1 Reply Latest reply on Feb 26, 2007 2:50 PM by 807573

    error=49 from the LDAP server for GSSAPI Kerberos authentication

    807573
I am trying to find a solution for an ldapsearch failure with GSSAPI Kerberos authentication. I am running Sun Directory Server 5.2 P4 on a Solaris-9 SPARC machine.

Steps:

      bash-2.05# kinit tester1
      Password for tester1@TEST1.COM:
      bash-2.05#

When I do ldapsearch, I am getting the following logs on the server:

      tail -f /var/Sun/mps/slapd-bf1r-dsun-1/logs/access
      [22/Feb/2007:01:44:16 -0700] conn=32 op=-1 msgId=-1 - fd=26 slot=26 LDAP connection from 10.7.30.185 to 10.7.30.16
      [22/Feb/2007:01:44:16 -0700] conn=32 op=0 msgId=1 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
      [22/Feb/2007:01:44:16 -0700] conn=32 op=0 msgId=1 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
      [22/Feb/2007:01:44:16 -0700] conn=32 op=1 msgId=2 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
      [22/Feb/2007:01:44:16 -0700] conn=32 op=1 msgId=2 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
      [22/Feb/2007:01:44:16 -0700] conn=32 op=2 msgId=3 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
      [22/Feb/2007:01:44:16 -0700] conn=32 op=2 msgId=3 - RESULT err=49 tag=97 nentries=0 etime=0
      [22/Feb/2007:01:44:16 -0700] conn=32 op=3 msgId=4 - UNBIND
      [22/Feb/2007:01:44:16 -0700] conn=32 op=3 msgId=-1 - closing - U1
      [22/Feb/2007:01:44:17 -0700] conn=32 op=-1 msgId=-1 - closed.
      [22/Feb/2007:01:45:50 -0700] conn=33 op=-1 msgId=-1 - fd=26 slot=26 LDAP connection from 10.7.30.185 to 10.7.30.16
      [22/Feb/2007:01:45:50 -0700] conn=33 op=0 msgId=1 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
      [22/Feb/2007:01:45:50 -0700] conn=33 op=0 msgId=1 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
      [22/Feb/2007:01:45:50 -0700] conn=33 op=1 msgId=2 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
      [22/Feb/2007:01:45:50 -0700] conn=33 op=1 msgId=2 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
      [22/Feb/2007:01:45:50 -0700] conn=33 op=2 msgId=3 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
      [22/Feb/2007:01:45:50 -0700] conn=33 op=2 msgId=3 - RESULT err=49 tag=97 nentries=0 etime=0
      [22/Feb/2007:01:45:50 -0700] conn=33 op=3 msgId=4 - UNBIND
      [22/Feb/2007:01:45:50 -0700] conn=33 op=3 msgId=-1 - closing - U1
      [22/Feb/2007:01:45:51 -0700] conn=33 op=-1 msgId=-1 - closed.

      -------------------------------------------------------------------------

I am using the default Identity Mapping and the ldif file looks like this:

      dn: cn=default,cn=GSSAPI,cn=identity mapping,cn=config
      objectClass: dsIdentityMapping
      objectClass: nsContainer
      objectClass: dsPatternMatching
      objectClass: top
      cn: default
      dsMatching-pattern: ${Principal}
      creatorsName: cn=directory manager
      createTimestamp: 20070220045812Z
      dsMatching-regexp: uid=(.*)
      dsSearchBaseDN: ou=people,dc=test1,dc=com
      dsMappedDN: uid=${Principal},ou=people,dc=test1,dc=com
modifiersName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
      modifyTimestamp: 20070221082740Z
      -------------------------------------------------------------------------------------------

Following is the snoop for LDAP on the server:

      bash-2.05# !snoop
      snoop -v port 389 | grep LDAP
      Using device /dev/eri (promiscuous mode)
      TCP: Destination port = 389 (LDAP)
      LDAP: ----- LDAP: -----
      LDAP:
      LDAP: ""
      LDAP:
      LDAP: ----- LDAP: -----
      LDAP:
      LDAP: ""
      LDAP:
      TCP: Destination port = 389 (LDAP)
      LDAP: ----- LDAP: -----
      LDAP:
      LDAP: ""
      LDAP:
      TCP: Destination port = 389 (LDAP)
      LDAP: ----- Lightweight Directory Access Protocol Header -----
      LDAP: *[LDAPMessage]
      LDAP: [Message ID]
      LDAP: Operation *[APPL 0: Bind Request]
      LDAP: [Version]
      LDAP: [Object Name]
      LDAP: uid=tester1,ou=people,dc=test1,d
      LDAP: c=com
      LDAP: Authentication: SASL *[3]
      LDAP: [OctetString]
      LDAP: GSSAPI
      LDAP: [OctetString]
      LDAP: *** NOT PRINTED - Too long value ***
      LDAP:
      LDAP: ----- LDAP: -----
      LDAP:
      LDAP: ""
      LDAP:
      LDAP: ----- Lightweight Directory Access Protocol Header -----
      LDAP: *[LDAPMessage]
      LDAP: [Message ID]
      LDAP: Operation *[APPL 1: Bind Response]
      LDAP: [Result Code]
      LDAP: SASL Bind In Progress
      LDAP: [Matched DN]
      LDAP: [Error Message]
      LDAP: SASL Credentials [7]
      LDAP:
      TCP: Destination port = 389 (LDAP)
      LDAP: ----- LDAP: -----
      LDAP:
      LDAP: ""
      LDAP:
      TCP: Destination port = 389 (LDAP)
      LDAP: ----- Lightweight Directory Access Protocol Header -----
      LDAP: *[LDAPMessage]
      LDAP: [Message ID]
      LDAP: Operation *[APPL 0: Bind Request]
      LDAP: [Version]
      LDAP: [Object Name]
      LDAP: uid=tester1,ou=people,dc=test1,d
      LDAP: c=com
      LDAP: Authentication: SASL *[3]
      LDAP: [OctetString]
      LDAP: GSSAPI
      LDAP:
      LDAP: ----- LDAP: -----
      LDAP:
      LDAP: ""
      LDAP:
      LDAP: ----- Lightweight Directory Access Protocol Header -----
      LDAP: *[LDAPMessage]
      LDAP: [Message ID]
      LDAP: Operation *[APPL 1: Bind Response]
      LDAP: [Result Code]
      LDAP: SASL Bind In Progress
      LDAP: [Matched DN]
      LDAP: [Error Message]
      LDAP: SASL Credentials [7]
      LDAP:
      TCP: Destination port = 389 (LDAP)
      LDAP: ----- LDAP: -----
      LDAP:
      LDAP: ""
      LDAP:
      TCP: Destination port = 389 (LDAP)
      LDAP: ----- Lightweight Directory Access Protocol Header -----
      LDAP: *[LDAPMessage]
      LDAP: [Message ID]
      LDAP: Operation *[APPL 0: Bind Request]
      LDAP: [Version]
      LDAP: [Object Name]
      LDAP: uid=tester1,ou=people,dc=test1,d
      LDAP: c=com
      LDAP: Authentication: SASL *[3]
      LDAP: [OctetString]
      LDAP: GSSAPI
      LDAP: [OctetString]
      LDAP:
      LDAP: ----- Lightweight Directory Access Protocol Header -----
      LDAP: *[LDAPMessage]
      LDAP: [Message ID]
      LDAP: Operation *[APPL 1: Bind Response]
      LDAP: [Result Code]
      LDAP: 1
      LDAP: Invalid Credentials
      LDAP: [Matched DN]
      LDAP: [Error Message]
      LDAP: SASL(-1): generic failure:
      LDAP:
      TCP: Destination port = 389 (LDAP)
      LDAP: ----- LDAP: -----
      LDAP:
      LDAP: ""
      LDAP:
      TCP: Destination port = 389 (LDAP)
      LDAP: ----- Lightweight Directory Access Protocol Header -----
      LDAP: *[LDAPMessage]
      LDAP: [Message ID]
      LDAP: Operation [APPL 2: Unbind Request]
      LDAP:
      TCP: Destination port = 389 (LDAP)
      LDAP: ----- LDAP: -----
      LDAP:
      LDAP: ""
      LDAP:
      LDAP: ----- LDAP: -----
      LDAP:
      LDAP: ""
      LDAP:
      LDAP: ----- LDAP: -----
      LDAP:
      LDAP: ""
      LDAP:
      TCP: Destination port = 389 (LDAP)
      LDAP: ----- LDAP: -----
      LDAP:
      LDAP: ""
      LDAP:


      Please help me on how to fix this issue.

      Thanks,
      Radhakrishnan
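As an added example (not from the original post or from Sun's code), the following Python simulates how a dsPatternMatching identity mapping is evaluated and pairs the GSSAPI BIND/RESULT lines from the access log to flag binds that ended in err=49. It assumes the semantics that dsMatching-pattern is expanded, dsMatching-regexp must match the whole expanded value (Python `re` standing in for the server's regex engine), and `$N` groups are substituted into dsMappedDN; REALM_MAPPING is an assumed realm-aware variant, not the poster's configuration.

```python
import re

# Constructed copy of the mapping from the post, plus an assumed variant that maps user@REALM to a uid.
POSTED_MAPPING = {
    "dsMatching-pattern": "${Principal}",
    "dsMatching-regexp": "uid=(.*)",
    "dsMappedDN": "uid=${Principal},ou=people,dc=test1,dc=com",
}
REALM_MAPPING = {
    "dsMatching-pattern": "${Principal}",
    "dsMatching-regexp": r"(.*)@TEST1\.COM",
    "dsMappedDN": "uid=$1,ou=people,dc=test1,dc=com",
}

def expand(template, principal, groups=()):
    """Substitute ${Principal} and $1..$N regexp groups into a template."""
    out = template.replace("${Principal}", principal)
    for i, g in enumerate(groups, start=1):
        out = out.replace("$%d" % i, g)
    return out

def map_principal(mapping, principal):
    """Assumed dsPatternMatching semantics: expand the pattern, require the regexp to
    match the whole result, then build the mapped DN. None means no DN was found."""
    subject = expand(mapping["dsMatching-pattern"], principal)
    m = re.fullmatch(mapping["dsMatching-regexp"], subject)
    return None if m is None else expand(mapping["dsMappedDN"], principal, m.groups())

# Two lines copied from the access log in the post (the failing conn=32 op=2).
ACCESS_LOG = [
    '[22/Feb/2007:01:44:16 -0700] conn=32 op=2 msgId=3 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI',
    '[22/Feb/2007:01:44:16 -0700] conn=32 op=2 msgId=3 - RESULT err=49 tag=97 nentries=0 etime=0',
]
LOG_RE = re.compile(r'conn=(\d+) op=(\d+) .* - (?:BIND dn="([^"]*)".*mech=(\w+)|RESULT err=(\d+))')

def failed_gssapi_binds(lines):
    """Pair each SASL GSSAPI BIND with the RESULT for the same conn/op and
    return (conn, dn) for those that ended in err=49 (invalid credentials)."""
    pending, failures = {}, []
    for m in filter(None, map(LOG_RE.search, lines)):
        key = (m.group(1), m.group(2))
        if m.group(4) == "GSSAPI":
            pending[key] = m.group(3)
        elif m.group(5) is not None and key in pending:
            dn = pending.pop(key)
            if m.group(5) == "49":
                failures.append((int(key[0]), dn))
    return failures
```

With the posted regexp `uid=(.*)`, a principal of the form tester1@TEST1.COM is never matched and no DN is produced, which is one way a GSSAPI bind reaches err=49 after the earlier err=14 "SASL bind in progress" steps; the realm-aware variant maps the same principal to the DN seen in the log.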