What port do you use? You need to differentiate between STARTTLS on port
389 and SSL on port 636.
Markus
"Xu, Qiang (FXSGSC)" <[email protected]> wrote in message
news:[email protected]...
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Markus Moeller
Sent: Monday, April 13, 2009 6:08 PM
To: [email protected]
Subject: Re: SASL authentication
something like this should work
sasl_secprops = (char *)"maxssf=0";
ldap_set_option( ld, LDAP_OPT_X_SASL_SECPROPS, (void *) sasl_secprops );
This works, but only partially. The first binding is successful, the later
ones all fail, citing the reason "81 Can't contact LDAP server". :-(
The code is like this:
==============================================
static char *sasl_secprops = "maxssf=0";
.....
if (sslEnabled)
{
    /* Apply the SASL security properties to the current ldapHandle
    ** (NULL, or the handle left from an earlier round); that handle is
    ** then replaced by the one ldapssl_init() returns below. */
    if (ldap_set_option(ldapHandle, LDAP_OPT_X_SASL_SECPROPS,
                        (void *)sasl_secprops) != 0)
    {
        /*
        ** unbind ldap handle.
        */
        if (ldapHandle != (LDAP *)NULL)
        {
            LOGINFO("ldap_unbind_s3");
            ldap_unbind_s(ldapHandle);
            ldapHandle = (LDAP *)NULL;
        }
        LOGERROR("Failed to set maxssf to 0");
        return(ABA_LDAP_SET_UNABLE_TO_SET_PREFS);
    }
    /* Open the SSL (ldaps) session; third argument 1 = secure. */
    if ((ldapHandle = ldapssl_init(serverHost, serverPort, 1)) == NULL)
    {
        LOGERROR("Failed to do ldapssl_init...");
        return(ABA_LDAP_INIT_CALL_FAILED);
    }
    LOGINFO("LDAP SSL CONNECTION SUCCESSFUL to %s",
            ldapServerConfigData.hostnames);
}
else
{
    /* Plain (non-SSL) session; third argument 0 = not shared across threads. */
    if ((ldapHandle = prldap_init(serverHost, serverPort, 0)) == NULL)
    {
        LOGERROR("prldap_init failed");
        return(ABA_LDAP_INIT_CALL_FAILED);
    }
    LOGINFO("prldap_init succeeded");
}
......
/* SASL bind (GSSAPI) using the interaction callback; any response
** controls are released once the bind has completed. */
ldapStatus = ldap_sasl_interactive_bind_ext_s(ldapHandle, "", sasl_mech,
                                              NULL, NULL, sasl_flags,
                                              example_sasl_interact,
                                              NULL, &responseControls);
if (responseControls != NULL)
{
    LOGINFO("SASL binding finished, will destroy responseControls");
    ldap_controls_free(responseControls);
    responseControls = NULL;
}
LOGINFO("SASL LDAP BIND with GSSAPI: Value of ldapStatus %d", ldapStatus);
==============================================
You can see that, compared to non-SSL binding with SASL/GSSAPI, there are
only two differences. One is to set the option of maxssf to be 0, the other
is ldapssl_init() versus prldap_init(). But the log shows ldapssl_init() is
always successful.
The log tells me:
==============================================
<apManager> (Tue Apr 14 2009 11:04:22.587)
<p25348,t3078937504,aba_ldap_interface.c,1625>
INFO>> SASL Login
<apManager> (Tue Apr 14 2009 11:04:23.186)
<p25348,t3078937504,aba_ldap_interface.c,1639>
INFO>> SASL LDAP BIND with GSSAPI: Value of ldapStatus 0
<apManager> (Tue Apr 14 2009 11:04:23.186)
<p25348,t3078937504,aba_ldap_interface.c,1702>
INFO>> ldap_unbind_s6
......
INFO>> SASL Login
<apManager> (Tue Apr 14 2009 11:04:23.223)
<p25348,t3078937504,aba_ldap_interface.c,1639>
INFO>> SASL LDAP BIND with GSSAPI: Value of ldapStatus 81
<apManager> (Tue Apr 14 2009 11:04:23.223)
<p25348,t3078937504,aba_ldap_interface.c,1646>
ERROR>> LDAP BIND: Value of ldap failure status and text 81 Can't contact LDAP server
<apManager> (Tue Apr 14 2009 11:04:23.223)
<p25348,t3078937504,aba_ldap_interface.c,1659>
ERROR>> ABA_LDAP_BIND_SERVER_DOWN
==============================================
The server is confirmed to be alive all the time. In contrast, if SSL is not
enabled, then SASL binding is always successful, no matter how many bindings
are tried.
Any suggestions on this issue?
Thanks,
Xu Qiang
_______________________________________________
dev-tech-ldap mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-ldap
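As an added example (not code from the thread and not the Mozilla LDAP C SDK's own), the following standalone C parses a SASL "secprops" string of the kind passed to LDAP_OPT_X_SASL_SECPROPS and checks it against the transport Markus asks about: maxssf=0 is the right setting once TLS already protects the session (ldaps on 636, or 389 after STARTTLS), but on a plaintext 389 connection it leaves all post-bind traffic without an integrity or confidentiality layer. The keyword set beyond maxssf (Cyrus-SASL style minssf, maxbufsize and the flag words), the defaults, and the policy in transport_from_port, secprops_ok_for_transport and choose_secprops are my assumptions; the parser is constructed for this example.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parsed SASL security properties. Keyword set assumed to follow the
 * Cyrus-SASL style secprops string (minssf=, maxssf=, maxbufsize=, none,
 * noplain, noactive, nodict, forwardsec, noanonymous, passcred); the
 * thread itself only uses "maxssf=0". */
typedef struct {
    unsigned int minssf;     /* minimum security strength factor */
    unsigned int maxssf;     /* maximum security strength factor */
    unsigned int maxbufsize; /* maximum security-layer buffer size */
    unsigned int flags;      /* SECPROP_* bits */
} sasl_secprops_t;

enum {
    SECPROP_NOPLAIN = 1u << 0,    SECPROP_NOACTIVE = 1u << 1,
    SECPROP_NODICT = 1u << 2,     SECPROP_FORWARDSEC = 1u << 3,
    SECPROP_NOANONYMOUS = 1u << 4, SECPROP_PASSCRED = 1u << 5
};

/* How the session reaches the server: the 389-vs-636 distinction above. */
typedef enum { TRANSPORT_PLAIN = 0, TRANSPORT_STARTTLS, TRANSPORT_LDAPS } transport_t;

/* Parse "key[=value],key[=value],..." into *out (commas and blanks separate
 * tokens). Returns 0 on success, -1 on an unknown keyword, a malformed
 * number, or minssf > maxssf. Constructed parser, not the SDK's. */
int parse_secprops(const char *spec, sasl_secprops_t *out)
{
    static const struct { const char *name; unsigned int bit; } words[] = {
        {"noplain", SECPROP_NOPLAIN},         {"noactive", SECPROP_NOACTIVE},
        {"nodict", SECPROP_NODICT},           {"forwardsec", SECPROP_FORWARDSEC},
        {"noanonymous", SECPROP_NOANONYMOUS}, {"passcred", SECPROP_PASSCRED},
    };
    char buf[256];
    char *tok;

    if (spec == NULL || strlen(spec) >= sizeof buf)
        return -1;
    strcpy(buf, spec);

    /* Defaults (assumed): no layer required, any strength allowed. */
    out->minssf = 0;
    out->maxssf = UINT_MAX;
    out->maxbufsize = 65536;
    out->flags = 0;

    for (tok = strtok(buf, ", \t"); tok != NULL; tok = strtok(NULL, ", \t")) {
        char *eq = strchr(tok, '=');
        if (eq != NULL) {
            char *end;
            unsigned long v;
            *eq = '\0';
            if (!isdigit((unsigned char)eq[1]))
                return -1;
            v = strtoul(eq + 1, &end, 10);
            if (*end != '\0' || v > UINT_MAX)
                return -1;
            if (strcmp(tok, "minssf") == 0)          out->minssf = (unsigned int)v;
            else if (strcmp(tok, "maxssf") == 0)     out->maxssf = (unsigned int)v;
            else if (strcmp(tok, "maxbufsize") == 0) out->maxbufsize = (unsigned int)v;
            else return -1;
        } else if (strcmp(tok, "none") == 0) {
            out->flags = 0; /* "none": clear every restriction flag */
        } else {
            size_t i, hit = 0;
            for (i = 0; i < sizeof words / sizeof words[0]; i++)
                if (strcmp(tok, words[i].name) == 0) { out->flags |= words[i].bit; hit = 1; }
            if (!hit)
                return -1;
        }
    }
    return out->minssf <= out->maxssf ? 0 : -1;
}

/* Classify the transport from the port and whether STARTTLS has completed. */
transport_t transport_from_port(int port, int starttls_done)
{
    if (port == 636)   return TRANSPORT_LDAPS;
    if (starttls_done) return TRANSPORT_STARTTLS;
    return TRANSPORT_PLAIN;
}

/* Policy check (assumed): over TLS, maxssf=0 is fine because the channel is
 * already protected and a GSSAPI layer stacked on TLS is redundant. Over
 * plaintext the SASL layer is the only protection post-bind traffic gets,
 * so minssf must be > 0. Returns 1 when acceptable, 0 otherwise. */
int secprops_ok_for_transport(const sasl_secprops_t *p, transport_t t)
{
    if (t == TRANSPORT_PLAIN)
        return p->minssf > 0 && p->maxssf >= p->minssf;
    return 1;
}

/* String to hand to ldap_set_option(..., LDAP_OPT_X_SASL_SECPROPS, ...) per
 * transport (assumed policy; minssf=1 asks for at least an integrity layer). */
const char *choose_secprops(transport_t t)
{
    return t == TRANSPORT_PLAIN ? "minssf=1,noplain,noanonymous" : "maxssf=0";
}

int main(void)
{
    sasl_secprops_t p;
    transport_t t = transport_from_port(636, 0);
    const char *spec = choose_secprops(t);
    if (parse_secprops(spec, &p) == 0)
        printf("%s -> min=%u max=%u ok=%d\n", spec, p.minssf, p.maxssf,
               secprops_ok_for_transport(&p, t));
    return 0;
}
```

In code shaped like the snippet in the thread, the chosen string would take the place of the fixed "maxssf=0" in sasl_secprops, selected from the transport actually in use rather than from sslEnabled alone, and the policy check gives a single place to refuse a plaintext bind that would run with no security layer at all.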