Yeah, you are right. I finally got through it. Thank you. And yes, the new SASL version does crash on the ldap_search_s call.
Once again, thank you for your kind help. One more question: can I use another LDAP attribute in the SASL authentication step#1 instead of 'dn', like sAMAccountName?

On Jan 2, 8:25 pm, "Markus Moeller" <[EMAIL PROTECTED]> wrote:
> I forgot that I disabled referrals with
>
>     ldap_set_option( ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
>
> I think it is a bug in sasl as I saw this too:
>
>     Program received signal SIGSEGV, Segmentation fault.
>     0xd1f28cae in ___sasl_log () from /usr/lib/libsasl.so.1
>     (gdb) where
>     #0  0xd1f28cae in ___sasl_log () from /usr/lib/libsasl.so.1
>     #1  0xd1f28be4 in _sasl_log () from /usr/lib/libsasl.so.1
>     #2  0xd1f27146 in sasl_encodev () from /usr/lib/libsasl.so.1
>     #3  0xd1f26ff6 in sasl_encode () from /usr/lib/libsasl.so.1
>     #4  0xd1f73dc1 in nsldapi_sasl_write () from /usr/lib/libldap.so.5
>     #5  0xd1f5cb67 in ber_flush () from /usr/lib/libldap.so.5
>     #6  0xd1f6f6a6 in nsldapi_ber_flush () from /usr/lib/libldap.so.5
>     #7  0xd1f6f0a8 in nsldapi_send_server_request () from /usr/lib/libldap.so.5
>     #8  0xd1f6ec8b in nsldapi_send_initial_request () from /usr/lib/libldap.so.5
>     #9  0xd1f74ffd in simple_bind_nolock () from /usr/lib/libldap.so.5
>     #10 0xd1f74d33 in ldap_simple_bind () from /usr/lib/libldap.so.5
>     #11 0xd1f7508d in ldap_simple_bind_s () from /usr/lib/libldap.so.5
>     #12 0xd1f5e9c6 in ldap_bind_s () from /usr/lib/libldap.so.5
>     #13 0xd1f6fa2b in nsldapi_new_connection () from /usr/lib/libldap.so.5
>     #14 0xd1f6eee7 in nsldapi_send_server_request () from /usr/lib/libldap.so.5
>     #15 0xd1f702c7 in chase_one_referral () from /usr/lib/libldap.so.5
>     #16 0xd1f7005d in nsldapi_chase_v3_refs () from /usr/lib/libldap.so.5
>     #17 0xd1f7253f in check_for_refs () from /usr/lib/libldap.so.5
>     #18 0xd1f71dea in read1msg () from /usr/lib/libldap.so.5
>     #19 0xd1f71369 in wait4msg () from /usr/lib/libldap.so.5
>     #20 0xd1f70a31 in nsldapi_result_nolock () from /usr/lib/libldap.so.5
>     #21 0xd1f70953 in ldap_result () from /usr/lib/libldap.so.5
>     #22 0xd1f76504 in nsldapi_search_s () from /usr/lib/libldap.so.5
>     #23 0xd1f7640a in ldap_search_s () from /usr/lib/libldap.so.5
>     #24 0x080519c7 in main ()
>
> BTW, if you want to provide an authorization id, use dn: in front of the dn as
> shown below.
>
>     ./ldap_test
>     ============================================
>     Starting ...
>
>     Step#1) Enter LDAP server name|DNS|IP: w2k3r2.win2003r2.home
>     Step#2) Enter LDAP server port [389]:
>     Step#3) Enter LDAP server base DN: dc=win2003r2,dc=home
>     Step#4) Enter LDAP authentication method; 1) Simple [default] 2) GSSAPI-Krb5 : 2
>     Step#5) Entering LDAP SASL authentication phase
>     --[Start]---------------------------------------
>      >> Prompt: [4001|USER] Please enter your authorization name: dn:CN=Markus Moeller,CN=Users,DC=win2003r2,DC=home
>     --[End]-----------------------------------------
>     Bind successful, security level is 56
>     Step#6) Enter search DN: dc=win2003r2,dc=home
>     Step#7) Enter search filter: (cn=markus*)
>     Step#8) LDAP search results
>     --[Start]---------------------------------------
>     => dn: CN=Markus Moeller,CN=Users,DC=win2003r2,DC=home
>     --- objectClass: top
>     --- objectClass: person
>     --- objectClass: organizationalPerson
>     --- objectClass: user
>     --- cn: Markus Moeller
>     --- sn: Moeller
>     --- givenName: Markus
>     --- distinguishedName: CN=Markus Moeller,CN=Users,DC=win2003r2,DC=home
>     --- instanceType: 4
>     --- whenCreated: 20071221213740.0Z
>     --- whenChanged: 20071226183848.0Z
>     --- displayName: Markus Moeller
>     --- uSNCreated: 20500
>     --- uSNChanged: 32984
>     --- name: Markus Moeller
>     --- objectGUID: ùW \C~Nwe$
>     --- userAccountControl: 66048
>     --- badPwdCount: 0
>     --- codePage: 0
>     --- countryCode: 0
>     --- employeeID: 500
>     --- badPasswordTime: 128436841317493750
>     --- lastLogoff: 0
>     --- lastLogon: 128437604944212500
>     --- pwdLastSet: 128427466604375000
>     --- primaryGroupID: 513
>     --- objectSid:
>     --- accountExpires: 9223372036854775807
>     --- logonCount: 3
>     --- sAMAccountName: mm
>     --- sAMAccountType: 805306368
>     --- userPrincipalName: [EMAIL PROTECTED]
>     --- objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=win2003r2,DC=home
>     --- lastLogonTimestamp: 128431679281250000
>     --- uid: mm
>     --- msSFU30Name: mm
>     --- msSFU30NisDomain: win2003r2
>     --- msSFU30PosixMemberOf: CN=SuseGroup,CN=Users,DC=win2003r2,DC=home
>     --- msSFU30PosixMemberOf: CN=SolarisGroup,CN=Users,DC=win2003r2,DC=home
>     --- uidNumber: 10000
>     --- gidNumber: 10000
>     --- unixHomeDirectory: /export/home/mm
>     --- loginShell: /bin/ksh
>     .
>     --[End]-----------------------------------------
>
>     Terminating ...
>
> "Kashif Ali Siddiqui" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
>
> > I have tried with an empty authorization name, and the sasl bind
> > succeeded with just the first step, but the code crashed on the
> > ldap_search_s call with a segmentation fault. The fault occurs in the
> > ldap_search_s call trace. Besides that, I need to authenticate the user
> > just to verify their credentials, so I can't use an empty
> > authorization name.
> >
> > Any other solution please.
> >
> > On Jan 2, 7:54 pm, "Markus Moeller" <[EMAIL PROTECTED]> wrote:
> >> Can you try with an empty authorization name. I compiled your test
> >> program on Opensolaris with minor modification (no DEBUG and no bind_ext
> >> available in Sun's ldap release which is based on mozilla) and it works
> >> fine against my w2k3 AD.
> >>
> >> Markus
> >>
> >> "Kashif Ali Siddiqui" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> >>
> >> > Hi all,
> >> >
> >> > I am experiencing a problem in ldap user authentication over SASL
> >> > +GSSAPI with a Microsoft AD 2003. After doing the "kinit", I have got
> >> > the first user ticket. But when I try to do a SASL bind with mechanism
> >> > GSSAPI, and try to give the same user principal that I gave to kinit
> >> > in the first SASL step that asks "Please enter your authorization
> >> > name" (code 0x4001), I get the service ticket (as shown by the klist
> >> > command), but my ldap sasl bind fails with the message
> >> >
> >> >     "LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data 7a, vece"
> >> >
> >> > with LDAP return code 49, which means Invalid Credentials. I am using a
> >> > custom client here. The code is pasted after the environment details.
> >> > Please go through the code. By the way, I am getting the user and
> >> > service tickets from the AD server; it's just the bind which is failing
> >> > in the SASL. In a normal (simple) bind, it is succeeding.
> >> >
> >> > Here are the environment details
> >> >
> >> > Server
> >> > =======
> >> > Microsoft Server 2003
> >> >
> >> > Client
> >> > ======
> >> > RedHat ES 3
> >> > MozillaLDAP 6.0.4
> >> > Cyrus-sasl 2.1.22
> >> >
> >> > Client code
> >> > ====================================================================
> >> >
> >> > #include <stdio.h>
> >> > #include <stdlib.h>
> >> > #include <errno.h>
> >> > #include <string.h>
> >> > #include <time.h>
> >> >
> >> > #include <sasl.h>
> >> > #include <ldap.h>
> >> >
> >> > static char progname[50];
> >> >
> >> > //static int sasl_flags = LDAP_SASL_QUIET;
> >> > static int sasl_flags = LDAP_SASL_INTERACTIVE;
> >> > static char *sasl_mech = "GSSAPI";
> >> >
> >> > static char buf[1024];
> >> >
> >> > /* SASL_CB_USER (0x4001) .. SASL_CB_GETREALM (0x4008) are the interactive prompt ids */
> >> > #define VALIDVAL(n) ((n >= SASL_CB_USER) && (n <= SASL_CB_GETREALM))
> >> >
> >> > /* read one line from stdin, strip the newline, optionally return its length */
> >> > static char* getCString(char *strPtr, size_t sizeStrPtr, size_t *strLength)
> >> > {
> >> >     int len = 0;
> >> >
> >> >     if (strLength != NULL) *strLength = 0;
> >> >
> >> >     if (strPtr && (strPtr = fgets(strPtr, sizeStrPtr, stdin)) != NULL)
> >> >     {
> >> >         len = strlen(strPtr);
> >> >
> >> >         if ((len > 0) && (strPtr[len - 1] == '\n'))
> >> >         {
> >> >             strPtr[len - 1] = '\0';
> >> >             len--;
> >> >         }
> >> >         if (strLength != NULL) *strLength = len;
> >> >     }
> >> >     return strPtr;
> >> > }
> >> >
> >> > /* interaction callback handed to the SASL bind: answers each prompt from stdin */
> >> > static int
> >> > example_sasl_interact( LDAP *ld, unsigned flags, void *defaults, void *prompts )
> >> > {
> >> >     //static times = 0;
> >> >     //printf(" -- Enter times : #%d\n", ++times);
> >> >
> >> >     char *promptStrings[9] = {
> >> >         "USER",
> >> >         "AUTHNAME",
> >> >         "LANGUAGE",
> >> >         "PASS",
> >> >         "ECHOPROMPT",
> >> >         "NOECHOPROMPT",
> >> >         "CNONCE",
> >> >         "GETREALM",
> >> >         NULL
> >> >     };
> >> >
> >> >     sasl_interact_t *interact = NULL;
> >> >
> >> >     if (prompts == NULL) {
> >> >         return (LDAP_PARAM_ERROR);
> >> >     }
> >> >
> >> >     for (interact = prompts; interact->id != SASL_CB_LIST_END; interact++)
> >> >     {
> >> >         /* look the id up per prompt: the posted version took it from the
> >> >            first prompt only, so any later prompt was mislabelled */
> >> >         int promptId = interact->id;
> >> >         int promptStringId = promptId - 0x4001;
> >> >
> >> >         if (VALIDVAL(interact->id))
> >> >         {
> >> >             printf(" >> Prompt: [%x|%s] %s: ", promptId,
> >> >                    (promptStringId >= 0 && promptStringId < 8 ? promptStrings[promptStringId] : "N/A"),
> >> >                    interact->prompt ? interact->prompt : "N/A");
> >> >             getCString(buf, sizeof buf, NULL);
> >> >             /* give each prompt its own copy: pointing every result at the one
> >> >                static buf lets a later prompt overwrite an earlier answer
> >> >                (the copy is never freed; acceptable for this test tool) */
> >> >             interact->result = strdup(buf);
> >> >             interact->len = strlen(buf);
> >> >         }
> >> >     }
> >> >     return (LDAP_SUCCESS);
> >> > }
> >> >
> >> > static int
> >> > usage(char *progname)
> >> > {
> >> >     fprintf(stderr, "Usage: %s [ debuglevel ]\n", progname);
> >> >     return 1;
> >> > }
> >> >
> >> > int
> >> > main(int argc, char *argv[])
> >> > {
> >> >     int index;
> >> >     int rc;
> >> >     LDAP *ld;
> >> >     LDAPControl **ctrls = NULL;
> >> >     int ldversion = LDAP_VERSION3;
> >> >     int debuglevel = 0;
> >> >
> >> >     LDAPMessage *result, *e;
> >> >     BerElement *ber;
> >> >     char *a, *dn;
> >> >     char **vals;
> >> >     int i;
> >> >     int step = 1;
> >> >
> >> >     strncpy(progname, argv[0], sizeof progname);
> >> >     progname[sizeof progname - 1] = '\0';   /* strncpy does not terminate a long argv[0] */
> >> >
> >> >     if (argc == 2)
> >> >         debuglevel = atoi(argv[1]);
> >> >     /* set the default sasl args from the user input */
> >> >     else if (argc > 2)
> >> >         return usage(argv[0]);
> >> >
> >> >     printf("============================================\n");
> >> >     printf("Starting ...\n\n");
> >> >
> >> >     ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &debuglevel);
> >> >     /* get a handle to an LDAP connection */
> >> >
> >> >     char serverName[100];
> >> >     int serverPort=389;
> >> >     char serverBaseDN[512];
> >> >     char searchDN[1024];
> >> >     char searchFilter[512];
> >> >
> >> >     printf("Step#%d) Enter LDAP server name|DNS|IP: ", step++);
> >> >     getCString(serverName, sizeof serverName, NULL);
> >> >     printf("Step#%d) Enter LDAP server port [389]: ", step++);
> >> >     getCString(buf, sizeof buf, NULL);
> >> >     if (buf[0] != '\0')              /* keep the 389 default on an empty line instead of atoi("") == 0 */
> >> >         serverPort = atoi(buf);
> >> >
> >> >     if ( (ld = ldap_init( serverName, serverPort )) == NULL )
> >> >     {
> >> >         perror( "ldap_open" );
> >> >         return( 1 );
> >> >     }
> >> >
> >> >     ldap_set_option( ld,
> > ...

_______________________________________________
dev-tech-ldap mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-ldap
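An added example, not code from this thread or from the Mozilla LDAP SDK. It shows the two authorization-identity forms RFC 4513 defines for a SASL bind, "dn:<DN>" (what Markus typed at the 0x4001 prompt) and "u:<userid>" (the non-DN alternative Kashif asks about), and an interaction callback that gives each prompt its own copy of the answer rather than pointing every prompt at one shared buffer. Which user ids a server honours in the u: form (a sAMAccountName or a UPN against AD, for instance) is server policy and must be checked against the directory in question. To compile stand-alone the block copies the SASL_CB_USER/SASL_CB_AUTHNAME values and the sasl_interact_t layout from Cyrus SASL's sasl.h; a real client includes <sasl/sasl.h> and <ldap.h> instead and, as Markus did, turns off referral chasing with ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF) before the search, which this offline example cannot exercise. The prompt list in main() is constructed, not captured from a server.

```c
/* Added example: prompt filling and authzid construction for a SASL
 * GSSAPI bind, without libldap/libsasl. The constants and struct layout
 * below are copied from Cyrus SASL's sasl.h (assumption: your sasl.h
 * agrees; a real client includes <sasl/sasl.h> and <ldap.h> instead). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SASL_CB_LIST_END 0
#define SASL_CB_USER     0x4001   /* "authorization name" prompt (authzid) */
#define SASL_CB_AUTHNAME 0x4002   /* "authentication name" prompt          */

typedef struct sasl_interact {
    unsigned long id;
    const char *challenge;
    const char *prompt;
    const char *defresult;
    const void *result;
    unsigned len;
} sasl_interact_t;

/* One answer per prompt id. Prompts without an entry get their defresult
 * (or ""); an empty SASL_CB_USER answer is the "empty authorization name"
 * Markus suggested, so GSSAPI authorizes as the Kerberos principal itself. */
typedef struct {
    unsigned long id;
    const char *answer;
} prompt_answer_t;

/* Build an RFC 4513 authzid: kind 'd' gives "dn:<DN>", kind 'u' gives
 * "u:<userid>". Returns 0 on success, -1 on a bad kind or if it does not fit. */
int build_authzid(char kind, const char *value, char *out, size_t outlen)
{
    const char *prefix;
    if (kind == 'd')      prefix = "dn:";
    else if (kind == 'u') prefix = "u:";
    else                  return -1;
    if (value == NULL || out == NULL || outlen == 0) return -1;
    if ((size_t)snprintf(out, outlen, "%s%s", prefix, value) >= outlen) return -1;
    return 0;
}

static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *copy = malloc(n);
    if (copy) memcpy(copy, s, n);
    return copy;
}

/* Fill every prompt in the list. Each result is its own heap copy: with one
 * static buffer shared by all prompts, a second prompt (e.g. AUTHNAME after
 * USER) overwrites the first answer before the library reads it.
 * Returns the number of prompts filled, -1 on a NULL list or malloc failure. */
int fill_prompts(sasl_interact_t *prompts, const prompt_answer_t *answers, size_t nanswers)
{
    int filled = 0;
    if (prompts == NULL) return -1;
    for (sasl_interact_t *in = prompts; in->id != SASL_CB_LIST_END; in++) {
        const char *val = in->defresult ? in->defresult : "";
        for (size_t i = 0; i < nanswers; i++) {
            if (answers[i].id == in->id) { val = answers[i].answer; break; }
        }
        char *copy = dup_str(val);
        if (copy == NULL) return -1;
        in->result = copy;
        in->len = (unsigned)strlen(copy);
        filled++;
    }
    return filled;
}

/* Release the copies made by fill_prompts() once the bind has completed. */
void free_prompt_results(sasl_interact_t *prompts)
{
    for (sasl_interact_t *in = prompts; in->id != SASL_CB_LIST_END; in++) {
        free((void *)in->result);
        in->result = NULL;
        in->len = 0;
    }
}

int main(void)
{
    /* Constructed prompt list: USER (0x4001) as in the poster's run, plus an
     * AUTHNAME prompt with a default, to show that each answer stays separate. */
    sasl_interact_t prompts[] = {
        { SASL_CB_USER,     NULL, "Please enter your authorization name",  NULL, NULL, 0 },
        { SASL_CB_AUTHNAME, NULL, "Please enter your authentication name", "mm", NULL, 0 },
        { SASL_CB_LIST_END, NULL, NULL, NULL, NULL, 0 }
    };
    char authzid[256];

    /* dn: form with the DN from Markus's transcript, then the u: form. */
    if (build_authzid('d', "CN=Markus Moeller,CN=Users,DC=win2003r2,DC=home", authzid, sizeof authzid) == 0)
        printf("dn form: %s\n", authzid);
    if (build_authzid('u', "mm", authzid, sizeof authzid) == 0)
        printf("u form : %s\n", authzid);

    prompt_answer_t answers[] = { { SASL_CB_USER, authzid } };
    int n = fill_prompts(prompts, answers, 1);
    for (int i = 0; i < n; i++)
        printf("prompt %lx -> \"%s\" (len %u)\n", prompts[i].id,
               (const char *)prompts[i].result, prompts[i].len);
    free_prompt_results(prompts);
    return 0;
}
```

In a real client the body of fill_prompts() is what the callback passed to the SASL bind does with the prompt list it receives; the bind then carries the chosen authzid to the server, which decides whether the dn: or u: identity maps to an account it will authorize.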
