[Fedora-directory-users] ldapadd with Kerberos
Richard Megginson
rmeggins at redhat.com
Mon Jul 3 15:17:26 UTC 2006
Andrey Ivanov wrote:
> Hi,
>
>
> There is something I can't explain concerning the interaction of
> ldapadd & ldapsearch (from openldap) with FDS while using kerberos
>
>
> Here is what I do:
>
> 1. kinit User.Name
> ...
> 2. Verification with klist: OK, I have the Kerberos ticket
>
> 3. Verification with ldapsearch works without any problem, giving all the necessary infos:
>
> ldapsearch -Y GSSAPI 'sn=toto*'
> SASL/GSSAPI authentication started
> SASL username: User.Name at KRB-FDS
> SASL SSF: 56
> SASL installing layers
> # extended LDIF
> #
> # LDAPv3
> # base <> with scope sub
> # filter: sn=aic*
> # requesting: userPassword
> .... infos ...
>
> 4. The problem appears when I try to use ldapadd/ldapmodify with some
> ldif files (apparently, these files should be larger than some
> critical value to produce the error)
>
>
> Here is an example of such an ldif
>
> test.ldif:
> dn: cn=Gilles Martin,ou=CMLS,ou=Laboratoires,o=Some Organization,dc=fds-example,dc=domain,dc=com
> givenName: Gilles
> sn: Martin
> telephoneNumber: 00 00
> loginShell: /bin/bash
> departmentNumber: LAB CMLS
> physicalDeliveryOfficeName: 402:10-02
> uidNumber: 3090
> gidNumber: 3000
> mail: gilles.martin at some-organization.domain.com
> displayName: Gilles Martin (M.)
> uid: Gilles.Martin
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetorgperson
> objectClass: posixAccount
> gecos: Gilles Martin,LAB CMLS ,PERSONNEL DE RECHERCHE
> cn: Gilles Martin
> title: PERSONNEL DE RECHERCHE
> homeDirectory: /home/CMLS/Gilles.Martin
> userPassword: {clear}Gilles.Martin
>
>
>
> When I try to add this entry using ldapadd or ldapmodify with Kerberos:
>
> [root at workstation ~]# ldapadd -Y GSSAPI -v -f test.ldif -H ldap://fds-example.domain.com
> ldap_initialize( ldap://fds-example.domain.com )
> SASL/GSSAPI authentication started
> SASL username: User.Name at KRB-FDS
> SASL SSF: 56
> SASL installing layers
> add givenName:
> Gilles
> add sn:
> Martin
> add telephoneNumber:
> 00 00
> add loginShell:
> /bin/bash
> add departmentNumber:
> LAB CMLS
> add physicalDeliveryOfficeName:
> 402:10-02
> add uidNumber:
> 3090
> add gidNumber:
> 3000
> add mail:
> gilles.martin at some-organization.domain.com
> add displayName:
> Gilles Martin (M.)
> add uid:
> Gilles.Martin
> add objectClass:
> top
> person
> organizationalPerson
> inetorgperson
> posixAccount
> add gecos:
> Gilles Martin,LAB CMLS ,PERSONNEL DE RECHERCHE
> add cn:
> Gilles Martin
> add title:
> PERSONNEL DE RECHERCHE
> add homeDirectory:
> /home/CMLS/Gilles.Martin
> add userPassword:
> {clear}Gilles.Martin
> adding new entry " cn=Gilles Martin,ou=CMLS,ou=Laboratoires,o=Some Organization,dc=fds-example,dc=domain,dc=com"
> modify complete
> ldap_add: Protocol error (2)
> additional info: decoding error
>
>
>
> 5. Adding the same entry using simple authentication (plain text or
> SSL/TLS) is possible without any problem. The only way of using
> Kerberos and ldapadd/ldapmodify is adding the option "-O maxssf=0":
>
> ldapadd -Y GSSAPI -O maxssf=0 -v -f test.ldif -H ldap://fds-example.domain.com
>
> With this command line, the ldapadd adds the entry with success.
>
>
>
>
>
> Can someone explain to me why ldapsearch works without problem and
> ldapadd needs an additional option (this option forbids the double
> encryption Kerberos+SSL if I understand correctly)?
>
I'm not sure. Could you post some relevant excerpts from your directory
server access and error logs? Be sure to remove any sensitive data from
them first.
> Thank you!
>
>
>
> Andrey Ivanov
> tel +33-(0)1-69-33-99-24
> fax +33-(0)1-69-33-99-55
>
> Direction des Systemes d'Information
> Ecole Polytechnique
> 91128 Palaiseau CEDEX
> France
>
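Since the poster sees the failure only with larger LDIF files and only while a SASL security layer is active, one thing worth checking is the size of the single encoded add request against the security layer's negotiated buffer limit: RFC 4422 frames every protected buffer with a 4-byte length, and each side advertises a maximum it will accept. The script below is an added example, not code from the thread or from Fedora Directory Server: it BER-encodes an LDAP AddRequest (RFC 4511) from a shortened, constructed LDIF entry and applies that framing check; the 65536-byte limit and the entry itself are assumptions, not values taken from the thread.

```python
# Assumed SASL buffer limit (a common default); the real value is negotiated
# per connection and is not stated anywhere in the thread.
SASL_MAXBUF = 65536


def ber_len(n):
    """BER length: short form below 128, otherwise 0x8N then N length bytes."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    """Wrap a payload in a BER tag-length-value triple."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def parse_ldif(text):
    """Parse one LDIF entry into (dn, {attr: [values]}); dict keeps LDIF order."""
    dn, attrs = None, {}
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if not sep or line.startswith("#"):
            continue
        if key == "dn":
            dn = val.strip()
        else:
            attrs.setdefault(key, []).append(val.strip())
    return dn, attrs


def add_request(dn, attrs, msgid=1):
    """BER-encode LDAPMessage { messageID, AddRequest } as in RFC 4511."""
    attr_list = b"".join(
        tlv(0x30, tlv(0x04, k.encode()) +
            tlv(0x31, b"".join(tlv(0x04, v.encode()) for v in vals)))
        for k, vals in attrs.items())
    op = tlv(0x68, tlv(0x04, dn.encode()) + tlv(0x30, attr_list))  # [APPLICATION 8]
    return tlv(0x30, tlv(0x02, bytes([msgid])) + op)


def sasl_frame(pdu, maxbuf=SASL_MAXBUF):
    """RFC 4422 security-layer framing: 4-byte length prefix, one PDU per buffer."""
    if len(pdu) > maxbuf:
        raise ValueError(f"PDU of {len(pdu)} bytes exceeds SASL maxbuf {maxbuf}")
    return len(pdu).to_bytes(4, "big") + pdu


# Constructed, shortened version of the poster's test.ldif (hypothetical DN).
SAMPLE_LDIF = """\
dn: cn=Gilles Martin,ou=CMLS,dc=fds-example,dc=domain,dc=com
objectClass: top
objectClass: person
cn: Gilles Martin
sn: Martin
"""
```

Running `sasl_frame(add_request(*parse_ldif(open("test.ldif").read())))` against the real file and the limit your server negotiates tells you whether the request fits a single protected buffer before the client wraps it.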