I forgot that I disabled referrals with

    ldap_set_option( ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);

I think it is a bug in sasl as I saw this too:

Program received signal SIGSEGV, Segmentation fault.
0xd1f28cae in ___sasl_log () from /usr/lib/libsasl.so.1
(gdb) where
#0  0xd1f28cae in ___sasl_log () from /usr/lib/libsasl.so.1
#1  0xd1f28be4 in _sasl_log () from /usr/lib/libsasl.so.1
#2  0xd1f27146 in sasl_encodev () from /usr/lib/libsasl.so.1
#3  0xd1f26ff6 in sasl_encode () from /usr/lib/libsasl.so.1
#4  0xd1f73dc1 in nsldapi_sasl_write () from /usr/lib/libldap.so.5
#5  0xd1f5cb67 in ber_flush () from /usr/lib/libldap.so.5
#6  0xd1f6f6a6 in nsldapi_ber_flush () from /usr/lib/libldap.so.5
#7  0xd1f6f0a8 in nsldapi_send_server_request () from /usr/lib/libldap.so.5
#8  0xd1f6ec8b in nsldapi_send_initial_request () from /usr/lib/libldap.so.5
#9  0xd1f74ffd in simple_bind_nolock () from /usr/lib/libldap.so.5
#10 0xd1f74d33 in ldap_simple_bind () from /usr/lib/libldap.so.5
#11 0xd1f7508d in ldap_simple_bind_s () from /usr/lib/libldap.so.5
#12 0xd1f5e9c6 in ldap_bind_s () from /usr/lib/libldap.so.5
#13 0xd1f6fa2b in nsldapi_new_connection () from /usr/lib/libldap.so.5
#14 0xd1f6eee7 in nsldapi_send_server_request () from /usr/lib/libldap.so.5
#15 0xd1f702c7 in chase_one_referral () from /usr/lib/libldap.so.5
#16 0xd1f7005d in nsldapi_chase_v3_refs () from /usr/lib/libldap.so.5
#17 0xd1f7253f in check_for_refs () from /usr/lib/libldap.so.5
#18 0xd1f71dea in read1msg () from /usr/lib/libldap.so.5
#19 0xd1f71369 in wait4msg () from /usr/lib/libldap.so.5
#20 0xd1f70a31 in nsldapi_result_nolock () from /usr/lib/libldap.so.5
#21 0xd1f70953 in ldap_result () from /usr/lib/libldap.so.5
#22 0xd1f76504 in nsldapi_search_s () from /usr/lib/libldap.so.5
#23 0xd1f7640a in ldap_search_s () from /usr/lib/libldap.so.5
#24 0x080519c7 in main ()


BTW, if you want to provide an authorization id, use dn: in front of the DN, as 
shown below.

 ./ldap_test
============================================
Starting ...

Step#1) Enter LDAP server name|DNS|IP: w2k3r2.win2003r2.home
Step#2) Enter LDAP server port [389]:
Step#3) Enter LDAP server base DN: dc=win2003r2,dc=home
Step#4) Enter LDAP authentication method; 1) Simple [default] 2) GSSAPI-Krb5 : 2
Step#5) Entering LDAP SASL authentication phase
--[Start]---------------------------------------
 >>   Prompt: [4001|USER] Please enter your authorization name: dn:CN=Markus Moeller,CN=Users,DC=win2003r2,DC=home
--[End]-----------------------------------------
Bind successful, security level is 56
Step#6) Enter search DN: dc=win2003r2,dc=home
Step#7) Enter search filter: (cn=markus*)
Step#8) LDAP search results
--[Start]---------------------------------------
 => dn: CN=Markus Moeller,CN=Users,DC=win2003r2,DC=home
 --- objectClass: top
 --- objectClass: person
 --- objectClass: organizationalPerson
 --- objectClass: user
 --- cn: Markus Moeller
 --- sn: Moeller
 --- givenName: Markus
 --- distinguishedName: CN=Markus Moeller,CN=Users,DC=win2003r2,DC=home
 --- instanceType: 4
 --- whenCreated: 20071221213740.0Z
 --- whenChanged: 20071226183848.0Z
 --- displayName: Markus Moeller
 --- uSNCreated: 20500
 --- uSNChanged: 32984
 --- name: Markus Moeller
 --- objectGUID: ùW \C~Nwe$
 --- userAccountControl: 66048
 --- badPwdCount: 0
 --- codePage: 0
 --- countryCode: 0
 --- employeeID: 500
 --- badPasswordTime: 128436841317493750
 --- lastLogoff: 0
 --- lastLogon: 128437604944212500
 --- pwdLastSet: 128427466604375000
 --- primaryGroupID: 513
 --- objectSid:
 --- accountExpires: 9223372036854775807
 --- logonCount: 3
 --- sAMAccountName: mm
 --- sAMAccountType: 805306368
 --- userPrincipalName: [EMAIL PROTECTED]
 --- objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=win2003r2,DC=home
 --- lastLogonTimestamp: 128431679281250000
 --- uid: mm
 --- msSFU30Name: mm
 --- msSFU30NisDomain: win2003r2
 --- msSFU30PosixMemberOf: CN=SuseGroup,CN=Users,DC=win2003r2,DC=home
 --- msSFU30PosixMemberOf: CN=SolarisGroup,CN=Users,DC=win2003r2,DC=home
 --- uidNumber: 10000
 --- gidNumber: 10000
 --- unixHomeDirectory: /export/home/mm
 --- loginShell: /bin/ksh
.
--[End]-----------------------------------------

 Terminating ...

"Kashif Ali Siddiqui" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> I have tried with an empty authorization name, and the SASL bind
> succeeded with just the first step, but the code crashes on the
> ldap_search_s call with a segmentation fault. The fault occurs in the
> ldap_search_s call trace. Besides that, I need to authenticate the user
> just to verify their credentials, so I can't use an empty
> authorization name.
>
> Any other solution please.
>
> On Jan 2, 7:54 pm, "Markus Moeller" <[EMAIL PROTECTED]> wrote:
>> Can you try with an empty authorization name? I compiled your test
>> program on Opensolaris with minor modification (no DEBUG and no bind_ext
>> available in Sun's ldap release, which is based on mozilla) and it works
>> fine against my w2k3 AD.
>>
>> Markus
>>
>> "Kashif Ali Siddiqui" <[EMAIL PROTECTED]> wrote in message
>> news:[EMAIL PROTECTED]
>>
>> > Hi all,
>>
>> > I am experiencing a problem in LDAP user authentication over SASL
>> > +GSSAPI with a Microsoft AD 2003. After doing the "kinit", I have got
>> > the first user ticket. But when I try to do a SASL bind with mechanism
>> > GSSAPI, and try to give the same user principal that I gave to kinit
>> > in the first SASL step that asks "Please enter your authorization
>> > name" (code 0x4001), I get the service ticket (as shown by the klist
>> > command), but my ldap sasl bind fails with the message
>>
>> > "LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data
>> > 7a, vece"
>>
>> > with LDAP return code 49, which means Invalid Credentials. I am using a
>> > custom client here. The code is pasted after the environment details.
>> > Please go through the code. By the way, I am getting the user and
>> > service tickets from the AD server; it's just the bind which is failing
>> > in the SASL. In normal (simple bind), it is succeeding.
>>
>> > Here are the environment details
>>
>> > Server
>> > =======
>> > Microsoft Server 2003
>>
>> > Client
>> > ======
>> > RedHat ES 3
>> > MozillaLDAP 6.0.4
>> > Cyrus-sasl 2.1.22
>>
>> > Client code
>> > ====================================================================
>>
>> > #include <stdio.h>
>> > #include <stdlib.h>
>> > #include <errno.h>
>> > #include <string.h>
>> > #include <time.h>
>>
>> > #include <sasl.h>
>> > #include <ldap.h>
>>
>> > static char progname[50];
>>
>> > //static int sasl_flags = LDAP_SASL_QUIET;
>> > static int sasl_flags = LDAP_SASL_INTERACTIVE;
>> > static char *sasl_mech = "GSSAPI";
>>
>> > static char buf[1024];
>>
>> > #define VALIDVAL(n) ((n >= SASL_CB_USER) && (n <= SASL_CB_GETREALM))
>>
>> > static char* getCString(char *strPtr, size_t sizeStrPtr, size_t *strLength)
>> > {
>> > int len = 0;
>>
>> > if (strLength != NULL) *strLength = 0;
>>
>> > if (strPtr && (strPtr = fgets(strPtr, sizeStrPtr, stdin)) != NULL)
>> > {
>> > len = strlen(strPtr);
>>
>> > if ((len > 0) && (strPtr[len - 1] == '\n'))
>> > {
>> > strPtr[len - 1] = '\0';
>> > len--;
>> > }
>> > if (strLength != NULL) *strLength = len;
>> > }
>> > return strPtr;
>> > }
>>
>> > static int
>> > example_sasl_interact( LDAP *ld, unsigned flags, void *defaults, void *prompts )
>> > {
>> > //static times = 0;
>> > //printf(" -- Enter times : #%d\n", ++times);
>>
>> > char *promptStrings[9] = {
>> > "USER",
>> > "AUTHNAME",
>> > "LANGUAGE",
>> > "PASS",
>> > "ECHOPROMPT",
>> > "NOECHOPROMPT",
>> > "CNONCE",
>> > "GETREALM",
>> > NULL
>> > };
>>
>> > sasl_interact_t *interact = NULL;
>> > int rc;
>>
>> > if (prompts == NULL) {
>> > return (LDAP_PARAM_ERROR);
>> > }
>>
>> > for (interact = prompts; interact->id != SASL_CB_LIST_END; interact++)
>> > {
>> >        /* label each prompt by its own id, not by the id of the first prompt */
>> >        int promptId = interact->id;
>> >        int promptStringId = promptId - 0x4001;
>> >        if (VALIDVAL(interact->id))
>> > {
>> > printf(" >>   Prompt: [%x|%s] %s: ", promptId, (promptStringId >= 0
>> > && promptStringId < 8 ? promptStrings[promptStringId] : "N/A"),
>> > interact->prompt ? interact->prompt : "N/A");
>> > getCString(buf, sizeof buf, NULL);
>> >        interact->result = buf;
>> >        interact->len = strlen(buf);
>> >        }
>> > }
>> > return (LDAP_SUCCESS);
>> > }
>>
>> > static int
>> > usage(char *progname)
>> > {
>> >    fprintf(stderr, "Usage: %s [ debuglevel ]\n", progname);
>> >    return 1;
>> > }
>>
>> > int
>> > main(int argc, char *argv[])
>> > {
>> >    int index;
>> >    int rc;
>> >    LDAP *ld;
>> >    LDAPControl     **ctrls = NULL;
>> >    int ldversion = LDAP_VERSION3;
>> >    int debuglevel = 0;
>>
>> > LDAPMessage *result, *e;
>> > BerElement *ber;
>> > char *a, *dn;
>> > char **vals;
>> > int i;
>> > int step = 1;
>>
>> > strncpy(progname, argv[0], sizeof progname - 1);
>> > progname[sizeof progname - 1] = '\0';   /* strncpy does not guarantee termination */
>>
>> > if (argc == 2)
>> > debuglevel = atoi(argv[1]);
>> >    /* set the default sasl args from the user input */
>> >    else if (argc > 2)
>> > return usage(argv[0]);
>>
>> > printf("============================================\n");
>> > printf("Starting ...\n\n");
>>
>> >    ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &debuglevel);
>> > /* get a handle to an LDAP connection */
>>
>> > char serverName[100];
>> > int  serverPort=389;
>> > char serverBaseDN[512];
>> > char searchDN[1024];
>> > char searchFilter[512];
>>
>> > printf("Step#%d) Enter LDAP server name|DNS|IP: ", step++);
>> > getCString(serverName, sizeof serverName, NULL);
>> > printf("Step#%d) Enter LDAP server port [389]: ", step++);
>> > getCString(buf, sizeof buf, NULL);
>> > if (buf[0] != '\0') serverPort = atoi(buf);   /* empty input keeps the 389 default */
>>
>> > if ( (ld = ldap_init( serverName, serverPort )) == NULL )
>> > {
>> > perror( "ldap_open" );
>> > return( 1 );
>> > }
>>
>> >    ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &ldversion );
>>
>> > printf("Step#%d) Enter LDAP server base DN: ", step++);
>> > getCString(serverBaseDN, sizeof serverBaseDN, NULL);
>>
>> > int s1 = step++;
>> > int s2 = step++;
>> > do {
>> > printf("Step#%d) Enter LDAP authentication method; 1) Simple [default] 2) GSSAPI-Krb5 : ", s1);
>> > getCString(buf, sizeof buf, NULL);
>> > i = atoi(buf);
>> > if (i == 2)
>> > {
>> > printf("Step#%d) Entering LDAP SASL authentication phase\n", s2);
>> > printf("--[Start]---------------------------------------\n");
>>
>> > LDAPControl auth_resp_ctrl, *ctrl_array[ 3 ], **bindctrls;
>> > LDAPControl pwpolicy_req_ctrl;
>> > LDAPControl **ctrls = NULL;
>> > LDAPControl **rctrls = NULL;
>>
>> > auth_resp_ctrl.ldctl_oid = LDAP_CONTROL_AUTH_REQUEST;
>> > auth_resp_ctrl.ldctl_value.bv_val = NULL;
>> > auth_resp_ctrl.ldctl_value.bv_len = 0;
>> > auth_resp_ctrl.ldctl_iscritical = 0;
>> > ctrl_array[0] = &auth_resp_ctrl;
>>
>> > pwpolicy_req_ctrl.ldctl_oid = LDAP_X_CONTROL_PWPOLICY_REQUEST;
>> > pwpolicy_req_ctrl.ldctl_value.bv_val = NULL;
>> > pwpolicy_req_ctrl.ldctl_value.bv_len = 0;
>> > pwpolicy_req_ctrl.ldctl_iscritical = 0;
>> > ctrl_array[1] = &pwpolicy_req_ctrl;
>> > ctrl_array[2] = NULL;
>> > bindctrls = ctrl_array;
>>
>> >     rc = ldap_sasl_interactive_bind_ext_s( ld, serverBaseDN, sasl_mech,
>> >                                            bindctrls, ctrls, sasl_flags,
>> >                                            example_sasl_interact, NULL, &rctrls );
>> > printf("--[End]-----------------------------------------\n");
>>
>> > }
>> > else
>> > {
>> > printf("Step#%d) Launching LDAP simple BIND\n", s2);
>> > printf("--[Start]---------------------------------------\n");
>>
>> > char userName[100];
>> > char userPass[100];
>> > printf(" >>   Prompt: Enter user DN: ");
>> > getCString(userName, sizeof userName, NULL);
>> > printf(" >>   Prompt: Enter user passwd: ");
>> > getCString(userPass, sizeof userPass, NULL);
>>
>> > rc = ldap_simple_bind_s( ld, userName, userPass );
>> > printf("--[End]-----------------------------------------\n");
>> > }
>> >     if (rc == LDAP_SUCCESS )
>> > break;
>>
>> > sprintf(buf, "Bind Error [%d]", rc);
>> > ldap_perror( ld,  buf);
>>
>> > printf("Do you want to try again ?[y/N] ");
>> >     getCString(buf, sizeof buf, NULL);
>> > } while (buf[0] == 'y' || buf[0] == 'Y');
>>
>> > if (rc != LDAP_SUCCESS )
>> > return ( 1 );
>>
>> > sasl_ssf_t      ssf;
>> > unsigned long val = 0;
>> > if (!ldap_get_option(ld, LDAP_OPT_X_SASL_SSF, &ssf))
>> > {
>> > val = (unsigned long)ssf;
>> > }
>> > printf("Bind successful, security level is %lu\n", val);
>>
>> >    printf("Step#%d) Enter search DN: ", step++);
>> > getCString(searchDN, sizeof searchDN, NULL);
>> > printf("Step#%d) Enter search filter: ", step++);
>> > getCString(searchFilter, sizeof searchFilter, NULL);
>>
>> > if ( (rc = ldap_search_s( ld, searchDN, LDAP_SCOPE_SUBTREE,
>> > searchFilter, NULL, 0, &result )) != LDAP_SUCCESS )
>> > {
>> > sprintf(buf, "'ldap_search_s' Error [%d]", rc);
>> >        ldap_perror( ld,  buf);
>> > if ( result == NULL )
>> > {
>> > ldap_unbind( ld );
>> > return( 1 );
>> > }
>> > }
>>
>> > printf("Step#%d) LDAP search results\n", step++);
>> > printf("--[Start]---------------------------------------\n");
>> > /* for each entry print out name + all attrs and values */
>> > for ( e = ldap_first_entry( ld, result ); e != NULL; e =
>> > ldap_next_entry( ld, e ) )
>> > {
>> > if ( (dn = ldap_get_dn( ld, e )) != NULL )
>> > {
>> >     printf( " => dn: %s\n", dn );
>> >     ldap_memfree( dn );
>> > }
>> > for ( a = ldap_first_attribute( ld, e, &ber ); a != NULL; a =
>> > ldap_next_attribute( ld, e, ber ) )
>> > {
>> > if ((vals = ldap_get_values( ld, e, a)) != NULL )
>> > {
>> > for ( i = 0; vals[i] != NULL; i++ )
>> > {
>> >     printf( " --- %s: %s\n", a, vals[i] );
>> > }
>> > ldap_value_free( vals );
>> > }
>> > ldap_memfree( a );
>> > }
>> > if ( ber != NULL )
>> > {
>> > ber_free( ber, 0 );
>> > }
>> > printf( ".\n" );
>> > }
>> > printf("--[End]-----------------------------------------\n\n Terminating ...\n");
>> > ldap_msgfree( result );
>> > ldap_unbind( ld );
>> > return( 0 );
>> > }
>>
>> > ====================================================================
>>
>> > Kashif Ali Siddiqui
>> > Tech Lead | Folio3 (www.folio3.com)
>> > Email: [EMAIL PROTECTED]
> 

_______________________________________________
dev-tech-ldap mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-ldap
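Added example, not code from this thread or from either LDAP SDK: a stand-alone model of the interact callback that gives every prompt its own copy of the answer (the test program above hands one static buffer to all prompts) and puts the authorization name into the `dn:`/`u:` forms RFC 4513 defines, `dn:` being the prefix recommended above. The `interact_t` struct and `CB_*` ids are assumed stand-ins for the Cyrus SASL types so nothing needs libsasl or libldap; treating non-DN input as `u:` is an assumption, not something the thread tested against AD.

```c
#include <stdlib.h>
#include <string.h>
/* Stand-ins for the Cyrus SASL prompt ids seen in the thread (0x4001 = SASL_CB_USER);
 * nothing here links against libsasl or libldap. */
#define CB_LIST_END 0
#define CB_USER     0x4001   /* authorization identity (authzid) */
#define CB_AUTHNAME 0x4002   /* authentication identity */

typedef struct {
    unsigned long id;
    const char *result;      /* must stay valid until the bind has completed */
    unsigned len;
} interact_t;

static char *dup_str(const char *s) { char *d = malloc(strlen(s) + 1); return d ? strcpy(d, s) : NULL; }

/* Put a typed authzid into an RFC 4513 form: "" (authenticate only), "dn:<DN>" or "u:<user>".
 * Existing prefixes pass through; a bare DN gets "dn:", anything else "u:". Returns malloc'd memory. */
char *normalize_authzid(const char *in)
{
    if (in[0] == '\0' || strncmp(in, "dn:", 3) == 0 || strncmp(in, "u:", 2) == 0)
        return dup_str(in);
    const char *prefix = strchr(in, '=') ? "dn:" : "u:";   /* a DN always contains '=' */
    char *out = malloc(strlen(prefix) + strlen(in) + 1);
    if (out) { strcpy(out, prefix); strcat(out, in); }
    return out;
}

/* Answer every prompt with its own heap copy, so a later prompt cannot overwrite an earlier result
 * as one shared static buffer would. answers is NULL-terminated; missing answers become "".
 * Returns the number of prompts filled, or -1 on allocation failure. */
int fill_prompts(interact_t *prompts, const char *const *answers)
{
    int n = 0;
    for (interact_t *p = prompts; p->id != CB_LIST_END; p++, n++) {
        const char *ans = *answers ? *answers++ : "";
        char *res = (p->id == CB_USER) ? normalize_authzid(ans) : dup_str(ans);
        if (!res) return -1;
        p->result = res;
        p->len = (unsigned)strlen(res);
    }
    return n;
}

/* Constructed prompt list modelled on the session in the thread: the bare DN typed at the
 * USER prompt must come out in "dn:" form, the AUTHNAME answer is kept as typed. */
int demo_authzid_ok(void)
{
    interact_t prompts[] = { { CB_USER, NULL, 0 }, { CB_AUTHNAME, NULL, 0 }, { CB_LIST_END, NULL, 0 } };
    const char *const answers[] = { "CN=Markus Moeller,CN=Users,DC=win2003r2,DC=home", "mm", NULL };
    if (fill_prompts(prompts, answers) != 2) return 0;
    return strcmp(prompts[0].result, "dn:CN=Markus Moeller,CN=Users,DC=win2003r2,DC=home") == 0
        && strcmp(prompts[1].result, "mm") == 0;
}
```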
