Error messages

Rick van Rein (OpenFortress) rick at openfortress.nl
Sun Oct 13 15:53:03 EDT 2013


Oh,

> "Invalid credentials" is a string from the OpenLDAP library (corresponding to LDAP_INVALID_CREDENTIALS), not from our source code.

That's helpful to know!  Indeed, "auth access granted" just means access is permitted but not succeeding auth -- except that LDAP gives no further errors.

> We probably need to provide more context when presenting errors returned by ldap_sasl_bind_s(), instead of directly blatting the OpenLDAP message into the extended message.

I suppose I'm an example that that would've been helpful :)

> If you're seeing the same error message, then I believe you're still getting a failure binding to the LDAP server, although I don't know why you wouldn't see a corresponding message in the LDAP server logs.

Drilling down with tcpdump says I shouldn't have skipped that stage, indeed.  There is a successful bind as "" for features, then a failed one as the KDC user.  Something LDAPpy… [split, splot: Trying ldappasswd and other sync / syntax twiddling]  I now get parallel logins, as many as set up for parallelism, which are closed soon thereafter.

Between opening and closing, there is an attempt to read the realms, which delivers 0 objects.  This is an ACL problem -- a cn/uid mixup.  [split, splot].  WORKING :)

> The master key is stored in a stash file in the KDC directory.  The K/M entry in the database contains some information related to the master key, but does not contain the master key itself in a form that you could get at it without knowing the master password.

This sort of connection between the data files, the attributes in the configurations and the backend database is quite helpful.  It's the sort of thing I've been missing while reading howto-styled information.  I suppose I tend to read docs like an academic, searching for boundaries.


Anyhow, I have it working now, thanks very very much for your help.

I have a bundle of ideas to innovate with Kerberos for our project http://networkeffectalliance.org , now finally I can get to that!


Cheers,
 -Rick
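As an added example (not code from the thread or from the Kerberos project), a small Python triage of slapd stats-format log lines that separates the two symptoms described above: a bind rejected with err=49 (LDAP_INVALID_CREDENTIALS) versus a bind that succeeds but whose realm search comes back with nentries=0, which points at ACLs or the search base rather than credentials. The log lines, DNs and connection numbers are constructed for the example.

```python
import re

# Constructed slapd stats-log lines (loglevel 256 format) modelling the symptoms
# from the thread: an anonymous bind for server features, a failed bind as the
# KDC user, then a successful bind whose realm search returns nothing.  The DNs
# and connection numbers are invented for this example.
SAMPLE_LOG = """\
conn=1001 op=0 BIND dn="" method=128
conn=1001 op=0 RESULT tag=97 err=0 text=
conn=1001 op=1 BIND dn="cn=kdc-service,dc=example,dc=com" method=128
conn=1001 op=1 RESULT tag=97 err=49 text=
conn=1002 op=0 BIND dn="uid=kdc-service,dc=example,dc=com" method=128
conn=1002 op=0 RESULT tag=97 err=0 text=
conn=1002 op=1 SRCH base="cn=krbcontainer,dc=example,dc=com" scope=2 filter="(objectClass=krbRealmContainer)"
conn=1002 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
"""

BIND_RE = re.compile(r'^conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
BIND_RESULT_RE = re.compile(r'^conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')
SEARCH_RESULT_RE = re.compile(r'^conn=(\d+) op=(\d+) SEARCH RESULT tag=101 err=(\d+) nentries=(\d+)')


def triage(log_text):
    """Correlate BIND / RESULT / SEARCH RESULT lines per connection and return
    (conn, finding, bind_dn) tuples for the two failure modes seen in the thread."""
    pending_bind = {}   # (conn, op) -> DN of a BIND whose result is still outstanding
    bound_as = {}       # conn -> DN of the last successful non-anonymous bind
    findings = []
    for line in log_text.splitlines():
        m = BIND_RE.match(line)
        if m:
            pending_bind[(m[1], m[2])] = m[3]
            continue
        m = BIND_RESULT_RE.match(line)      # tag=97 is a bindResponse
        if m:
            dn = pending_bind.pop((m[1], m[2]), None)
            if m[3] == "49":                # LDAP_INVALID_CREDENTIALS
                findings.append((m[1], "invalid-credentials", dn))
            elif m[3] == "0" and dn:        # authenticated (non-anonymous) bind succeeded
                bound_as[m[1]] = dn
            continue
        m = SEARCH_RESULT_RE.match(line)    # tag=101 is a searchResDone
        if m and m[3] == "0" and m[4] == "0" and m[1] in bound_as:
            # Bind was fine but the search matched nothing: look at ACLs / base DN
            findings.append((m[1], "empty-search-after-bind", bound_as[m[1]]))
    return findings
```

Run it over a real `slapd` stats log (loglevel 256) in place of `SAMPLE_LOG`; a connection that shows up only under "empty-search-after-bind" is the ACL symptom, not a password problem.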

