On 08/15/2016 09:27 PM, David Kowis wrote:
> On 08/15/2016 08:05 PM, Rob Crittenden wrote:
>> David Kowis wrote:
>>> On 08/15/2016 04:33 AM, Petr Spacek wrote:
>>>> This is weird as LDAP SASL & GSSAPI is a pretty standard thing.
>>>>
>>>> In any case, you can check server logs or use tcpdump/wireshark and
>>>> see if the
>>>> error comes from LDAP server or if it is client side error.
>>>>
>>>> That would tell us where to focus.
>>>>
>>>
>>> Welp, I've got a pile of logs for you:
>>> https://gist.github.com/dkowis/a82d4ec6b1823d9e1b95ffcc94666ae0
>>>
>>> The last few lines are probably the relevant ones.
>>>
>>> [15/Aug/2016:18:12:53 -0500] conn=1307 op=0 BIND dn="" method=sasl
>>> version=3 mech=GSSAPI
>>> [15/Aug/2016:18:12:53 -0500] conn=1307 op=0 RESULT err=7 tag=97
>>> nentries=0 etime=0
>>> [15/Aug/2016:18:12:54 -0500] conn=1307 op=1 UNBIND
>>> [15/Aug/2016:18:12:54 -0500] conn=1307 op=1 fd=68 closed - U1
>>>
>>>
>>> Something tries to bind with no dn, and then fails.... I think?
>>
>> No this is typical logging for GSSAPI (minus the error).
>>
>> The error code is LDAP_AUTH_METHOD_NOT_SUPPORTED. Do you have the cyrus
>> SASL GSSAPI package installed? In Fedora the package is cyrus-sasl-gssapi.
>>

Still trying to figure stuff out:

root@freeipavm:/var/log/dirsrv/slapd-DARK-KOW-IS# ldapsearch -h
localhost -p 389 -x -b "" -s base -LLL SupportedSASLMechanisms
dn:
SupportedSASLMechanisms: EXTERNAL


Should I have more than just EXTERNAL when this happens? How do I debug
more about what SASL authentication stuff should be there? I'm having a
great deal of difficulty finding documentation for the 389 directory
server's SASL configuration. *If* that's even the place I should be
looking. How can I narrow this down more?

--
David Kowis


>> rob
> 
> 
> searched for gssapi:
> 
> libsasl2-modules-gssapi-mit/xenial,now 2.1.26.dfsg1-14build1 i386
> [installed,automatic]
>   Cyrus SASL - pluggable authentication modules (GSSAPI)
> 
> 
> Pretty sure that's the equivalent package on ubuntu
> 
> # dpkg -L libsasl2-modules-gssapi-mit
> /.
> /usr
> /usr/lib
> /usr/lib/i386-linux-gnu
> /usr/lib/i386-linux-gnu/sasl2
> /usr/lib/i386-linux-gnu/sasl2/libscram.so.2.0.25
> /usr/lib/i386-linux-gnu/sasl2/libgs2.so.2.0.25
> /usr/lib/i386-linux-gnu/sasl2/libgssapiv2.so.2.0.25
> /usr/share
> /usr/share/lintian
> /usr/share/lintian/overrides
> /usr/share/lintian/overrides/libsasl2-modules-gssapi-mit
> /usr/share/doc
> /usr/share/doc/libsasl2-modules-gssapi-mit
> /usr/share/doc/libsasl2-modules-gssapi-mit/copyright
> /usr/lib/i386-linux-gnu/sasl2/libgs2.so.2
> /usr/lib/i386-linux-gnu/sasl2/libscram.so
> /usr/lib/i386-linux-gnu/sasl2/libgs2.so
> /usr/lib/i386-linux-gnu/sasl2/libgssapiv2.so.2
> /usr/lib/i386-linux-gnu/sasl2/libscram.so.2
> /usr/lib/i386-linux-gnu/sasl2/libgssapiv2.so
> /usr/share/doc/libsasl2-modules-gssapi-mit/changelog.Debian.gz
> /usr/share/doc/libsasl2-modules-gssapi-mit/NEWS.Debian.gz
> 
> python-gssapi is also installed.
> 
> 
> --
> David Kowis
> 
> 
> PS: Sorry Rob for sending it directly, I derped in the mail client
> 
> 
> 
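
Added example, not part of the original thread: a small Python check that pairs each SASL BIND in a 389 Directory Server access log with its RESULT and reports whether the requested mechanism appears in the root DSE `SupportedSASLMechanisms` output. The function names are hypothetical, the sample input is constructed from the excerpts quoted above (with wrapped lines rejoined), and the result-code names come from RFC 4511.

```python
import re

# LDAP result codes (RFC 4511); 7 is the code identified in the thread.
LDAP_RESULTS = {0: "success", 7: "authMethodNotSupported",
                14: "saslBindInProgress", 49: "invalidCredentials"}

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=sasl .*?mech=(\S+)')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+)')

def failed_sasl_binds(log_lines):
    """Pair each SASL BIND with its RESULT (same conn/op) and return the failures."""
    pending, failures = {}, []
    for line in log_lines:
        m = BIND_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(4)
            continue
        m = RESULT_RE.search(line)
        if m and (m.group(1), m.group(2)) in pending:
            mech = pending.pop((m.group(1), m.group(2)))
            err = int(m.group(3))
            if err not in (0, 14):  # 14 = multi-step SASL exchange still in progress
                failures.append({"conn": int(m.group(1)), "mech": mech, "err": err,
                                 "name": LDAP_RESULTS.get(err, "other")})
    return failures

def advertised_mechs(ldif_text):
    """Extract SupportedSASLMechanisms values from root DSE LDIF output."""
    return {line.split(":", 1)[1].strip().upper()
            for line in ldif_text.splitlines()
            if line.lower().startswith("supportedsaslmechanisms:")}

def diagnose(log_lines, ldif_text):
    """For each failed bind, record whether the server advertises that mechanism."""
    mechs = advertised_mechs(ldif_text)
    return [dict(f, advertised=f["mech"].upper() in mechs)
            for f in failed_sasl_binds(log_lines)]

# Constructed sample input, modelled on the excerpts in the thread.
SAMPLE_LOG = [
    '[15/Aug/2016:18:12:53 -0500] conn=1307 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI',
    '[15/Aug/2016:18:12:53 -0500] conn=1307 op=0 RESULT err=7 tag=97 nentries=0 etime=0',
    '[15/Aug/2016:18:12:54 -0500] conn=1307 op=1 UNBIND',
]
SAMPLE_LDIF = "dn:\nSupportedSASLMechanisms: EXTERNAL\n"

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG, SAMPLE_LDIF):
        print(finding)
```
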

