Dear list!
I'm using FDS-1.0.2 together with Heimdal Kerberos as a NIS replacement. I am having a rather strange problem with SASL. I have two posixGroups. The first is cn=peopleGroup,ou=people,dc=example,dc=com and the other is cn=testGroup,ou=Groups,dc=example,dc=com. testGroup is affected by a Pointer CoS - this is important!

On the client I run:

# kinit foo
# ldapsearch -h directory.example.com -b "dc=example,dc=com" -s sub -Y GSSAPI -I '(&(objectClass=posixGroup)(cn=peopleGroup))'

The search returns sane results. However, running the search for testGroup returns the following:

---------------------------
# ldapsearch -h directory.example.com -b "dc=example,dc=com" -s sub -Y GSSAPI -I '(&(objectClass=posixGroup)(cn=testGroup))'
SASL/GSSAPI authentication started
SASL Interaction
Please enter your authorization name:
SASL username: foo@EXAMPLE.COM
SASL SSF: 56
SASL installing layers
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (&(objectClass=posixGroup)(cn=testGroup))
# requesting: ALL
#

ldap_result: Can't contact LDAP server (-1)
---------------------------

If I remove the CoS from ou=Groups,dc=example,dc=com, then it all works OK (but of course I do not get any of the 'uniqueMember' attributes that come from the CoS).

The strangest thing, however, is that if I set SASL_SECPROPS maxssf=0 in /etc/openldap/ldap.conf, then everything works just fine (but with no security).

Finally, here is what the FDS access log says:

[10/Sep/2006:17:02:51 +0300] conn=111 fd=67 slot=67 connection from 10.0.2.236 to 10.0.0.10
[10/Sep/2006:17:02:51 +0300] conn=111 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[10/Sep/2006:17:02:51 +0300] conn=111 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[10/Sep/2006:17:02:51 +0300] conn=111 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[10/Sep/2006:17:02:51 +0300] conn=111 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[10/Sep/2006:17:02:51 +0300] conn=111 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[10/Sep/2006:17:02:51 +0300] conn=111 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=foo,ou=people,dc=example,dc=com"
[10/Sep/2006:17:02:51 +0300] conn=111 op=3 SRCH base="dc=example,dc=com" scope=2 filter="(&(objectClass=posixGroup)(cn=testGroup))" attrs=ALL
[10/Sep/2006:17:02:51 +0300] conn=111 op=3 fd=67 closed - B4

It looks like the server just drops the connection. The error log indicates nothing.
Any ideas anyone?
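The access log above is the one piece of hard evidence in this report: the GSSAPI bind completes (op=2 RESULT err=0), the search is logged, and the connection is closed with no RESULT line for op=3. The "B4" after "closed -" is the disconnect code that the 389/Red Hat Directory Server access-log reference documents as the server failing to flush a response back to the client, which fits a failure while writing the SASL-wrapped search result rather than a client-side abort. Two practitioner caveats before treating maxssf=0 as a fix: it turns off the SASL integrity and confidentiality layer for every client on that host, so it is a diagnostic, not a configuration to keep; and the "SASL SSF: 56" reported by the client says only that a confidentiality layer was negotiated (Cyrus SASL 2.1 releases of that era reported a fixed 56 for GSSAPI regardless of the Kerberos enctype), not how strong it is. The script below is an added example and is not code from the original poster or from the 389 project: it parses lines in the access-log format quoted in the post and reports every SASL-authenticated connection that the server closed while an operation was still unanswered. The conn=111 lines are copied from the post; the conn=112 lines (a healthy peopleGroup search ending in a normal unbind, code U1) are constructed for comparison.

```python
"""Scan a Fedora/389 Directory Server access log for SASL-bound connections
that the server closed while an operation was still unanswered.

Added example, not code from the original post or from the 389 project.
The conn=111 lines are the ones quoted in the message; conn=112 is a
constructed, healthy counterpart (the peopleGroup search) for comparison.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
[10/Sep/2006:17:02:51 +0300] conn=111 fd=67 slot=67 connection from 10.0.2.236 to 10.0.0.10
[10/Sep/2006:17:02:51 +0300] conn=111 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[10/Sep/2006:17:02:51 +0300] conn=111 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[10/Sep/2006:17:02:51 +0300] conn=111 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[10/Sep/2006:17:02:51 +0300] conn=111 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[10/Sep/2006:17:02:51 +0300] conn=111 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[10/Sep/2006:17:02:51 +0300] conn=111 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=foo,ou=people,dc=example,dc=com"
[10/Sep/2006:17:02:51 +0300] conn=111 op=3 SRCH base="dc=example,dc=com" scope=2 filter="(&(objectClass=posixGroup)(cn=testGroup))" attrs=ALL
[10/Sep/2006:17:02:51 +0300] conn=111 op=3 fd=67 closed - B4
[10/Sep/2006:17:03:10 +0300] conn=112 fd=68 slot=68 connection from 10.0.2.236 to 10.0.0.10
[10/Sep/2006:17:03:10 +0300] conn=112 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[10/Sep/2006:17:03:10 +0300] conn=112 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[10/Sep/2006:17:03:10 +0300] conn=112 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[10/Sep/2006:17:03:10 +0300] conn=112 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=foo,ou=people,dc=example,dc=com"
[10/Sep/2006:17:03:10 +0300] conn=112 op=2 SRCH base="dc=example,dc=com" scope=2 filter="(&(objectClass=posixGroup)(cn=peopleGroup))" attrs=ALL
[10/Sep/2006:17:03:10 +0300] conn=112 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[10/Sep/2006:17:03:10 +0300] conn=112 op=3 UNBIND
[10/Sep/2006:17:03:10 +0300] conn=112 op=3 fd=68 closed - U1
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$')
OP_RE = re.compile(r'^op=(?P<op>\d+) (?P<verb>\S+)(?: (?P<body>.*))?$')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def fields(body):
    """Turn 'err=0 tag=97 dn="uid=foo,..."' into a dict, quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(body)}


def parse_access_log(text):
    """Group lines by connection number as (op, verb, body) tuples.
    Connection-open lines carry no op and get the verb 'CONN'."""
    conns = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line in the expected shape; skip
        conn, rest = int(m.group('conn')), m.group('rest')
        om = OP_RE.match(rest)
        if om:
            conns[conn].append((int(om.group('op')), om.group('verb'), om.group('body') or ''))
        else:
            conns[conn].append((None, 'CONN', rest))
    return conns


def find_dropped_after_sasl(text):
    """One finding per SASL-authenticated connection the server closed while
    at least one operation had been sent but never received a RESULT.
    The disconnect code after 'closed -' (B4, U1, ...) is kept verbatim."""
    findings = []
    for conn, events in sorted(parse_access_log(text).items()):
        mech, bound_dn, pending = None, None, {}
        for op, verb, body in events:
            f = fields(body)
            if verb == 'BIND':
                if f.get('method') == 'sasl':
                    mech = f.get('mech')
                pending[op] = ('BIND', f)
            elif verb == 'RESULT':
                kind, _ = pending.pop(op, (None, None))
                if kind == 'BIND' and f.get('err') == '0':
                    bound_dn = f.get('dn')  # SASL exchange finished, identity established
            elif verb.startswith('fd=') and body.startswith('closed'):
                code = body.rsplit('- ', 1)[-1]
                unanswered = [(o, k, r.get('filter')) for o, (k, r) in sorted(pending.items())]
                if mech and bound_dn and unanswered:
                    findings.append({'conn': conn, 'dn': bound_dn, 'mech': mech,
                                     'code': code, 'unanswered': unanswered})
            elif verb not in ('CONN', 'UNBIND'):
                pending[op] = (verb, f)  # SRCH/ADD/MOD/... still awaiting a RESULT


    return findings


if __name__ == '__main__':
    for hit in find_dropped_after_sasl(SAMPLE_LOG):
        ops = ', '.join(f"op={o} {k} {flt or ''}" for o, k, flt in hit['unanswered'])
        print(f"conn={hit['conn']} {hit['mech']} as {hit['dn']}: closed with {hit['code']} "
              f"while waiting on {ops}")
```

Run it against the real access log (`python3 scan.py < /var/log/dirsrv/slapd-*/access` after swapping SAMPLE_LOG for `sys.stdin.read()`) once with the SASL layer on and once with maxssf=0: if the B4 findings disappear only in the second run, the failure is in writing the wrapped response for the CoS-expanded entry, which is exactly the comparison the post describes.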
Hai Zaar wrote:
> Dear list!
>
> I'm using FDS-1.0.2 together with Heimdal Kerberos as a NIS replacement. I am having a rather strange problem with SASL. I have two posixGroups. The first is cn=peopleGroup,ou=people,dc=example,dc=com and the other is cn=testGroup,ou=Groups,dc=example,dc=com. testGroup is affected by a Pointer CoS - this is important!
>
> On the client I run:
>
> # kinit foo
> # ldapsearch -h directory.example.com -b "dc=example,dc=com" -s sub -Y GSSAPI -I '(&(objectClass=posixGroup)(cn=peopleGroup))'
>
> The search returns sane results. However, running the search for testGroup returns the following:
>
> # ldapsearch -h directory.example.com -b "dc=example,dc=com" -s sub -Y GSSAPI -I '(&(objectClass=posixGroup)(cn=testGroup))'
> SASL/GSSAPI authentication started
> SASL Interaction
> Please enter your authorization name:
> SASL username: foo@EXAMPLE.COM
> SASL SSF: 56
> SASL installing layers
> # extended LDIF
> #
> # LDAPv3
> # base <dc=example,dc=com> with scope subtree
> # filter: (&(objectClass=posixGroup)(cn=testGroup))
> # requesting: ALL
> #
>
> ldap_result: Can't contact LDAP server (-1)
>
> If I remove the CoS from ou=Groups,dc=example,dc=com, then it all works OK (but of course I do not get any of the 'uniqueMember' attributes that come from the CoS).
>
> The strangest thing, however, is that if I set SASL_SECPROPS maxssf=0 in /etc/openldap/ldap.conf, then everything works just fine (but with no security).
>
> Finally, here is what the FDS access log says:
>
> [10/Sep/2006:17:02:51 +0300] conn=111 fd=67 slot=67 connection from 10.0.2.236 to 10.0.0.10
> [10/Sep/2006:17:02:51 +0300] conn=111 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
> [10/Sep/2006:17:02:51 +0300] conn=111 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
> [10/Sep/2006:17:02:51 +0300] conn=111 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
> [10/Sep/2006:17:02:51 +0300] conn=111 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
> [10/Sep/2006:17:02:51 +0300] conn=111 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
> [10/Sep/2006:17:02:51 +0300] conn=111 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=foo,ou=people,dc=example,dc=com"
> [10/Sep/2006:17:02:51 +0300] conn=111 op=3 SRCH base="dc=example,dc=com" scope=2 filter="(&(objectClass=posixGroup)(cn=testGroup))" attrs=ALL
> [10/Sep/2006:17:02:51 +0300] conn=111 op=3 fd=67 closed - B4
>
> It looks like the server just drops the connection. The error log indicates nothing.
>
> Any ideas anyone?
I'm unable to reproduce the issue. Could you supply us with your COS template, COS definition, and testGroup entries?
-NGK
389-users@lists.fedoraproject.org