LinuxQuestions.org
Old 02-19-2015, 07:58 AM   #1
peridian
Member
Registered: Jan 2010
Posts: 60
Rep: Reputation: 17
LDAP SASL Permission Denied: olcAuthzRegexp problem?


Hi,

I get the below error when attempting to authenticate to LDAP via SASL/GSSAPI/Kerberos (Ubuntu Server 14.04).

Code:
user@hostname:/$ sudo kinit -p user
user@hostname:/$ sudo klist -f
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user@DOMAIN


Valid starting     Expires            Service principal
16/02/15 16:53:45  17/02/15 04:53:45  krbtgt/DOMAIN@DOMAIN
    renew until 17/02/15 16:53:45, Flags: PRI

user@hostname:/$ sudo ldapwhoami
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)
    additional info: SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied (Permission denied)

An existing post with current configuration exists here.

I can successfully use Kerberos functions, and can also use the testsaslauthd and sasl-sample-{client|server} methods. I am certain the problem is in the configuration of LDAP.

Articles suggest that this is a keytab access problem but I have ruled this out; the correct export line is in the slapd script, the correct permissions are set on the file, the correct path is valid in the AppArmor profile, and I can see from debugging that the principal ldap/fqdn@DOMAIN is used and authenticated correctly.

I have increased the logging levels of slapd and run through a standard test. Looking at the output in the syslog, I can see all the authentication up to the point that it looks for the user mapped to the GSSAPI dn.

Then something interesting appears:

Code:
Feb 18 15:18:45 hostname slapd[2050]: ==> sasl_bind: dn="" mech=GSSAPI datalen=593
Feb 18 15:18:45 hostname slapd[2050]: SASL [conn=1001] Failure: GSSAPI Error: An invalid name was supplied (Permission denied)
Feb 18 15:18:45 hostname slapd[2050]: send_ldap_result: conn=1001 op=0 p=3
Feb 18 15:18:45 hostname slapd[2050]: send_ldap_result: err=80 matched="" text="SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied (Permission denied)"
Feb 18 15:18:45 hostname slapd[2050]: send_ldap_response: msgid=1 tag=97 err=80
Feb 18 15:18:45 hostname slapd[2050]: <== slap_sasl_bind: rc=80

If I am reading this right, the "invalid name" is because the dn is blank. I am assuming this is a fault of the olcAuthzRegexp property not correctly mapping the GSSAPI account to the LDAP account.

Here is what I have tried:

Code:
olcAuthzRegexp: {0}uid=([^,]*),cn=domain,cn=gssapi,cn=auth cn=$1,ou=Users,dc=hostname,dc=domain
olcAuthzRegexp: {1}uid=([^,]*),cn=DOMAIN,cn=gssapi,cn=auth cn=$1,ou=Users,dc=hostname,dc=domain
olcAuthzRegexp: {2}uid=([^,]*),cn=gssapi,cn=auth cn=$1,ou=Users,dc=hostname,dc=domain

OR

olcAuthzRegexp: {0}uid=([^,]*),cn=([^,]*),cn=gssapi,cn=auth cn=$1,ou=Users,dc=hostname,dc=$2
olcAuthzRegexp: {2}uid=([^,]*),cn=gssapi,cn=auth cn=$1,ou=Users,dc=hostname,dc=domain

OR

olcAuthzRegexp: {0}uid=([^,]*)(,cn=domain)?,cn=gssapi,cn=auth cn=$1,ou=Users,dc=hostname,dc=domain

None of these appear to work.

How can I inspect/debug what the dn passed to openldap by GSSAPI actually was?

Regards,
Rob.
 
Old 02-23-2015, 08:56 AM   #2
peridian
Member
Registered: Jan 2010
Posts: 60
Original Poster
Rep: Reputation: 17
Well, haven't solved the problem, but I have found the answer to my question.

To test your olcAuthzRegexp settings, use the below command line:

Code:
sudo slapauth -v -d 4 -M GSSAPI -R MYDOMAIN <username>

This will show you the final DN that it bound the given user to. Using this, I changed my expressions to:

Code:
olcAuthzRegexp: {0}uid=([^,/]*)(,cn=domain)?,cn=gssapi,cn=auth cn=$1,ou=Users,dc=hostname,dc=domain
olcAuthzRegexp: {1}uid=([^,]*)(,cn=domain)?,cn=gssapi,cn=auth krbPrincipalName=$1@DOMAIN,cn=DOMAIN,cn=Kerberos,dc=hostname,dc=domain

I was concerned that the ldap/fqdn@DOMAIN principal was not being correctly mapped due to the Kerberos principals being stored separately from the LDAP user accounts, so I added an additional entry to correct the mapping.

Code:
user@hostname:/$ sudo slapauth -d 4 -M GSSAPI -R DOMAIN user
54eb3b64 send_ldap_result: err=0 matched="" text=""
54eb3b64 hdb_db_open: "dc=hostname,dc=domain"
54eb3b64 slap_sasl_getdn: conn 18446744073709551615 id=user [len=6]
54eb3b64 [rw] authid: "uid=user,cn=domain,cn=gssapi,cn=auth" -> "cn=user,ou=Users,dc=hostname,dc=domain"
ID: <user> check succeeded
authcID:     <cn=user,ou=users,dc=hostname,dc=domain>

user@hostname:/$ sudo slapauth -d 4 -M GSSAPI -R DOMAIN ldap/fqdn
54eb3b69 send_ldap_result: err=0 matched="" text=""
54eb3b69 hdb_db_open: "dc=hostname,dc=domain"
54eb3b69 slap_sasl_getdn: conn 18446744073709551615 id=ldap/fqdn [len=15]
54eb3b69 [rw] authid: "uid=ldap/fqdn,cn=domain,cn=gssapi,cn=auth" -> "krbPrincipalName=ldap/fqdn@DOMAIN,cn=DOMAIN,cn=Kerberos,dc=hostname,dc=domain"
ID: <ldap/fqdn> check succeeded
authcID:     <krbPrincipalName=ldap/fqdn@DOMAIN,cn=domain,cn=kerberos,dc=hostname,dc=domain>

So if you need to figure out the validity of your expressions, that's how. It doesn't help me identify whether this is actually what openldap is doing, or how far through the process it gets before an error, but it helps rule out a possible problem.

Regards,
Rob.
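The following is an added example, not code from the thread or from OpenLDAP. It models how slapd applies an ordered olcAuthzRegexp list to a SASL authid (first matching rule wins, $1..$9 are replaced by that rule's capture groups, no chaining) and runs both of Rob's rule sets, the first attempt from post #1 and the revised pair from post #2, over constructed authids of the form uid=<principal>[,cn=<realm>],cn=gssapi,cn=auth. It shows in one place what the two slapauth runs above show one principal at a time: with `[^,]*` in rule {0}, the service principal ldap/fqdn is captured and rewritten to a cn=ldap/fqdn,ou=Users entry that does not exist, whereas the revised `[^,/]*` lets it fall through to the krbPrincipalName rule. Assumptions: the placeholder names from the thread (domain, DOMAIN, hostname, fqdn) are kept as-is, the sample authids are constructed rather than captured from a real bind, and matching is treated as case-insensitive, which is how I understand slapd compiles these patterns (REG_EXTENDED|REG_ICASE); slapauth remains the authoritative check.

```python
import re
from typing import Dict, List, Optional, Tuple

# One olcAuthzRegexp rule: (extended-regex pattern, replacement template).
# List order is the {n} index. slapd tries the rules in order and uses the
# FIRST one whose pattern matches the SASL authid, substituting $1..$9 with
# that pattern's parenthesised groups. Later rules are never chained.
Rule = Tuple[str, str]

BASE = "dc=hostname,dc=domain"

# Post #1, first attempt (patterns copied from the thread).
ORIGINAL_RULES: List[Rule] = [
    (r"uid=([^,]*),cn=domain,cn=gssapi,cn=auth", "cn=$1,ou=Users," + BASE),
    (r"uid=([^,]*),cn=DOMAIN,cn=gssapi,cn=auth", "cn=$1,ou=Users," + BASE),
    (r"uid=([^,]*),cn=gssapi,cn=auth",           "cn=$1,ou=Users," + BASE),
]

# Post #2, revised rules. '/' is excluded from the first capture so that a
# service principal such as ldap/fqdn cannot match rule {0} and instead
# reaches the krbPrincipalName rule.
REVISED_RULES: List[Rule] = [
    (r"uid=([^,/]*)(,cn=domain)?,cn=gssapi,cn=auth", "cn=$1,ou=Users," + BASE),
    (r"uid=([^,]*)(,cn=domain)?,cn=gssapi,cn=auth",
     "krbPrincipalName=$1@DOMAIN,cn=DOMAIN,cn=Kerberos," + BASE),
]


def apply_authz_regexp(rules: List[Rule], authid: str) -> Optional[str]:
    """Return the DN the first matching rule maps `authid` to, or None.

    None models "no rule matched": slapd then keeps the raw
    uid=...,cn=auth authid as the bind identity, which matches no entry
    and normally no ACL, so the bind succeeds but has no rights.
    Case-insensitive matching is an assumption (see lead-in).
    """
    for pattern, template in rules:
        m = re.search(pattern, authid, re.IGNORECASE)
        if m is None:
            continue

        def expand(ref) -> str:
            n = int(ref.group(1))
            if n > m.re.groups:
                return ""               # $n with no such group: nothing to insert
            return m.group(n) or ""     # optional group that did not take part -> ""

        return re.sub(r"\$(\d)", expand, template)
    return None


def map_all(rules: List[Rule], authids: List[str]) -> Dict[str, Optional[str]]:
    """Map every authid through one rule set; useful as a before/after diff."""
    return {a: apply_authz_regexp(rules, a) for a in authids}


# Constructed authids (not captured from a real bind) in the shape slapd
# builds for GSSAPI: uid=<principal>[,cn=<realm>],cn=gssapi,cn=auth.
# 'domain' stands in for the realm, as it does throughout the thread.
SAMPLE_AUTHIDS = [
    "uid=user,cn=domain,cn=gssapi,cn=auth",        # plain user, realm present
    "uid=user,cn=gssapi,cn=auth",                  # plain user, no realm part
    "uid=ldap/fqdn,cn=domain,cn=gssapi,cn=auth",   # the slapd service principal
    "uid=user,cn=other.realm,cn=gssapi,cn=auth",   # principal from a foreign realm
]

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL_RULES), ("revised", REVISED_RULES)):
        print(f"--- {name} rules ---")
        for authid, dn in map_all(rules, SAMPLE_AUTHIDS).items():
            print(f"{authid:45} -> {dn}")
```

Running it prints, for each rule set, where every sample authid ends up. Two results are worth checking against your own directory: the foreign-realm principal matches nothing in either set (no rule carries a cn=other.realm component and rule {2} of the first set requires cn=gssapi to follow the uid directly), and a replacement that is a plain DN is used by slapd as the identity without looking the entry up, so a mapping to a non-existent cn=ldap/fqdn,ou=Users entry fails silently at the ACL stage rather than at bind time. Once the model agrees with what you expect, confirm each case with `slapauth -d 4 -M GSSAPI -R <realm> <principal>` as in the post above, since slapauth runs the real slapd code.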