]     [PAM]     [Red Hat Watch]     [Red Hat Development]     [Big List of Linux Books]     [Gimp]     [Yosemite News]

  Powered by Linux