> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kashif Ali Siddiqui
> Sent: Wednesday, November 05, 2008 11:34 PM
> To: Rich Megginson
> Cc: [email protected]
> Subject: Re: SASL authentication
>
> With GSSAPI, after a successful kinit execution,
> ldap_sasl_interactive_bind_ext_s() will only ask for the
> authname, whereas the user name is taken from the Kerberos
> credential cache. The authorization name is required to tell
> the SASL layer which user's authorization you require for
> this LDAP session. It can be the same as the Kerberos user in
> the credential cache. If you supply "" (NULL) as the authname,
> this means that you are asking for the authorization of an
> anonymous user (which can be none in most cases). Thus, in
> order to have a definite authorization, you do need to supply
> the correct distinguished name of the user in ADS. The format
> for the authname value is
>
> dn:<distinguishedName of the user in ADS>
You mean if I put "" for authname, it will do an anonymous bind? I put it as
"" yesterday in my testing, and there was no outbound LDAP traffic to the server. But the
return value is 0 (LDAP_SUCCESS). Very weird. Even when I change the second value
of the array to the user's DN, as you suggested, I still can't see any LDAP
packet from the client to the server.
Would you kindly have a look at my code?
==========================================
#include <string.h>
#include <ldap.h>        /* ldap_sasl_interactive_bind_ext_s(), LDAP_SASL_QUIET */
#include <sasl/sasl.h>   /* sasl_interact_t, SASL_CB_* ids */

static int sasl_flags = LDAP_SASL_QUIET;
static char *sasl_mech = "GSSAPI";

/* warning! - the following requires intimate knowledge of sasl.h:
 * the table is indexed by callback id, so its order has to match the
 * SASL_CB_USER .. SASL_CB_GETREALM numbering exactly. */
static const char *default_values[] = {
    "",                                          /* SASL_CB_USER         0x4001  (sasl.h: client user identity to login as) */
    "dn:CN=xuan,CN=Users,DC=sesswin2003,DC=com", /* SASL_CB_AUTHNAME     0x4002  (sasl.h: client authentication name) */
    "",                                          /* SASL_CB_LANGUAGE     0x4003  not used */
    "",                                          /* SASL_CB_PASS         0x4004 */
    "",                                          /* SASL_CB_ECHOPROMPT   0x4005 */
    "",                                          /* SASL_CB_NOECHOPROMPT 0x4006 */
    "",                                          /* SASL_CB_CNONCE       0x4007 */
    ""                                           /* SASL_CB_GETREALM     0x4008 */
};

/* this is so we can use SASL_CB_USER etc. to index into default_values */
#define VALIDVAL(n) (((n) >= SASL_CB_USER) && ((n) <= SASL_CB_GETREALM))
#define VAL(n)      default_values[(n) - SASL_CB_USER]
...
/* Called by the library with a SASL_CB_LIST_END-terminated array of prompts;
 * fill in result/len for every id we have a value for and leave the rest NULL. */
static int example_sasl_interact(LDAP *ld, unsigned flags, void *defaults, void *prompts)
{
    sasl_interact_t *interact = NULL;

    (void)ld; (void)flags; (void)defaults;  /* unused: the answers come from the static table */

    if (prompts == NULL)
    {
        return (LDAP_PARAM_ERROR);
    }
    for (interact = prompts; interact->id != SASL_CB_LIST_END; interact++)
    {
        if (VALIDVAL(interact->id))
        {
            interact->result = VAL(interact->id);
            interact->len = (unsigned)strlen((const char *)interact->result);
        }
    }
    return (LDAP_SUCCESS);
}
...
/* the bind DN is left empty: with a SASL bind the identity is negotiated by
 * the mechanism, not taken from the DN argument */
ldapStatus = ldap_sasl_interactive_bind_ext_s(ldapHandle, "", sasl_mech,
                                              NULL, NULL, sasl_flags,
                                              example_sasl_interact, NULL,
                                              &responseControls);
if (responseControls != NULL)
{
    LOGINFO("SASL binding finished, will destroy responseControls");
    ldap_controls_free(responseControls);
    responseControls = NULL;
}
LOGINFO("SASL LDAP BIND with GSSAPI: Value of ldapStatus %d", ldapStatus);
==========================================
I just can't understand why it returns 0 when it does not send the bind
request to the server.
And Richard, do you have any idea about my code above? I am sort of stuck here.
> Kindly confirm whether we can use a UPN in place of the DN
> in the authname value.
>
> Kashif Ali Siddiqui
> Tech Lead Folio3
_______________________________________________
dev-tech-ldap mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-ldap
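Added example, not code from the original post or from the Mozilla LDAP C SDK: a SASL interact callback in C that answers prompts by callback id instead of indexing a table by (id - 0x4001), and that builds the authorization identity in the two forms RFC 4513 defines for LDAP ("dn:" followed by a DN, or "u:" followed by a server-interpreted user id such as a UPN; whether a given directory accepts a UPN there is up to that server). The struct and the SASL_CB_* constants mirror Cyrus SASL's sasl.h so the file compiles without the LDAP or SASL headers (an assumption; a real client includes the real headers). The prompt list, the DN and the UPN are constructed sample input; demo_dn_authzid, upn_authzid, demo_truncated_authzid and sasl_defaults_t are names chosen for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Mirror of Cyrus SASL's sasl_interact_t and the callback ids used here
 * (assumption: reproduced from sasl.h so this compiles stand-alone). */
typedef struct sasl_interact {
    unsigned long id;        /* SASL_CB_* id of the value being asked for */
    const char   *challenge; /* presented to the user */
    const char   *prompt;
    const char   *defresult; /* default the mechanism would accept */
    const void   *result;    /* filled in by the callback */
    unsigned      len;       /* length of result */
} sasl_interact_t;

#define SASL_CB_LIST_END 0
#define SASL_CB_USER     0x4001  /* client user identity to login as (authzid) */
#define SASL_CB_AUTHNAME 0x4002  /* client authentication name */
#define SASL_CB_PASS     0x4004
#define SASL_CB_GETREALM 0x4008

/* Answers the client has ready; NULL means "let the mechanism decide". */
typedef struct {
    const char *authzid;  /* SASL_CB_USER: "dn:<DN>" or "u:<userid>" per RFC 4513 */
    const char *authname; /* SASL_CB_AUTHNAME: left NULL for GSSAPI in this example */
    const char *password; /* SASL_CB_PASS: NULL for GSSAPI */
    const char *realm;    /* SASL_CB_GETREALM */
} sasl_defaults_t;

/* Build an LDAP authzid into out: "dn:" + DN if a DN is given, else "u:" + userid,
 * else the empty string. Returns 0, or -1 if the value does not fit the buffer. */
int make_authzid(char *out, size_t outlen, const char *dn, const char *userid)
{
    int n;
    if (dn != NULL)
        n = snprintf(out, outlen, "dn:%s", dn);
    else if (userid != NULL)
        n = snprintf(out, outlen, "u:%s", userid);
    else
        n = snprintf(out, outlen, "%s", "");
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Walk the SASL_CB_LIST_END-terminated prompt array and answer each prompt from
 * the defaults, falling back to the prompt's own defresult. Matching on the id
 * means there is no table to run off the end of when an unexpected id shows up.
 * Returns the number of prompts left without an answer (result NULL, len 0). */
int answer_sasl_prompts(sasl_interact_t *prompts, const sasl_defaults_t *d)
{
    int unanswered = 0;
    sasl_interact_t *p;
    for (p = prompts; p->id != SASL_CB_LIST_END; p++) {
        const char *v;
        switch (p->id) {
        case SASL_CB_USER:     v = d->authzid;  break;
        case SASL_CB_AUTHNAME: v = d->authname; break;
        case SASL_CB_PASS:     v = d->password; break;
        case SASL_CB_GETREALM: v = d->realm;    break;
        default:               v = p->defresult; break;
        }
        if (v == NULL) {
            p->result = NULL;
            p->len = 0;
            unanswered++;
            continue;
        }
        p->result = v;
        p->len = (unsigned)strlen(v);
    }
    return unanswered;
}

/* Constructed scenario: a prompt list with a single SASL_CB_USER prompt, answered
 * with the DN-form authzid for the user named in the thread. Returns 0 on success. */
int demo_dn_authzid(void)
{
    static const char dn[] = "CN=xuan,CN=Users,DC=sesswin2003,DC=com";
    char authzid[256];
    sasl_defaults_t d = { authzid, NULL, NULL, NULL };
    sasl_interact_t prompts[] = {
        { SASL_CB_USER, "Authorization identity", "Please enter your authorization name", NULL, NULL, 0 },
        { SASL_CB_LIST_END, NULL, NULL, NULL, NULL, 0 }
    };
    if (make_authzid(authzid, sizeof authzid, dn, NULL) != 0)
        return 1;
    if (answer_sasl_prompts(prompts, &d) != 0)
        return 2;
    if (strcmp((const char *)prompts[0].result, "dn:CN=xuan,CN=Users,DC=sesswin2003,DC=com") != 0)
        return 3;
    return prompts[0].len == strlen("dn:CN=xuan,CN=Users,DC=sesswin2003,DC=com") ? 0 : 4;
}

/* "u:" form of the authzid (server-interpreted user id, e.g. a UPN), in a static buffer. */
const char *upn_authzid(const char *upn)
{
    static char buf[256];
    return make_authzid(buf, sizeof buf, NULL, upn) == 0 ? buf : NULL;
}

/* An authzid that does not fit its buffer is refused (-1) rather than silently truncated. */
int demo_truncated_authzid(void)
{
    char small[8];
    return make_authzid(small, sizeof small, "CN=xuan,DC=example", NULL);
}
```

In a real client the callback hands answer_sasl_prompts the `prompts` pointer it receives from ldap_sasl_interactive_bind_ext_s, with the sasl_defaults_t passed through the `defaults` argument instead of a static table; the "u:" form carries whatever user id the directory is configured to resolve, so check the server's documentation before relying on a UPN there.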