[Opendj] SaslException(GSS initiate failed)
Jeff Blaine
jblaine at kickflop.net
Fri Feb 17 15:11:27 EST 2012
export OPENDS_JAVA_ARGS="-Djava.util.logging.config.file=/LDAP/opendj/sasl.logging.properties"
bin/start-ds --nodetach
GSSAPI startup messages:
[17/Feb/2012:14:50:43 -0500] category=EXTENSIONS severity=INFORMATION msgID=1048795 msg=GSSAPI SASL mechanism using a server fully qualified domain name of: barn.our.org
[17/Feb/2012:14:50:43 -0500] category=EXTENSIONS severity=INFORMATION msgID=1048794 msg=GSSAPI mechanism using a principal name of: principal="ldap/barn.our.org
[17/Feb/2012:14:50:43 -0500] category=EXTENSIONS severity=INFORMATION msgID=1049150 msg=The GSSAPI SASL mechanism handler initialization was successful
The query/bind attempt:
opendj:barnowl> bin/ldapsearch --bindDN "uid=jblaine,ou=People,dc=our,dc=org" --baseDN ou=People,dc=our,dc=org --saslOption mech=GSSAPI --saslOption authid=jblaine@OUR.ORG --hostname barn.our.org --port 389 uid=jblaine cn
Password for user 'uid=jblaine,ou=People,dc=our,dc=org':
An error occurred while attempting to perform GSSAPI authentication to the Directory Server: PrivilegedActionException(AccessController.java:-2)
Result Code: 82 (Local Error)
opendj:barnowl>
The Kerberos KDC record of the TGS_REQ:
Feb 17 14:56:13 kdc1.our.org krb5kdc[2529](info): TGS_REQ (5 etypes {deleted_for_privacy}) IP_ADDRESS_OF_BARN_HERE: ISSUE: authtime 1329508573, etypes {deleted_for_privacy}, jblaine@OUR.ORG for ldap/barn.our.org@OUR.ORG
The terminal output from bin/start-ds --nodetach:
Feb 17, 2012 2:56:14 PM com.sun.security.sasl.gsskerb.GssKrb5Server constructor
FINE: SASLIMPL01:Preferred qop property: auth
Feb 17, 2012 2:56:14 PM com.sun.security.sasl.gsskerb.GssKrb5Server constructor
FINE: SASLIMPL02:Preferred qop mask: 1
Feb 17, 2012 2:56:14 PM com.sun.security.sasl.gsskerb.GssKrb5Server constructor
FINE: SASLIMPL03:Preferred qops : 1 0 0
Feb 17, 2012 2:56:14 PM com.sun.security.sasl.gsskerb.GssKrb5Server constructor
FINE: SASLIMPL04:Preferred strength property: null
Feb 17, 2012 2:56:14 PM com.sun.security.sasl.gsskerb.GssKrb5Server constructor
FINE: SASLIMPL05:Cipher strengths: 4 2 1
Feb 17, 2012 2:56:14 PM com.sun.security.sasl.gsskerb.GssKrb5Server <init>
FINE: KRB5SRV01:Using service name: ldap@barn.our.org
Feb 17, 2012 2:56:14 PM com.sun.security.sasl.gsskerb.GssKrb5Server <init>
FINE: KRB5SRV02:Initialization complete
Feb 17, 2012 2:56:14 PM com.sun.security.sasl.gsskerb.GssKrb5Server evaluateResponse
FINER: KRB5SRV03:Response [raw]: ( 538 ): 0000: 60 <deleted...>
Note that "Using service name: ldap@barn.our.org" seems wrong to me, but what do I know. I would expect to see the service name as "ldap/barn.our.org@OUR.ORG".

Note, too, which I will submit as a bug report unless you tell me otherwise, that OpenDJ 2.4.3 does not like one mucking with the SASL GSSAPI settings, then reverting them all back to defaults, and trying to 'finish'. This barfs. I had to disable the SASL GSSAPI mechanism, stop the server, start the server, then re-enable the SASL GSSAPI mechanism, make the changes back to defaults, and 'f'inish worked fine.