This section describes the error messages logged by the SASL GSSAPI authentication mechanism.
An LDAP bind with SASL GSSAPI fails if the same Kerberos principal is associated with more than one eDirectory user object.
RFC 2222 specifies support for an authorization ID sent by the user and client; the SASL GSSAPI method does not support this.
On Linux installations, the error messages are logged in the ndsd.log file.
| Error Message | Cause |
|---|---|
| SASL-GSSAPI: Reading Object user_FDN FAILED eDirectory error code | Generated in eDirectory. The Kerberos principal name is not attached to the user object (userdn). |
| SASL-GSSAPI: Reading Object Realm_FDN FAILED eDirectory error code | Generated in eDirectory. The realm object does not exist. |
| SASL-GSSAPI: Not enough memory | Not enough memory to perform the requested operation. |
| SASL-GSSAPI: Invalid Input | The input received from the client is malformed or invalid. |
| SASL-GSSAPI: NMAS error NMAS error code | Generated in NMAS; this is an internal error. |
| SASL-GSS: Invalid LDAP service principal name LDAP_service_principal_name | The LDAP service principal name is invalid. |
| SASL-GSS: Reading LDAP service principal key from eDirectory failed | Possible causes: the LDAP service principal object has not been created; the realm object's master key was changed; the LDAP service principal object was not found in the subtree of the realm to which it belongs. |
| SASL-GSS: Creating GSS context failed | Possible causes: the time is not synchronized between the client, the KDC and the eDirectory servers; the key of the LDAP service principal was changed in the Kerberos database but not updated in eDirectory; the encryption type is not supported. |
| SASL GSSAPI: Invalid user FDN = user_FDN | The user FDN provided by the client is not valid. |
| SASL GSSAPI: No user DN is associated with principal client_principal_name | No user object under the subtree is associated with the Kerberos principal name. |
| SASL GSSAPI: More than one user DN is associated with principal client_principal_name | More than one user object under the subtree is associated with the same principal. |
| ldap_simple_bind_s: Invalid credentials major = 1, minor =0 | Cause: a key version mismatch between the LDAP service principal on the KDC server and the LDAP service principal on the eDirectory server. Every time you extract the LDAP service principal key to the keytab file, the key version number is incremented, so a key extracted again on the KDC no longer matches the one held by eDirectory. Action: Complete the following procedure: |
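As an added triage example (not part of this documentation), the following Python script classifies ndsd.log lines against the messages in the table above, captures their variable parts (FDN, principal, error code), and lists principals mapped to more than one user object, the condition called out at the top of this section. The timestamp prefix and the sample values are constructed.

```python
import re
from collections import Counter

# Message shapes documented for ndsd.log. Variable parts (FDN, principal,
# service principal name, error code) are captured so triage can group on them.
PATTERNS = [
    ("object_read_failed", re.compile(r"SASL-GSSAPI: Reading Object (?P<fdn>.+?) FAILED eDirectory error code(?:\s+(?P<code>-?\d+))?")),
    ("no_memory", re.compile(r"SASL-GSSAPI: Not enough memory")),
    ("invalid_input", re.compile(r"SASL-GSSAPI: Invalid Input")),
    ("nmas_error", re.compile(r"SASL-GSSAPI: NMAS error (?P<code>\S+)")),
    ("invalid_spn", re.compile(r"SASL-GSS: Invalid LDAP service principal name (?P<spn>\S+)")),
    ("spn_key_read_failed", re.compile(r"SASL-GSS: Reading LDAP service principal key from eDirectory failed")),
    ("gss_context_failed", re.compile(r"SASL-GSS: Creating GSS context failed")),
    ("invalid_user_fdn", re.compile(r"SASL GSSAPI: Invalid user FDN = (?P<fdn>.+)")),
    ("no_user_dn", re.compile(r"SASL GSSAPI: No user DN is associated with principal (?P<principal>\S+)")),
    ("multiple_user_dn", re.compile(r"SASL GSSAPI: More than one user DN is associated with principal (?P<principal>\S+)")),
]

def classify(line):
    """Return (kind, captured_fields) for a documented SASL-GSSAPI message, else None."""
    for kind, rx in PATTERNS:
        m = rx.search(line)
        if m:
            return kind, {k: v for k, v in m.groupdict().items() if v is not None}
    return None

def triage(lines):
    """Count each documented error kind; collect principals mapped to more than one user DN."""
    counts = Counter()
    duplicate_principals = set()
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue  # not one of the documented SASL-GSSAPI messages
        kind, fields = hit
        counts[kind] += 1
        if kind == "multiple_user_dn":
            duplicate_principals.add(fields["principal"])
    return counts, sorted(duplicate_principals)

# Constructed sample lines; the timestamp prefix is an assumption, not from the documentation.
SAMPLE_LOG = [
    "2024-01-01T10:00:00 SASL GSSAPI: More than one user DN is associated with principal alice@EXAMPLE.COM",
    "2024-01-01T10:00:01 SASL-GSS: Creating GSS context failed",
    "2024-01-01T10:00:02 SASL-GSSAPI: NMAS error -9999",
    "2024-01-01T10:00:03 ndsd started",
    "2024-01-01T10:00:04 SASL GSSAPI: More than one user DN is associated with principal alice@EXAMPLE.COM",
]
```

Run `triage(SAMPLE_LOG)` on real ndsd.log lines to see which documented condition dominates before checking time sync, the service principal key, or duplicate principal associations.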