
Re: Need help in nslcd setup for kerberoes+ldap




Hi
 
I cross compiled both ldapsearch and nslcd for my embedded environment. 'ldapsearch' is linked to the libsasl2.so.3 library, whereas 'nslcd' is not linked to the libsasl2.so.3 library. I configured nslcd with the following option: `./configure --host=x86`. Any suggestions on how to link with the sasl library?
 
./ldd /tmp/ldapsearch
    libsasl2.so.3 => /usr/lib/libsasl2.so.3 (0x76ecb000)
    libssl.so.1.0.2 => /usr/lib/libssl.so.1.0.2 (0x42580000)
    libcrypto.so.1.0.2 => /usr/lib/libcrypto.so.1.0.2 (0x423f0000)
    libresolv.so.2 => /lib/libresolv.so.2 (0x42390000)
    libc.so.6 => /lib/libc.so.6 (0x41d80000)
    libdl.so.2 => /lib/libdl.so.2 (0x42370000)
    libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x42040000)
    libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x41f60000)
    libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x41f20000)
    libcom_err.so.2 => /lib/libcom_err.so.2 (0x41f00000)
    libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0x42020000)
    /lib/ld-linux.so.3 (0x76ef2000)
    libpthread.so.0 => /lib/libpthread.so.0 (0x41ed0000)
 
./ldd /tmp/nslcd
    libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x42040000)
    liblber-2.4.so.2 => /usr/lib/liblber-2.4.so.2 (0x423c0000)
    libldap_r-2.4.so.2 => /usr/lib/libldap_r-2.4.so.2 (0x42090000)
    libdl.so.2 => /lib/libdl.so.2 (0x42370000)
    libpthread.so.0 => /lib/libpthread.so.0 (0x41ed0000)
    libc.so.6 => /lib/libc.so.6 (0x41d80000)
    libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x41f60000)
    libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x41f20000)
    libcom_err.so.2 => /lib/libcom_err.so.2 (0x41f00000)
    libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0x42020000)
    libresolv.so.2 => /lib/libresolv.so.2 (0x42390000)
    libssl.so.1.0.2 => /usr/lib/libssl.so.1.0.2 (0x42580000)
    libcrypto.so.1.0.2 => /usr/lib/libcrypto.so.1.0.2 (0x423f0000)
    /lib/ld-linux.so.3 (0x76f45000)
 
Thanks and Regards,
Raviteja Bailapudi
IBM Systems & Technology Lab, Firmware Development,
 
 
----- Original message -----
From: Raviteja Bailapudi/India/IBM
To: whm@dropbox.com, arthur@arthurdejong.org
Cc: nss-pam-ldapd-users@lists.arthurdejong.org
Subject: Re: Need help in nslcd setup for kerberoes+ldap
Date: Wed, Dec 5, 2018 6:08 PM
 
Hi Bill,
 
'ldapsearch' is working fine in my embedded system, but nslcd still fails to bind to the LDAP server even after providing the localhost.tgt.
 
Here is nslcd trace:
nslcd: [8b4567] DEBUG: connection from  pid=2045 uid=0 gid=0
nslcd: [8b4567] <passwd="tom"> DEBUG: myldap_search(base="dc=example,dc=com", filter="(&(objectclass=*)(uid=tom))")
nslcd: [8b4567] <passwd="tom"> DEBUG: ldap_initialize(ldap://raspberrypi)
nslcd: [8b4567] <passwd="tom"> DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] <passwd="tom"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] <passwd="tom"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] <passwd="tom"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] <passwd="tom"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] <passwd="tom"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] <passwd="tom"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_OFF)
nslcd: [8b4567] <passwd="tom"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] <passwd="tom"> DEBUG: ldap_sasl_interactive_bind_s(NULL,"GSSAPI") (uri="ldap://raspberrypi")
nslcd: [8b4567] <passwd="tom"> failed to bind to LDAP server ldap://raspberrypi: Not Supported
nslcd: [8b4567] <passwd="tom"> DEBUG: ldap_unbind()
 
Here is nslcd conf:
cat /etc/nslcd.conf
uid root
gid root
 
uri ldap://raspberrypi
 
base dc=example,dc=com
scope sub
 
ldap_version 3
sasl_mech GSSAPI
sasl_realm NETWORKBOX.NET
krb5_ccname FILE:/tmp/localhost.tgt
referrals   off
pagesize 1000
 
filter passwd (objectclass=*)
map passwd gecos displayName
filter group (objectclass=posixGroup)
 
We got ldapsearch working with GSSAPI; below is the detailed output.
 
./ldapsearch -H ldap://raspberrypi -R NETWORKBOX.NET -Y GSSAPI uid=tom -b "dc=example,dc=com"
SASL/GSSAPI authentication started
SASL username: tom@NETWORKBOX.NET
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: uid=tom
# requesting: ALL
#
# tom, people, example.com
dn: uid=tom,ou=people,dc=example,dc=com
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
cn: tom
sn: j
uid: tom
uidNumber: 1301
gidNumber: 1300
homeDirectory: /home/tom
loginShell: /bin/bash
# search result
search: 4
result: 0 Success
# numResponses: 2
 
Thanks and Regards,
Raviteja Bailapudi
IBM Systems & Technology Lab, Firmware Development,
 
 
----- Original message -----
From: Bill MacAllister <whm@dropbox.com>
Sent by: "nss-pam-ldapd-users" <nss-pam-ldapd-users-bounces+rbailapu=in.ibm.com@lists.arthurdejong.org>
To: Raviteja Bailapudi <rbailapu@in.ibm.com>
Cc: nss-pam-ldapd-users@lists.arthurdejong.org
Subject: Re: Need help in nslcd setup for kerberoes+ldap
Date: Tue, Dec 4, 2018 11:40 PM
 
On 12/3/18 5:08 AM, Raviteja Bailapudi wrote:
> Hi Bill
> Thank you so much for the quick reply. I could progress in getting
> nslcd working with GSSAPI to fetch the LDAP user details on a debian
> desktop.
> But now I am trying to get a similar setup working on an embedded
> system, and using the same configuration files, nslcd on the embedded
> system fails to bind to the LDAP server.
> Here is nslcd trace on my embedded system:
> nslcd: [8b4567] DEBUG: connection from pid=3561 uid=0 gid=0
> nslcd: [8b4567] <passwd="tom"> DEBUG:
> myldap_search(base="dc=example,dc=com",
> filter="(&(objectClass=posixAccount)(uid=tom))")
> nslcd: [8b4567] <passwd="tom"> DEBUG: ldap_initialize(ldap://raspberrypi)
> nslcd: [8b4567] <passwd="tom"> DEBUG: ldap_set_rebind_proc()
> nslcd: [8b4567] <passwd="tom"> DEBUG:
> ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
> nslcd: [8b4567] <passwd="tom"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
> nslcd: [8b4567] <passwd="tom"> DEBUG:
> ldap_set_option(LDAP_OPT_TIMELIMIT,0)
> nslcd: [8b4567] <passwd="tom"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
> nslcd: [8b4567] <passwd="tom"> DEBUG:
> ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
> nslcd: [8b4567] <passwd="tom"> DEBUG:
> ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_OFF)
> nslcd: [8b4567] <passwd="tom"> DEBUG:
> ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
> nslcd: [8b4567] <passwd="tom"> DEBUG:
> ldap_sasl_bind_s(NULL,"GSSAPI",NULL) (uri="ldap://raspberrypi")
> nslcd: [8b4567] <passwd="tom"> failed to bind to LDAP server
> ldap://raspberrypi: SASL bind in progress: SASL(0): successful result:
> nslcd: [8b4567] <passwd="tom"> DEBUG: ldap_unbind()
> nslcd: [8b4567] <passwd="tom"> no available LDAP server found,
> sleeping 1 seconds
> Below is my trace on working debian client :
> nslcd: [8b4567] DEBUG: connection from pid=370 uid=0 gid=0
> nslcd: [8b4567] <passwd="*"> request denied by validnames option
> nslcd: [7b23c6] DEBUG: connection from pid=370 uid=0 gid=0
> nslcd: [7b23c6] <passwd="tom"> DEBUG:
> myldap_search(base="dc=example,dc=com",
> filter="(&(objectClass=posixAccount)(uid=tom))")
> nslcd: [7b23c6] <passwd="tom"> DEBUG: ldap_initialize(ldap://raspberrypi)
> nslcd: [7b23c6] <passwd="tom"> DEBUG: ldap_set_rebind_proc()
> nslcd: [7b23c6] <passwd="tom"> DEBUG:
> ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
> nslcd: [7b23c6] <passwd="tom"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
> nslcd: [7b23c6] <passwd="tom"> DEBUG:
> ldap_set_option(LDAP_OPT_TIMELIMIT,0)
> nslcd: [7b23c6] <passwd="tom"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
> nslcd: [7b23c6] <passwd="tom"> DEBUG:
> ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
> nslcd: [7b23c6] <passwd="tom"> DEBUG:
> ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_OFF)
> nslcd: [7b23c6] <passwd="tom"> DEBUG:
> ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
> nslcd: [7b23c6] <passwd="tom"> DEBUG:
> ldap_sasl_interactive_bind_s(NULL,"GSSAPI") (uri="ldap://raspberrypi")
> nslcd: [7b23c6] <passwd="tom"> DEBUG: do_sasl_interact(): were asked
> for sasl_authzid but we don't have any
> nslcd: [7b23c6] <passwd="tom"> DEBUG: do_sasl_interact(): were asked
> for sasl_authzid but we don't have any
> nslcd: [7b23c6] <passwd="tom"> DEBUG: ldap_result():
> uid=tom,ou=people,dc=example,dc=com
> nslcd: [7b23c6] <passwd="tom"> (re)loading /etc/nsswitch.conf
> nslcd: [7b23c6] <passwd="tom"> DEBUG: ldap_result(): end of results (1
> total)
> I am trying to understand why nslcd calls
> 'ldap_sasl_interactive_bind_s' in debian client setup and calls '
> ldap_sasl_bind_s'  in case of my embedded system ?
I am guessing you are using a debian based system.  Maybe you are
missing libsasl2-modules-gssapi-mit or libsasl2-modules-gssapi-heimdal
packages.

Bill
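
Added example, not part of any message in this thread: a shell check that compares what nslcd.conf asks for (sasl_mech) with what the binary is actually linked against, using captured ldd output, and pulls the bind error out of the debug log. The function names are hypothetical, and the sample inputs are shortened excerpts of the text posted above.

```shell
#!/bin/sh
# Added example (not from the thread): inputs are captured text, so the
# check can run on the build host against output collected on the target.

# Print the sasl_mech value from nslcd.conf text (empty if unset).
conf_sasl_mech() {
    printf '%s\n' "$1" | awk '$1 == "sasl_mech" { print $2; exit }'
}

# Succeed if an ldd listing names the library (matched on soname prefix).
ldd_has_lib() {
    printf '%s\n' "$1" | awk -v lib="$2" '
        index($1, lib ".so") == 1 { found = 1 }
        END { exit !found }'
}

# Print the error text of the first "failed to bind" line in a debug log.
bind_error() {
    printf '%s\n' "$1" |
        sed -n 's/.*failed to bind to LDAP server [^ ]*: \(.*\)$/\1/p' | head -n 1
}

# Verdict: ok-no-sasl, ok, or missing-libsasl2.
check_sasl_linkage() {
    if [ -z "$(conf_sasl_mech "$1")" ]; then echo "ok-no-sasl"
    elif ldd_has_lib "$2" libsasl2; then echo "ok"
    else echo "missing-libsasl2"
    fi
}

# Shortened excerpts of the text posted in the thread.
CONF='uri ldap://raspberrypi
sasl_mech GSSAPI
krb5_ccname FILE:/tmp/localhost.tgt'
LDD_LDAPSEARCH='    libsasl2.so.3 => /usr/lib/libsasl2.so.3 (0x76ecb000)
    libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x42040000)'
LDD_NSLCD='    libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x42040000)
    libldap_r-2.4.so.2 => /usr/lib/libldap_r-2.4.so.2 (0x42090000)'
LOG='nslcd: [8b4567] <passwd="tom"> failed to bind to LDAP server ldap://raspberrypi: Not Supported'

echo "ldapsearch: $(check_sasl_linkage "$CONF" "$LDD_LDAPSEARCH")"
echo "nslcd:      $(check_sasl_linkage "$CONF" "$LDD_NSLCD") (bind error: $(bind_error "$LOG"))"
```

The check only reports the mismatch between configuration and linkage; it does not establish why the build omitted the library.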