I created an openldap client that connects to a Microsoft Active Directory 
server.

The client uses ldap_sasl_interactive_bind_s to verify a user name and 
password. The mechanism used is DIGEST-MD5.

My client can bind multiple users before unbinding them. If it binds the same 
user twice, the second bind request fails with an "invalid credentials" 
message.

Looking into the code, I'm under the impression that the problem is related to 
the reauth_cache.

In more detail, when binding a user for the first time, the 
digestmd5_client_mech_step function is called once to execute step 1, 
which does nothing (it simply sets the next step to step 2). Then the function 
is called a second time to execute step 2, and finally called to execute 
step 3.

When performing the bind a second time for the same user, 
digestmd5_client_mech_step is again called to execute step 1. Because the 
user is cached in the reauth_cache, step 1 executes the function 
digestmd5_client_mech_step1 (which was not executed in the previous run). This 
makes the second attempt fail with an "invalid credentials" message.

If I "remove" the cache, the second attempt also works fine.

Does anybody have an idea of why the cache makes the second attempt fail when 
working with Active Directory?
Is there any way to disable the cache?

Thanks in advance for your help. Regards,
Bernardo
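The DIGEST-MD5 response computation underneath the steps described in the post, as an added example that is not part of the original message and not Cyrus SASL's or OpenLDAP's code: it computes the client response and the server's rspauth per RFC 2831 for an initial authentication, then for a cached "subsequent authentication" that reuses the server nonce and cnonce with an incremented nonce-count, which is what a reauth cache lets the client send directly in step 1. It assumes Python 3 with hashlib; the chris/secret values are RFC 2831's own test vector, and the reauth inputs are constructed.

```python
"""DIGEST-MD5 response computation (RFC 2831, sections 2.1.2.1 and 2.2).

Added example. The chris/secret vector is from RFC 2831 section 4; the
reauthentication inputs below are constructed for illustration.
"""
import hashlib


def _hex_md5(data: str) -> str:
    # KD(k, s) in RFC 2831 is H(k ":" s); callers pass the joined string.
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def digest_md5_response(username, realm, password, nonce, cnonce, nc,
                        digest_uri, qop="auth", authzid=None):
    """Return (response, rspauth) hex strings for one client/server exchange."""
    # A1 = H(username:realm:passwd) ":" nonce ":" cnonce [":" authzid]
    a1 = hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).digest()
    a1 += f":{nonce}:{cnonce}".encode("utf-8")
    if authzid:
        a1 += f":{authzid}".encode("utf-8")
    ha1 = hashlib.md5(a1).hexdigest()
    # A2 carries the method for the client response and is empty-method for rspauth;
    # auth-int and auth-conf append 32 zero hex digits.
    suffix = "" if qop == "auth" else ":" + "0" * 32
    ha2_client = _hex_md5(f"AUTHENTICATE:{digest_uri}{suffix}")
    ha2_server = _hex_md5(f":{digest_uri}{suffix}")
    nc_str = f"{nc:08x}"  # nonce-count is 8 lowercase hex digits
    response = _hex_md5(f"{ha1}:{nonce}:{nc_str}:{cnonce}:{qop}:{ha2_client}")
    rspauth = _hex_md5(f"{ha1}:{nonce}:{nc_str}:{cnonce}:{qop}:{ha2_server}")
    return response, rspauth


def reauth_responses(username, realm, password, nonce, cnonce, digest_uri,
                     attempts):
    """Responses for an initial auth (nc=1) followed by cached reauthentications.

    A reauth cache keeps nonce, cnonce and the nonce-count; each subsequent
    authentication reuses nonce and cnonce and only increments nc, so the
    responses differ even though every other input is identical.
    """
    return [digest_md5_response(username, realm, password, nonce, cnonce, nc,
                                digest_uri)[0]
            for nc in range(1, attempts + 1)]
```

Subsequent authentication is optional for servers in RFC 2831, so a server that does not keep the nonce state from the first exchange will reject a step-1 response built this way rather than treat it as a fresh authentication.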