
kadmin errors connecting to ldapi socket



Hi everybody.

I'm a little bit confused about the way Heimdal connects to my LDAP
server, so here are a few facts:

I have configured OpenLDAP (slapd 2.2.23-8 on debian stable) and Heimdal
(0.6.3-10sarge2) to connect over a unix domain socket:

The socket seems to be open (lsof): 
> slapd  24610 root 8u unix 0xf700f0f0   11130205 /var/run/ldapi

and should be writable as well:

> srwxr-x---  1 root root 0 2006-06-04 20:54 /var/run/ldapi=

/etc/ldap/slapd.conf gives write access:

access to dn.subtree="ou=KerberosPrincipals,dc=blinkenlichten,dc=de"
	 by sockurl="ldapi://%2Fvar%2Frun%2Fldapi" write        

(also tried:

	by sockurl="ldapi:///" write
	by sockname="PATH=/var/run/ldapi" write

but that doesn't work either)

kadmin -l 
> init BLINKENLICHTEN.DE

fails:

> kadmin: kadm5_create_principal: ldap_add_s: default@blinkenlichten.de (dn=cn=default@blinkenlichten.de,ou=KerberosPrincipals,dc=blinkenlichten,dc=de) Insufficient access

OpenLDAP logs:

> slapd[26720]: connection_input: conn=4 deferring operation: binding

When I do an anonymous bind to the socket I get a proper response:

# ldapsearch -x -H ldapi:///

[...]
# KerberosPrincipals, blinkenlichten.de
dn: ou=KerberosPrincipals,dc=blinkenlichten,dc=de
description: Kerberos
objectClass: top
objectClass: organizationalUnit
ou: KerberosPrincipals
[...]

It seems to me that kadmin is looking at /etc/ldap/ldap.conf, tries to
do a strong bind to the socket using GSSAPI and fails:

[...]
open("/usr/lib/sasl2/libgssapiv2.la", O_RDONLY) = 5
[...]
connect(4, {sa_family=AF_FILE, path="/var/run/ldapi"}, 110) = 0
[...]
sendto(3, "\\\0\0\0", 4, 0, {sa_family=AF_FILE, path="ldap:ou=KerberosPrincipals,dc=blinkenlichten,dc=de.signal"}, 110) = -1 ENOENT (No such file or directory)
[...]
write(5, "0\202\1\235\2\1\2c\202\1\226\4-ou=KerberosPrincipa"..., 417) = 417
select(1024, [5], [], NULL, NULL)       = 1 (in [5])
read(5, "0\f\2\1\2e\7\n", 8)            = 8
read(5, "\1\0\4\0\4\0", 6)              = 6
time(NULL)                              = 1149451305
time(NULL)                              = 1149451305
write(5, "0\202\2\212\2\1\3h\202\2\203\4[cn=krbtgt/blinkenli"..., 654) = 654
select(1024, [5], [], NULL, NULL)       = 1 (in [5])
read(5, "0%\2\1\3i \n", 8)              = 8
read(5, "\0012\4\0\4\31no write access to parent", 31) = 31
time(NULL)                              = 1149451305
write(5, "0\5\2\1\4B\0", 7)             = 7
close(5)                                = 0
[...]
write(2, "kadm5_create_principal: ldap_add"..., 161kadm5_create_principal: ldap_add_s: default@blinkenlichten.de (dn=cn=default@blinkenlichten.de,ou=KerberosPrincipals,dc=blinkenlichten,dc=de) Insufficient access) = 161

The whole strace is available at http://pastebin.com/758386

If I understand Heimdal and LDAP correctly, it should never try to do a
strong bind to an ldapi socket using GSSAPI, should it?

Any hint is much appreciated,

Rouven Sacha


Dies ist ein digital signierter Nachrichtenteil
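As an added example (not part of Rouven's post or of Heimdal/OpenLDAP), the following Python decoder reads the LDAP protocol bytes that strace shows in the exchange above. The byte strings are transcribed from the quoted strace reads and writes, and the decoder covers only the BER forms that appear there; it shows that message 3 is the addRequest and that the server answers it with LDAP result code 50 (insufficientAccessRights, "no write access to parent"), while the preceding search (message 2) succeeded.

```python
# BER tags of the LDAP operations seen in the trace (APPLICATION class, RFC 4511 section 4)
OPS = {0x42: "unbindRequest", 0x63: "searchRequest", 0x65: "searchResDone",
       0x68: "addRequest", 0x69: "addResponse"}
# LDAP result codes seen in the trace (RFC 4511 appendix A)
RESULT_CODES = {0: "success", 50: "insufficientAccessRights"}

# Constructed sample input: bytes transcribed from the strace read()/write() calls above
SEARCH_DONE = b"0\x0c\x02\x01\x02e\x07\n" + b"\x01\x00\x04\x00\x04\x00"
ADD_RESPONSE = b"0%\x02\x01\x03i \n" + b"\x01\x32\x04\x00\x04\x19no write access to parent"
ADD_REQUEST_PREFIX = b"0\x82\x02\x8a\x02\x01\x03h\x82\x02\x83\x04[cn=krbtgt/blinkenli"
UNBIND = b"0\x05\x02\x01\x04B\x00"


def read_tlv(buf, pos=0):
    """Read one BER tag-length-value at buf[pos]; return (tag, value, next_pos).
    Handles the short length form and the long form (0x8N followed by N length bytes)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def request_op(prefix):
    """Identify message id and operation of a request from its (possibly truncated)
    prefix; strace's abbreviated output is enough because only the headers are read."""
    tag, body, _ = read_tlv(prefix)
    if tag != 0x30:
        raise ValueError("LDAPMessage must be a SEQUENCE")
    _, msgid, pos = read_tlv(body)
    return {"message_id": int.from_bytes(msgid, "big"), "op": OPS.get(body[pos], hex(body[pos]))}


def decode_response(msg):
    """Decode a complete LDAPMessage carrying an LDAPResult (searchResDone, addResponse)."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("LDAPMessage must be a SEQUENCE")
    _, msgid, pos = read_tlv(body)
    op, result, _ = read_tlv(body, pos)
    # LDAPResult ::= SEQUENCE { resultCode ENUMERATED, matchedDN, diagnosticMessage, ... }
    _, code, pos = read_tlv(result)
    _, matched, pos = read_tlv(result, pos)
    _, diag, _ = read_tlv(result, pos)
    code = int.from_bytes(code, "big")
    return {"message_id": int.from_bytes(msgid, "big"), "op": OPS.get(op, hex(op)),
            "result_code": code, "result": RESULT_CODES.get(code, "unknown"),
            "matched_dn": matched.decode(), "diagnostic": diag.decode()}


if __name__ == "__main__":
    print(request_op(ADD_REQUEST_PREFIX))   # message 3 is the addRequest ...
    print(decode_response(ADD_RESPONSE))    # ... answered with result code 50
    print(decode_response(SEARCH_DONE), request_op(UNBIND))
```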