Hello,

I am attempting to get a user to log in over LDAP with the SASL
DIGEST-MD5 method. I get error 49, invalid credentials.

My client tool is the openLDAP ldapsearch utility which lets me specify
the SASL mechanism.

DIGEST-MD5 was not installed to my tree (on eDir 8.8.7/SLES 11SP1) when
I started. I installed it using iManager. I restarted eDir.

Here is what I get from ndstrace:

3202062080 LDAP: [2012/11/07 14:46:15.779] DEBUG: New TLS connection
0xdbce000 from 127.0.0.1:52062, monitor = 0xffffffffa6c5c700, index = 2
2797979392 LDAP: [2012/11/07 14:46:15.780] INFO: Monitor
0xffffffffa6c5c700 initiating TLS handshake on connection 0xdbce000
2802247424 LDAP: [2012/11/07 14:46:15.780] INFO:
(127.0.0.1:52062)(0x0000:0x00) DoTLSHandshake on connection 0xdbce000
2802247424 LDAP: [2012/11/07 14:46:15.786] INFO: BIO ctrl called with
unknown cmd 7
2802247424 LDAP: [2012/11/07 14:46:15.786] INFO:
(127.0.0.1:52062)(0x0000:0x00) Completed TLS handshake on connection
0xdbce000
2782131968 LDAP: [2012/11/07 14:46:15.789] DEBUG:
(127.0.0.1:52062)(0x0001:0x60) DoBind on connection 0xdbce000
2782131968 LDAP: [2012/11/07 14:46:15.789] DEBUG:
(127.0.0.1:52062)(0x0001:0x60) Bind name:cn=sampson,ou=users,o=sss,
version:3, authentication:DIGEST-MD5
2782131968 RSLV: [2012/11/07 14:46:15.789] DEBUG: Connect to
tcp:127.0.0.1:524 succeeded
2782131968 NMAS: [2012/11/07 14:46:15.789] INFO: 262160: Create NMAS
Session
2782131968 NMAS: [2012/11/07 14:46:15.789] INFO: 262160: SASL DIGEST-MD5
started
2782131968 AREQ: [2012/11/07 14:46:15.789] DEBUG: Calling DS Ping conn:0
for client .sss-idm3.SSS.SSSIDM3.
2782131968 RSLV: [2012/11/07 14:46:15.789] DEBUG: Resolving
\SSSIDM3\Security
2782131968 AREQ: [2012/11/07 14:46:15.789] DEBUG: Calling DSAResolveName
conn:0 for client .sss-idm3.SSS.SSSIDM3.
2782131968 AREQ: [2012/11/07 14:46:15.790] DEBUG: Calling
DSAReadObjectInfo conn:0 for client .sss-idm3.SSS.SSSIDM3.
2782131968 AREQ: [2012/11/07 14:46:15.790] DEBUG: Calling DSARead conn:0
for client .sss-idm3.SSS.SSSIDM3.
2782131968 AREQ: [2012/11/07 14:46:15.790] DEBUG: Calling DS Ping conn:0
for client .sss-idm3.SSS.SSSIDM3.
2782131968 RSLV: [2012/11/07 14:46:15.790] DEBUG: Resolving
\SSSIDM3\CN=Security\CN=Login Policy
2782131968 AREQ: [2012/11/07 14:46:15.790] DEBUG: Calling DSAResolveName
conn:0 for client .sss-idm3.SSS.SSSIDM3.
2782131968 AREQ: [2012/11/07 14:46:15.790] DEBUG: Calling
DSAReadObjectInfo conn:0 for client .sss-idm3.SSS.SSSIDM3.
2782131968 AREQ: [2012/11/07 14:46:15.790] DEBUG: Calling DSARead conn:0
for client .sss-idm3.SSS.SSSIDM3.
2782131968 AREQ: [2012/11/07 14:46:15.790] DEBUG: Calling DS Ping conn:0
for client .sss-idm3.SSS.SSSIDM3.
2782131968 NMAS: [2012/11/07 14:46:15.790] INFO: 262160: NMAS Audit with
Audit PA not installed
2782131968 NMAS: [2012/11/07 14:46:15.790] INFO: 262160: NMAS Audit with
XDAS not installed
2782131968 NMAS: [2012/11/07 14:46:15.790] INFO: 262160: Proxy client
address 127 0 0 1
2782131968 LDAP: [2012/11/07 14:46:15.790] INFO:
(127.0.0.1:52062)(0x0001:0x60) Sending operation result 14:"":"" to
connection 0xdbce000
3217852160 LDAP: [2012/11/07 14:46:15.790] DEBUG:
(127.0.0.1:52062)(0x0002:0x60) DoBind on connection 0xdbce000
3217852160 LDAP: [2012/11/07 14:46:15.790] DEBUG:
(127.0.0.1:52062)(0x0002:0x60) Bind (cont)
name:cn=myuser,ou=users,o=sss, version:3, authentication:DIGEST-MD5
3217852160 AREQ: [2012/11/07 14:46:15.790] DEBUG: Calling DS Ping conn:0
for client .sss-idm3.SSS.SSSIDM3.
3217852160 RSLV: [2012/11/07 14:46:15.790] DEBUG: Resolving
\SSSIDM3\Security
3217852160 AREQ: [2012/11/07 14:46:15.790] DEBUG: Calling DSAResolveName
conn:0 for client .sss-idm3.SSS.SSSIDM3.
3217852160 AREQ: [2012/11/07 14:46:15.791] DEBUG: Calling
DSAReadObjectInfo conn:0 for client .sss-idm3.SSS.SSSIDM3.
3217852160 AREQ: [2012/11/07 14:46:15.791] DEBUG: Calling DSARead conn:0
for client .sss-idm3.SSS.SSSIDM3.
3217852160 AREQ: [2012/11/07 14:46:15.791] DEBUG: Calling DS Ping conn:0
for client .sss-idm3.SSS.SSSIDM3.
3217852160 RSLV: [2012/11/07 14:46:15.791] DEBUG: Resolving
\SSSIDM3\CN=Security\CN=Login Policy
3217852160 AREQ: [2012/11/07 14:46:15.791] DEBUG: Calling DSAResolveName
conn:0 for client .sss-idm3.SSS.SSSIDM3.
3217852160 AREQ: [2012/11/07 14:46:15.791] DEBUG: Calling
DSAReadObjectInfo conn:0 for client .sss-idm3.SSS.SSSIDM3.
3217852160 AREQ: [2012/11/07 14:46:15.791] DEBUG: Calling DSARead conn:0
for client .sss-idm3.SSS.SSSIDM3.
3217852160 RSLV: [2012/11/07 14:46:15.791] DEBUG: Begin->
DCResolveWithConstraint context = 311f004b
3217852160 RSLV: [2012/11/07 14:46:15.791] DEBUG: Getting name service
addresses from cache, succeeded.
3217852160 RSLV: [2012/11/07 14:46:15.791] DEBUG: --> 2 addresses
retrieved.
3217852160 RSLV: [2012/11/07 14:46:15.791] INFO: ->
tcp:127.0.0.1:524 400
3217852160 RSLV: [2012/11/07 14:46:15.791] INFO: -> 4294967295
3217852160 RSLV: [2012/11/07 14:46:15.791] DEBUG: (2)Trying to connect.
tries = 1
3217852160 RSLV: [2012/11/07 14:46:15.791] DEBUG: Connect to
tcp:127.0.0.1:524 succeeded
3217852160 RSLV: [2012/11/07 14:46:15.791] DEBUG: Resolving
\SSSIDM3\root
3217852160 AREQ: [2012/11/07 14:46:15.791] DEBUG: Calling DSAResolveName
conn:3 for client .[Public].
3217852160 RSLV: [2012/11/07 14:46:15.791] INFO: Resolving
\SSSIDM3\root, flags 00004042.
3217852160 RSLV: [2012/11/07 14:46:15.791] INFO: Responding with no such
entry for \SSSIDM3\root
3217852160 AREQ: [2012/11/07 14:46:15.791] DEBUG: DSAResolveName failed,
no such entry (-601).
3217852160 RSLV: [2012/11/07 14:46:15.791] DEBUG: ResolveName Request
failed, no such entry (-601).
3217852160 RSLV: [2012/11/07 14:46:15.791] DEBUG: ------> tag = 0
3217852160 RSLV: [2012/11/07 14:46:15.791] DEBUG: End--->
DCResolveWithConstraint err = -601
3217852160 NMAS: [2012/11/07 14:46:15.791] INFO: 262160: NMAS Audit with
Audit PA not installed
3217852160 NMAS: [2012/11/07 14:46:15.791] INFO: 262160: NMAS Audit with
XDAS not installed
3217852160 NMAS: [2012/11/07 14:46:15.791] INFO: 262160: ERROR: -601
SASL_DoMechanism: NMAS_InvokeMechanism
3217852160 NMAS: [2012/11/07 14:46:15.791] INFO: 262160: Client Session
Destroy Request
3217852160 NMAS: [2012/11/07 14:46:15.791] INFO: 262160: Destroy NMAS
Session
3217852160 NMAS: [2012/11/07 14:46:15.791] INFO: 262160: Aborted Session
Destroyed (with MAF)
3217852160 LDAP: [2012/11/07 14:46:15.791] INFO: Environment variable is
set to not put NMAS NetworkAddress:
3217852160 LDAP: [2012/11/07 14:46:15.791] ERR:
(127.0.0.1:52062)(0x0002:0x60) Failed to authenticate full context on
connection 0xdbce000, err = no such entry (-601)
3217852160 LDAP: [2012/11/07 14:46:15.791] INFO:
(127.0.0.1:52062)(0x0002:0x60) Sending operation result 49:"":"" to
connection 0xdbce000
2797979392 LDAP: [2012/11/07 14:46:15.792] INFO:
(127.0.0.1:52062)(0x0000:0x00) TLS read failure 5 on connection
0xdbce000, setting err = -5875. Error stack:
2797979392 LDAP: [2012/11/07 14:46:15.792] INFO: Monitor
0xffffffffa6c5c700 found connection 0xdbce000 socket failure, err =
-5875, 0 of 0 bytes read
2797979392 LDAP: [2012/11/07 14:46:15.792] INFO: Monitor
0xffffffffa6c5c700 initiating close for connection 0xdbce000
2793768704 LDAP: [2012/11/07 14:46:15.792] INFO: Server closing
connection 0xdbce000, socket error = -5875
2793768704 LDAP: [2012/11/07 14:46:15.792] INFO: Connection 0xdbce000
closed

So the critical point is where NMAS gets -601, no entry, searching for
"SSSIDM3\root" as the [Public] user. I don't know if root is a real
object or if it refers to the tree root. There's no such object visible
in iManager.

Does anyone have any ideas on this?

Thanks!


--
Zygomax
------------------------------------------------------------------------
Zygomax's Profile: https://forums.netiq.com/member.php?userid=215
View this thread: https://forums.netiq.com/showthread.php?t=46108
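The client only ever sees LDAP result 49 (invalidCredentials), which is by design: the server does not tell an unauthenticated peer why a bind failed. The real cause lives in the server-side ndstrace, where the LDAP, NMAS and RSLV modules log on the same thread id. As an added example (not part of Zygomax's post and not NetIQ's tooling), the script below parses a trace in the layout shown above, re-joins lines that were wrapped by the terminal or mail client, and for each "Sending operation result" reports the LDAP code together with the last NDS error, the last name the server tried to resolve and the identity it resolved as. The line format, the sample trace (a constructed excerpt with a placeholder DN) and the small resultCode table (RFC 4511 names) are assumptions of this example.

```python
"""Correlate an eDirectory ndstrace dump to find the NDS error behind a
generic LDAP bind result. Added example; the line layout is inferred from
the trace in the post, not taken from any NetIQ documentation."""
import re
from typing import Dict, List

# Assumed ndstrace layout: <thread> <MODULE>: [<timestamp>] <LEVEL>: <message>
HEADER_RE = re.compile(r"^(\d+)\s+(\w+):\s+\[([^\]]+)\]\s+(\w+):\s*(.*)$")
BIND_RE = re.compile(r"Bind(?: \(cont\))? name:(\S+), version:\d+, authentication:(\S+)")
RESOLVE_RE = re.compile(r"Resolving (\\.+?)(?:, flags .*)?$")
CLIENT_RE = re.compile(r"for client (\S+)")
NDS_ERR_RE = re.compile(r"\((-\d+)\)|ERROR: (-\d+)")
RESULT_RE = re.compile(r"Sending operation result (\d+):")

# RFC 4511 resultCode names relevant to bind triage
LDAP_RESULT_NAMES = {0: "success", 7: "authMethodNotSupported",
                     14: "saslBindInProgress", 48: "inappropriateAuthentication",
                     49: "invalidCredentials", 53: "unwillingToPerform"}

# Constructed excerpt modelled on the post's trace (placeholder DN), wrapped
# the way a terminal or mail client wraps long lines.
SAMPLE_TRACE = "\n".join([
    "2782131968 LDAP: [2012/11/07 14:46:15.789] DEBUG: (127.0.0.1:52062)(0x0001:0x60) Bind",
    "name:cn=exampleuser,ou=users,o=sss, version:3, authentication:DIGEST-MD5",
    "2782131968 NMAS: [2012/11/07 14:46:15.789] INFO: 262160: SASL DIGEST-MD5",
    "started",
    "2782131968 LDAP: [2012/11/07 14:46:15.790] INFO: (127.0.0.1:52062)(0x0001:0x60) Sending",
    'operation result 14:"":"" to connection 0xdbce000',
    "3217852160 LDAP: [2012/11/07 14:46:15.790] DEBUG: (127.0.0.1:52062)(0x0002:0x60) Bind (cont)",
    "name:cn=exampleuser,ou=users,o=sss, version:3, authentication:DIGEST-MD5",
    "3217852160 RSLV: [2012/11/07 14:46:15.791] DEBUG: Resolving",
    "\\SSSIDM3\\root",
    "3217852160 AREQ: [2012/11/07 14:46:15.791] DEBUG: Calling DSAResolveName",
    "conn:3 for client .[Public].",
    "3217852160 AREQ: [2012/11/07 14:46:15.791] DEBUG: DSAResolveName failed,",
    "no such entry (-601).",
    "3217852160 NMAS: [2012/11/07 14:46:15.791] INFO: 262160: ERROR: -601",
    "SASL_DoMechanism: NMAS_InvokeMechanism",
    "3217852160 LDAP: [2012/11/07 14:46:15.791] ERR: (127.0.0.1:52062)(0x0002:0x60) Failed to",
    "authenticate full context on connection 0xdbce000, err = no such entry (-601)",
    "3217852160 LDAP: [2012/11/07 14:46:15.791] INFO: (127.0.0.1:52062)(0x0002:0x60) Sending",
    'operation result 49:"":"" to connection 0xdbce000',
])


def parse_ndstrace(text: str) -> List[Dict[str, str]]:
    """Split a trace into records; a line without a header continues the
    previous record (wrapped output)."""
    records: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            thread, module, ts, level, msg = m.groups()
            records.append({"thread": thread, "module": module, "ts": ts,
                            "level": level, "msg": msg})
        elif records:
            records[-1]["msg"] += " " + line.strip()
    return records


def explain_bind_results(records: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Track per-thread state and, at each operation result, snapshot the
    LDAP code next to the last NDS error and resolve target on that thread."""
    state: Dict[str, Dict[str, object]] = {}
    findings: List[Dict[str, object]] = []
    for r in records:
        st = state.setdefault(r["thread"], {})
        msg = r["msg"]
        if (m := BIND_RE.search(msg)):
            st["bind_dn"], st["mechanism"] = m.group(1), m.group(2)
        if (m := RESOLVE_RE.search(msg)):
            st["last_resolve"] = m.group(1)
        if (m := CLIENT_RE.search(msg)):
            st["resolved_as"] = m.group(1)
        if (m := NDS_ERR_RE.search(msg)):
            st["nds_error"] = int(next(g for g in m.groups() if g))
        if (m := RESULT_RE.search(msg)):
            code = int(m.group(1))
            findings.append({
                "thread": r["thread"], "ts": r["ts"], "ldap_result": code,
                "ldap_result_name": LDAP_RESULT_NAMES.get(code, "unknown"),
                "failed": code not in (0, 14),  # 14 = SASL round trip still open
                "bind_dn": st.get("bind_dn"), "mechanism": st.get("mechanism"),
                "nds_error": st.get("nds_error"),
                "last_resolve": st.get("last_resolve"),
                "resolved_as": st.get("resolved_as"),
            })
    return findings


def summarize(findings: List[Dict[str, object]]) -> List[str]:
    """One triage line per failed bind."""
    return [
        f"thread {f['thread']}: bind of {f['bind_dn']} via {f['mechanism']} returned "
        f"LDAP {f['ldap_result']} ({f['ldap_result_name']}); underlying NDS error "
        f"{f['nds_error']} while resolving {f['last_resolve']} as {f['resolved_as']}"
        for f in findings if f["failed"]
    ]


if __name__ == "__main__":
    for line in summarize(explain_bind_results(parse_ndstrace(SAMPLE_TRACE))):
        print(line)
```

Run against the sample it reports a single failed bind: LDAP 49 on thread 3217852160 with NDS error -601 while resolving \SSSIDM3\root as .[Public]., which is exactly the correlation the post makes by hand. Feeding it a full `ndstrace` capture (with the LDAP, NMAS and RSLV tags enabled) gives the same snapshot for every bind on the server, so a run of 49s from one client can be separated into real bad passwords and server-side resolution or mechanism failures without loosening what the client is told.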