[Fedora-directory-users] ldapadd with Kerberos

Richard Megginson rmeggins at redhat.com
Mon Jul 3 15:17:26 UTC 2006


Andrey Ivanov wrote:
> Hi,
>
>
> There is something I can't explain concerning the interaction of
> ldapadd & ldapsearch (from OpenLDAP) with FDS while using Kerberos.
>
>
> Here is what I do:
>
> 1. kinit User.Name
> ...
> 2. Verification with klist: OK, I have the Kerberos ticket.
>
> 3. Verification with ldapsearch works without any problem, giving all the necessary information:
>
> ldapsearch -Y GSSAPI  'sn=toto*'
> SASL/GSSAPI authentication started
> SASL username: User.Name at KRB-FDS
> SASL SSF: 56
> SASL installing layers
> # extended LDIF
> #
> # LDAPv3
> # base <> with scope sub
> # filter: sn=aic*
> # requesting: userPassword 
> .... infos ...
>
> 4. The problem appears when I try to use ldapadd/ldapmodify with some
> LDIF files (apparently, these files have to be larger than some
> critical size to produce the error).
>
>
> Here is an example of such an LDIF:
>
> test.ldif:
> dn: cn=Gilles Martin,ou=CMLS,ou=Laboratoires,o=Some Organization,dc=fds-example,dc=domain,dc=com
> givenName: Gilles
> sn: Martin
> telephoneNumber: 00 00
> loginShell: /bin/bash
> departmentNumber: LAB CMLS
> physicalDeliveryOfficeName: 402:10-02
> uidNumber: 3090
> gidNumber: 3000
> mail: gilles.martin at some-organization.domain.com
> displayName: Gilles Martin (M.)
> uid: Gilles.Martin
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetorgperson
> objectClass: posixAccount
> gecos: Gilles Martin,LAB CMLS ,PERSONNEL DE RECHERCHE
> cn: Gilles Martin
> title: PERSONNEL DE RECHERCHE
> homeDirectory: /home/CMLS/Gilles.Martin
> userPassword: {clear}Gilles.Martin
>
>
>
> When I try to add this entry using ldapadd or ldapmodify with Kerberos:
>
> [root at workstation ~]# ldapadd -Y GSSAPI -v -f test.ldif -H ldap://fds-example.domain.com
> ldap_initialize( ldap://fds-example.domain.com )
> SASL/GSSAPI authentication started
> SASL username: User.Name at KRB-FDS
> SASL SSF: 56
> SASL installing layers
> add givenName:
>         Gilles
> add sn:
>         Martin
> add telephoneNumber:
>         00 00
> add loginShell:
>         /bin/bash
> add departmentNumber:
>         LAB CMLS
> add physicalDeliveryOfficeName:
>         402:10-02
> add uidNumber:
>         3090
> add gidNumber:
>         3000
> add mail:
>         gilles.martin at some-organization.domain.com
> add displayName:
>         Gilles Martin (M.)
> add uid:
>         Gilles.Martin
> add objectClass:
>         top
>         person
>         organizationalPerson
>         inetorgperson
>         posixAccount
> add gecos:
>         Gilles Martin,LAB CMLS ,PERSONNEL DE RECHERCHE
> add cn:
>         Gilles Martin
> add title:
>         PERSONNEL DE RECHERCHE
> add homeDirectory:
>         /home/CMLS/Gilles.Martin
> add userPassword:
>         {clear}Gilles.Martin
> adding new entry " cn=Gilles Martin,ou=CMLS,ou=Laboratoires,o=Some Organization,dc=fds-example,dc=domain,dc=com"
> modify complete
> ldap_add: Protocol error (2)
>         additional info: decoding error
>
>
>
> 5. Adding the same entry using simple authentication (plain text or
> SSL/TLS) works without any problem. The only way to use
> Kerberos with ldapadd/ldapmodify is to add the option "-O maxssf=0":
>
> ldapadd -Y GSSAPI -O maxssf=0 -v -f test.ldif -H ldap://fds-example.domain.com
>
> With this command line, ldapadd adds the entry successfully.
>
>
>
>
>
> Can someone explain to me why ldapsearch works without any problem while
> ldapadd needs an additional option (this option forbids the double
> encryption Kerberos+SSL, if I understand correctly)?
>   
I'm not sure.  Could you post some relevant excerpts from your directory 
server access and error logs?  Be sure to remove any sensitive data from 
them first.
> Thank you!
>   
>
>
> Andrey Ivanov
> tel +33-(0)1-69-33-99-24
> fax +33-(0)1-69-33-99-55
>
> Direction des Systemes d'Information
> Ecole Polytechnique
> 91128 Palaiseau CEDEX
> France
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>   
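Richard asks for access-log excerpts with sensitive data removed. The script below is an added example, not part of this thread and not a tool from the Fedora Directory Server project: it groups access-log lines by connection, keeps only the connections that bound with SASL/GSSAPI and then got a non-zero result (ignoring err=14, "SASL bind in progress", which is normal during the GSSAPI handshake), and masks every RDN value and IPv4 address so the excerpt can be posted while the shape of each DN stays visible. The sample lines are constructed in the style of the FDS/389 access log and are not from the poster's server; the function names and the exact line layout are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of the FDS/389 access log (assumed
# layout, not copied from the poster's server): one GSSAPI connection whose
# ADD fails with err=2 (protocolError, the "Protocol error (2)" ldapadd
# printed), and one simple-bind connection where the same ADD succeeds.
SAMPLE_ACCESS_LOG = """\
[03/Jul/2006:17:10:01 +0200] conn=12 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.20
[03/Jul/2006:17:10:01 +0200] conn=12 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[03/Jul/2006:17:10:01 +0200] conn=12 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[03/Jul/2006:17:10:01 +0200] conn=12 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[03/Jul/2006:17:10:01 +0200] conn=12 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=user.name,ou=people,dc=fds-example,dc=domain,dc=com"
[03/Jul/2006:17:10:02 +0200] conn=12 op=2 ADD dn="cn=Gilles Martin,ou=CMLS,ou=Laboratoires,o=Some Organization,dc=fds-example,dc=domain,dc=com"
[03/Jul/2006:17:10:02 +0200] conn=12 op=2 RESULT err=2 tag=105 nentries=0 etime=0
[03/Jul/2006:17:10:02 +0200] conn=12 op=3 UNBIND
[03/Jul/2006:17:10:02 +0200] conn=12 op=3 fd=64 closed - U1
[03/Jul/2006:17:11:00 +0200] conn=13 fd=65 slot=65 connection from 192.0.2.10 to 192.0.2.20
[03/Jul/2006:17:11:00 +0200] conn=13 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[03/Jul/2006:17:11:00 +0200] conn=13 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[03/Jul/2006:17:11:01 +0200] conn=13 op=1 ADD dn="cn=Gilles Martin,ou=CMLS,ou=Laboratoires,o=Some Organization,dc=fds-example,dc=domain,dc=com"
[03/Jul/2006:17:11:01 +0200] conn=13 op=1 RESULT err=0 tag=105 nentries=0 etime=0
"""

CONN_RE = re.compile(r"\bconn=(\d+)\b")
ERR_RE = re.compile(r"\bRESULT err=(\d+)\b")
DN_RE = re.compile(r'dn="([^"]*)"')
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def group_by_connection(text):
    """Return {conn_id: [lines]}, keeping line order within each connection."""
    conns = defaultdict(list)
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if m:
            conns[int(m.group(1))].append(line)
    return conns


def failing_gssapi_connections(text):
    """Connections that bound with SASL/GSSAPI and then returned an error.

    err=0 is success and err=14 (SASL bind in progress) is the expected
    intermediate result of a multi-step GSSAPI bind, so neither counts.
    """
    selected = {}
    for cid, lines in group_by_connection(text).items():
        used_gssapi = any("method=sasl" in l and "mech=GSSAPI" in l for l in lines)
        errors = [int(m.group(1)) for l in lines for m in [ERR_RE.search(l)] if m]
        if used_gssapi and any(e not in (0, 14) for e in errors):
            selected[cid] = lines
    return selected


def redact(line):
    """Mask every RDN value and IPv4 address in one log line.

    The attribute types are kept (cn=XXX,ou=XXX,...) so readers can still see
    how deep the entry sits and which naming attributes are involved.
    """
    def redact_dn(m):
        dn = m.group(1)
        if not dn:                      # anonymous/SASL initial bind: dn=""
            return m.group(0)
        rdns = [rdn.partition("=")[0].strip() + "=XXX" for rdn in dn.split(",")]
        return 'dn="' + ",".join(rdns) + '"'
    line = DN_RE.sub(redact_dn, line)
    return IP_RE.sub("x.x.x.x", line)


def excerpt_for_posting(text):
    """Redacted lines of every failing GSSAPI connection, ready to paste into a reply."""
    out = []
    for _cid, lines in sorted(failing_gssapi_connections(text).items()):
        out.extend(redact(l) for l in lines)
    return out


if __name__ == "__main__":
    for l in excerpt_for_posting(SAMPLE_ACCESS_LOG):
        print(l)
```

Run it against a real access log with `excerpt_for_posting(open("/var/log/dirsrv/slapd-INSTANCE/access").read())` (path assumed; adjust to the instance). The redaction is deliberately coarse: it hides values, not attribute types, because the type layout is usually what the person reading the excerpt needs and the values are what must not leak.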