[Pkg-openldap-devel] ldap/localhost TGS requested for remote ldapsearch request

Dan White dwhite at olp.net
Tue Apr 17 18:42:58 BST 2018


On 04/17/18 16:52 +0000, marlox at ouda.fr wrote:
>I solved the issue.

>I add the AD FQDN in /etc/hosts to get the reverse name and the error has disappeared.
>
>For your information, I have done other investigations to solve this issue and I find that SPN *may* be set in openldap.
>I don't know if such element can be used to improve OpenLdap or Cyrus.

I'm not familiar with SPN, but based on my reading and the context here, I believe
your concern here is regarding the hostname.

If that's the case, you may find the sasl-host (olcSaslHost) and sasl-realm
(olcSaslRealm) slapd options useful.

>If I check manually the value, they are OK.
>
># ldapsearch -H ldap://SRV_B.domain.tld -x -b "" -s base -LLL supportedSASLMechanisms
>dn:
>supportedSASLMechanisms: GSSAPI
>supportedSASLMechanisms: GSS-SPNEGO
>supportedSASLMechanisms: EXTERNAL
>supportedSASLMechanisms: DIGEST-MD5
># ldapsearch -H ldap://SRV_B.domain.tld -x -b "" -s base -LLL ldapServiceName
>dn:
>ldapServiceName: domain.tld:SRV_B$@REALM
># ldapsearch -H ldap://SRV_B.domain.tld -x -b "" -s base -LLL dnsHostName
>dn:
>dnsHostName: SRV_B.domain.tld
>
>If I look in the strace dump I have done, I get:
># grep supportedSASLMechanisms dump.log
>write(3<TCP:[SRV_A:43210->SRV_B:389]>, "0>\2\1\1c9\4\0\n\1\0\n\1\0\2\1\0\2\1\0\1\1\0\207\vobjectclass0\31\4\27supportedSASLMechanisms", 64) = 64
>read(3<TCP:[SRV_A:43210->SRV_B:389]>, "\1d\204\0\0\0W\4\0000\204\0\0\0O0\204\0\0\0I\4\27supportedSASLMechanisms1\204\0\0\0*\4\6GSSAPI\4\nGSS-SPNEGO\4\10EXTERNAL\4\nDIGEST-MD5", 94) = 94
># grep ldapServiceName dump.log
># grep dnsHostName dump.log
>
>So, according to this incoherency, this is not the executed source code.
>
>supportedSASLMechanisms is also available in libraries/libldap/sasl.c without other part in "ldap_pvt_sasl_getmechs" function,
>in this same file, this function is only called in "ldap_sasl_interactive_bind" and calls "ldap_int_sasl_bind" (in libraries/libldap/cyrus.c).
>In this last function, I was able to find the printed string "SASL/ authentication started"
>
>My point is to identify where the "ldap" part of the SPN is defined to identify whether the issue is related to openldap.
>Searching for "ldap" in cyrus.c points to sasl_client_new( "ldap", host, NULL, NULL, client_callbacks, 0, &ctx);
>
>After an overview of "ldap_int_sasl_bind" and "sasl_client_new", it seems that the SPN is built by the SASL layer from the
>"ldap" and host arguments, and it is frustrating to see ldap GSSAPI solve the issue but not Cyrus SASL.
>
>Thank you for your reading.
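The quoted message observes that the client-side SPN is assembled from the fixed "ldap" service and the host passed to sasl_client_new(), and that an /etc/hosts entry providing the reverse name made the "ldap/localhost" ticket request go away. The following is an added illustration, not code from the thread or from OpenLDAP or Cyrus SASL: a simplified model of how the Kerberos library canonicalizes that host (forward lookup, then, with rdns enabled, the reverse lookup of the address) before building "ldap/<host>@<REALM>", using constructed lookup tables in place of DNS and /etc/hosts.

```python
from typing import Dict, Optional

# Constructed lookup tables standing in for DNS and /etc/hosts.
# Names and addresses are placeholders, not values from the thread.
FORWARD: Dict[str, str] = {"srv_b.domain.tld": "192.0.2.10"}
PTR_DNS: Dict[str, str] = {"192.0.2.10": "localhost"}          # wrong reverse name
PTR_HOSTS: Dict[str, str] = {"192.0.2.10": "srv_b.domain.tld"}  # after the /etc/hosts fix


def canonical_host(host: str, rdns: bool, reverse: Dict[str, str]) -> str:
    """Simplified model of krb5 host canonicalization: resolve the name
    forward, then, if rdns is enabled, prefer the reverse lookup of the
    resulting address. A failed reverse lookup keeps the forward name;
    a wrong one silently replaces it (hence a ticket for ldap/localhost)."""
    name = host.lower().rstrip(".")
    addr = FORWARD.get(name)
    if addr is None:
        raise LookupError(f"cannot resolve {host}")
    if rdns:
        name = reverse.get(addr, name)
    return name


def service_principal(host: str, realm: str, rdns: bool = True,
                      reverse: Optional[Dict[str, str]] = None) -> str:
    """SPN a GSSAPI client requests for sasl_client_new('ldap', host, ...)."""
    table = PTR_DNS if reverse is None else reverse
    return f"ldap/{canonical_host(host, rdns, table)}@{realm}"


def matches_server(principal: str, dns_host_name: str, realm: str) -> bool:
    """Does the requested SPN name the host the server advertises
    (the dnsHostName attribute shown in the thread's ldapsearch output)?"""
    return principal.lower() == f"ldap/{dns_host_name}@{realm}".lower()


if __name__ == "__main__":
    cases = (("rdns=false", False, PTR_DNS),
             ("rdns=true, wrong PTR", True, PTR_DNS),
             ("rdns=true, /etc/hosts fixed", True, PTR_HOSTS))
    for label, rdns, table in cases:
        spn = service_principal("SRV_B.domain.tld", "REALM", rdns, table)
        ok = matches_server(spn, "SRV_B.domain.tld", "REALM")
        print(f"{label:28} -> {spn}  matches server: {ok}")
```

The same mismatch can be observed on a real client by comparing the ticket principal in klist output after the bind with the server's dnsHostName; disabling rdns in krb5.conf is the alternative to fixing the reverse entry.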


