[Fedora-directory-users] ldapadd with Kerberos

Andrey Ivanov Andrey.Ivanov at polytechnique.fr
Tue Jul 4 08:37:02 UTC 2006

>> 5. Adding the same entry using simple authentication (plain text or
>> SSL/TLS) is possible without any problem. The only way of using
>> Kerberos and ldapadd/ldapmodify is adding the option "-O maxssf=0":
>> ldapadd -Y GSSAPI -O maxssf=0 -v -f test.ldif -H ldap://fds-example.domain.com
>> With this command line, the ldapadd adds the entry with success.
>> Can someone explain to me why ldapsearch works without problem and
>> ldapadd needs an additional option (this option forbids the double
>> encryption Kerberos+SSL if I understand correctly)?
RM> I'm not sure.  Could you post some relevant excerpts from your directory
RM> server access and error logs?  Be sure to remove any sensitive data from
RM> them first.
The logs do not reveal anything special - it's the same error (2 -
protocol error). FDS 1.0.2. ldapadd/ldapmodify are the
RPM versions from FC2, FC3, FC4 (I've tested both)

ldapadd -Y GSSAPI -v -f test.ldif -H ldap://fds-example.domain.com

Access logs:

[29/Jun/2006:20:38:47 +0200] conn=225 fd=64 slot=64 connection from xxx.xxx.xxx.xxx to yyy.yyy.yyy.yyy
[29/Jun/2006:20:38:48 +0200] conn=225 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[29/Jun/2006:20:38:48 +0200] conn=225 op=0 RESULT err=14 tag=97 nentries=0 etime=0.013000, SASL bind in progress
[29/Jun/2006:20:38:48 +0200] conn=225 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[29/Jun/2006:20:38:48 +0200] conn=225 op=1 RESULT err=14 tag=97 nentries=0 etime=0.000000, SASL bind in progress
[29/Jun/2006:20:38:48 +0200] conn=225 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[29/Jun/2006:20:38:48 +0200] conn=Internal op=-1 SRCH base="dc=fds-example,dc=domain,dc=com" scope=2 filter="(&(uid=User.Name))" attrs=ALL
[29/Jun/2006:20:38:48 +0200] conn=Internal op=-1 RESULT err=0 tag=48 nentries=1 etime=0.001000
[29/Jun/2006:20:38:48 +0200] conn=Internal op=-1 SRCH base="o=NetscapeRoot" scope=2 filter="(&(uid=User.Name))" attrs=ALL
[29/Jun/2006:20:38:48 +0200] conn=Internal op=-1 RESULT err=0 tag=48 nentries=0 etime=0.000000
[29/Jun/2006:20:38:48 +0200] conn=Internal op=-1 SRCH base="cn=user name,ou=cmap,ou=laboratoires,o=Some Organization,dc=fds-example,dc=domain,dc=com" scope=0 filter="(|(objectclass=*)(objectclass=ldapsubentry))" attrs=ALL
[29/Jun/2006:20:38:48 +0200] conn=Internal op=-1 RESULT err=0 tag=48 nentries=1 etime=0.000000
[29/Jun/2006:20:38:48 +0200] conn=225 op=2 RESULT err=0 tag=97 nentries=0 etime=0.002000 dn="cn=user name,ou=cmap,ou=laboratoires,o=Some Organization,dc=fds-example,dc=domain,dc=com"
[29/Jun/2006:20:38:48 +0200] conn=225 op=3 ADD dn="cn=Gilles Martin,ou=CMLS,ou=Laboratoires,o=Some Organization,dc=fds-example,dc=domain,dc=com", decoding error
[29/Jun/2006:20:38:48 +0200] conn=225 op=3 RESULT err=2 tag=105 nentries=0 etime=0.000000
[29/Jun/2006:20:38:48 +0200] conn=225 op=4 UNBIND
[29/Jun/2006:20:38:48 +0200] conn=225 op=4 fd=64 closed - U1

And there is nothing in the error logs....

What may be important is the size of the LDIF file. The error pops up for this file:

dn: cn=Gilles Martin,ou=CMLS,ou=Laboratoires,o=Some Organization,dc=fds-example,dc=domain,dc=com
givenName: Gilles
sn: Martin
telephoneNumber: 00 00
loginShell: /bin/bash
departmentNumber: LAB CMLS
physicalDeliveryOfficeName: 402:10-02
uidNumber: 3090
gidNumber: 3000
mail: gilles.martin at some-organization.domain.com
displayName: Gilles Martin (M.)
uid: Gilles.Martin
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
cn: Gilles Martin
homeDirectory: /home/CMLS/Gilles.Martin
userPassword: {clear}Gilles.Martin

But everything goes smoothly for this one:

dn: cn=Gilles Martin,ou=CMLS,ou=Laboratoires,o=Some Organization,dc=fds-example,dc=domain,dc=com
givenName: Gilles
sn: Martin
#telephoneNumber: 00 00
loginShell: /bin/bash
#departmentNumber: LAB CMLS
#physicalDeliveryOfficeName: 402:10-02
uidNumber: 3090
gidNumber: 3000
#mail: gilles.martin at some-organization.domain.com
#displayName: Gilles Martin (M.)
uid: Gilles.Martin
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
cn: Gilles Martin
homeDirectory: /home/CMLS/Gilles.Martin
userPassword: {clear}Gilles.Martin

Both files are correctly imported with ldapadd -Y GSSAPI -O maxssf=0 -v -f test.ldif -H ldap://fds-example.domain.com

Andrey Ivanov
tel +33-(0)1-69-33-99-24
fax +33-(0)1-69-33-99-55

Direction des Systemes d'Information
Ecole Polytechnique
91128 Palaiseau CEDEX
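An added diagnostic for the access-log pattern above, written by the editor and not part of the post or of Fedora Directory Server: it groups the server's access-log lines per connection, records how each connection bound (SASL mechanism, or a simple bind), and flags operations the server rejected with err=2 (LDAP protocolError) after the bind had completed, as the ADD at conn=225 op=3 was. The sample lines are constructed from the post's excerpt (hosts masked, DNs shortened) plus a second, simple-bind connection whose ADD succeeds, which the post describes but does not log; treating method=128 as a simple bind is an assumption about this log format. One caveat the post itself implies: -O maxssf=0 makes the GSSAPI bind negotiate no SASL security layer, so the add goes through, but everything after the bind, including the cleartext userPassword in the LDIF, crosses the wire unprotected unless the connection also runs over TLS.

```python
"""Correlate Fedora/389 Directory Server access-log lines per connection and
flag operations rejected with err=2 (protocolError) after the bind completed.

Added diagnostic example by the editor; not code from the mailing-list post
and not part of Fedora Directory Server. LDAP result codes used below:
0 = success, 2 = protocolError, 14 = saslBindInProgress.
"""
import re
from collections import defaultdict

# Constructed sample: the post's access-log excerpt (hosts masked, DNs
# shortened) followed by a constructed simple-bind connection that succeeds.
SAMPLE_LOG = """\
[29/Jun/2006:20:38:47 +0200] conn=225 fd=64 slot=64 connection from 10.0.0.1 to 10.0.0.2
[29/Jun/2006:20:38:48 +0200] conn=225 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[29/Jun/2006:20:38:48 +0200] conn=225 op=0 RESULT err=14 tag=97 nentries=0 etime=0.013000, SASL bind in progress
[29/Jun/2006:20:38:48 +0200] conn=225 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[29/Jun/2006:20:38:48 +0200] conn=225 op=1 RESULT err=14 tag=97 nentries=0 etime=0.000000, SASL bind in progress
[29/Jun/2006:20:38:48 +0200] conn=225 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[29/Jun/2006:20:38:48 +0200] conn=Internal op=-1 SRCH base="dc=example,dc=com" scope=2 filter="(&(uid=User.Name))" attrs=ALL
[29/Jun/2006:20:38:48 +0200] conn=Internal op=-1 RESULT err=0 tag=48 nentries=1 etime=0.001000
[29/Jun/2006:20:38:48 +0200] conn=225 op=2 RESULT err=0 tag=97 nentries=0 etime=0.002000 dn="cn=user name,ou=cmap,o=Some Organization,dc=example,dc=com"
[29/Jun/2006:20:38:48 +0200] conn=225 op=3 ADD dn="cn=Gilles Martin,ou=CMLS,o=Some Organization,dc=example,dc=com", decoding error
[29/Jun/2006:20:38:48 +0200] conn=225 op=3 RESULT err=2 tag=105 nentries=0 etime=0.000000
[29/Jun/2006:20:38:48 +0200] conn=225 op=4 UNBIND
[29/Jun/2006:20:38:48 +0200] conn=225 op=4 fd=64 closed - U1
[29/Jun/2006:20:40:00 +0200] conn=226 fd=65 slot=65 connection from 10.0.0.1 to 10.0.0.2
[29/Jun/2006:20:40:00 +0200] conn=226 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[29/Jun/2006:20:40:00 +0200] conn=226 op=0 RESULT err=0 tag=97 nentries=0 etime=0.000000
[29/Jun/2006:20:40:01 +0200] conn=226 op=1 ADD dn="cn=Gilles Martin,ou=CMLS,o=Some Organization,dc=example,dc=com"
[29/Jun/2006:20:40:01 +0200] conn=226 op=1 RESULT err=0 tag=105 nentries=0 etime=0.001000
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\S+) (?:op=(?P<op>-?\d+) )?(?P<rest>.*)$')
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)" method=(?P<method>\S+)(?: version=\d+)?(?: mech=(?P<mech>\S+))?')
ERR_RE = re.compile(r'\berr=(?P<err>\d+)')
DN_RE = re.compile(r'dn="(?P<dn>[^"]*)"')


def parse_access_log(text):
    """Return {conn_id: {"mech": ..., "bound_as": ..., "ops": {op: record}}}."""
    conns = defaultdict(lambda: {"mech": None, "bound_as": None, "ops": {}})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("conn") == "Internal":
            continue  # server-internal searches are not client operations
        conn, op, rest = m.group("conn"), m.group("op"), m.group("rest")
        if op is None or rest.startswith("fd="):
            continue  # connection open/close bookkeeping lines
        state = conns[conn]
        if rest.startswith("BIND "):
            b = BIND_RE.match(rest)
            rec = {"type": "BIND", "err": None, "note": "", "dn": ""}
            if b:
                rec["dn"] = b.group("dn")
                # Assumption: method=128 is how this log format marks a simple bind.
                state["mech"] = b.group("mech") or ("simple" if b.group("method") == "128" else b.group("method"))
            state["ops"][op] = rec
        elif rest.startswith("RESULT "):
            e = ERR_RE.search(rest)
            rec = state["ops"].setdefault(op, {"type": "?", "err": None, "note": "", "dn": ""})
            rec["err"] = int(e.group("err")) if e else None
            if rec["type"] == "BIND" and rec["err"] == 0:
                # SASL binds report the mapped identity on the RESULT line;
                # simple binds carry it on the BIND line.
                d = DN_RE.search(rest)
                state["bound_as"] = d.group("dn") if d else rec["dn"]
        else:
            optype = rest.split(" ", 1)[0]
            note = "decoding error" if "decoding error" in rest else ""
            state["ops"][op] = {"type": optype, "err": None, "note": note, "dn": ""}
    return conns


def find_decoding_failures(conns):
    """Non-bind operations rejected with err=2, tagged with how the connection bound."""
    found = []
    for conn, state in sorted(conns.items()):
        for op, rec in sorted(state["ops"].items(), key=lambda kv: int(kv[0])):
            if rec["type"] != "BIND" and rec["err"] == 2:
                found.append((conn, state["mech"], state["bound_as"], op, rec["type"], rec["note"]))
    return found


if __name__ == "__main__":
    for conn, mech, who, op, optype, note in find_decoding_failures(parse_access_log(SAMPLE_LOG)):
        print(f"conn={conn} bound via {mech} as {who!r}: op={op} {optype} rejected with err=2 ({note or 'protocolError'})")
```

Run against a real access log by replacing SAMPLE_LOG with the file contents; a GSSAPI-bound connection in the output next to a simple-bound one that adds the same DN cleanly is the pattern the post describes, and narrows the problem to the SASL-protected session rather than to the entry or the ACIs.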
