Unable to run SASL using GSSAPI/kerberos 5 as authentication against Sun One Directory Server
Vikas Gandhi
vgandhi at quark.co.in
Mon Mar 1 23:32:23 EST 2004
Hi Alberto
I am sending to u same modified programs. Can u just let me know
where I am faulting. I am terribly confused.
I run this program as
./test -v -D quark.co.in -s blade -p 389 -B
"ou=people,dc=quark,dc=co,dc=in" test
"You asked me to change DN: but where ????" Please guide me.
Its linking is against the same AD(microsoft code) as things were not
running so I took a small part of code in order to test the things
out.
FYI: test is a user in Kerberos. And before I run this program. I do
kinit test and get the tgt.
Ticket cache: /tmp/krb5cc_1023
Default principal: test at QUARK.CO.IN
Valid starting Expires
Service principal
Tue Mar 02 09:38:28 2004 Tue Mar 02 17:38:28 2004
krbtgt/QUARK.CO.IN at QUARK.CO.IN
Tue Mar 02 09:38:39 2004 Tue Mar 02 17:38:28 2004
ldap/blade.quark.co.in at QUARK.CO.IN
After the program If I do klist test I have the ldap service ticket
but I am not able to do any add/modify operation on ldap.
---------------------Code Fot
Test--------------------------------------
//#ifdef HAVE_CONFIG_H
//#include "config.h"
//#endif
//#ifdef HAVE_UNISTD_H
#include <unistd.h>
//#endif
#include <stdio.h>
#include <stdlib.h>
#include <ctype.h>
#include <string.h>
//#ifdef HAVE_GETOPT_H
//#include <getopt.h>
//#endif
//#include <krb5.h>
#include <lber.h>
#include <ldap.h>
//#include "kpasswd.h"
#include "locator.h"
//#include "person.h"
#include <errno.h>
static const char rcsid[] = "$Id$";
//#ifdef HAVE_LIBGSSLDAP
#include <gssldap.h>
#include <gsssasl.h>
//#endif
int ldap_debug=1;
char *argv0;
int verbose = 3;
struct creds
{
char *dn;
char *pw;
} creds;
///////////////////
#define MODIFY_DN "uid=test,ou=People,dc=quark,dc=co,dc=in"
LDAPMod *list_of_mods[1];
LDAPMod attribute1;
int msgid;
char *vals0[ 1 ];
int find_user(
LDAP *ld,
LDAPMessage **res,
char *bind_path,
char *user
)
{
char search_exp[1024];
sprintf(search_exp, "(samAccountName=%s)", user);
return ldap_search_s(ld, bind_path, LDAP_SCOPE_SUBTREE,
search_exp, NULL, 0, res);
}
LDAPMessage *result, *e;
BerElement *ber;
char *a;
char **vals;
#define FIND_DN "uid=test,ou=people,dc=quark,dc=co,dc=in"
////////////////////////////
int printdse( LDAP *ld ) ;
int check_version( char *hostname, int portnum );
void dump_entry(LDAP *ld, LDAPMessage *res);
int convert_domain_to_dn(char *domain, char **bind_path);
int LDAP_CALL LDAP_CALLBACK ldap_simple_rebind( LDAP *ld, char **dnp,
char **passwdp, int *authmethodp, int freeit, void *arg );
void usage()
{
printf("%s: [-vxI] [-A admin-account-dn] [-D domain] [-O ous] [-s
LDAPserver] [-p LDAPport] [-B bind-path] [-a attributeName=value]
<user at domain>\n", argv0);
exit(1);
}
int main(int argc, char *argv[])
{
LDAP *ld;
int i, rc;
LDAPMessage *res;
char *bind_path = NULL;
char *add_path = NULL;
u_short ldap_port = LDAP_PORT;
char *ldap_host = NULL;
int ch;
char *user, *cp;
char *admindn = NULL;
char *domain = NULL;
char *defOU = "ou=people,dc=quark,dc=co,dc=in", *ou = NULL;
int num_ds_hosts;
PSRV_LOCATION *ds_hosts;
int deluser = 0;
int accountFound = 0;
int invalidateAccount = 0;
char *c;
char *attributeNames[20];
char *attributeValues[20];
int numAttrs = 0;
if (argv0 = strrchr(argv[0], '/'))
argv0++;
else
argv0 = argv[0];
while ((ch = getopt(argc, argv, "A:vxIs:p:a:B:D:O:?")) != -1) {
switch(ch) {
case 'v':
verbose++;
break;
case 'A':
admindn = optarg;
break;
case 'O':
ou = optarg;
break;
case 'D':
domain = optarg;
break;
case 'B':
bind_path = optarg;
break;
case 's':
ldap_host = optarg;
break;
case 'p':
ldap_port = atoi(optarg);
break;
case 'x':
deluser = 1;
break;
case 'I':
invalidateAccount = 1;
break;
case 'a':
if (!(c = strrchr(optarg, '=')))
usage();
else {
*c = '\0';
attributeNames[numAttrs] = optarg;
attributeValues[numAttrs++] = c + 1;
}
break;
case '?':
default:
usage();
}
}
argc -= optind;
argv += optind;
if (argc < 1) {
usage();
}
attributeNames[numAttrs] = NULL;
attributeValues[numAttrs] = NULL;
user = argv[0];
if (!domain) {
domain = strchr(user, '@');
if (domain)
domain++;
else
usage();
}
if (verbose > 2)
ldap_debug = 1 /*LDAP_DEBUG_TRACE*/;
if (cp = strchr(user, '@'))
*cp = '\0';
if (!bind_path) {
convert_domain_to_dn(domain, &bind_path);
if (!ou)
ou = defOU;
}
if (verbose) {
if (!deluser)
printf("Creating user account for %s\n", user);
else
printf("Deleting user account for %s\n", user);
}
if (ldap_host) {
static SRV_LOCATION srv_ldap;
static PSRV_LOCATION psrv_ldap[1];
psrv_ldap[0] = &srv_ldap;
srv_ldap.srv_host = ldap_host;
srv_ldap.srv_port = ldap_port;
ds_hosts = psrv_ldap;
num_ds_hosts = 1;
}
else {
if (locate_srv(domain, LDAP_SRV, TCP_PROTO, NO_SITE, &ds_hosts,
&num_ds_hosts) == -1 ||
num_ds_hosts == 0) {
printf("ERROR: Cannot locate a directory server for %s\n",
domain);
exit(1);
}
}
for (i = 0; i < num_ds_hosts; i++) {
ld = ldap_open(ds_hosts[i]->srv_host, ds_hosts[i]->srv_port);
if (ld)
break;
}
if (ld == NULL) {
perror("ldap_open");
return 1;
}
//fprintf(stdout,"check_version=%d",check_version("blade",389));
//fprintf(stdout, "printdse=%d\n",printdse(ld));
rc = LDAP_VERSION3;
(void)ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &rc);
/*if (admindn) {
char prompt[80];
char pw[1024];
int pwlen;
printf("Warning: Using simple LDAP bind.\n");
sprintf(prompt, "Password for %s:", admindn);
pwlen = sizeof(pw);
if (rc = krb5_read_password(NULL, prompt, NULL, pw, &pwlen)) {
com_err(argv0, rc, "while reading admin password");
return 1;
}
rc = ldap_simple_bind_s(ld, admindn, pw);
if (rc != LDAP_SUCCESS) {
ldap_perror(ld, "ldap_simple_bind");
ldap_unbind(ld);
return 1;
}
creds.dn = strdup(admindn);
creds.pw = strdup(pw);
ldap_set_rebind_proc(ld, ldap_simple_rebind, &creds);
memset(pw, 0, sizeof(pw));
}
else
*/
{
//#ifdef HAVE_LIBGSSLDAP
rc = ldap_gssapi_bind(ld, bind_path, GSSSASL_NO_SECURITY_LAYER);
fprintf(stdout, "after ldap_gssapi_bind \n");
if (rc != LDAP_SUCCESS) {
fprintf(stdout, "an error occurred in ldap_gssapi_bind\n");
ldap_perror(ld, "ldap_gssapi_bind");
ldap_unbind(ld);
return 1;
}
//#else
// printf("Warning: Using anonymous simple LDAP bind.\n");
// rc = ldap_simple_bind_s(ld, NULL, NULL);
// if (rc != LDAP_SUCCESS) {
// ldap_perror(ld, "ldap_simple_bind");
// ldap_unbind(ld);
// return 1;
// }
//#endif
}
///////////////////////
/// Test For Search
/* Search for the entry. */
/*
if ( ( rc = ldap_search_ext_s( ld, FIND_DN, LDAP_SCOPE_BASE,
"(objectclass=*)", NULL, 0, NULL, NULL, LDAP_NO_LIMIT,
LDAP_NO_LIMIT, &result ) ) != LDAP_SUCCESS ) {
fprintf(stderr, "ldap_search_ext_s: %s\n", ldap_err2string(rc));
return( 1 );
}
// Since we are doing a base search, there should be only
one matching entry.
e = ldap_first_entry( ld, result );
if ( e != NULL ) {
printf( "\nFound %s:\n\n", FIND_DN );
// Iterate through each attribute in the entry.
for ( a = ldap_first_attribute( ld, e, &ber );
a != NULL; a = ldap_next_attribute( ld, e, ber ) ) {
// For each attribute, print the attribute name and values.
if ((vals = ldap_get_values( ld, e, a)) != NULL ) {
for ( i = 0; vals[i] != NULL; i++ ) {
printf( "%s: %s\n", a, vals[i] );
}
ldap_value_free( vals );
}
ldap_memfree( a );
}
if ( ber != NULL ) {
ber_free( ber, 0 );
}
}
*/
//////////////////////////
/// Test For Mod
///////////////////////
fprintf(stdout, "before LDAP_MOD_REPLACE\n\n\n");
attribute1.mod_op = LDAP_MOD_REPLACE;
attribute1.mod_type = "sn";
vals0[0] = "wbj";
vals0[1] = NULL;
attribute1.mod_values = vals0;
list_of_mods[0] = &attribute1;
list_of_mods[1] = NULL;
// Send the LDAP modify request.
//rc = ldap_modify_ext( ld, MODIFY_DN, list_of_mods, NULL, NULL,
&msgid );
rc = ldap_modify_s( ld, MODIFY_DN, list_of_mods);
if ( rc != LDAP_SUCCESS ) {
ldap_perror(ld, "ldap_modify_s");
fprintf( stderr, "ldap_modify_ext: %s\n", ldap_err2string( rc )
);
ldap_unbind( ld );
//return( 1 );
}
fprintf(stdout, "after LDAP_MOD_REPLACE\n");
exit(0);
///////////////////////////////////////////
if (ou) {
add_path = malloc(strlen(bind_path)+strlen(ou)+2);
if (!add_path)
return ENOMEM;
sprintf(add_path, "%s,%s", ou, bind_path);
}
else
add_path = bind_path;
if (verbose)
printf("Searching for \"%s\" at \"%s\" ...\n", user, bind_path);
rc = find_user(ld, &res, bind_path, user);
if (rc != LDAP_SUCCESS) {
ldap_perror(ld, "ldap_search_s");
}
printf("after find_user ..\n");
if (verbose > 1)
dump_entry(ld, &res);
// added
ldap_unbind(ld);
exit (0);
// end added
//////////
//////////
/*
if (rc == LDAP_MORE_RESULTS_TO_RETURN ||
(rc == LDAP_SUCCESS && ldap_count_entries(ld, res) == 0)) {
if (!deluser) {
if (verbose)
printf("Existing user account not found - adding as \"cn=%s,%s\"\n",
user, add_path);
rc = add_user(ld, add_path, user, domain, invalidateAccount,
attributeNames, attributeValues);
if (rc != LDAP_SUCCESS) {
ldap_perror(ld, "ldap_add_s");
ldap_unbind(ld);
return 1;
}
rc = find_user(ld, &res, add_path, user);
if (rc != LDAP_SUCCESS) {
ldap_perror(ld, "ldap_search_s");
ldap_unbind(ld);
return 1;
}
}
else {
if (verbose)
printf("Existing user account not found.\n");
return 1;
}
}
else {
accountFound = 1;
if (!deluser) {
if (verbose)
printf("User account already present\n");
if (attributeNames[0])
rc = add_string_values_to_attrs(ld, &res, bind_path, user,
attributeNames, attributeValues);
else
rc = LDAP_SUCCESS;
if (rc != LDAP_SUCCESS) {
ldap_perror(ld, "ldap_add_s");
ldap_unbind(ld);
return 1;
}
if (attributeNames[0] && verbose)
printf("Updates successful.\n");
}
else {
char *dn = ldap_get_dn(ld, res);
if (dn) {
if (verbose)
printf("Existing user account found - deleting.\n");
rc = delete_user(ld, dn);
if (rc != LDAP_SUCCESS) {
ldap_memfree(dn);
ldap_perror(ld, "ldap_add_s");
ldap_unbind(ld);
return 1;
}
ldap_memfree(dn);
}
else
printf("ERROR: User DN not known.\n");
}
}
if (verbose > 1)
dump_entry(ld, res);
else
ldap_msgfree(res);
ldap_unbind(ld);
if (!invalidateAccount && !deluser && !accountFound)
rc = set_password(user, domain);
*/
return (rc != 0);
}
#define P1 "Enter new password: "
#define P2 "Enter it again: "
/*
int set_password(
char *user,
char *domain
)
{
krb5_context context;
krb5_data salt;
krb5_encrypt_block eblock;
krb5_keyblock * key;
char pw[1024];
int pwlen;
int res_code;
krb5_data res_code_str, res_string;
krb5_principal user_princ, princ;
krb5_error_code retval;
krb5_ccache ccache;
int i;
char *userrealm, *realm;
retval = krb5_init_context(&context);
if (retval) {
return retval;
}
if (retval = krb5_cc_default(context, &ccache)) {
com_err(argv0, retval, "opening default ccache");
exit(1);
}
realm = malloc(strlen(domain)+1);
if (!realm)
return ENOMEM;
for (i = 0; i < strlen(domain); i++)
realm[i] = toupper(domain[i]);
realm[i] = '\0';
userrealm = malloc(strlen(user) + strlen(domain) + 2);
if (!userrealm)
return ENOMEM;
sprintf(userrealm, "%s@%s", user, realm);
retval = krb5_parse_name(context, userrealm, &user_princ);
if (retval)
return retval;
#define NUMTRIES 10
if (verbose)
printf("Setting password...\n");
for (i = 0; i < NUMTRIES; i++) {
pwlen = sizeof(pw);
if (retval = krb5_read_password(context, P1, P2, pw, &pwlen)) {
com_err(argv0, retval, "while reading password");
continue;
}
retval = krb5_set_password(context, ccache, pw, user_princ,
&res_code, &res_code_str, &res_string);
if (retval) {
com_err(argv0, retval, "setting user password");
exit(1);
}
if (res_code == KRB5_KPASSWD_SUCCESS)
break;
else if (res_code != KRB5_KPASSWD_MALFORMED) {
printf("Set password for account failed: %.*s%s%.*s\n",
res_code_str.length, res_code_str.data,
res_string.length?": ":"",
res_string.length, res_string.data);
exit(2);
}
memset(pw, 0, sizeof(pw));
}
if (i == NUMTRIES) // Didn't get a good password
return KRB5KRB_AP_ERR_NOKEY;
return retval;
}
*/
int LDAP_CALL LDAP_CALLBACK ldap_simple_rebind(
LDAP *ld,
char **dnp,
char **passwdp,
int *authmethodp,
int freeit,
void *arg
)
{
struct creds *cp = (struct creds *)arg;
if (!freeit) {
*authmethodp = LDAP_AUTH_SIMPLE;
*dnp = cp->dn;
*passwdp = cp->pw;
}
return( LDAP_SUCCESS );
}
int convert_domain_to_dn(
char *domain,
char **dnp
)
{
char *fp, *dp;
char dn[1024];
int dnlen = 1;
memset(dn, 0, sizeof(dn));
strcpy(dn, "dc=");
dp = dn+3;
for (fp = domain; *fp; fp++) {
if (*fp == '.') {
strcpy(dp, ",dc=");
dp += 4;
}
else
*dp++ = *fp;
}
*dnp = strdup(dn);
return 0;
}
void dump_entry(
LDAP *ld,
LDAPMessage *res
)
{
LDAPMessage *e;
for (e = ldap_first_entry(ld, res);
e;
e = ldap_next_entry(ld, e)) {
printf("dump_entry found\n");
BerElement *b;
char *attr;
char *dn = ldap_get_dn(ld, res);
if (dn)
printf("dn: %s\n", dn);
ldap_memfree(dn);
for (attr = ldap_first_attribute(ld, e, &b);
attr;
attr = ldap_next_attribute(ld, e, b)) {
char **values, **p;
values = ldap_get_values(ld, e, attr);
for (p = values; *p; p++) {
printf("%s: %s\n", attr, *p);
}
ldap_value_free(values);
ldap_memfree(attr);
}
ber_free(b, 1);
printf("\n");
}
}
int check_version( char *hostname, int portnum )
{
LDAP *ld;
int i, rc, v3supported = 0;
LDAPMessage *result, *e;
BerElement *ber;
LDAPControl **serverctrls = NULL, **clntctrls = NULL;
char *a, *dn;
char **vals;
char *attrs[2];
char *filter = "(objectClass=*)";
/* Check arguments */
if ( !hostname || !hostname[0] || !portnum ) {
printf( "Error: hostname or port number not specified\n" );
return( -1 );
}
/* Get a handle to an LDAP connection. */
if ( (ld = ldap_init( hostname, portnum )) == NULL ) {
perror( "ldap_init" );
return( -1 );
}
/* Set automatic referral processing off. */
if ( ldap_set_option( ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF ) !=
LDAP_SUCCESS ) {
ldap_perror( ld, "ldap_set_option" );
return( -1 );
}
/* Search for the root DSE and get the supportedLDAPVersion
attribute. */
attrs[0] = "supportedLDAPVersion";
attrs[1] = NULL;
rc = ldap_search_ext_s( ld, "", LDAP_SCOPE_BASE, filter, attrs, 0,
serverctrls, clntctrls, NULL, 0, &result );
/* Check the search results. */
switch( rc ) {
/* If successful, the root DSE was found. */
case LDAP_SUCCESS:
break;
/* If the root DSE was not found, the server does not comply
with the LDAP v3 protocol. */
case LDAP_PARTIAL_RESULTS:
case LDAP_NO_SUCH_OBJECT:
case LDAP_OPERATIONS_ERROR:
case LDAP_PROTOCOL_ERROR:
ldap_perror( ld, "ldap_search_ext_s" );
return( 0 );
break;
/* If an different result code is returned, an error may have
occurred (for example, the server may be down. */
default:
ldap_perror( ld, "ldap_search_ext_s" );
return( -1 );
break;
}
/* Get the values of the supportedLDAPVersion attribute in the
entry. */
if (( e = ldap_first_entry( ld, result )) != NULL &&
( a = ldap_first_attribute( ld, e, &ber )) != NULL &&
(vals = ldap_get_values( ld, e, a)) != NULL ) {
for ( i = 0; vals[i] != NULL; i++ ) {
if ( !strcmp( "3", vals[i] ) ) {
v3supported = 1;
break;
}
}
/* Free any memory allocated. */
ldap_value_free( vals );
ldap_memfree( a );
if ( ber != NULL ) {
ber_free( ber, 0 );
}
}
/* Free memory allocated by ldap_search_ext_s(). */
ldap_msgfree( result );
/* Free the ld structure. */
ldap_unbind_s( ld );
/* Return a value indicating whether or not LDAP v3 is supported.
*/
return( v3supported );
}
int printdse( LDAP *ld )
{
int rc, i;
char *matched_msg = NULL, *error_msg = NULL;
LDAPMessage *result, *e;
BerElement *ber;
char *a;
char **vals;
/* Verify that the connection handle is valid. */
if ( ld == NULL ) {
fprintf( stderr, "Invalid connection handle.\n" );
return( 1 );
}
/* Set automatic referral processing off. */
if ( ldap_set_option( ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF ) != 0 )
{
rc = ldap_get_lderrno( ld, NULL, NULL );
fprintf( stderr, "ldap_set_option: %s\n", ldap_err2string( rc )
);
return( 1 );
}
/* Search for the root DSE. */
rc = ldap_search_ext_s( ld, "", LDAP_SCOPE_BASE, "(objectclass=*)",
NULL, 0,
NULL, NULL, NULL, 0, &result );
/* Check the search results. */
switch( rc ) {
/* If successful, the root DSE was found. */
case LDAP_SUCCESS:
break;
/* If the root DSE was not found, the server does not comply
with the LDAP v3 protocol. */
case LDAP_PARTIAL_RESULTS:
case LDAP_NO_SUCH_OBJECT:
case LDAP_OPERATIONS_ERROR:
case LDAP_PROTOCOL_ERROR:
printf( "LDAP server returned result code %d (%s).\n"
"This server does not support the LDAP v3 protocol.\n",
rc, ldap_err2string( rc ) );
return( 1 );
/* If any other value is returned, an error must have occurred. */
default:
fprintf( stderr, "ldap_search_ext_s: %s\n", ldap_err2string( rc
) );
return( 1 );
}
/* Since only one entry should have matched, get that entry. */
e = ldap_first_entry( ld, result );
if ( e == NULL ) {
fprintf( stderr, "ldap_search_ext_s: Unable to get root
DSE.\n");
ldap_memfree( result );
return( 1 );
}
/* Iterate through each attribute in the entry. */
for ( a = ldap_first_attribute( ld, e, &ber );
a != NULL; a = ldap_next_attribute( ld, e, ber ) ) {
/* Print each value of the attribute. */
if ((vals = ldap_get_values( ld, e, a)) != NULL ) {
for ( i = 0; vals[i] != NULL; i++ ) {
printf( "%s: %s\n", a, vals[i] );
}
/* Free memory allocated by ldap_get_values(). */
ldap_value_free( vals );
}
/* Free memory allocated by ldap_first_attribute(). */
ldap_memfree( a );
}
/* Free memory allocated by ldap_first_attribute(). */
if ( ber != NULL ) {
ber_free( ber, 0 );
}
printf( "\n" );
/* Free memory allocated by ldap_search_ext_s(). */
ldap_msgfree( result );
// ldap_unbind( ld );
return( 0 );
}
--Vikas
jalbertop at aranea.com.mx (Alberto Patino) wrote in message news:<1078166334.16588.11.camel at turing.linux.aranea.com.mx>...
> On Mon, 2004-03-01 at 08:56, Vikas Gandhi wrote:
> > I am tring to run the same example that Microsoft has given for
> > authentication. I am tring this sample against SEAM and not AD.
> First thing is that I think this is not a SEAM a.k.a. MIT problem.
> SEAM is the MIT version of the kdc for Solaris, but the Microsoft sample
> do LDAP things against AD y just use the kerberos stuff to set the
> password in the kerberos principal.
>
> The MS sample works fine against AD but if I remember you need to do
> changes in the gsssasl source code to work against OpenLDAP or in your
> case Sun One DS.
>
> One of the changes I did was to remove the "dn:" string and send instead
> an empty string "" to the Unix Server in the saslbind negotiation.
>
> > FYI: I am able to run gssapi samples successfully. Also
> > /var/Sun/mps/shared/bin/ldapsearch -o mech=GSSAPI -h blade -p 389
> > -o realm="quark.co.in" -o authzid="test at QUARK.CO.IN" -b
> > "ou=people,dc=quark,dc=co,dc=in" objectclass=*
> > runs well So I know that I do not have installing probs.
> >
> > Though I am abl to get the ticket still error.txt(attaches is the
> > output)
> >
> > $klist
> > Ticket cache: /tmp/krb5cc_1023
> > Default principal: test at QUARK.CO.IN
> >
> > Valid starting Expires
> > Service principal
> > Fri Feb 27 20:22:14 2004 Sat Feb 28 04:22:14 2004
> > krbtgt/QUARK.CO.IN at QUARK.CO.IN
> > Fri Feb 27 20:26:52 2004 Sat Feb 28 04:22:14 2004
> > ldap/blade.quark.co.in at QUARK.CO.IN
> >
> >
> > Any small hint shall also be of great use.
> > ---------------------------Output at full log
> > traceLevel-----------------------------
> > ldap_open
> > ldap_init
> > nsldapi_open_ldap_connection
> > nsldapi_connect_to_host: blade:389
> > sd 4 connected to: 10.91.198.100
> > ldap_open successful, ld_host is (null)
> > LDAP service name: ldap at blade
> > ==> client_establish_context
> > Sending init_sec_context token (size=466)...
> > 60 82 01 ce 06 09 2a 86 48 86 f7 12 01 02 02 01
> > 00 6e 82 01 bd 30 82 01 b9 a0 03 02 01 05 a1 03
> > 02 01 0e a2 07 03 05 00 20 00 00 00 a3 82 01 01
> > 61 81 fe 30 81 fb a0 03 02 01 05 a1 0d 1b 0b 51
> > 55 41 52 4b 2e 43 4f 2e 49 4e a2 24 30 22 a0 03
> > 02 01 03 a1 1b 30 19 1b 04 6c 64 61 70 1b 11 62
> > 6c 61 64 65 2e 71 75 61 72 6b 2e 63 6f 2e 69 6e
> > a3 81 be 30 81 bb a0 03 02 01 01 a2 81 b3 04 81
> > b0 a9 d9 b3 6e 42 77 5e a8 82 7b a5 16 98 79 0c
> > 1e a3 70 00 45 f2 d4 cc 23 9d ef ca d5 ea 7a 12
> > f2 42 a8 44 a1 6a a0 b0 c1 37 b8 68 fa 6f 22 f1
> > a3 79 ce 4c db c4 b9 02 b6 04 10 f5 ec 22 03 c9
> > 55 53 6b 4d e3 f9 d5 0e 7a 43 7a 40 35 95 4f 33
> > 74 9c 82 c3 29 36 cf 7c 04 1d ab b7 c6 9e 43 f0
> > 78 0c 9f d1 49 bf ec c9 83 45 34 a9 e6 df 99 56
> > c0 06 04 36 bc f3 f1 bd f1 f8 30 0b 12 01 0a d4
> > e9 da 84 e7 71 3a d5 7c 90 02 64 eb 74 96 d3 5d
> > 69 b5 0c 5e 20 02 32 cc 34 e9 06 0e 18 9f 16 00
> > bd bf b3 9f f7 59 3c 3f 5f bc d7 4a e5 32 8f 51
> > 98 a4 81 9e 30 81 9b a0 03 02 01 01 a2 81 93 04
> > 81 90 81 1c 61 cf 45 b3 8e 8b b7 a1 b8 2e 1f da
> > ef b8 c0 be 9c 60 3a e3 08 43 52 37 2a 99 02 9d
> > 50 05 61 1b 04 4a 17 2d 89 da 12 11 3d 1e 93 f1
> > d8 64 eb b0 7f 0e 5d 34 c5 35 92 6d aa fc 80 bd
> > 1d a8 e3 40 1b 17 8c 63 d2 12 b9 1c 51 84 7c 9e
> > f2 d7 9b 7f 39 bb 3e e8 37 6c cd 01 86 92 3c 02
> > fb 04 18 58 81 c5 4d 3d d2 ae 22 d4 c4 c2 39 ba
> > dd 6f ac c0 46 a9 25 c6 5f cb e2 77 a2 82 d8 e4
> > f1 5e 7f ca 75 3a 5e 41 72 d4 cc d4 6a 32 ef 17
> > cd e0
> > ==> send_token
> > ldap_sasl_bind
> > nsldapi_send_initial_request
> > nsldapi_send_server_request
> > <== send_token
> > continue needed...
> > ==> recv_token
> > ldap_result
> > nsldapi_result_nolock
> > wait4msg (infinite timeout)
> > ** Connections:
> > * host: blade port: 389 secure: No (default)
> > refcnt: 2 status: Connected
> > last used: Mon Mar 1 13:47:58 2004
> >
> > ** Outstanding Requests:
> > * msgid 1, origid 1, status InProgress
> > outstanding referrals 0, parent count 0
> > pending bind DN: <uid=test,ou=people,dc=quark,dc=co,dc=in>
> > ** Response Queue:
> > Empty
> > nsldapi_do_ldap_select
> > read1msg
> > got RESULT msgid 1, original id 1
> > check_for_refs
> > check_for_refs: new result: msgid 1, res_errno 14, res_error <>,
> > res_matched <>
> > check_for_refs: 0 new refs(s); chasing 0 of them
> > request 1 done
> > res_errno: 14, res_error: <>, res_matched: <>
> > nsldapi_free_request (origid 1, msgid 1)
> > nsldapi_free_connection
> > nsldapi_free_connection: refcnt 1
> > ldap_parse_sasl_bind_result
> > ldap_msgfree
> > <== recv_token
> > <== recv_token
> > Received token (size=106)...
> > 60 68 06 09 2a 86 48 86 f7 12 01 02 02 02 00 6f
> > 59 30 57 a0 03 02 01 05 a1 03 02 01 0f a2 4b 30
> > 49 a0 03 02 01 01 a2 42 04 40 89 2a a0 b6 b6 65
> > 98 f1 79 2f 8a 9d ce 92 cc 32 12 86 d9 2a 73 49
> > 02 12 17 0e 41 88 5e c0 09 78 19 c2 b6 00 93 b6
> > 16 35 33 43 7e 81 4f ec d2 9d 99 e0 c1 5c 5b ee
> > 1c 13 88 46 7a 09 dd 92 30 ea
> > Sending init_sec_context token (size=0)...
> >
> > ==> send_token
> > ldap_sasl_bind
> > nsldapi_send_initial_request
> > nsldapi_send_server_request
> > <== send_token
> > <== client_establish_context
> > ==> negotiate_security_options
> > ==> recv_token
> > ldap_result
> > nsldapi_result_nolock
> > wait4msg (infinite timeout)
> > ** Connections:
> > * host: blade port: 389 secure: No (default)
> > refcnt: 2 status: Connected
> > last used: Mon Mar 1 13:47:58 2004
> >
> > ** Outstanding Requests:
> > * msgid 2, origid 2, status InProgress
> > outstanding referrals 0, parent count 0
> > pending bind DN: <uid=test,ou=people,dc=quark,dc=co,dc=in>
> > ** Response Queue:
> > Empty
> > nsldapi_do_ldap_select
> > read1msg
> > got RESULT msgid 2, original id 2
> > check_for_refs
> > check_for_refs: new result: msgid 2, res_errno 14, res_error <>,
> > res_matched <>
> > check_for_refs: 0 new refs(s); chasing 0 of them
> > request 2 done
> > res_errno: 14, res_error: <>, res_matched: <>
> > nsldapi_free_request (origid 2, msgid 2)
> > nsldapi_free_connection
> > nsldapi_free_connection: refcnt 1
> > ldap_parse_sasl_bind_result
> > ldap_msgfree
> > <== recv_token
> > <== recv_token
> > Received token (size=53)...
> > 60 33 06 09 2a 86 48 86 f7 12 01 02 02 02 01 00
> > 00 ff ff ff ff bf c6 cc 61 b8 48 2f 1e 6f 44 28
> > 77 d6 81 34 3f 24 26 0c 24 1d a6 6e 31 01 00 ff
> > ff 04 04 04 04
> > Received security token level 1 size 65535
> > Sending security token level 1 size 65535
> > ==> send_token
> > ldap_sasl_bind
> > nsldapi_send_initial_request
> > nsldapi_send_server_request
> > <== send_token
> > ==> parse_bind_result
> > ldap_result
> > nsldapi_result_nolock
> > wait4msg (infinite timeout)
> > ** Connections:
> > * host: blade port: 389 secure: No (default)
> > refcnt: 2 status: Connected
> > last used: Mon Mar 1 13:47:58 2004
> >
> > ** Outstanding Requests:
> > * msgid 3, origid 3, status InProgress
> > outstanding referrals 0, parent count 0
> > pending bind DN: <uid=test,ou=people,dc=quark,dc=co,dc=in>
> > ** Response Queue:
> > Empty
> > nsldapi_do_ldap_select
> > read1msg
> > got RESULT msgid 3, original id 3
> > check_for_refs
> > check_for_refs: new result: msgid 3, res_errno 49, res_error
> > <SASL(-1): generic failure: >, res_matched <>
> > check_for_refs: 0 new refs(s); chasing 0 of them
> > request 3 done
> > res_errno: 49, res_error: <SASL(-1): generic failure: >, res_matched:
> > <>
> > nsldapi_free_request (origid 3, msgid 3)
> > nsldapi_free_connection
> > nsldapi_free_connection: refcnt 1
> > ldap_first_message
> > ldap_first_message::LDAP_RES_BIND
> > ldap_msgfree
> > <== parse_bind_result
> > rc !=0 after parse_bind_result
> > <== negotiate_security_options
> > after negotiate_security_options -1
> > after ldap_gssapi_bind
> > an error occurred in ldap_gssapi_bind
> > ldap_perror
> > ldap_gssapi_bind: Requested LDAP control not found
> > ldap_unbind
> > nsldapi_free_connection
> > nsldapi_send_unbind
> > nsldapi_free_connection: actually freed
> > ________________________________________________
> > Kerberos mailing list Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
More information about the Kerberos
mailing list