Hi,
There is something I can't explain concerning the interaction of
ldapadd & ldapsearch (from openldap) with FDS while using kerberos
Here is what I do:
1. kinit User.Name
...
2. Verification with klist -ok, I have the kerberos ticket
3. Verification with ldapsearch works without any problem, giving all the
necessary infos:
ldapsearch -Y GSSAPI 'sn=toto*'
SASL/GSSAPI authentication started
SASL username: User.Name@KRB-FDS
SASL SSF: 56
SASL installing layers
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: sn=aic*
# requesting: userPassword
.... infos ...
4. The problem appears when I try to use ldapadd/ldapmodify with some
ldif files (apparently, these files should be larger than some
critical value to produce the error)
Here is an example of such an ldif
test.ldif:
dn: cn=Gilles Martin,ou=CMLS,ou=Laboratoires,o=Some
Organization,dc=fds-example,dc=domain,dc=com
givenName: Gilles
sn: Martin
telephoneNumber: 00 00
loginShell: /bin/bash
departmentNumber: LAB CMLS
physicalDeliveryOfficeName: 402:10-02
uidNumber: 3090
gidNumber: 3000
mail: gilles.martin@some-organization.domain.com
displayName: Gilles Martin (M.)
uid: Gilles.Martin
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
gecos: Gilles Martin,LAB CMLS ,PERSONNEL DE RECHERCHE
cn: Gilles Martin
title: PERSONNEL DE RECHERCHE
homeDirectory: /home/CMLS/Gilles.Martin
userPassword: {clear}Gilles.Martin
When I try to add this entry using ldapadd or ldapmodify with kerberos:
[root@workstation ~]# ldapadd -Y GSSAPI -v -f test.ldif -H
ldap://fds-example.domain.com
ldap_initialize( ldap://fds-example.domain.com )
SASL/GSSAPI authentication started
SASL username: User.Name@KRB-FDS
SASL SSF: 56
SASL installing layers
add givenName:
Gilles
add sn:
Martin
add telephoneNumber:
00 00
add loginShell:
/bin/bash
add departmentNumber:
LAB CMLS
add physicalDeliveryOfficeName:
402:10-02
add uidNumber:
3090
add gidNumber:
3000
add mail:
gilles.martin@some-organization.domain.com
add displayName:
Gilles Martin (M.)
add uid:
Gilles.Martin
add objectClass:
top
person
organizationalPerson
inetorgperson
posixAccount
add gecos:
Gilles Martin,LAB CMLS ,PERSONNEL DE RECHERCHE
add cn:
Gilles Martin
add title:
PERSONNEL DE RECHERCHE
add homeDirectory:
/home/CMLS/Gilles.Martin
add userPassword:
{clear}Gilles.Martin
adding new entry " cn=Gilles Martin,ou=CMLS,ou=Laboratoires,o=Some
Organization,dc=fds-example,dc=domain,dc=com"
modify complete
ldap_add: Protocol error (2)
additional info: decoding error
5. Adding the same entry using simple authentication (plain text or
SSL/TLS) is possible without any problem. The only way of using
kerberos and ldapadd/ldapmodify is adding the option "-O maxssf=0":
ldapadd -Y GSSAPI -O maxssf=0 -v -f test.ldif -H ldap://fds-example.domain.com
With this command line, the ldapadd adds the entry with success.
Can someone explain to me why ldapsearch works without problem and
ldapadd needs an additional option (this option forbids the double
encryption kerberos+ssl if I understand correctly)?
Thank you!
Andrey Ivanov
tel +33-(0)1-69-33-99-24
fax +33-(0)1-69-33-99-55
Direction des Systemes d'Information
Ecole Polytechnique
91128 Palaiseau CEDEX
France
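Two details in the transcript above matter for the question asked. "SASL SSF: 56" followed by "SASL installing layers" means the GSSAPI bind negotiated a security layer, so every LDAP PDU sent after the bind (each ldapadd AddRequest, each ldapsearch request and entry) is wrapped in SASL buffers that have a negotiated maximum size (adjustable on the OpenLDAP client side with "-O maxbufsize=..."). "-O maxssf=0" tells the client to accept no layer at all: authentication still uses the Kerberos ticket, but afterwards the PDUs travel unwrapped, which over plain ldap:// means the "userPassword: {clear}..." value in this entry would cross the network in the clear. The thread does not establish why the larger entry fails, so a practitioner's first check is to measure the single AddRequest PDU ldapadd builds for each entry. The script below is an added example, not code from the thread, OpenLDAP or FDS: a minimal LDIF reader plus a BER encoder for the LDAPv3 AddRequest, run on the entry from this message and on the reduced entry Andrey posts later in the thread. It assumes messageID 1 and that the dn is one LDIF line (the mail client wrapped it); it does not handle LDIF change records or URL-valued attributes.

```python
"""Encode an LDIF entry as the LDAP AddRequest PDU that ldapadd sends.

Added example, not code from the thread, OpenLDAP or FDS: a small BER encoder
for LDAPMessage { messageID, AddRequest } (RFC 4511, section 4.7) so the one
PDU a SASL security layer has to wrap can be measured and compared between entries.
"""
import base64

# Constructed from the entry posted in the thread; the dn is a single LDIF line
# here (the mail client wrapped it; LDIF itself folds only with a leading space).
FULL_LDIF = """\
dn: cn=Gilles Martin,ou=CMLS,ou=Laboratoires,o=Some Organization,dc=fds-example,dc=domain,dc=com
givenName: Gilles
sn: Martin
telephoneNumber: 00 00
loginShell: /bin/bash
departmentNumber: LAB CMLS
physicalDeliveryOfficeName: 402:10-02
uidNumber: 3090
gidNumber: 3000
mail: gilles.martin@some-organization.domain.com
displayName: Gilles Martin (M.)
uid: Gilles.Martin
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
gecos: Gilles Martin,LAB CMLS ,PERSONNEL DE RECHERCHE
cn: Gilles Martin
title: PERSONNEL DE RECHERCHE
homeDirectory: /home/CMLS/Gilles.Martin
userPassword: {clear}Gilles.Martin
"""

# The reduced entry from later in the thread: the same file with these attributes
# commented out ('#' lines are LDIF comments and are never sent to the server).
COMMENTED_OUT = ("telephoneNumber", "departmentNumber", "physicalDeliveryOfficeName",
                 "mail", "displayName", "gecos", "title")
TRIMMED_LDIF = "\n".join("#" + ln if ln.split(":", 1)[0] in COMMENTED_OUT else ln
                         for ln in FULL_LDIF.splitlines()) + "\n"


def parse_ldif_entry(text):
    """Return (dn, [(attr, [values])]) for one LDIF entry.
    Handles '#' comment lines, folded lines (leading space) and 'attr:: base64' values."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # folded continuation line
        else:
            logical.append(raw)
    dn, attrs = None, {}
    for line in logical:
        name, _, rest = line.partition(":")
        if rest.startswith(":"):             # 'attr:: <base64>'
            value = base64.b64decode(rest[1:].strip())
        else:
            value = rest.strip().encode("utf-8")
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return dn, list(attrs.items())


def _ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _ber_len(len(content)) + content


def _ber_int(n):
    """INTEGER in minimal two's-complement form."""
    return _tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))


def encode_add_request(dn, attrs, message_id=1):
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp AddRequest }
    AddRequest ::= [APPLICATION 8] SEQUENCE { entry LDAPDN,
                     attributes SEQUENCE OF SEQUENCE { type, vals SET OF value } }"""
    attr_list = b"".join(
        _tlv(0x30, _tlv(0x04, name.encode("utf-8")) +
             _tlv(0x31, b"".join(_tlv(0x04, v) for v in vals)))
        for name, vals in attrs)
    # 0x68 = APPLICATION class (0x40) | constructed (0x20) | tag 8
    add_req = _tlv(0x68, _tlv(0x04, dn) + _tlv(0x30, attr_list))
    return _tlv(0x30, _ber_int(message_id) + add_req)


def pdu_size(ldif_text):
    """Bytes of the AddRequest PDU before any SASL wrapping."""
    return len(encode_add_request(*parse_ldif_entry(ldif_text)))


if __name__ == "__main__":
    for label, text in (("full entry", FULL_LDIF), ("trimmed entry", TRIMMED_LDIF)):
        print(f"{label}: {pdu_size(text)} bytes of AddRequest PDU")
```

Run it on the failing and the working entry and compare the two sizes with the buffer size the client and server SASL libraries negotiated; a difference of a few hundred bytes that straddles no buffer limit is evidence against the simple "too large" explanation, and the next step is then a packet capture or server debug log of the SASL-wrapped stream rather than lowering maxssf in production.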
Richard Megginson
2006-Jul-03 15:17 UTC
Re: [Fedora-directory-users] ldapadd with Kerberos
Andrey Ivanov wrote:
> There is something I can't explain concerning the interaction of
> ldapadd & ldapsearch (from openldap) with FDS while using kerberos
> [...]
> 5. Adding the same entry using simple authentication (plain text or
> SSL/TLS) is possible without any problem. The only way of using
> kerberos and ldapadd/ldapmodify is adding the option "-O maxssf=0":
>
> ldapadd -Y GSSAPI -O maxssf=0 -v -f test.ldif -H ldap://fds-example.domain.com
>
> With this command line, the ldapadd adds the entry with success.
>
> Can someone explain to me why ldapsearch works without problem and
> ldapadd needs an additional option (this option forbids the double
> encryption kerberos+ssl if I understand correctly)?

I'm not sure. Could you post some relevant excerpts from your directory
server access and error logs? Be sure to remove any sensitive data from
them first.

>> 5. Adding the same entry using simple authentication (plain text or
>> SSL/TLS) is possible without any problem. The only way of using
>> kerberos and ldapadd/ldapmodify is adding the option "-O maxssf=0":
>>
>> ldapadd -Y GSSAPI -O maxssf=0 -v -f test.ldif -H ldap://fds-example.domain.com
>>
>> With this command line, the ldapadd adds the entry with success.
>>
>> Can someone explain to me why ldapsearch works without problem and
>> ldapadd needs an additional option (this option forbids the double
>> encryption kerberos+ssl if I understand correctly)?

RM> I'm not sure. Could you post some relevant excerpts from your directory
RM> server access and error logs? Be sure to remove any sensitive data from
RM> them first.

The logs do not reveal anything special - it's the same error (2 - protocol error).
FDS 1.0.2. ldapadd/ldapmodify are the rpm versions from FC2, FC3, FC4 (I've tested both)

ldapadd -Y GSSAPI -v -f test.ldif -H ldap://fds-example.domain.com

Access logs:
[29/Jun/2006:20:38:47 +0200] conn=225 fd=64 slot=64 connection from xxx.xxx.xxx.xxx to yyy.yyy.yyy.yyy
[29/Jun/2006:20:38:48 +0200] conn=225 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[29/Jun/2006:20:38:48 +0200] conn=225 op=0 RESULT err=14 tag=97 nentries=0 etime=0.013000, SASL bind in progress
[29/Jun/2006:20:38:48 +0200] conn=225 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[29/Jun/2006:20:38:48 +0200] conn=225 op=1 RESULT err=14 tag=97 nentries=0 etime=0.000000, SASL bind in progress
[29/Jun/2006:20:38:48 +0200] conn=225 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[29/Jun/2006:20:38:48 +0200] conn=Internal op=-1 SRCH base="dc=fds-example,dc=domain,dc=com" scope=2 filter="(&(uid=User.Name))" attrs=ALL
[29/Jun/2006:20:38:48 +0200] conn=Internal op=-1 RESULT err=0 tag=48 nentries=1 etime=0.001000
[29/Jun/2006:20:38:48 +0200] conn=Internal op=-1 SRCH base="o=NetscapeRoot" scope=2 filter="(&(uid=User.Name))" attrs=ALL
[29/Jun/2006:20:38:48 +0200] conn=Internal op=-1 RESULT err=0 tag=48 nentries=0 etime=0.000000
[29/Jun/2006:20:38:48 +0200] conn=Internal op=-1 SRCH base="cn=user name,ou=cmap,ou=laboratoires,o=Some Organization,dc=fds-example,dc=domain,dc=com" scope=0 filter="(|(objectclass=*)(objectclass=ldapsubentry))" attrs=ALL
[29/Jun/2006:20:38:48 +0200] conn=Internal op=-1 RESULT err=0 tag=48 nentries=1 etime=0.000000
[29/Jun/2006:20:38:48 +0200] conn=225 op=2 RESULT err=0 tag=97 nentries=0 etime=0.002000 dn="cn=user name,ou=cmap,ou=laboratoires,o=Some Organization,dc=fds-example,dc=domain,dc=com"
[29/Jun/2006:20:38:48 +0200] conn=225 op=3 ADD dn="cn=Gilles Martin,ou=CMLS,ou=Laboratoires,o=Some Organization,dc=fds-example,dc=domain,dc=com", decoding error
[29/Jun/2006:20:38:48 +0200] conn=225 op=3 RESULT err=2 tag=105 nentries=0 etime=0.000000
[29/Jun/2006:20:38:48 +0200] conn=225 op=4 UNBIND
[29/Jun/2006:20:38:48 +0200] conn=225 op=4 fd=64 closed - U1

And there is nothing in error logs....

What may be important - it's the size of the ldif file. The error pops up for this file:
dn: cn=Gilles Martin,ou=CMLS,ou=Laboratoires,o=Some Organization,dc=fds-example,dc=domain,dc=com
givenName: Gilles
sn: Martin
telephoneNumber: 00 00
loginShell: /bin/bash
departmentNumber: LAB CMLS
physicalDeliveryOfficeName: 402:10-02
uidNumber: 3090
gidNumber: 3000
mail: gilles.martin@some-organization.domain.com
displayName: Gilles Martin (M.)
uid: Gilles.Martin
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
gecos: Gilles Martin,LAB CMLS ,PERSONNEL DE RECHERCHE
cn: Gilles Martin
title: PERSONNEL DE RECHERCHE
homeDirectory: /home/CMLS/Gilles.Martin
userPassword: {clear}Gilles.Martin

But everything goes smooth for this one:
dn: cn=Gilles Martin,ou=CMLS,ou=Laboratoires,o=Some Organization,dc=fds-example,dc=domain,dc=com
givenName: Gilles
sn: Martin
#telephoneNumber: 00 00
loginShell: /bin/bash
#departmentNumber: LAB CMLS
#physicalDeliveryOfficeName: 402:10-02
uidNumber: 3090
gidNumber: 3000
#mail: gilles.martin@some-organization.domain.com
#displayName: Gilles Martin (M.)
uid: Gilles.Martin
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
#gecos: Gilles Martin,LAB CMLS ,PERSONNEL DE RECHERCHE
cn: Gilles Martin
#title: PERSONNEL DE RECHERCHE
homeDirectory: /home/CMLS/Gilles.Martin
userPassword: {clear}Gilles.Martin

Both files are correctly imported with
ldapadd -Y GSSAPI -O maxssf=0 -v -f test.ldif -H ldap://fds-example.domain.com

Andrey Ivanov
tel +33-(0)1-69-33-99-24
fax +33-(0)1-69-33-99-55
Direction des Systemes d'Information
Ecole Polytechnique
91128 Palaiseau CEDEX
France
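The access-log excerpt in this message has a shape a defender can key on without touching client settings: three SASL BIND rounds (err=14, saslBindInProgress) ending in err=0 with the mapped dn, and then the very next operation on the same connection failing with err=2 (protocolError) and "decoding error". The script below is an added example, not code from the thread or from FDS: it parses such access-log lines, groups them per connection, records the SASL mechanism and the dn the bind resolved to, and lists operations that failed after a successful SASL bind. The sample lines are constructed from the excerpt above; the field names (conn, op, err, tag, mech, dn) are the ones the excerpt shows, and the key=value tokenizer is an assumption about the rest of the line format.

```python
"""Correlate Fedora/389 Directory Server access-log lines per connection.

Added example, not code from the thread or from FDS. It groups BIND, RESULT and
operation lines by conn=, records the SASL mechanism and the dn a bind resolved
to, and lists operations that failed after a successful SASL bind, so that
err=2 (protocolError) / 'decoding error' following a GSSAPI bind can be spotted
server-side instead of by disabling the security layer with -O maxssf=0.
"""
import re

# Constructed sample, built from the access-log excerpt posted in the thread.
SAMPLE_LOG = """\
[29/Jun/2006:20:38:47 +0200] conn=225 fd=64 slot=64 connection from xxx.xxx.xxx.xxx to yyy.yyy.yyy.yyy
[29/Jun/2006:20:38:48 +0200] conn=225 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[29/Jun/2006:20:38:48 +0200] conn=225 op=0 RESULT err=14 tag=97 nentries=0 etime=0.013000, SASL bind in progress
[29/Jun/2006:20:38:48 +0200] conn=225 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[29/Jun/2006:20:38:48 +0200] conn=225 op=1 RESULT err=14 tag=97 nentries=0 etime=0.000000, SASL bind in progress
[29/Jun/2006:20:38:48 +0200] conn=225 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[29/Jun/2006:20:38:48 +0200] conn=Internal op=-1 SRCH base="dc=fds-example,dc=domain,dc=com" scope=2 filter="(&(uid=User.Name))" attrs=ALL
[29/Jun/2006:20:38:48 +0200] conn=Internal op=-1 RESULT err=0 tag=48 nentries=1 etime=0.001000
[29/Jun/2006:20:38:48 +0200] conn=225 op=2 RESULT err=0 tag=97 nentries=0 etime=0.002000 dn="cn=user name,ou=cmap,ou=laboratoires,o=Some Organization,dc=fds-example,dc=domain,dc=com"
[29/Jun/2006:20:38:48 +0200] conn=225 op=3 ADD dn="cn=Gilles Martin,ou=CMLS,ou=Laboratoires,o=Some Organization,dc=fds-example,dc=domain,dc=com", decoding error
[29/Jun/2006:20:38:48 +0200] conn=225 op=3 RESULT err=2 tag=105 nentries=0 etime=0.000000
[29/Jun/2006:20:38:48 +0200] conn=225 op=4 UNBIND
[29/Jun/2006:20:38:48 +0200] conn=225 op=4 fd=64 closed - U1
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\S+)(?: op=(?P<op>-?\d+))? (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')   # key=value or key="quoted value"
SASL_BIND_IN_PROGRESS = 14      # LDAP resultCode saslBindInProgress
PROTOCOL_ERROR = 2              # LDAP resultCode protocolError


def parse_line(line):
    """Split one access-log line into timestamp, conn, op, verb, key=value fields and free text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    first = rest.split(" ", 1)[0]
    verb = "CONN" if "=" in first else first        # 'fd=64 ... connection from' / 'fd=64 closed'
    fields = {k: v.strip('",') for k, v in KV_RE.findall(rest)}
    tokens = KV_RE.sub("", rest).replace(",", " ").split()   # what is left: 'decoding error' etc.
    if tokens and tokens[0] == verb:
        tokens = tokens[1:]
    return {"ts": m.group("ts"), "conn": m.group("conn"),
            "op": int(m.group("op")) if m.group("op") is not None else None,
            "verb": verb, "fields": fields, "info": " ".join(tokens)}


def summarize(log_text):
    """Per external connection: SASL mech, dn bound as, and operations that failed."""
    conns = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["conn"] == "Internal" or rec["verb"] == "CONN":
            continue
        c = conns.setdefault(rec["conn"], {"sasl_mech": None, "bound_dn": None,
                                            "ops": {}, "failures": []})
        op, f = rec["op"], rec["fields"]
        if rec["verb"] == "RESULT":
            err = int(f.get("err", "0"))
            started = c["ops"].get(op, {"kind": "?", "target": "", "info": ""})
            if started["kind"] == "BIND" and err == 0:
                c["bound_dn"] = f.get("dn", started["target"])
            elif err not in (0, SASL_BIND_IN_PROGRESS):
                # the server logs 'decoding error' on the ADD line, not on its RESULT
                c["failures"].append({"op": op, "kind": started["kind"], "target": started["target"],
                                      "err": err, "info": rec["info"] or started["info"]})
        else:
            c["ops"][op] = {"kind": rec["verb"], "target": f.get("dn", f.get("base", "")),
                            "info": rec["info"]}
            if rec["verb"] == "BIND" and f.get("method") == "sasl":
                c["sasl_mech"] = f.get("mech")
    return conns


def sasl_layer_suspects(conns):
    """Connections that bound via SASL and then hit protocolError on a later op."""
    return [(cid, c["sasl_mech"], fl["op"], fl["kind"], fl["info"])
            for cid, c in conns.items() if c["sasl_mech"] and c["bound_dn"] is not None
            for fl in c["failures"] if fl["err"] == PROTOCOL_ERROR]


if __name__ == "__main__":
    for cid, mech, op, kind, info in sasl_layer_suspects(summarize(SAMPLE_LOG)):
        print(f"conn={cid}: {kind} op={op} failed with protocolError ({info}) after SASL/{mech} bind")
```

Running it over a day of access logs tells you which client hosts and which operation types hit the error while the security layer is on, which is the evidence to attach to a bug report; it also makes visible whether anyone has worked around the problem by binding with no layer, since such connections show a SASL bind followed by successful ADDs on a plain ldap:// port.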