> -----Original Message-----
> From: [email protected] [mailto:[email protected] illa.org] On Behalf Of Xu, Qiang (FXSGSC)
> Sent: Wednesday, April 15, 2009 12:19 PM
> To: Markus Moeller; [email protected]
> Subject: RE: SASL authentication
>
> Since SASL binding over SSL encryption shows a pingpong
> style, the strategy here is to make another binding try if it
> has failed once. The log shows it works. But the application crashes.
It was found that the crash is due to the immediate re-binding after the first
failure.
Originally, my workaround was:
===============================================
/* SASL security properties: maxssf=0 disables the SASL security layer,
 * since the connection is already protected by SSL. */
static char *sasl_secprops = "maxssf=0";
......
if (sslEnabled)
{
    ......
    /* Open an SSL-protected LDAP connection (third argument 1 = secure). */
    ldapHandle = ldapssl_init(serverHost, serverPort, 1);
    ldap_set_option(ldapHandle, LDAP_OPT_X_SASL_SECPROPS, (void *)sasl_secprops);
}
......
ldapStatus = ldap_sasl_interactive_bind_ext_s(ldapHandle, "", sasl_mech,
                                              NULL, NULL, sasl_flags,
                                              example_sasl_interact, NULL,
                                              &responseControls);
if (TRUE == sslEnabled && LDAP_SUCCESS != ldapStatus)
{
    LOGINFO("SASL binding over SSL failed, try again");
    /* First workaround: retry the bind on the SAME handle.
     * This is the variant that crashed. */
    ldapStatus = ldap_sasl_interactive_bind_ext_s(ldapHandle, "", sasl_mech,
                                                  NULL, NULL, sasl_flags,
                                                  example_sasl_interact, NULL,
                                                  &responseControls);
}
===============================================
Compared with the behavior and log before this workaround was added (i.e.
there was no crash when there was no such immediate re-binding after the
failure), it seems that after the binding failure, the init operation
ldapssl_init() should be called again before the next binding.
This is the revised version:
===============================================
/* SASL security properties: maxssf=0 disables the SASL security layer,
 * since the connection is already protected by SSL. */
static char *sasl_secprops = "maxssf=0";
......
if (sslEnabled)
{
    ......
    /* Open an SSL-protected LDAP connection (third argument 1 = secure). */
    ldapHandle = ldapssl_init(serverHost, serverPort, 1);
    ldap_set_option(ldapHandle, LDAP_OPT_X_SASL_SECPROPS, (void *)sasl_secprops);
}
......
ldapStatus = ldap_sasl_interactive_bind_ext_s(ldapHandle, "", sasl_mech,
                                              NULL, NULL, sasl_flags,
                                              example_sasl_interact, NULL,
                                              &responseControls);
if (TRUE == sslEnabled && LDAP_SUCCESS != ldapStatus)
{
    LOGINFO("SASL binding over SSL failed, try again");
    /* Revised workaround: do not reuse the handle whose bind failed.
     * Release it (otherwise the first handle leaks; this unbind is added
     * here, not in the original post), then create a fresh one and
     * re-apply the SASL security properties before the second bind. */
    ldap_unbind(ldapHandle);
    ldapHandle = ldapssl_init(serverHost, serverPort, 1);
    if (NULL == ldapHandle)
    {
        /* Connection setup itself failed; do not bind on a NULL handle. */
        ldapStatus = LDAP_CONNECT_ERROR;
    }
    else
    {
        ldap_set_option(ldapHandle, LDAP_OPT_X_SASL_SECPROPS, (void *)sasl_secprops);
        ......
        ldapStatus = ldap_sasl_interactive_bind_ext_s(ldapHandle, "", sasl_mech,
                                                      NULL, NULL, sasl_flags,
                                                      example_sasl_interact, NULL,
                                                      &responseControls);
    }
}
===============================================
Now it works. There is no crash anymore.
Based on these findings, I am almost sure the pingpong style of SASL binding
over SSL encryption is a bug in the MozLDAP library. Does any developer want to
have a look into this problem?
Thanks,
Xu Qiang
_______________________________________________
dev-tech-ldap mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-ldap