Can you try with an empty authorization name. I compiled your test program on Opensolaris with minor modification (no DEBUG and no bind_ext available in Sun's ldap release which is based on mozilla) and it works fine against my w2k3 AD.
Markus "Kashif Ali Siddiqui" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] > Hi all, > > I am experiencing a problem in ldap user authentication over SASL > +GSSAPI with a Microsoft AD 2003. After doing the "kinit", I have get > the first user ticket. But when I try to do a SASL bind with mechanism > GSSAPI, and try to give the same user principal that I gave to kinit > in the first SASL step that asks "Please enter your authorization > name" (code 0x4001), I get the service ticket (as shown by the klist > command), but my ldap sasl bind fails with the message > > "LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data > 7a, vece" > > with LDAP return code 49 means Invalid Credentials. I am using a > custom client here. The code is pasted after the environment details. > Please go through the code. By the way, I am getting the user and > service tickets from the AD server, its just the bind which is failing > in the SASL. In normal (simple bind), it is succeeding. > > Here is the environment details > > Server > ======= > Microsoft Server 2003 > > Client > ====== > RedHat ES 3 > MozillaLDAP 6.0.4 > Cyrus-sasl 2.1.22 > > > Client code > ==================================================================== > > #include <stdio.h> > #include <stdlib.h> > #include <errno.h> > #include <string.h> > #include <time.h> > > #include <sasl.h> > #include <ldap.h> > > static char progname[50]; > > //static int sasl_flags = LDAP_SASL_QUIET; > static int sasl_flags = LDAP_SASL_INTERACTIVE; > static char *sasl_mech = "GSSAPI"; > > static char buf[1024]; > > #define VALIDVAL(n) ((n >= SASL_CB_USER) && (n <= SASL_CB_GETREALM)) > > > static char* getCString(char *strPtr, size_t sizeStrPtr, size_t > *strLength) > { > int len = 0; > > if (strLength != NULL) *strLength = 0; > > if (strPtr && (strPtr = fgets(strPtr, sizeStrPtr, stdin)) != NULL) > { > len = strlen(strPtr); > > if ((len > 0) && (strPtr[len - 1] == '\n')) > { > strPtr[len - 1] = '\0'; > len--; > } > if (strLength != NULL) *strLength = len; > } > return strPtr; > } > > static int > example_sasl_interact( LDAP *ld, unsigned flags, void *defaults, void > *prompts ) > { > //static times = 0; > //printf(" -- Enter times : #%d\n", ++times); > > char *promptStrings[9] = { > "USER", > "AUTHNAME", > "LANGUAGE", > "PASS", > "ECHOPROMPT", > "NOECHOPROMPT", > "CNONCE", > "GETREALM", > NULL > }; > > sasl_interact_t *interact = NULL; > int rc; > > if (prompts == NULL) { > return (LDAP_PARAM_ERROR); > } > > int promptId = ((sasl_interact_t *)prompts)->id; > int promptStringId = promptId - 0x4001; > > for (interact = prompts; interact->id != SASL_CB_LIST_END; interact+ > +) > { > if (VALIDVAL(interact->id)) > { > printf(" >> Prompt: [%x|%s] %s: ", promptId, (promptStringId >=0 > && promptStringId < 9 ? promptStrings[promptId-0x4001] : "N/A"), > interact->prompt?interact->prompt:"N/A"); > getCString(buf, sizeof buf, NULL); > interact->result = buf; > interact->len = strlen(buf); > } > } > return (LDAP_SUCCESS); > } > > static int > usage(char *progname) > { > fprintf(stderr, "Usage: %s [ debuglevel ]\n", progname); > return 1; > } > > int > main(int argc, char *argv[]) > { > int index; > int rc; > LDAP *ld; > LDAPControl **ctrls = NULL; > int ldversion = LDAP_VERSION3; > int debuglevel = 0; > > LDAPMessage *result, *e; > BerElement *ber; > char *a, *dn; > char **vals; > int i; > int step = 1; > > strncpy(progname, argv[0], sizeof progname); > > if (argc == 2) > debuglevel = atoi(argv[1]); > /* set the default sasl args from the user input */ > else if (argc > 2) > return usage(argv[0]); > > printf("============================================\n"); > printf("Starting ...\n\n"); > > ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &debuglevel); > /* get a handle to an LDAP connection */ > > char serverName[100]; > int serverPort=389; > char serverBaseDN[512]; > char searchDN[1024]; > char searchFilter[512]; > > printf("Step#%d) Enter LDAP server name|DNS|IP: ", step++); > getCString(serverName, sizeof serverName, NULL); > printf("Step#%d) Enter LDAP server port [389]: ", step++); > getCString(buf, sizeof buf, NULL); > serverPort=atoi(buf); > > if ( (ld = ldap_init( serverName, serverPort )) == NULL ) > { > perror( "ldap_open" ); > return( 1 ); > } > > ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &ldversion ); > > printf("Step#%d) Enter LDAP server base DN: ", step++); > getCString(serverBaseDN, sizeof serverBaseDN, NULL); > > int s1 = step++; > int s2 = step++; > do { > printf("Step#%d) Enter LDAP authentication method; 1) Simple > [default] 2) GSSAPI-Krb5 : ", s1); > getCString(buf, sizeof buf, NULL); > i = atoi(buf); > if (i == 2) > { > printf("Step#%d) Entering LDAP SASL authentication phase\n", s2); > printf("--[Start]---------------------------------------\n"); > > LDAPControl auth_resp_ctrl, *ctrl_array[ 3 ], **bindctrls; > LDAPControl pwpolicy_req_ctrl; > LDAPControl **ctrls = NULL; > LDAPControl **rctrls = NULL; > > auth_resp_ctrl.ldctl_oid = LDAP_CONTROL_AUTH_REQUEST; > auth_resp_ctrl.ldctl_value.bv_val = NULL; > auth_resp_ctrl.ldctl_value.bv_len = 0; > auth_resp_ctrl.ldctl_iscritical = 0; > ctrl_array[0] = &auth_resp_ctrl; > > pwpolicy_req_ctrl.ldctl_oid = LDAP_X_CONTROL_PWPOLICY_REQUEST; > pwpolicy_req_ctrl.ldctl_value.bv_val = NULL; > pwpolicy_req_ctrl.ldctl_value.bv_len = 0; > pwpolicy_req_ctrl.ldctl_iscritical = 0; > ctrl_array[1] = &pwpolicy_req_ctrl; > ctrl_array[2] = NULL; > bindctrls = ctrl_array; > > rc = ldap_sasl_interactive_bind_ext_s( ld, serverBaseDN, > sasl_mech, > bindctrls, ctrls, > sasl_flags, > example_sasl_interact, > NULL, &rctrls ); > printf("--[End]-----------------------------------------\n"); > > } > else > { > printf("Step#%d) Launching LDAP simple BIND\n", s2); > printf("--[Start]---------------------------------------\n"); > > char userName[100]; > char userPass[100]; > printf(" >> Prompt: Enter user DN: "); > getCString(userName, sizeof userName, NULL); > printf(" >> Prompt: Enter user passwd: "); > getCString(userPass, sizeof userPass, NULL); > > rc = ldap_simple_bind_s( ld, userName, userPass ); > printf("--[End]-----------------------------------------\n"); > } > if (rc == LDAP_SUCCESS ) > break; > > sprintf(buf, "Bind Error [%d]", rc); > ldap_perror( ld, buf); > > printf("Do you want to try again ?[y/N] "); > getCString(buf, sizeof buf, NULL); > } while (buf[0] == 'y' || buf[0] == 'Y'); > > if (rc != LDAP_SUCCESS ) > return ( 1 ); > > sasl_ssf_t ssf; > unsigned long val = 0; > if (!ldap_get_option(ld, LDAP_OPT_X_SASL_SSF, &ssf)) > { > val = (unsigned long)ssf; > } > printf("Bind successful, security level is %lu\n", val); > > > printf("Step#%d) Enter search DN: ", step++); > getCString(searchDN, sizeof searchDN, NULL); > printf("Step#%d) Enter search filter: ", step++); > getCString(searchFilter, sizeof searchFilter, NULL); > > if ( (rc = ldap_search_s( ld, searchDN, LDAP_SCOPE_SUBTREE, > searchFilter, NULL, 0, &result )) != LDAP_SUCCESS ) > { > sprintf(buf, "'ldap_search_s' Error [%d]", rc); > ldap_perror( ld, buf); > if ( result == NULL ) > { > ldap_unbind( ld ); > return( 1 ); > } > } > > printf("Step#%d) LDAP search results\n", step++); > printf("--[Start]---------------------------------------\n"); > /* for each entry print out name + all attrs and values */ > for ( e = ldap_first_entry( ld, result ); e != NULL; e = > ldap_next_entry( ld, e ) ) > { > if ( (dn = ldap_get_dn( ld, e )) != NULL ) > { > printf( " => dn: %s\n", dn ); > ldap_memfree( dn ); > } > for ( a = ldap_first_attribute( ld, e, &ber ); a != NULL; a = > ldap_next_attribute( ld, e, ber ) ) > { > if ((vals = ldap_get_values( ld, e, a)) != NULL ) > { > for ( i = 0; vals[i] != NULL; i++ ) > { > printf( " --- %s: %s\n", a, vals[i] ); > } > ldap_value_free( vals ); > } > ldap_memfree( a ); > } > if ( ber != NULL ) > { > ber_free( ber, 0 ); > } > printf( ".\n" ); > } > printf("--[End]-----------------------------------------\n\n > Terminating ...\n"); > ldap_msgfree( result ); > ldap_unbind( ld ); > return( 0 ); > } > > > > ==================================================================== > > > Kashif Ali Siddiqui > Tech Lead | Folio3 (www.folio3.com) > Email: [EMAIL PROTECTED] _______________________________________________ dev-tech-ldap mailing list [email protected] https://lists.mozilla.org/listinfo/dev-tech-ldap
