LDAP, SASL GSSAPI, and group membership, rebind fails

Tom Carroll Thomas.Carroll at pnnl.gov
Thu Sep 29 21:04:48 CEST 2016


Hello list,

I'm experiencing difficulties with freeradius-3.0.11 when using 
Ldap-Group and SASL GSSAPI mechanism.

rlm_ldap can successfully query for user accounts, binding anonymously and 
via SASL GSSAPI. But when it queries for group membership, the rebind operation 
fails with the error:

Strong(er) authentication required
Server said: SASL:[GSSAPI]: Sign or Seal are required..

A subset of ldapsearch -X output:

> Thu Sep 29 11:49:54 2016 : Debug: (0) files: Searching for user in group "IPMI Admins"
> Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): Reserved connection (0)
> Thu Sep 29 11:49:54 2016 : Debug: (0) files: EXPAND TMPL XLAT
> Thu Sep 29 11:49:54 2016 : Debug: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})
> Thu Sep 29 11:49:54 2016 : Debug: Parsed xlat tree:
> Thu Sep 29 11:49:54 2016 : Debug: literal --> (sAMAccountName=
> Thu Sep 29 11:49:54 2016 : Debug: if {
> Thu Sep 29 11:49:54 2016 : Debug: 	attribute --> Stripped-User-Name
> Thu Sep 29 11:49:54 2016 : Debug: }
> Thu Sep 29 11:49:54 2016 : Debug: else {
> Thu Sep 29 11:49:54 2016 : Debug: 	attribute --> User-Name
> Thu Sep 29 11:49:54 2016 : Debug: }
> Thu Sep 29 11:49:54 2016 : Debug: literal --> )
> Thu Sep 29 11:49:54 2016 : Debug: (0) files: EXPAND (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})
> Thu Sep 29 11:49:54 2016 : Debug: (0) files:    --> (sAMAccountName=johndoe)
> Thu Sep 29 11:49:54 2016 : Debug: (0) files: EXPAND TMPL LITERAL
> Thu Sep 29 11:49:54 2016 : Debug: (0) files: Performing search in "DC=example,DC=org" with filter "(sAMAccountName=johndoe)", scope "sub"
> Thu Sep 29 11:49:54 2016 : Debug: (0) files: Waiting for search result...
> Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): Rebinding to URL ldap://example.org/CN=Configuration,DC=example,DC=org
> Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): Starting SASL mech(s): GSSAPI
> SASL/GSSAPI authentication started
> Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): SASL challenge : Authorization Name
> Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): SASL prompt    : Please enter your authorization name
> Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): SASL result    : RADIUS1$@EXAMPLE.ORG
> Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): Continuing SASL mech GSSAPI...
> Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): SASL response  : `???	*?H???????
> Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): Continuing SASL mech GSSAPI...
> Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): SASL response  : ????
> Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): Continuing SASL mech (null)...
> Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): SASL response  :
> SASL username: RADIUS1$@EXAMPLE.ORG
> SASL SSF: 56
> SASL data security layer installed.
> Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): Bind successful
> Thu Sep 29 11:49:54 2016 : Debug: (0) files: User object found at DN "CN=johndoe,CN=Users,DC=example,DC=org"
> Thu Sep 29 11:49:54 2016 : Debug: (0) files: Checking for user in group objects
> Thu Sep 29 11:49:54 2016 : Debug: (&(cn=IPMI Admins)(objectClass=group)(member=%{control:Ldap-UserDn}))
> Thu Sep 29 11:49:54 2016 : Debug: Parsed xlat tree:
> Thu Sep 29 11:49:54 2016 : Debug: literal --> (&(cn=IPMI Admins)(objectClass=group)(member=
> Thu Sep 29 11:49:54 2016 : Debug: attribute --> LDAP-UserDN
> Thu Sep 29 11:49:54 2016 : Debug: literal --> ))
> Thu Sep 29 11:49:54 2016 : Debug: (0) files:   EXPAND (&(cn=IPMI Admins)(objectClass=group)(member=%{control:Ldap-UserDn}))
> Thu Sep 29 11:49:54 2016 : Debug: (0) files:      --> (&(cn=IPMI Admins)(objectClass=group)(member=CN\3djohndoe\2cCN\3dUsers\2cDC\3dexample\2cDC\3dorg))
> Thu Sep 29 11:49:54 2016 : Debug: (0) files:   EXPAND TMPL LITERAL
> Thu Sep 29 11:49:54 2016 : Debug: (0) files:   Starting SASL mech(s): GSSAPI
> SASL/GSSAPI authentication started
> Thu Sep 29 11:49:54 2016 : Debug: (0) files:   SASL challenge : Authorization Name
> Thu Sep 29 11:49:54 2016 : Debug: (0) files:   SASL prompt    : Please enter your authorization name
> Thu Sep 29 11:49:54 2016 : Debug: (0) files:   SASL result    : RADIUS1$@EXAMPLE.ORG
> Thu Sep 29 11:49:54 2016 : Debug: (0) files:   Continuing SASL mech GSSAPI...
> Thu Sep 29 11:49:54 2016 : Debug: (0) files:   SASL response  : `???	*?H???????
> Thu Sep 29 11:49:54 2016 : Debug: (0) files:   Continuing SASL mech GSSAPI...
> Thu Sep 29 11:49:54 2016 : Debug: (0) files:   SASL response  : ????
> Thu Sep 29 11:49:54 2016 : ERROR: (0) files:   Bind with (anonymous) to ldap://ad1.example.org:389 failed: Strong(er) authentication required
> Thu Sep 29 11:49:54 2016 : ERROR: (0) files:   Server said: SASL:[GSSAPI]: Sign or Seal are required..
> Thu Sep 29 11:49:54 2016 : Info: rlm_ldap (ldap): Deleting connection (0)
> Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap: Closing libldap handle 0xb46810
> Thu Sep 29 11:49:54 2016 : Info: rlm_ldap (ldap): Need 6 more connections to reach 10 spares
> Thu Sep 29 11:49:54 2016 : Info: rlm_ldap (ldap): Opening additional connection (5), 1 of 28 pending slots used
> Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): Connecting to ldap://smbdc0.example.org:389
> Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): New libldap handle 0xb46810
> Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): Starting SASL mech(s): GSSAPI
> SASL/GSSAPI authentication started
> Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): SASL challenge : Authorization Name
> Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): SASL prompt    : Please enter your authorization name
> Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): SASL result    : RADIUS1$@EXAMPLE.ORG
> Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): Continuing SASL mech GSSAPI...
> Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): SASL response  : `???	*?H???????
> Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): Continuing SASL mech GSSAPI...
> Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): SASL response  : ????
> Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): Continuing SASL mech (null)...
> Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): SASL response  :
> SASL username: RADIUS1$@EXAMPLE.ORG
> SASL SSF: 56
> SASL data security layer installed.
> Thu Sep 29 11:49:54 2016 : Debug: rlm_ldap (ldap): Bind successful
> Thu Sep 29 11:49:54 2016 : Debug: (0) files: User is not a member of "IPMI Admins"
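As an added triage helper (not part of the post above and not FreeRADIUS code), the following Python script walks a constructed excerpt modelled on the quoted debug output, groups the lines into individual bind attempts, and flags the attempt that reached the directory without a SASL security layer (SSF 0). That is the bind Active Directory rejects with "Sign or Seal are required" when LDAP signing is enforced; the successful binds both show `SASL SSF: 56`. The line patterns are assumed from the output shown in the post.

```python
import re

# Constructed excerpt modelled on the rlm_ldap debug output quoted above.
SAMPLE_LOG = """\
Debug: rlm_ldap (ldap): Starting SASL mech(s): GSSAPI
SASL username: RADIUS1$@EXAMPLE.ORG
SASL SSF: 56
SASL data security layer installed.
Debug: rlm_ldap (ldap): Bind successful
Debug: (0) files:   Starting SASL mech(s): GSSAPI
ERROR: (0) files:   Bind with (anonymous) to ldap://ad1.example.org:389 failed: Strong(er) authentication required
ERROR: (0) files:   Server said: SASL:[GSSAPI]: Sign or Seal are required..
Debug: rlm_ldap (ldap): Starting SASL mech(s): GSSAPI
SASL SSF: 56
Debug: rlm_ldap (ldap): Bind successful
"""

# Line patterns assumed from the post's output (not an official log grammar).
BIND_START = re.compile(r"Starting SASL mech\(s\): (\S+)")
SSF = re.compile(r"SASL SSF: (\d+)")
BIND_OK = re.compile(r"Bind successful")
BIND_FAIL = re.compile(r"Bind with \((\w+)\) to (\S+) failed: (.*)")
SERVER_SAID = re.compile(r"Server said: (.*)")


def parse_binds(text):
    """Group log lines into bind attempts: mechanism, identity, SSF, outcome."""
    binds, cur = [], None
    for line in text.splitlines():
        m = BIND_START.search(line)
        if m:
            cur = {"mech": m.group(1), "identity": None, "ssf": 0,
                   "ok": None, "error": None, "server": None}
            binds.append(cur)
            continue
        if cur is None:
            continue
        if (m := SSF.search(line)):
            cur["ssf"] = int(m.group(1))          # security layer negotiated
        elif BIND_OK.search(line):
            cur["ok"] = True
        elif (m := BIND_FAIL.search(line)):
            cur["identity"], cur["ok"], cur["error"] = m.group(1), False, m.group(3)
        elif (m := SERVER_SAID.search(line)):
            cur["server"] = m.group(1)            # directory's diagnostic text
    return binds


def unprotected_binds(binds):
    """Failed binds that never installed a SASL security layer (SSF 0).
    A server enforcing signing/sealing rejects exactly these."""
    return [b for b in binds if b["ssf"] == 0 and b["ok"] is False]
```

Running `unprotected_binds(parse_binds(SAMPLE_LOG))` isolates the anonymous rebind from the two signed GSSAPI binds around it, so the same filter can be pointed at a full `radiusd -X` capture to confirm which bind the directory is refusing.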