I've only just started playing with kerberos and sasl. So I'm not 100% sure if this is normal behavior.

My ldapsearch's work, but on the server, I need 3 bind attempts before actually binding successfully. The first 2 throw err=14 SASL bind in progress, then the third always works.


>From the server
[06/Oct/2010:16:55:47 +0000] conn=16 fd=64 slot=64 connection from 192.xx.xxx.xxx to 192.xx.xxx.xxx
[06/Oct/2010:16:55:47 +0000] conn=16 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[06/Oct/2010:16:55:47 +0000] conn=16 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[06/Oct/2010:16:55:47 +0000] conn=16 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[06/Oct/2010:16:55:47 +0000] conn=16 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[06/Oct/2010:16:55:47 +0000] conn=16 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[06/Oct/2010:16:55:47 +0000] conn=16 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=ryan,ou=people,dc=xxx,dc=xx,dc=xx,dc=xx"
[06/Oct/2010:16:55:47 +0000] conn=16 op=3 SRCH base="dc=xxx,dc=xx,dc=xx,dc=xx" scope=2 filter="(objectClass=*)" attrs=ALL
[06/Oct/2010:16:55:47 +0000] conn=16 op=3 RESULT err=0 tag=101 nentries=10 etime=0 notes=U
[06/Oct/2010:16:55:47 +0000] conn=16 op=4 UNBIND
[06/Oct/2010:16:55:47 +0000] conn=16 op=4 fd=64 closed - U1

and the client
ryan@krbclient:~$ ldapsearch -Y GSSAPI -h kerberos -b "dc=xxx,dc=xx,dc=xx,dc=xx" "objectclass=*"
SASL/GSSAPI authentication started
SASL username: ryan@XXX.XX.XX.XX
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=xxx,dc=xx,dc=xx,dc=xx> with scope subtree
# filter: objectclass=*
# requesting: ALL
#

# xxx.xx.xx.xx
dn: dc=xxx,dc=xx,dc=xx,dc=xx
objectClass: top
objectClass: domain
dc: isb

# Directory Administrators, xxx.xx.xx.xx
dn: cn=Directory Administrators,dc=xxx,dc=xx,dc=xx,dc=xx
objectClass: top
objectClass: groupofuniquenames
cn: Directory Administrators
uniqueMember: cn=Directory Manager

# Groups, xxx.xx.xx.xx
dn: ou=Groups,dc=xxx,dc=xx,dc=xx,dc=xx
objectClass: top
objectClass: organizationalunit
ou: Groups

# People, xxx.xx.xx.xx
dn: ou=People,dc=xxx,dc=xx,dc=xx,dc=xx
objectClass: top
objectClass: organizationalunit
ou: People

# Special Users, xxx.xx.xx.xx
dn: ou=Special Users,dc=xxx,dc=xx,dc=xx,dc=xx
objectClass: top
objectClass: organizationalUnit
ou: Special Users
description: Special Administrative Accounts

# Accounting Managers, Groups, xxx.xx.xx.xx
dn: cn=Accounting Managers,ou=Groups,dc=xxx,dc=xx,dc=xx,dc=xx
objectClass: top
objectClass: groupOfUniqueNames
cn: Accounting Managers
ou: groups
description: People who can manage accounting entries
uniqueMember: cn=Directory Manager

# HR Managers, Groups, xxx.xx.xx.xx
dn: cn=HR Managers,ou=Groups,dc=xxx,dc=xx,dc=xx,dc=xx
objectClass: top
objectClass: groupOfUniqueNames
cn: HR Managers
ou: groups
description: People who can manage HR entries
uniqueMember: cn=Directory Manager

# QA Managers, Groups, xxx.xx.xx.xx
dn: cn=QA Managers,ou=Groups,dc=xxx,dc=xx,dc=xx,dc=xx
objectClass: top
objectClass: groupOfUniqueNames
cn: QA Managers
ou: groups
description: People who can manage QA entries
uniqueMember: cn=Directory Manager

# PD Managers, Groups, xxx.xx.xx.xx
dn: cn=PD Managers,ou=Groups,dc=xxx,dc=xx,dc=xx,dc=xx
objectClass: top
objectClass: groupOfUniqueNames
cn: PD Managers
ou: groups
description: People who can manage engineer entries
uniqueMember: cn=Directory Manager

# ryan, People, xxx.xx.xx.xx
dn: uid=ryan,ou=People,dc=xxx,dc=xx,dc=xx,dc=xx
uid: ryan
givenName: ryan
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: braun
cn: ryan

# search result
search: 4
result: 0 Success

# numResponses: 11
# numEntries: 10


Ryan Braun
Aviation and Defence Services Division
Chief Information Officer Branch, Environment Canada
CIV: 204-833-2500x2625 CSN: 257-2625 FAX: 204-833-2558
E-Mail: Ryan.Braun@ec.gc.ca

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users