directory-dev mailing list archives

From "Emmanuel Lecharny (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DIRSERVER-2205) ldap tools don't work with gssapi sasl
Date Tue, 01 Aug 2017 15:31:00 GMT

    [ https://issues.apache.org/jira/browse/DIRSERVER-2205?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16109084#comment-16109084 ]

Emmanuel Lecharny commented on DIRSERVER-2205:
----------------------------------------------

Strange...

AFAICT, 'Message stream modified' means:

"Cause:

There was a mismatch between the computed checksum and the message checksum. The message might have been modified while in transit, which can indicate a security leak.

Solution:

Make sure that the messages are being sent across the network correctly. Because this message can also indicate the possible tampering of messages while they are being sent, destroy your tickets using kdestroy and reinitialize the Kerberos services that you are using."

But you are running everything locally :/

Can you set the LDAP server logs to DEBUG and attach the logs to the ticket? I'd like to see what we get on the server.

> ldap tools don't work with gssapi sasl 
> ---------------------------------------
>
>                 Key: DIRSERVER-2205
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-2205
>             Project: Directory ApacheDS
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 2.0.0-M24
>         Environment: Linux Centos 7 x64
> ApacheDS 2.0.0-M4
> openJDK
> krb5-workstation
> openldap-clients
>            Reporter: Alex Duzsardi
>
> Hi,
> I successfully installed ApacheDS, was able to start and configure the service, and set up Kerberos authentication.
> It works without problem from ApacheDS Studio, I can log in with GSSAPI, but can't say the same for the local ldap tools (openldap-clients).
> I can't get a TGT from Kerberos with kinit. I've exported the ldap service principal using ktutil and saved it as /etc/krb5.keytab, configured krb5.conf, configured ldap.conf.
> Hostnames are configured statically through /etc/hosts, actually only one host, as the server is also the client (LAN_IP example.com; ldap/example.com@EXAMPLE.COM got exported with ktutil).
> [root@example ~]# cat /etc/krb5.conf
> [libdefaults]
>     default_realm = EXAMPLE.COM
> #    rdns = false
> [realms]
>     EXAMPLE.COM = {
>         kdc = example.com:60088
>         default_domain = EXAMPLE.COM
>     }
> [domain_realm]
>          example.com = EXAMPLE.COM
>         .example.com = EXAMPLE.COM
> ------------------------------------------------------------------------
> [root@example ~]# klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 ldap/EXAMPLE.COM@EXAMPLE.COM
> [root@example ~]#
> --------------------------------------------------------------------------------
> [root@example ~]# kinit hnelson
> Password for hnelson@EXAMPLE.COM:
> [root@example ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: hnelson@EXAMPLE.COM
> Valid starting       Expires              Service principal
> 07/31/2017 20:54:48  08/01/2017 20:54:38  krbtgt/EXAMPLE.COM@EXAMPLE.COM
> [root@example ~]#
> [root@example ~]# ldapsearch -Y GSSAPI -H ldap://example.com:10389 -b "dc=example,dc=com" "(uid=hnelson)"
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
>         additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Message stream modified)



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
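A check worth running before turning on server DEBUG logs: the `klist -k` listing quoted above shows the keytab entry `ldap/EXAMPLE.COM@EXAMPLE.COM`, while the report says `ldap/example.com@EXAMPLE.COM` was exported and the ldapsearch URL names the host `example.com`. The script below is an added example, not code from the ticket or from ApacheDS; it parses a `klist -k` listing and a krb5.conf `[domain_realm]` mapping (both constructed here from the quoted output), derives the `ldap/<host>@<REALM>` principal GSSAPI would request for the URL's host (before any DNS canonicalization), and reports whether the keytab holds it exactly, only in a differently-cased form, or not at all. Kerberos principal names are case-sensitive, so a case-only hit is not a usable key.

```python
import re

# Constructed sample input: the `klist -k` listing quoted in the report above.
KLIST_K_OUTPUT = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 ldap/EXAMPLE.COM@EXAMPLE.COM
"""
# Constructed sample: the [domain_realm] mappings from the quoted krb5.conf.
DOMAIN_REALM = {"example.com": "EXAMPLE.COM", ".example.com": "EXAMPLE.COM"}

def keytab_principals(klist_output):
    """Principal names in `klist -k` output; header and rule lines are skipped."""
    principals = []
    for line in klist_output.splitlines():
        m = re.match(r"^\s*\d+\s+(\S+)$", line)  # "<KVNO> <principal>"
        if m:
            principals.append(m.group(1))
    return principals

def realm_for_host(host, domain_realm):
    """[domain_realm] lookup: exact host first, then each parent domain as '.suffix'."""
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    return None  # no mapping; libkrb5 would try other realm lookups

def expected_ldap_spn(ldap_url, domain_realm):
    """Service principal GSSAPI asks the KDC for on an ldap:// URL: ldap/<host>@<REALM>."""
    host = re.match(r"^ldaps?://([^:/]+)", ldap_url).group(1)
    return f"ldap/{host}@{realm_for_host(host, domain_realm)}"

def check_keytab(ldap_url, klist_output, domain_realm):
    """'exact', 'case-only' or 'missing' for the expected SPN against the keytab.
    Principal names are case-sensitive, so a 'case-only' hit is not a usable key."""
    wanted = expected_ldap_spn(ldap_url, domain_realm)
    present = keytab_principals(klist_output)
    if wanted in present:
        return "exact"
    if wanted.lower() in (p.lower() for p in present):
        return "case-only"
    return "missing"

if __name__ == "__main__":
    print(check_keytab("ldap://example.com:10389", KLIST_K_OUTPUT, DOMAIN_REALM))
```

On a real host, feed it the output of `klist -k` and the URL passed to `ldapsearch -H`; a result other than `exact` means the server has no key under the name the client will ask the KDC for, which is worth fixing before reading packet-level checksum failures into the DEBUG logs.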
