Linux Archive

Rich Megginson 10-06-2010 05:17 PM

err=14 when binding with kerberos/sasl, normal behavior?
 
Ryan Braun [ADS] wrote:
> I've only just started playing with kerberos and sasl. So I'm not 100% sure if this is normal behavior.
>
> My ldapsearches work, but on the server, I need 3 bind attempts before actually binding successfully. The first 2 throw err=14 SASL bind in progress, then the third always works.
>
Right. This is normal. err=14 means SASL_BIND_IN_PROGRESS. This SASL
mechanism uses a challenge/response which requires a couple of
roundtrips between the client and server.
>
> From the server
> [06/Oct/2010:16:55:47 +0000] conn=16 fd=64 slot=64 connection from 192.xx.xxx.xxx to 192.xx.xxx.xxx
> [06/Oct/2010:16:55:47 +0000] conn=16 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
> [06/Oct/2010:16:55:47 +0000] conn=16 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
> [06/Oct/2010:16:55:47 +0000] conn=16 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
> [06/Oct/2010:16:55:47 +0000] conn=16 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
> [06/Oct/2010:16:55:47 +0000] conn=16 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
> [06/Oct/2010:16:55:47 +0000] conn=16 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=ryan,ou=people,dc=xxx,dc=xx,dc=xx,dc=xx"
> [06/Oct/2010:16:55:47 +0000] conn=16 op=3 SRCH base="dc=xxx,dc=xx,dc=xx,dc=xx" scope=2 filter="(objectClass=*)" attrs=ALL
> [06/Oct/2010:16:55:47 +0000] conn=16 op=3 RESULT err=0 tag=101 nentries=10 etime=0 notes=U
> [06/Oct/2010:16:55:47 +0000] conn=16 op=4 UNBIND
> [06/Oct/2010:16:55:47 +0000] conn=16 op=4 fd=64 closed - U1
>
> and the client
> ryan@krbclient:~$ ldapsearch -Y GSSAPI -h kerberos -b "dc=xxx,dc=xx,dc=xx,dc=xx" "objectclass=*"
> SASL/GSSAPI authentication started
> SASL username: ryan@XXX.XX.XX.XX
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base <dc=xxx,dc=xx,dc=xx,dc=xx> with scope subtree
> # filter: objectclass=*
> # requesting: ALL
> #
>
> # xxx.xx.xx.xx
> dn: dc=xxx,dc=xx,dc=xx,dc=xx
> objectClass: top
> objectClass: domain
> dc: isb
>
> # Directory Administrators, xxx.xx.xx.xx
> dn: cn=Directory Administrators,dc=xxx,dc=xx,dc=xx,dc=xx
> objectClass: top
> objectClass: groupofuniquenames
> cn: Directory Administrators
> uniqueMember: cn=Directory Manager
>
> # Groups, xxx.xx.xx.xx
> dn: ou=Groups,dc=xxx,dc=xx,dc=xx,dc=xx
> objectClass: top
> objectClass: organizationalunit
> ou: Groups
>
> # People, xxx.xx.xx.xx
> dn: ou=People,dc=xxx,dc=xx,dc=xx,dc=xx
> objectClass: top
> objectClass: organizationalunit
> ou: People
>
> # Special Users, xxx.xx.xx.xx
> dn: ou=Special Users,dc=xxx,dc=xx,dc=xx,dc=xx
> objectClass: top
> objectClass: organizationalUnit
> ou: Special Users
> description: Special Administrative Accounts
>
> # Accounting Managers, Groups, xxx.xx.xx.xx
> dn: cn=Accounting Managers,ou=Groups,dc=xxx,dc=xx,dc=xx,dc=xx
> objectClass: top
> objectClass: groupOfUniqueNames
> cn: Accounting Managers
> ou: groups
> description: People who can manage accounting entries
> uniqueMember: cn=Directory Manager
>
> # HR Managers, Groups, xxx.xx.xx.xx
> dn: cn=HR Managers,ou=Groups,dc=xxx,dc=xx,dc=xx,dc=xx
> objectClass: top
> objectClass: groupOfUniqueNames
> cn: HR Managers
> ou: groups
> description: People who can manage HR entries
> uniqueMember: cn=Directory Manager
>
> # QA Managers, Groups, xxx.xx.xx.xx
> dn: cn=QA Managers,ou=Groups,dc=xxx,dc=xx,dc=xx,dc=xx
> objectClass: top
> objectClass: groupOfUniqueNames
> cn: QA Managers
> ou: groups
> description: People who can manage QA entries
> uniqueMember: cn=Directory Manager
>
> # PD Managers, Groups, xxx.xx.xx.xx
> dn: cn=PD Managers,ou=Groups,dc=xxx,dc=xx,dc=xx,dc=xx
> objectClass: top
> objectClass: groupOfUniqueNames
> cn: PD Managers
> ou: groups
> description: People who can manage engineer entries
> uniqueMember: cn=Directory Manager
>
> # ryan, People, xxx.xx.xx.xx
> dn: uid=ryan,ou=People,dc=xxx,dc=xx,dc=xx,dc=xx
> uid: ryan
> givenName: ryan
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetorgperson
> sn: braun
> cn: ryan
>
> # search result
> search: 4
> result: 0 Success
>
> # numResponses: 11
> # numEntries: 10
>
>
> Ryan Braun
> Aviation and Defence Services Division
> Chief Information Officer Branch, Environment Canada
> CIV: 204-833-2500x2625 CSN: 257-2625 FAX: 204-833-2558
> E-Mail: Ryan.Braun@ec.gc.ca
>
> --
> 389 users mailing list
> 389-users@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>

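
Because the three BIND/RESULT pairs in the access log above are one logical GSSAPI authentication, log analysis that counts bind failures should collapse the err=14 rounds instead of treating them as failed attempts. The following is an added example, not part of the original thread: it groups SASL rounds per connection and reports one outcome per bind. The conn=17 and conn=18 lines (a bind rejected with err=49, invalidCredentials, and a connection closed mid-handshake) are constructed for illustration.

```python
import re

# conn=16 lines are the access log quoted in the post; conn=17 and conn=18 are
# constructed here to show a rejected bind and an abandoned handshake.
SAMPLE_LOG = """\
[06/Oct/2010:16:55:47 +0000] conn=16 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[06/Oct/2010:16:55:47 +0000] conn=16 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[06/Oct/2010:16:55:47 +0000] conn=16 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[06/Oct/2010:16:55:47 +0000] conn=16 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[06/Oct/2010:16:55:47 +0000] conn=16 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[06/Oct/2010:16:55:47 +0000] conn=16 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=ryan,ou=people,dc=xxx,dc=xx,dc=xx,dc=xx"
[06/Oct/2010:16:56:02 +0000] conn=17 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[06/Oct/2010:16:56:02 +0000] conn=17 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[06/Oct/2010:16:56:02 +0000] conn=17 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[06/Oct/2010:16:56:02 +0000] conn=17 op=1 RESULT err=49 tag=97 nentries=0 etime=0
[06/Oct/2010:16:56:09 +0000] conn=18 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[06/Oct/2010:16:56:09 +0000] conn=18 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[06/Oct/2010:16:56:09 +0000] conn=18 op=-1 fd=66 closed - B1
"""

BIND = re.compile(r'conn=(\d+) op=(\d+) BIND .*method=sasl.* mech=(\S+)')
RESULT = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+) tag=97\b(?:.* dn="([^"]*)")?')
CLOSED = re.compile(r'conn=(\d+) op=-?\d+ fd=\d+ closed')

def summarize_sasl_binds(log_text):
    """Collapse each multi-round SASL bind into (conn, mech, rounds, outcome, dn)."""
    mech_of, rounds, binds = {}, {}, []
    for line in log_text.splitlines():
        if m := BIND.search(line):
            mech_of[m[1], m[2]] = m[3]          # remember mech for this conn/op
        elif (m := RESULT.search(line)) and (m[1], m[2]) in mech_of:
            conn, mech, err = m[1], mech_of.pop((m[1], m[2])), int(m[3])
            rounds[conn] = (mech, rounds.get(conn, (mech, 0))[1] + 1)
            if err == 14:                       # SASL bind in progress: keep going
                continue
            outcome = "success" if err == 0 else f"failed err={err}"
            binds.append((int(conn), mech, rounds.pop(conn)[1], outcome, m[4]))
        elif (m := CLOSED.search(line)) and m[1] in rounds:
            mech, n = rounds.pop(m[1])          # closed before a final result
            binds.append((int(m[1]), mech, n, "incomplete", None))
    return binds

if __name__ == "__main__":
    for bind in summarize_sasl_binds(SAMPLE_LOG):
        print(bind)
```

Only the "failed" and "incomplete" outcomes are worth alerting on; a bind that ends in err=0 after several err=14 rounds is the normal exchange described in the reply.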