[Fedora-directory-users] ldapadd with Kerberos

Andrey Ivanov Andrey.Ivanov at polytechnique.fr
Mon Jul 3 08:32:54 UTC 2006


Hi,


There is something I can't explain concerning the interaction of
ldapadd & ldapsearch (from OpenLDAP) with FDS while using Kerberos.


Here is what I do:

1. kinit User.Name
...
2. Verification with klist: OK, I have the Kerberos ticket

3. Verification with ldapsearch works without any problem, giving all the necessary info:

ldapsearch -Y GSSAPI  'sn=toto*'
SASL/GSSAPI authentication started
SASL username: User.Name at KRB-FDS
SASL SSF: 56
SASL installing layers
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: sn=aic*
# requesting: userPassword 
.... infos ...

4. The problem appears when I try to use ldapadd/ldapmodify with some
LDIF files (apparently, these files should be larger than some
critical value to produce the error).


Here is an example of such an LDIF:

test.ldif:
dn: cn=Gilles Martin,ou=CMLS,ou=Laboratoires,o=Some Organization,dc=fds-example,dc=domain,dc=com
givenName: Gilles
sn: Martin
telephoneNumber: 00 00
loginShell: /bin/bash
departmentNumber: LAB CMLS
physicalDeliveryOfficeName: 402:10-02
uidNumber: 3090
gidNumber: 3000
mail: gilles.martin at some-organization.domain.com
displayName: Gilles Martin (M.)
uid: Gilles.Martin
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
gecos: Gilles Martin,LAB CMLS ,PERSONNEL DE RECHERCHE
cn: Gilles Martin
title: PERSONNEL DE RECHERCHE
homeDirectory: /home/CMLS/Gilles.Martin
userPassword: {clear}Gilles.Martin



When I try to add this entry using ldapadd or ldapmodify with Kerberos:

[root at workstation ~]# ldapadd -Y GSSAPI -v -f test.ldif -H ldap://fds-example.domain.com
ldap_initialize( ldap://fds-example.domain.com )
SASL/GSSAPI authentication started
SASL username: User.Name at KRB-FDS
SASL SSF: 56
SASL installing layers
add givenName:
        Gilles
add sn:
        Martin
add telephoneNumber:
        00 00
add loginShell:
        /bin/bash
add departmentNumber:
        LAB CMLS
add physicalDeliveryOfficeName:
        402:10-02
add uidNumber:
        3090
add gidNumber:
        3000
add mail:
        gilles.martin at some-organization.domain.com
add displayName:
        Gilles Martin (M.)
add uid:
        Gilles.Martin
add objectClass:
        top
        person
        organizationalPerson
        inetorgperson
        posixAccount
add gecos:
        Gilles Martin,LAB CMLS ,PERSONNEL DE RECHERCHE
add cn:
        Gilles Martin
add title:
        PERSONNEL DE RECHERCHE
add homeDirectory:
        /home/CMLS/Gilles.Martin
add userPassword:
        {clear}Gilles.Martin
adding new entry " cn=Gilles Martin,ou=CMLS,ou=Laboratoires,o=Some Organization,dc=fds-example,dc=domain,dc=com"
modify complete
ldap_add: Protocol error (2)
        additional info: decoding error



5. Adding the same entry using simple authentication (plain text or
SSL/TLS) is possible without any problem. The only way of using
Kerberos and ldapadd/ldapmodify is adding the option "-O maxssf=0":

ldapadd -Y GSSAPI -O maxssf=0 -v -f test.ldif -H ldap://fds-example.domain.com

With this command line, the ldapadd adds the entry with success.





Can someone explain to me why ldapsearch works without problem and
ldapadd needs an additional option (this option forbids the double
encryption Kerberos+SSL, if I understand correctly)?

Thank you!
  


Andrey Ivanov
tel +33-(0)1-69-33-99-24
fax +33-(0)1-69-33-99-55

Direction des Systemes d'Information
Ecole Polytechnique
91128 Palaiseau CEDEX
France
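What the "-O maxssf=0" workaround changes at the protocol level, as an added illustration (not part of the original post, nor Cyrus SASL's or FDS's own code): the 4-octet RFC 4752 token that carries the offered security layers and the maximum buffer size, a simplified model of the client's minssf/maxssf choice, and the length-prefixed buffer framing of RFC 4422 section 3.7, where a buffer larger than the limit a peer announced is the kind of input a receiver rejects as a decoding error. The GSS wrap itself is omitted (the per-buffer transform is the identity), and all sizes and payloads are constructed.

```python
import struct

# RFC 4752 security-layer bits exchanged in the last GSSAPI SASL round trip.
NO_SECURITY_LAYER = 0x01  # SSF 0: the only choice left once "-O maxssf=0" is set
INTEGRITY = 0x02          # SSF 1: messages signed, not encrypted
CONFIDENTIALITY = 0x04    # SSF > 1: signed and encrypted (the SSF 56 in the post)

def encode_layer_token(layers, max_buf):
    """4-octet token: one octet of layer bits, three octets of max buffer size."""
    if not 0 <= max_buf <= 0xFFFFFF:
        raise ValueError("max buffer size must fit in 24 bits")
    return struct.pack("!I", (layers << 24) | max_buf)

def decode_layer_token(token):
    """Inverse of encode_layer_token; returns (layer_bits, max_buf)."""
    (value,) = struct.unpack("!I", token)
    return value >> 24, value & 0xFFFFFF

def choose_layer(offered, minssf, maxssf):
    """Simplified client policy (an assumption, not libsasl's code): strongest
    layer maxssf allows; no layer at all only when minssf is 0."""
    if maxssf > 1 and offered & CONFIDENTIALITY:
        return CONFIDENTIALITY
    if maxssf >= 1 and offered & INTEGRITY:
        return INTEGRITY
    if minssf == 0 and offered & NO_SECURITY_LAYER:
        return NO_SECURITY_LAYER
    raise RuntimeError("no security layer satisfies minssf/maxssf")

def frame(chunk):
    """One RFC 4422 security-layer buffer: 4-octet big-endian length + data."""
    return struct.pack("!I", len(chunk)) + chunk

def wrap_frames(payload, peer_max_buf):
    """Split an LDAP PDU so that no buffer exceeds the size the peer announced."""
    return [frame(payload[i:i + peer_max_buf])
            for i in range(0, len(payload), peer_max_buf)]

def unwrap_frames(data, own_max_buf):
    """Receiver: reassemble buffers, rejecting any larger than we announced."""
    out, pos = bytearray(), 0
    while pos < len(data):
        (n,) = struct.unpack("!I", data[pos:pos + 4])  # struct.error if truncated
        if n > own_max_buf:
            raise ValueError(f"decoding error: {n}-octet buffer exceeds max {own_max_buf}")
        chunk = data[pos + 4:pos + 4 + n]
        if len(chunk) != n:
            raise ValueError("decoding error: truncated buffer")
        out += chunk
        pos += 4 + n
    return bytes(out)
```

With the no-security-layer choice, everything after the bind, the {clear} userPassword included, crosses the wire unprotected unless TLS carries the session.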



