On Tue, 16 Aug 2016, David Kowis wrote:
On 08/15/2016 09:27 PM, David Kowis wrote:
On 08/15/2016 08:05 PM, Rob Crittenden wrote:
David Kowis wrote:
On 08/15/2016 04:33 AM, Petr Spacek wrote:
This is weird as LDAP SASL & GSSAPI is pretty standard thing.

In any case, you can check server logs or use tcpdump/wireshark and see if the
error comes from the LDAP server or if it is a client side error.

That would tell us where to focus.


Welp, I've got a pile of logs for you:
https://gist.github.com/dkowis/a82d4ec6b1823d9e1b95ffcc94666ae0

The last few lines are probably the relevant ones.

[15/Aug/2016:18:12:53 -0500] conn=1307 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[15/Aug/2016:18:12:53 -0500] conn=1307 op=0 RESULT err=7 tag=97 nentries=0 etime=0
[15/Aug/2016:18:12:54 -0500] conn=1307 op=1 UNBIND
[15/Aug/2016:18:12:54 -0500] conn=1307 op=1 fd=68 closed - U1


Something tries to bind with no dn, and then fails.... I think?

No this is typical logging for GSSAPI (minus the error).

The error code is LDAP_AUTH_METHOD_NOT_SUPPORTED. Do you have the cyrus
SASL GSSAPI package installed? In Fedora the package is cyrus-sasl-gssapi.


Still trying to figure stuff out:

root@freeipavm:/var/log/dirsrv/slapd-DARK-KOW-IS# ldapsearch -h localhost -p 389 -x -b "" -s base -LLL SupportedSASLMechanisms
dn:
SupportedSASLMechanisms: EXTERNAL


Should I have more than just EXTERNAL when this happens? How do I debug
more about what SASL authentication stuff should be there? I'm having a
great deal of difficulty finding documentation for the 389 directory
server's SASL configuration. *If* that's even the place I should be
looking. How can I narrow this down more?

389-ds does dynamically include all supported SASL mechanisms returned
by CyrusSASL library. If you only get EXTERNAL, it means NO mechanisms
were returned by your system SASL library. The attribute
SupportedSASLMechanisms you see in the rootdse query above is read-only:
it only shows which SASL mechanisms 389-ds knows about but you cannot
influence them via this attribute. You need to look at your CyrusSASL
library system configuration.

What does 'pluginviewer' output show? Here is what Fedora 24 reports
when the following packages are installed:
cyrus-sasl-2.1.26-26.2.fc24.x86_64
cyrus-sasl-md5-2.1.26-26.2.fc24.x86_64
cyrus-sasl-plain-2.1.26-26.2.fc24.x86_64
cyrus-sasl-gssapi-2.1.26-26.2.fc24.x86_64
cyrus-sasl-lib-2.1.26-26.2.fc24.x86_64

# pluginviewer
Installed and properly configured auxprop mechanisms are:
sasldb
List of auxprop plugins follows
Plugin "sasldb" ,     API version: 8
        supports store: yes

Installed and properly configured SASL (server side) mechanisms are:
 GSS-SPNEGO GSSAPI DIGEST-MD5 EXTERNAL CRAM-MD5 LOGIN PLAIN ANONYMOUS
Available SASL (server side) mechanisms matching your criteria are:
 GSS-SPNEGO GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN ANONYMOUS
List of server plugins follows
Plugin "gssapiv2" [loaded],   API version: 4
        SASL mechanism: GSS-SPNEGO, best SSF: 56, supports setpass: no
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
        features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION|DONTUSE_USERPASSWD|SUPPORTS_HTTP
Plugin "gssapiv2" [loaded],   API version: 4
        SASL mechanism: GSSAPI, best SSF: 56, supports setpass: no
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
        features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION|DONTUSE_USERPASSWD
Plugin "digestmd5" [loaded],  API version: 4
        SASL mechanism: DIGEST-MD5, best SSF: 128, supports setpass: no
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
        features: PROXY_AUTHENTICATION|SUPPORTS_HTTP
Plugin "crammd5" [loaded],    API version: 4
        SASL mechanism: CRAM-MD5, best SSF: 0, supports setpass: no
        security flags: NO_ANONYMOUS|NO_PLAINTEXT
        features: SERVER_FIRST
Plugin "login" [loaded],      API version: 4
        SASL mechanism: LOGIN, best SSF: 0, supports setpass: no
        security flags: NO_ANONYMOUS|PASS_CREDENTIALS
        features:
Plugin "plain" [loaded],      API version: 4
        SASL mechanism: PLAIN, best SSF: 0, supports setpass: no
        security flags: NO_ANONYMOUS|PASS_CREDENTIALS
        features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
Plugin "anonymous" [loaded],  API version: 4
        SASL mechanism: ANONYMOUS, best SSF: 0, supports setpass: no
        security flags: NO_PLAINTEXT
        features: WANT_CLIENT_FIRST|DONTUSE_USERPASSWD
Installed and properly configured SASL (client side) mechanisms are:
 GSS-SPNEGO GSSAPI DIGEST-MD5 EXTERNAL CRAM-MD5 LOGIN PLAIN ANONYMOUS
Available SASL (client side) mechanisms matching your criteria are:
 GSS-SPNEGO GSSAPI DIGEST-MD5 EXTERNAL CRAM-MD5 LOGIN PLAIN ANONYMOUS
List of client plugins follows
Plugin "gssapiv2" [loaded],   API version: 4
        SASL mechanism: GSS-SPNEGO, best SSF: 56
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
        features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION|NEED_SERVER_FQDN|SUPPORTS_HTTP
Plugin "gssapiv2" [loaded],   API version: 4
        SASL mechanism: GSSAPI, best SSF: 56
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
        features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION|NEED_SERVER_FQDN
Plugin "digestmd5" [loaded],  API version: 4
        SASL mechanism: DIGEST-MD5, best SSF: 128
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
        features: PROXY_AUTHENTICATION|NEED_SERVER_FQDN|SUPPORTS_HTTP
Plugin "EXTERNAL" [loaded],   API version: 4
        SASL mechanism: EXTERNAL, best SSF: 0
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_DICTIONARY
        features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
Plugin "crammd5" [loaded],    API version: 4
        SASL mechanism: CRAM-MD5, best SSF: 0
        security flags: NO_ANONYMOUS|NO_PLAINTEXT
        features: SERVER_FIRST
Plugin "login" [loaded],      API version: 4
        SASL mechanism: LOGIN, best SSF: 0
        security flags: NO_ANONYMOUS|PASS_CREDENTIALS
        features: SERVER_FIRST
Plugin "plain" [loaded],      API version: 4
        SASL mechanism: PLAIN, best SSF: 0
        security flags: NO_ANONYMOUS|PASS_CREDENTIALS
        features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
Plugin "anonymous" [loaded],  API version: 4
        SASL mechanism: ANONYMOUS, best SSF: 0
        security flags: NO_PLAINTEXT
        features: WANT_CLIENT_FIRST

--
/ Alexander Bokovoy
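As an added illustration of the log reading Rob and Alexander walk through above (this is example code written for this page, not code from the thread, from FreeIPA or from 389-ds), the script below parses 389-ds access-log lines in the format quoted earlier, pairs each SASL BIND with the RESULT for the same conn/op, and names the numeric result code so that err=7 shows up as authMethodNotSupported. The first four sample lines are the ones David posted; the conn=1310 lines, the bind DN in them and the per-code hint text are constructed for contrast and are assumptions, not output from his server.

```python
"""Flag failed SASL binds in a 389-ds / FreeIPA access log.

Added example, not code from the thread or from 389-ds: it parses the
access-log format quoted above, pairs each BIND with the RESULT for the
same conn/op, and names the LDAP result code so err=7 reads as
authMethodNotSupported instead of a bare number.
"""
import re

# Constructed sample log. The first four lines are the ones quoted in the
# thread; conn=1310 is a made-up successful GSSAPI bind (two round trips,
# err=14 "SASL bind in progress" then err=0) added for contrast.
SAMPLE_LOG = """\
[15/Aug/2016:18:12:53 -0500] conn=1307 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[15/Aug/2016:18:12:53 -0500] conn=1307 op=0 RESULT err=7 tag=97 nentries=0 etime=0
[15/Aug/2016:18:12:54 -0500] conn=1307 op=1 UNBIND
[15/Aug/2016:18:12:54 -0500] conn=1307 op=1 fd=68 closed - U1
[15/Aug/2016:18:20:01 -0500] conn=1310 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[15/Aug/2016:18:20:01 -0500] conn=1310 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[15/Aug/2016:18:20:01 -0500] conn=1310 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[15/Aug/2016:18:20:01 -0500] conn=1310 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=example,dc=test"
"""

# Subset of the LDAP result codes from RFC 4511 that matter for bind diagnostics.
LDAP_RESULT_NAMES = {
    0: "success",
    7: "authMethodNotSupported",
    14: "saslBindInProgress",
    48: "inappropriateAuthentication",
    49: "invalidCredentials",
}

# What each failure code usually means for a SASL bind: the err=7 entry is the
# thread's own diagnosis, the others follow the RFC 4511 definitions (assumed
# wording, not 389-ds text).
HINTS = {
    7: ("server does not offer the mechanism: compare rootDSE "
        "supportedSASLMechanisms with the server-side list from "
        "pluginviewer and check the cyrus-sasl plugin packages"),
    48: "mechanism offered but not acceptable for this identity",
    49: "credentials rejected by the server",
}

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Return {ts, conn, op, verb, fields} for an access-log line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    # key=value pairs; quoted values (dn="...") keep their commas, a trailing
    # comma on an unquoted value (etime=0,) is dropped
    fields = {k: v.strip('"').rstrip(",") for k, v in KV_RE.findall(rest)}
    return {
        "ts": m.group("ts"),
        "conn": int(m.group("conn")),
        "op": int(m.group("op")),
        "verb": rest.split(" ", 1)[0],
        "fields": fields,
    }


def find_sasl_bind_failures(log_text):
    """Pair SASL BIND lines with their RESULT and return the failed ones."""
    pending = {}   # (conn, op) -> mechanism named on the BIND line
    failures = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["conn"], rec["op"])
        if rec["verb"] == "BIND" and rec["fields"].get("method") == "sasl":
            pending[key] = rec["fields"].get("mech", "?")
        elif rec["verb"] == "RESULT" and key in pending:
            err = int(rec["fields"].get("err", -1))
            mech = pending.pop(key)
            if err in (0, 14):   # success, or a multi-step bind still in flight
                continue
            failures.append({
                "ts": rec["ts"], "conn": rec["conn"], "op": rec["op"],
                "mech": mech, "err": err,
                "name": LDAP_RESULT_NAMES.get(err, "unknown"),
                "hint": HINTS.get(err, "see RFC 4511 for this result code"),
            })
    return failures


if __name__ == "__main__":
    for f in find_sasl_bind_failures(SAMPLE_LOG):
        print(f"{f['ts']} conn={f['conn']} op={f['op']} mech={f['mech']} "
              f"err={f['err']} ({f['name']}): {f['hint']}")
```

Run against a real access log by replacing SAMPLE_LOG with the file contents; the conn/op pairing matters because a GSSAPI bind normally takes more than one round trip, so a RESULT with err=14 on the first op is expected and only the final RESULT decides whether the bind failed.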

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
