
eDirectory GSSAPI Invalid credentials


ariee dzig

Jun 29, 2012, 4:52:17 AM
Hi,

Has anyone had success integrating GSSAPI in eDirectory?
I have installed eDirectory 8.8 on SLES11 and want to set up GSSAPI with eDirectory, using MIT Kerberos.
I have followed the documentation from here (https://www.netiq.com/documentation/edir88/edir88/?page=/documentation/edir88/edir88/data/bs3o4x0.html)
But it did not succeed. I get this result every time I try to connect to LDAP using ldapsearch:

SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)

On my client, I got a ticket for the eDirectory principal, but got the error above. What is wrong?
I think eDirectory did not load the correct keytab that I exported from MIT Kerberos, but I uploaded the keytab in the step for creating the service principal in eDirectory. Or is there another way to upload the keytab to eDirectory? On my iManager workstation, I have a KrbKeyUpload link in the Kerberos Management module, but the link gives nothing. Would this link be the correct way to upload the keytab? Does anyone know how to activate this link in iManager?

In an OpenLDAP server, we only need to load the keytab in the OpenLDAP configuration file, but I didn't find any information about that for eDirectory LDAP. Can anyone give a clue?

Here is more log from ndstrace:
2836913008 NMAS: [2012/06/18 8:59:05.76] INFO: 262166: Create NMAS Session
2836913008 NMAS: [2012/06/18 8:59:05.76] INFO: 262166: SASL GSSAPI started
2836913008 NMAS: [2012/06/18 8:59:05.78] INFO: 262166: GSS_Accept_sec_context: Unspecified GSS failure. Minor code may provide more information
2836913008 NMAS: [2012/06/18 8:59:05.78] INFO: 262166: GSS_Accept_sec_context: Key table entry not found
2836913008 NMAS: [2012/06/18 8:59:05.78] INFO: 262166: NMAS Audit with Audit PA not installed
2836913008 NMAS: [2012/06/18 8:59:05.78] INFO: 262166: NMAS Audit with XDAS not installed
2836913008 NMAS: [2012/06/18 8:59:05.78] INFO: 262166: ERROR: -1647 SASL_DoMechanism: NMAS_InvokeMechanism
2836913008 NMAS: [2012/06/18 8:59:05.78] INFO: 262166: Client Session Destroy Request
2836913008 NMAS: [2012/06/18 8:59:05.78] INFO: 262166: Destroy NMAS Session
2836913008 NMAS: [2012/06/18 8:59:05.78] INFO: 262166: Aborted Session Destroyed (with MAF)
2836913008 LDAP: [2012/06/18 8:59:05.78] INFO: Environment variable is set to not put NMAS NetworkAddress:
2836913008 LDAP: [2012/06/18 8:59:05.78] ERR: (192.168.56.92:37753)(0x0002:0x60) Failed to authenticate full context on connection 0x14e91680, err = -1647 (0xfffff991)
2836913008 LDAP: [2012/06/18 8:59:05.78] INFO: (192.168.56.92:37753)(0x0002:0x60) Sending operation result 49:"":"" to connection 0x14e91680
2835860336 LDAP: [2012/06/18 8:59:05.82] INFO: (192.168.56.92:37753)(0x0000:0x00) TLS read failure 5 on connection 0x14e91680, setting err = -5875. Error stack:
2835860336 LDAP: [2012/06/18 8:59:05.82] INFO: Monitor 0xa907cb70 found connection 0x14e91680 socket failure, err = -5875, 0 of 0 bytes read
2835860336 LDAP: [2012/06/18 8:59:05.82] INFO: Monitor 0xa907cb70 initiating close for connection 0x14e91680
3050703728 LDAP: [2012/06/18 8:59:05.82] INFO: Server closing connection 0x14e91680, socket error = -5875
3050703728 LDAP: [2012/06/18 8:59:05.91] INFO: Connection 0x14e91680 closed

Any idea?

Best Regards,

Arief
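
Added example, not part of the original post: a small Python triage function that ties the LDAP result 49 seen by the client back to the server-side GSS_Accept_sec_context detail in an ndstrace excerpt like the one above. It assumes the first column is a thread identifier shared by the NMAS and LDAP lines of one bind, which holds for the excerpt; the function and field names are illustrative.

```python
import re

# Six lines copied from the ndstrace excerpt in the post (one failed bind).
SAMPLE = '''\
2836913008 NMAS: [2012/06/18 8:59:05.76] INFO: 262166: SASL GSSAPI started
2836913008 NMAS: [2012/06/18 8:59:05.78] INFO: 262166: GSS_Accept_sec_context: Unspecified GSS failure. Minor code may provide more information
2836913008 NMAS: [2012/06/18 8:59:05.78] INFO: 262166: GSS_Accept_sec_context: Key table entry not found
2836913008 NMAS: [2012/06/18 8:59:05.78] INFO: 262166: ERROR: -1647 SASL_DoMechanism: NMAS_InvokeMechanism
2836913008 LDAP: [2012/06/18 8:59:05.78] ERR: (192.168.56.92:37753)(0x0002:0x60) Failed to authenticate full context on connection 0x14e91680, err = -1647 (0xfffff991)
2836913008 LDAP: [2012/06/18 8:59:05.78] INFO: (192.168.56.92:37753)(0x0002:0x60) Sending operation result 49:"":"" to connection 0x14e91680
'''

LINE = re.compile(r'^(?P<tid>\d+) (?P<mod>\w+): \[[^\]]+\] \w+: (?P<msg>.*)$')
NMAS = re.compile(r'^(?P<session>\d+): (?P<text>.*)$')
GSS = re.compile(r'^GSS_Accept_sec_context: (?P<detail>.*)$')
FAIL = re.compile(r'^\((?P<client>[\d.]+:\d+)\).*Failed to authenticate'
                  r'.*connection (?P<conn>0x[0-9a-f]+), err = (?P<err>-?\d+)')
RESULT = re.compile(r'Sending operation result (?P<code>\d+):'
                    r'.*connection (?P<conn>0x[0-9a-f]+)')

def triage(text):
    """Return one finding per failed bind: client, NMAS session, GSS details."""
    pending = {}   # first-column id (assumed thread id) -> NMAS context
    findings = {}  # connection handle -> finding
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        tid, msg = m['tid'], m['msg']
        if m['mod'] == 'NMAS':
            n = NMAS.match(msg)
            if not n:
                continue
            ctx = pending.get(tid)
            if ctx is None or ctx['nmas_session'] != n['session']:
                ctx = pending[tid] = {'nmas_session': n['session'], 'gss': []}
            g = GSS.match(n['text'])
            if g:
                ctx['gss'].append(g['detail'])
        elif m['mod'] == 'LDAP':
            f = FAIL.match(msg)
            if f:  # attach the NMAS context seen on the same thread
                ctx = pending.pop(tid, {'nmas_session': None, 'gss': []})
                findings[f['conn']] = {'client': f['client'], 'err': int(f['err']),
                                       'ldap_result': None, **ctx}
            r = RESULT.search(msg)
            if r and r['conn'] in findings:
                findings[r['conn']]['ldap_result'] = int(r['code'])
    return list(findings.values())
```

Run over the excerpt, `triage(SAMPLE)` returns a single finding whose last GSS detail is "Key table entry not found", the message Kerberos gives when the accepting service has no keytab key matching the service ticket presented.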