> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Xu, Qiang (FXSGSC)
> Sent: Wednesday, April 15, 2009 10:32 AM
> To: Markus Moeller; [email protected]
> Subject: RE: SASL authentication
> 
> Hi, all: 
> 
> Just wondering if this is a bug in the MozLDAP library. Is there any 
> developer of this library on this mailing list? 
> 
> The problem here is that, when using 
> ldap_sasl_interactive_bind_ext_s() to do SASL binding over an SSL 
> connection with maxssf=0 set using ldap_set_option(), the 
> binding result is not stable. The result alternates between good 
> and bad: the odd-numbered tries are successful, while 
> the even-numbered ones all fail.
> 
> Can any developer look into this problem?

I can't solve the problem. Now, I am trying to find a workaround: 
===============================================
static char *sasl_secprops = "maxssf=0"; 
...
  if(sslEnabled)
  {
    if (ldap_set_option(ldapHandle, LDAP_OPT_X_SASL_SECPROPS,
                        (void *)sasl_secprops) != 0)
    {
      /*
      ** unbind ldap handle.
      */
      if (ldapHandle != (LDAP *)NULL)
      {
        LOGINFO("ldap_unbind_s3");
        ldap_unbind_s(ldapHandle);
        ldapHandle = (LDAP *)NULL;
      }

      LOGERROR("Failed to set maxssf to 0");
      return(ABA_LDAP_SET_UNABLE_TO_SET_PREFS);
    }

    if ( (ldapHandle = ldapssl_init(serverHost,
                                    serverPort, 1 )) == NULL)
    {
      LOGERROR("Failed to do ldapssl_init...");
      return(ABA_LDAP_INIT_CALL_FAILED);
    }

    LOGINFO("LDAP SSL CONNECTION SUCCESSFUL to %s",
               ldapServerConfigData.hostnames);
  }
......
  ldapStatus = ldap_sasl_interactive_bind_ext_s(ldapHandle, "", sasl_mech,
                                                NULL, NULL, sasl_flags,
                                                example_sasl_interact, NULL,
                                                &responseControls);

  if (TRUE == sslEnabled && LDAP_SUCCESS != ldapStatus)
  {
    LOGINFO("SASL binding over SSL failed, try again");
    ldapStatus = ldap_sasl_interactive_bind_ext_s(ldapHandle, "", sasl_mech,
                                                  NULL, NULL, sasl_flags,
                                                  example_sasl_interact, NULL,
                                                  &responseControls);
  }

  if (responseControls != NULL)
  {
        LOGINFO("SASL binding finished, will destroy responseControls");
        ldap_controls_free(responseControls);
        responseControls = NULL;
  }

  LOGINFO("SASL LDAP BIND with GSSAPI: Value of ldapStatus %d", ldapStatus);
===============================================
Since SASL binding over SSL encryption shows a ping-pong pattern, the strategy 
here is to make another binding attempt if it has failed once. The log shows it 
works. But the application crashes. 

The core file shows it occurred in the unbind operation: 
===============================================
MBC107:/var/log/nc/archive/save_20090415_115450 <90> gdb /usr/mart/bin/apManager apManager-17120-1239767584.core
...
Core was generated by `apManager'.
Program terminated with signal 11, Segmentation fault.
#0  0x080bc530 in ?? ()
(gdb) bt
#0  0x080bc530 in ?? ()
#1  0xb7db196a in ldapssl_close (s=1, socketarg=0x80bc448) at ldapsinit.c:235
#2  0xb7dd32d4 in nsldapi_close_connection (ld=0x1, sb=0x80ab130)
    at os-ip.c:770
#3  0xb7dd79fa in nsldapi_free_connection (ld=0x80a34a8, lc=0x80ab7d8, 
    serverctrls=0x1, clientctrls=0x1, force=1, unbind=1) at request.c:808
#4  0xb7de7f99 in ldap_ld_free (ld=0x80a34a8, serverctrls=0x0, 
    clientctrls=0x0, close=1) at unbind.c:109
#5  0xb7de8290 in ldap_unbind_s (ld=0x1) at unbind.c:68
#6  0xb7f2a916 in aba_ldap_init_sasl_p (ldapSearchHandle=0x1, testFlag=1, 
    username=0x0, password=0x0, sessionInformation=0x0)
    at aba_ldap_interface.c:1738
#7  0xb7f2a9ab in aba_ldap_init (ldapSearchHandle=0x80ab130, testFlag=1)
    at aba_ldap_interface.c:1777
#8  0xb7f23233 in ABA_Initialization (type=ABA_LDAP_SEARCH) at aba.c:144
#9  0x0804a8ef in doPersonalization (return_struct=0x80595c0, 
    username=0x80591d0 "qxu") at apManagerRequestThread.c:832
#10 0x08049e46 in readQueue () at apManagerRequestThread.c:414
#11 0x080499e6 in _internal_thread_start (arg=0x0)
    at apManagerRequestThread.c:183
#12 0xb7cbd439 in start_thread (arg=0xb78a9ba0) at pthread_create.c:274
#13 0x42d5307e in clone () from /lib/libc.so.6
===============================================
Besides this, the log also shows the crash occurs after ldap_unbind_s(). I 
don't know what the question marks stand for. Is it because my MozLDAP library 
is not compiled with debug support? 

Is there any way to avoid the crash?

Thanks,
Xu Qiang
_______________________________________________
dev-tech-ldap mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-ldap
