[Opendj] SaslException(GSS initiate failed)

Jeff Blaine jblaine at kickflop.net
Fri Feb 17 15:11:27 EST 2012


export OPENDS_JAVA_ARGS="-Djava.util.logging.config.file=/LDAP/opendj/sasl.logging.properties"

bin/start-ds --nodetach

GSSAPI startup messages:

[17/Feb/2012:14:50:43 -0500] category=EXTENSIONS severity=INFORMATION 
msgID=1048795 msg=GSSAPI SASL mechanism using a server fully qualified 
domain name of: barn.our.org
[17/Feb/2012:14:50:43 -0500] category=EXTENSIONS severity=INFORMATION 
msgID=1048794 msg=GSSAPI mechanism using a principal name of: 
principal="ldap/barn.our.org
[17/Feb/2012:14:50:43 -0500] category=EXTENSIONS severity=INFORMATION 
msgID=1049150 msg=The GSSAPI SASL mechanism handler initialization was 
successful

The query/bind attempt:

opendj:barnowl> bin/ldapsearch --bindDN 
"uid=jblaine,ou=People,dc=our,dc=org" --baseDN ou=People,dc=our,dc=org 
--saslOption mech=GSSAPI --saslOption authid=jblaine@OUR.ORG --hostname 
barn.our.org --port 389 uid=jblaine cn
Password for user 'uid=jblaine,ou=People,dc=our,dc=org':
An error occurred while attempting to perform GSSAPI authentication to 
the Directory Server: PrivilegedActionException(AccessController.java:-2)
Result Code:  82 (Local Error)
opendj:barnowl>

The Kerberos KDC record of the TGS_REQ

Feb 17 14:56:13 kdc1.our.org krb5kdc[2529](info): TGS_REQ (5 etypes 
{deleted_for_privacy}) IP_ADDRESS_OF_BARN_HERE: ISSUE: authtime 
1329508573, etypes {deleted_for_privacy}, jblaine@OUR.ORG for 
ldap/barn.our.org@OUR.ORG

The terminal output from bin/start-ds --nodetach

Feb 17, 2012 2:56:14 PM com.sun.security.sasl.gsskerb.GssKrb5Server 
constructor
FINE: SASLIMPL01:Preferred qop property: auth
Feb 17, 2012 2:56:14 PM com.sun.security.sasl.gsskerb.GssKrb5Server 
constructor
FINE: SASLIMPL02:Preferred qop mask: 1
Feb 17, 2012 2:56:14 PM com.sun.security.sasl.gsskerb.GssKrb5Server 
constructor
FINE: SASLIMPL03:Preferred qops : 1 0 0
Feb 17, 2012 2:56:14 PM com.sun.security.sasl.gsskerb.GssKrb5Server 
constructor
FINE: SASLIMPL04:Preferred strength property: null
Feb 17, 2012 2:56:14 PM com.sun.security.sasl.gsskerb.GssKrb5Server 
constructor
FINE: SASLIMPL05:Cipher strengths: 4 2 1
Feb 17, 2012 2:56:14 PM com.sun.security.sasl.gsskerb.GssKrb5Server <init>
FINE: KRB5SRV01:Using service name: ldap@barn.our.org
Feb 17, 2012 2:56:14 PM com.sun.security.sasl.gsskerb.GssKrb5Server <init>
FINE: KRB5SRV02:Initialization complete
Feb 17, 2012 2:56:14 PM com.sun.security.sasl.gsskerb.GssKrb5Server 
evaluateResponse
FINER: KRB5SRV03:Response [raw]: ( 538 ): 0000: 60 <deleted...>

Note that "Using service name: ldap@barn.our.org" seems wrong
to me, but what do I know.  I would expect to see the service
name as "ldap/barn.our.org@OUR.ORG"

Note, too, which I will submit as a bug report unless you
tell me otherwise, that OpenDJ 2.4.3 does not like one
mucking with the SASL GSSAPI settings, then reverting
them all back to defaults, and trying to 'finish'.
This barfs.  I had to disable the SASL GSSAPI mechanism,
stop the server, start the server, then re-enable the
SASL GSSAPI mechanism, make the changes back to defaults,
and 'f'inish worked fine.
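As an added example (not part of the original post or of OpenDJ), the following script cross-checks the principal spellings that show up in the three logs above: the KDC's TGS_REQ line names the service as a Kerberos principal (ldap/barn.our.org@OUR.ORG), while the Java SASL server logs the same service in GSS-API host-based form (ldap@barn.our.org). It converts between the two forms and flags a host, realm or cross-realm mismatch; the log lines it parses are constructed to mirror the post, with made-up etypes and client IP.

```python
import re

# Constructed samples modelled on the logs quoted in the post
# (etypes and the client IP are made-up values).
KDC_LINE = ("Feb 17 14:56:13 kdc1.our.org krb5kdc[2529](info): TGS_REQ (5 etypes "
            "{18 17 16 23 3}) 192.0.2.10: ISSUE: authtime 1329508573, etypes "
            "{18 18 18}, jblaine@OUR.ORG for ldap/barn.our.org@OUR.ORG")
SASL_LINE = "FINE: KRB5SRV01:Using service name: ldap@barn.our.org"

def parse_kdc_tgs_req(line):
    """Return (client, service) from a krb5kdc 'TGS_REQ ... ISSUE' line, else None."""
    m = re.search(r"ISSUE: .*, (\S+) for (\S+)\s*$", line)
    return (m.group(1), m.group(2)) if m else None

def gss_service_name(principal):
    """Kerberos 'svc/host@REALM' -> GSS-API host-based name 'svc@host' (RFC 2743)."""
    name, _, _realm = principal.partition("@")
    svc, sep, host = name.partition("/")
    if not sep or not host:
        raise ValueError("not a two-component service principal: " + principal)
    return f"{svc}@{host.lower()}"

def kerberos_principal(gss_name, realm):
    """Inverse of gss_service_name: 'svc@host' -> 'svc/host@REALM'."""
    svc, _, host = gss_name.partition("@")
    return f"{svc}/{host}@{realm}"

def check_consistency(kdc_line, sasl_line, expected_realm):
    """Compare the service ticket the KDC issued with the SASL server's registered
    service name. Returns a list of findings; an empty list means they line up."""
    parsed = parse_kdc_tgs_req(kdc_line)
    m = re.search(r"Using service name: (\S+)", sasl_line)
    if parsed is None or m is None:
        return ["could not parse the KDC or SASL line"]
    client, service = parsed
    sasl_name = m.group(1)
    findings = []
    if gss_service_name(service) != sasl_name.lower():
        findings.append(f"ticket is for {service} but server registered {sasl_name}")
    if not service.endswith("@" + expected_realm):
        findings.append(f"service realm is not {expected_realm}: {service}")
    if client.rpartition("@")[2] != service.rpartition("@")[2]:
        findings.append(f"client and service realms differ: {client} vs {service}")
    return findings

if __name__ == "__main__":
    print(check_consistency(KDC_LINE, SASL_LINE, "OUR.ORG") or "names are consistent")
```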