> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Markus Moeller
> Sent: Tuesday, April 14, 2009 3:35 PM
> To: [email protected]
> Subject: Re: SASL authentication
>
> What port do you use? You need to differentiate between starttls on port 389
> and ssl on port 636.
Yes, I am using 636. And I understand that if I use port 389 on an ssl connection,
the error "81 Can't contact LDAP server" is expected. But that seems not to be
the case here.
Previously I made a mistake:
==============================================
static char *sasl_secprops = "maxssf=0";
......
if (sslEnabled)
{
    /* BUG (described below): ldapHandle has not been created yet when
       the SASL security properties are set on it. */
    if (ldap_set_option(ldapHandle, LDAP_OPT_X_SASL_SECPROPS, (void *)sasl_secprops) != 0)
    {
        /*
        ** unbind ldap handle.
        */
        if (ldapHandle != (LDAP *)NULL)
        {
            LOGINFO("ldap_unbind_s3");
            ldap_unbind_s(ldapHandle);
            ldapHandle = (LDAP *)NULL;
        }
        LOGERROR("Failed to set maxssf to 0");
        return(ABA_LDAP_SET_UNABLE_TO_SET_PREFS);
    }
    /* Nonzero third argument requests an SSL (ldaps) connection. */
    if ((ldapHandle = ldapssl_init(serverHost, serverPort, 1)) == NULL)
    {
        LOGERROR("Failed to do ldapssl_init...");
        return(ABA_LDAP_INIT_CALL_FAILED);
    }
    LOGINFO("LDAP SSL CONNECTION SUCCESSFUL to %s", ldapServerConfigData.hostnames);
}
......
/* GSSAPI bind; sasl_mech, sasl_flags and example_sasl_interact are set up elsewhere. */
ldapStatus = ldap_sasl_interactive_bind_ext_s(ldapHandle, "", sasl_mech,
                                              NULL, NULL, sasl_flags,
                                              example_sasl_interact, NULL,
                                              &responseControls);
==============================================
As you can see, I set the option's value before the handle is created. That is
ridiculous.
It has been corrected as:
==============================================
static char *sasl_secprops = "maxssf=0";
......
if (sslEnabled)
{
    /* Create the SSL (ldaps) handle first; nonzero third argument = SSL. */
    if ((ldapHandle = ldapssl_init(serverHost, serverPort, 1)) == NULL)
    {
        LOGERROR("Failed to do ldapssl_init...");
        return(ABA_LDAP_INIT_CALL_FAILED);
    }
    LOGINFO("LDAP SSL CONNECTION SUCCESSFUL to %s", ldapServerConfigData.hostnames);
    /* Now the handle exists, so the SASL security properties apply to it. */
    if (ldap_set_option(ldapHandle, LDAP_OPT_X_SASL_SECPROPS, (void *)sasl_secprops) != 0)
    {
        /*
        ** unbind ldap handle.
        */
        if (ldapHandle != (LDAP *)NULL)
        {
            LOGINFO("ldap_unbind_s3");
            ldap_unbind_s(ldapHandle);
            ldapHandle = (LDAP *)NULL;
        }
        LOGERROR("Failed to set maxssf to 0");
        return(ABA_LDAP_SET_UNABLE_TO_SET_PREFS);
    }
}
......
/* GSSAPI bind; sasl_mech, sasl_flags and example_sasl_interact are set up elsewhere. */
ldapStatus = ldap_sasl_interactive_bind_ext_s(ldapHandle, "", sasl_mech,
                                              NULL, NULL, sasl_flags,
                                              example_sasl_interact, NULL,
                                              &responseControls);
==============================================
The change is just to swap the locations of ldapssl_init() and
ldap_set_option().
To my dismay, I still get the error "81 Can't contact LDAP server":
==============================================
<apManager> (Tue Apr 14 2009 17:02:08.484)
<p11077,t3079416736,aba_ldap_interface.c,1453>
INFO>> serverHost is [13.198.98.35]
<apManager> (Tue Apr 14 2009 17:02:08.484)
<p11077,t3079416736,aba_ldap_interface.c,1454>
INFO>> serverPort is [636]
......
<apManager> (Tue Apr 14 2009 17:02:08.902)
<p11077,t3079416736,aba_ldap_interface.c,1664>
INFO>> SASL LDAP BIND with GSSAPI: Value of ldapStatus 0
<apManager> (Tue Apr 14 2009 17:02:08.902)
<p11077,t3079416736,aba_ldap_interface.c,1727>
INFO>> ldap_unbind_s6
......
<apManager> (Tue Apr 14 2009 17:02:08.910)
<p11077,t3079416736,aba_ldap_interface.c,1650>
INFO>> SASL Login
<apManager> (Tue Apr 14 2009 17:02:08.916)
<p11077,t3079416736,aba_ldap_interface.c,1664>
INFO>> SASL LDAP BIND with GSSAPI: Value of ldapStatus 81
<apManager> (Tue Apr 14 2009 17:02:08.916)
<p11077,t3079416736,aba_ldap_interface.c,1671>
ERROR>> LDAP BIND: Value of ldap failure status and text 81 Can't contact
LDAP server
==============================================
The same pattern can repeat many times. I am really confused why the first
binding is successful while the second fails, and then the 3rd succeeds while
the 4th fails. Hmmm, I have a feeling that there is nothing wrong in the core part.
Maybe something is not quite right in the caller (in the module "apManager") of
the LDAP interface.
I will look into the code more carefully, and keep you posted.
Thanks,
Xu Qiang
_______________________________________________
dev-tech-ldap mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-ldap
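The thread above turns on the value handed to LDAP_OPT_X_SASL_SECPROPS. As an added example (not code from Xu Qiang's post, nor from the Mozilla or OpenLDAP SDKs), here is a small C parser for that Cyrus SASL security-properties string, following the syntax and defaults documented in OpenLDAP's ldap.conf(5) for SASL_SECPROPS, together with the check a reviewer would want next to "maxssf=0": that value tells SASL to negotiate no integrity or confidentiality layer, so everything after the GSSAPI bind is protected only by the transport, which is fine on ldaps (636) or after STARTTLS and not on a plain port-389 connection. The struct, function names and flag bits are this example's own.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Flag bits for the boolean properties listed in ldap.conf(5) (names ours). */
enum { SP_NOPLAIN = 1, SP_NOACTIVE = 2, SP_NODICT = 4,
       SP_NOANONYMOUS = 8, SP_FORWARDSEC = 16, SP_PASSCRED = 32 };

/* Parsed view of a SASL security-properties string such as "maxssf=0". */
typedef struct {
    unsigned minssf;      /* minimum acceptable security strength factor      */
    unsigned maxssf;      /* maximum acceptable security strength factor      */
    unsigned maxbufsize;  /* security-layer receive buffer; 0 disables layers */
    unsigned flags;       /* SP_* bits                                        */
} sasl_secprops;

static const struct { const char *name; unsigned bit; } flag_names[] = {
    { "noplain", SP_NOPLAIN }, { "noactive", SP_NOACTIVE }, { "nodict", SP_NODICT },
    { "noanonymous", SP_NOANONYMOUS }, { "forwardsec", SP_FORWARDSEC }, { "passcred", SP_PASSCRED },
};

static int tok_is(const char *tok, size_t tlen, const char *name)
{
    return strlen(name) == tlen && memcmp(tok, name, tlen) == 0;
}

/* Decimal unsigned value: no sign, no trailing junk, no overflow. */
static int parse_unsigned(const char *s, size_t len, unsigned *out)
{
    char buf[16], *end;
    unsigned long v;

    if (len == 0 || len >= sizeof buf || s[0] == '-' || s[0] == '+')
        return -1;
    memcpy(buf, s, len);
    buf[len] = '\0';
    v = strtoul(buf, &end, 10);
    if (*end != '\0' || v > UINT_MAX)
        return -1;
    *out = (unsigned)v;
    return 0;
}

/* Parse a comma-separated properties string into *p, starting from the
 * ldap.conf(5) defaults (minssf=0, maxssf=INT_MAX, maxbufsize=65536,
 * noanonymous,noplain). Returns 0 on success, -1 on an unknown token or a
 * malformed value; a caller should then refuse to bind rather than proceed
 * with a half-applied policy. */
int parse_sasl_secprops(const char *props, sasl_secprops *p)
{
    const char *tok = props;

    p->minssf = 0;
    p->maxssf = (unsigned)INT_MAX;
    p->maxbufsize = 65536;
    p->flags = SP_NOPLAIN | SP_NOANONYMOUS;

    while (*tok != '\0') {
        const char *comma = strchr(tok, ',');
        size_t tlen = comma ? (size_t)(comma - tok) : strlen(tok);
        const char *eq = memchr(tok, '=', tlen);

        if (eq != NULL) {                       /* key=value properties */
            size_t klen = (size_t)(eq - tok), vlen = tlen - klen - 1;
            unsigned *field;

            if (tok_is(tok, klen, "minssf"))          field = &p->minssf;
            else if (tok_is(tok, klen, "maxssf"))     field = &p->maxssf;
            else if (tok_is(tok, klen, "maxbufsize")) field = &p->maxbufsize;
            else return -1;
            if (parse_unsigned(eq + 1, vlen, field) != 0)
                return -1;
        } else if (tok_is(tok, tlen, "none")) {
            p->flags = 0;                       /* clears default noanonymous,noplain */
        } else {                                /* bare flags */
            size_t i;
            for (i = 0; i < sizeof flag_names / sizeof flag_names[0]; i++)
                if (tok_is(tok, tlen, flag_names[i].name))
                    break;
            if (i == sizeof flag_names / sizeof flag_names[0])
                return -1;
            p->flags |= flag_names[i].bit;
        }
        if (comma == NULL)
            break;
        tok = comma + 1;
    }
    return p->minssf <= p->maxssf ? 0 : -1;
}

/* maxssf=0 (or maxbufsize=0) means no SASL security layer after the bind,
 * so post-bind traffic is cleartext unless the transport itself is TLS. */
int secprops_leaves_traffic_unprotected(const sasl_secprops *p, int transport_is_tls)
{
    return (p->maxssf == 0 || p->maxbufsize == 0) && !transport_is_tls;
}

/* Convenience: -1 = reject the string, 1 = would leave traffic unprotected, 0 = ok. */
int secprops_check(const char *props, int transport_is_tls)
{
    sasl_secprops p;
    if (parse_sasl_secprops(props, &p) != 0)
        return -1;
    return secprops_leaves_traffic_unprotected(&p, transport_is_tls);
}
```

In the post's setting, secprops_check("maxssf=0", 1) returns 0 because the handle comes from ldapssl_init() on port 636; the same string on a plain port-389 connection returns 1, which is the configuration a code review should flag.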