Open
Bug 655074
Opened 14 years ago
Updated 2 years ago
GSSAPI and LDAP not working
Categories
(Thunderbird :: Address Book, defect)
Tracking
(Not tracked)
NEW
People
(Reporter: brian, Unassigned)
References
(Blocks 1 open bug)
Details
User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.24 (KHTML, like Gecko) Ubuntu/10.10 Chromium/11.0.696.57 Chrome/11.0.696.57 Safari/534.24
Build Identifier:
I have an LDAP server which allows GSSAPI authentication. That works fine. I can authenticate and browse/search with "GQ" without any problems.
With Thunderbird, however, I can see using Wireshark that it does initially bind with GSSAPI, and it appears to be successful; however, subsequent searches fail.
If I change the authentication method to simple and bind with my password the search returns results.
Where should I start in debugging this? Is there some Thunderbird side debug which will help us determine what is not working?
Reproducible: Always
Comment 1•14 years ago
You can attach a pcap file from Wireshark, or you can follow the instructions at
https://wiki.mozilla.org/MailNews:Logging
Comment 2•14 years ago (Reporter)
NSPR_LOG_MODULES=ldap:5 didn't seem to yield anything terribly useful:
-1324213392[a094f2f0]: nsLDAPConnection::Run() entered
-1216943440[b750f060]: pending operation added; total pending operations now = 1
-1324213392[a094f2f0]: nsLDAPConnection::RemovePendingOperation(): operation removed; total pending operations now = 0
-1324213392[a094f2f0]: pending operation added; total pending operations now = 1
-1324213392[a094f2f0]: nsLDAPConnection::RemovePendingOperation(): operation removed; total pending operations now = 0
-1324213392[a094f2f0]: pending operation added; total pending operations now = 1
-1324213392[a094f2f0]: pending operation removed; total pending operations now = 0
-1454376080[a48f9f50]: nsLDAPConnection::Run() entered
-1216943440[b750f060]: pending operation added; total pending operations now = 1
-1454376080[a48f9f50]: nsLDAPConnection::RemovePendingOperation(): operation removed; total pending operations now = 0
-1454376080[a48f9f50]: pending operation added; total pending operations now = 1
-1454376080[a48f9f50]: nsLDAPConnection::RemovePendingOperation(): operation removed; total pending operations now = 0
-1454376080[a48f9f50]: pending operation added; total pending operations now = 1
-1454376080[a48f9f50]: pending operation removed; total pending operations now = 0
-1324213392[a094f2f0]: unbinding
-1324213392[a094f2f0]: unbound
-1454376080[a48f9f50]: unbinding
-1454376080[a48f9f50]: unbound
Comment 3•14 years ago
Yep, so it's better to see what's going on during binding. Can you attach a pcap file? What LDAP server are you connecting to?
Comment 4•14 years ago (Reporter)
Well, I am sure you can understand how I am reluctant to post a network trace complete with authentication credentials in it, right?
LDAP server is OpenLDAP.
Comment 5•14 years ago
You can send it to me privately. And you do know how GSSAPI works, right? No clear password is sent during this negotiation. If you are still afraid to do this, just do the capture and save the file, then change your password.
Comment 6•14 years ago (Reporter)
Sent privately. And yes, I do know that in theory, no clear-text password is sent over the wire, but just because I'm paranoid doesn't mean everyone isn't out to get me. :-)
Comment 7•14 years ago
Here is the detailed error from OpenLDAP:
LDAPMessage bindResponse(3) insufficientAccessRights (SASL(-14): authorization failure: Inappropriate authentication)
I think there may be some misconfiguration of GSSAPI or some access rights wrong in OpenLDAP; I can't be sure, I'm not really familiar with OpenLDAP.
Comment 8•14 years ago (Reporter)
Right. I saw that too, of course, but as I mentioned previously, both GQ and Evolution have no problem with this exact same server for the exact same user. Thunderbird appears to be the odd man out here.
Comment 9•14 years ago
Can you bind with your server using ldapsearch?
ldapsearch -LLL -b 'dc=example,dc=com' '(givenname=Murrell)' cn
Comment 10•14 years ago (Reporter)
$ ldapsearch -LLL -b 'ou=People,dc=example,dc=com' '(uid=brian)' cn
SASL/GSSAPI authentication started
SASL username: brian@ILINX
SASL SSF: 56
SASL data security layer installed.
dn: uid=brian,ou=People,dc=example,dc=com
cn: Brian J. Murrell
Comment 11•14 years ago
Looks good. I assume you are using the 3.1.10 release, because I am having a problem right now with LDAP GSSAPI with Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0a2) Gecko/20110505 Thunderbird/3.3a4pre. A little different from yours, but this could be some regression anyway.
Comment 12•14 years ago (Reporter)
3.1.8 in fact.
Updated•14 years ago (Reporter)
Version: unspecified → 3.1
Comment 13•14 years ago
It seems your third bind request in the pcap file isn't complete: it doesn't contain the GSSAPI krb5_blob section, thus OpenLDAP complains about that. It just has the mechanism and credentials there. This needs more attention from someone familiar with the Kerberos code in TB.
Updated•14 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 14•13 years ago
I am finding this same issue with Thunderbird 13.0.1 on Fedora 17 x86_64:
~]$ export NSPR_LOG_MODULES="ldap:10,gssapi:10,ldapautocomplete:10,negotiateauth:10"
~]$ thunderbird -addressbook -safe-mode
-424626368[7f2de6921590]: entering nsAuthGSSAPI::nsAuthGSSAPI()
-424626368[7f2de6921590]: Attempting to load gss functions
-424626368[7f2de6921590]: entering nsAuthGSSAPI::Init()
-424626368[7f2de6921590]: entering nsAuthGSSAPI::GetNextToken()
-424626368[7f2de6921590]: leaving nsAuthGSSAPI::GetNextToken [rv=0]
-424626368[7f2de6921590]: pending operation added; total pending operations now = 1
-1044388096[7f2dc3632120]: nsLDAPConnection::RemovePendingOperation(): operation removed
-1044388096[7f2dc3632120]: nsLDAPConnection::RemovePendingOperation(): operation removed; total pending operations now = 0
-1044388096[7f2dc3632120]: entering nsAuthGSSAPI::GetNextToken()
-1044388096[7f2dc3632120]: leaving nsAuthGSSAPI::GetNextToken [rv=4b0028]
-1044388096[7f2dc3632120]: pending operation added; total pending operations now = 1
-1044388096[7f2dc3632120]: nsLDAPConnection::RemovePendingOperation(): operation removed
-1044388096[7f2dc3632120]: nsLDAPConnection::RemovePendingOperation(): operation removed; total pending operations now = 0
-1044388096[7f2dc3632120]: pending operation added; total pending operations now = 1
-1044388096[7f2dc3632120]: pending operation removed; total pending operations now = 0
-424626368[7f2de6921590]: entering nsAuthGSSAPI::nsAuthGSSAPI()
-424626368[7f2de6921590]: entering nsAuthGSSAPI::Init()
-424626368[7f2de6921590]: entering nsAuthGSSAPI::GetNextToken()
-424626368[7f2de6921590]: leaving nsAuthGSSAPI::GetNextToken [rv=0]
-424626368[7f2de6921590]: pending operation added; total pending operations now = 1
-1044388096[7f2dc3632120]: nsLDAPConnection::RemovePendingOperation(): operation removed
-1044388096[7f2dc3632120]: nsLDAPConnection::RemovePendingOperation(): operation removed; total pending operations now = 0
-1044388096[7f2dc3632120]: entering nsAuthGSSAPI::GetNextToken()
-1044388096[7f2dc3632120]: leaving nsAuthGSSAPI::GetNextToken [rv=4b0028]
-1044388096[7f2dc3632120]: pending operation added; total pending operations now = 1
-1044388096[7f2dc3632120]: nsLDAPConnection::RemovePendingOperation(): operation removed
-1044388096[7f2dc3632120]: nsLDAPConnection::RemovePendingOperation(): operation removed; total pending operations now = 0
-1044388096[7f2dc3632120]: pending operation added; total pending operations now = 1
-1044388096[7f2dc3632120]: pending operation removed; total pending operations now = 0
I am using the 389 Directory Server (http://port389.org) and command line ldapsearch has no issue finding all of my contacts.
Comment 16•10 years ago
Hello!
I can confirm that GSSAPI binding to an LDAP server is still not working. I tested on Thunderbird 31.5, 36.0b1, and 38.0a2. In all 3 cases, Thunderbird reports the same messages as those shown in comment 14. When I look at a packet capture, I see that Thunderbird starts the binding process OK, but eventually fails with the following error from the LDAP server:
> generic failure: protocol violation: client requested invalid layer
One interesting note: If I turn on SSL, it looks like the bind works! I am not able to look into the traffic with Wireshark anymore, but Thunderbird's debugging shows that it has moved on to searching. I don't get any results from my query, but I think that's a different issue.
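Both server-side errors in this thread belong to the last step of a SASL/GSSAPI bind, the security-layer negotiation of RFC 4752 section 3.1: once the Kerberos context is established, the server sends a GSS-wrapped 4-byte token (one octet bitmask of offered layers, three octets of maximum buffer size), and the client answers with a wrapped token selecting exactly one of those layers. In a Kerberos exchange with mutual authentication this client answer normally travels in the third LDAP BindRequest, which is the request comment 13 found without any GSS blob, and a selection the server did not offer is the condition behind the "client requested invalid layer" message in comment 16. The ldapsearch output in comment 10 ("SASL SSF: 56", "SASL data security layer installed") shows what a successful negotiation of the confidentiality layer looks like from the client. The following is an added example, not code from Thunderbird, OpenLDAP, 389 Directory Server or Cyrus SASL: it models the plaintext of both tokens and the checks each side applies. The token layout and bitmask values are those of RFC 4752; the function names, the exact server-side validation order and the constructed scenario at the bottom are assumptions made for illustration.

```python
"""RFC 4752 (SASL GSSAPI) security-layer negotiation, worked through.

Added example for this bug thread; not Thunderbird, OpenLDAP or Cyrus SASL
code. It models only the plaintext inside the GSS-wrapped tokens; the
GSS_Wrap/GSS_Unwrap step that protects them on the wire is out of scope.
"""
from dataclasses import dataclass

# Security-layer bitmask values defined in RFC 4752, section 3.1.
NO_SECURITY_LAYER = 0x01
INTEGRITY = 0x02
CONFIDENTIALITY = 0x04
ALL_LAYERS = NO_SECURITY_LAYER | INTEGRITY | CONFIDENTIALITY

LAYER_NAMES = {
    NO_SECURITY_LAYER: "none",
    INTEGRITY: "integrity",
    CONFIDENTIALITY: "confidentiality",
}


@dataclass
class LayerToken:
    layers: int            # bitmask of security layers (offered or selected)
    max_buf: int           # largest wrapped message the sender can receive
    authzid: bytes = b""   # optional authorization identity (client token only)


def encode_layer_token(layers: int, max_buf: int, authzid: bytes = b"") -> bytes:
    """Plaintext of the wrapped negotiation token: one bitmask octet, three
    octets of maximum buffer size in network byte order, then the authzid."""
    if layers == 0 or layers & ~ALL_LAYERS:
        raise ValueError(f"invalid layer bitmask 0x{layers:02x}")
    if not 0 <= max_buf <= 0xFFFFFF:
        raise ValueError("maximum buffer size must fit in 24 bits")
    return bytes([layers]) + max_buf.to_bytes(3, "big") + authzid


def decode_layer_token(data: bytes) -> LayerToken:
    """Parse a negotiation token. A final bind whose credentials carry no
    wrapped token at all (the situation described in comment 13) fails here."""
    if len(data) < 4:
        raise ValueError(f"negotiation token too short: {len(data)} bytes")
    return LayerToken(data[0], int.from_bytes(data[1:4], "big"), bytes(data[4:]))


def client_select_layer(server_token: bytes, supported: int, max_recv: int) -> bytes:
    """Client side: choose the strongest layer both sides support."""
    offer = decode_layer_token(server_token)
    for layer in (CONFIDENTIALITY, INTEGRITY, NO_SECURITY_LAYER):
        if layer & offer.layers & supported:
            break
    else:
        raise ValueError("no security layer in common with the server")
    # RFC 4752: the size MUST be 0 when the client selects no security layer.
    size = 0 if layer == NO_SECURITY_LAYER else max_recv
    return encode_layer_token(layer, size)


def server_check_client_choice(offered: int, client_token: bytes) -> LayerToken:
    """Server side: validate the client's selection. The error text mirrors the
    message quoted in comment 16; the real server's check order is assumed."""
    choice = decode_layer_token(client_token)
    one_bit_set = choice.layers != 0 and (choice.layers & (choice.layers - 1)) == 0
    if not one_bit_set or not (choice.layers & offered):
        raise ValueError("protocol violation: client requested invalid layer")
    if choice.layers == NO_SECURITY_LAYER and choice.max_buf != 0:
        raise ValueError("protocol violation: buffer size with no security layer")
    return choice


def explain_rejection(offered: int, client_token: bytes) -> str:
    """Return the server's rejection reason, or '' when the token is accepted."""
    try:
        server_check_client_choice(offered, client_token)
    except ValueError as exc:
        return str(exc)
    return ""


if __name__ == "__main__":
    # Constructed scenario: the server offers every layer and a 16 MiB buffer.
    offer = encode_layer_token(ALL_LAYERS, 0xFFFFFF)
    good = client_select_layer(offer, ALL_LAYERS, 65536)
    print("accepted:", LAYER_NAMES[server_check_client_choice(ALL_LAYERS, good).layers])
    # A client answering with a layer the server did not offer is refused.
    bad = encode_layer_token(NO_SECURITY_LAYER, 0)
    print("rejected:", explain_rejection(CONFIDENTIALITY | INTEGRITY, bad))
    # A final bind with empty credentials never reaches the layer check.
    print("empty creds:", explain_rejection(ALL_LAYERS, b""))
```

Reading a capture against this model is straightforward: the server's offer byte tells you which layers the directory is willing to accept, and the client's answer byte must be a single bit inside that set, with a zero buffer size when it declines a layer. A client that sends nothing at all in the final bind, or a byte outside the offered set, produces exactly the two server responses recorded in this thread.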
Comment 17•10 years ago
Here's the debug output Thunderbird provides when NSPR_LOG_MODULES is set to "ldap:10,gssapi:10,negotiateauth:10":
-216611040[7fe5f1e3b260]: entering nsAuthGSSAPI::nsAuthGSSAPI()
-216611040[7fe5f1e3b260]: Attempting to load gss functions
-216611040[7fe5f1e3b260]: entering nsAuthGSSAPI::Init()
-216611040[7fe5f1e3b260]: entering nsAuthGSSAPI::GetNextToken()
-216611040[7fe5f1e3b260]: leaving nsAuthGSSAPI::GetNextToken [rv=0]
-216611040[7fe5f1e3b260]: pending operation added; total pending operations now = 1
-1101060352[7fe5ca941b80]: nsLDAPConnection::RemovePendingOperation(): operation removed
-1101060352[7fe5ca941b80]: nsLDAPConnection::RemovePendingOperation(): operation removed; total pending operations now = 0
-1101060352[7fe5ca941b80]: entering nsAuthGSSAPI::GetNextToken()
-1101060352[7fe5ca941b80]: leaving nsAuthGSSAPI::GetNextToken [rv=4b0028]
-1101060352[7fe5ca941b80]: pending operation added; total pending operations now = 1
-1101060352[7fe5ca941b80]: nsLDAPConnection::RemovePendingOperation(): operation removed
-1101060352[7fe5ca941b80]: nsLDAPConnection::RemovePendingOperation(): operation removed; total pending operations now = 0
-1101060352[7fe5ca941b80]: pending operation added; total pending operations now = 1
-1101060352[7fe5ca941b80]: pending operation removed; total pending operations now = 0
-216611040[7fe5f1e3b260]: nsLDAPOperation::SearchExt(): called with aBaseDn = 'cn=people,dc=stanford,dc=edu'; aFilter = '(&(|(mail=*NAME_HERE*)(cn=*NAME_HERE*)(givenName=*NAME_HERE*)(sn=*NAME_HERE*)))'; aAttributes = mozillaUseHtmlMail,xmozillausehtmlmail,description,notes,telephoneNumber,title,sn,surname,mozillaHomeLocalityName,o,company,givenName,mozillaHomeState,mail,mozillaWorkUrl,workurl,labeledURI,mozillaNickname,xmozillanickname,nsAIMid,nscpaimscreenname,mozillaHomeStreet2,mobile,cellphone,carphone,modifytimestamp,birthmonth,facsimiletelephonenumber,fax,birthyear,c,countryname,mozillaHomeStreet,ou,department,departmentnumber,orgunit,mozillaSecondEmail,xmozillasecondemail,postalCode,zip,mozillaCustom1,custom1,mozillaHomeCountryName,homePhone,st,region,mozillaCustom2,custom2,pager,pagerphone,mozillaHomePostalCode,mozillaCustom3,custom3,birthday,street,streetaddress,postOfficeBox,mozillaCustom4,custom4,mozillaHomeUrl,homeurl,l,locality,cn,commonname,mozillaWorkStreet2,objectClass; aSizeLimit = 100
-216611040[7fe5f1e3b260]: pending operation added; total pending operations now = 1
-1101060352[7fe5ca941b80]: pending operation removed; total pending operations now = 0
I replaced the name I was searching for with "NAME_HERE".
I am not able to provide any pcap, because the above results were obtained using SSL.
Updated•2 years ago
Severity: normal → S3