Xu, Qiang (FXSGSC) wrote:
Hi, all:
The following is from MozLDAP document
(http://www.mozilla.org/directory/csdk-docs/sasl.htm):
=========================================
Code Example 13-1 - Authenticating over SASL
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include "ldap.h"

int
main( int argc, char **argv )
{
    LDAP *ld;
    LDAPMod mod0;
    LDAPMod mod1;
    LDAPMod *mods[ 3 ];
    char *vals0[ 2 ];
    char *vals1[ 2 ];
    time_t now;
    char buf[ 128 ];
    struct berval cred;
    struct berval *servcred;
    int version;

    /* get a handle to an LDAP connection */
    ......

    /* Set the LDAP protocol version supported by the client
       to 3. (By default, this is set to 2. SASL authentication
       is part of version 3 of the LDAP protocol.) */
    ......

    /* authenticate */
    cred.bv_val = "magic";
    cred.bv_len = sizeof( "magic" ) - 1;
    if ( ldap_sasl_bind_s( ld, "uid=bjensen,ou=people,dc=example,dc=com", \
            "babsmechanism", &cred, NULL, NULL, &servcred ) != LDAP_SUCCESS ) {
        ldap_perror( ld, "ldap_sasl_bind_s" );
        return( 1 );
    }
    ......
}
=========================================
My questions are:

This is a very bad example for using SASL/GSSAPI. Please refer to the
actual source code. There is an example file -
http://mxr.mozilla.org/mozilla/source/directory/c-sdk/ldap/examples/saslsearch.c

1. The variable "cred" is set to "magic" in this example. What should it be in the real world? The
user to be authenticated is already provided through the second parameter. So what is this "cred" for? Can I
leave it as "magic", just like what is used in the example?

For GSSAPI, it doesn't matter, because the real credentials will come
from the TGT

2. If I want to use GSSAPI to bind to the server, is the 3rd parameter to be passed as
"GSSAPI"?

Yes, but no, because you should not use ldap_sasl_bind_s, you should use
ldap_sasl_interactive_bind_ext_s instead - see saslsearch.c above.

Thanks,
Xu Qiang