Hi guys,

        Thanks for all the input I've got so far. I've 
figured out the reason behind it. The reason is that
in the last ldap_sasl_bind_s() step, AD 2000 accepts a 
DN format like "[EMAIL PROTECTED]", however AD 2003 only 
accepts a format like "cn=Kent Wu,cn=Users,dc=blabla,dc=com".
Not sure why AD 2003 wants to change this criterion, however 
after I used the latter format it was working fine. 

        The error message "Invalid credentials" was 
referring to the wrong DN instead of a bad password/key. 
I was thinking in the total opposite direction before and 
all of a sudden I came across this "wrong DN" idea!

Cheers.

-Kent

On Mon, 2005-08-29 at 19:13 -0700, Kent Wu wrote:
> Hi guys,
> 
> I used to write a program to authenticate 
> users against windows 2000 AD by using MIT 
> Kerberos/GSSAPI SDK as well as SUN LDAP SDK. Basically 
> what I did is to authenticate users against AD by 
> using kerberos before doing LDAP search operations. 
> It was working perfectly until I wanted to migrate the 
> 2000 AD to 2003 a wk ago. 
> 
> While doing kerberos authentication against 
> AD 2003, the last step of ldap_sasl_bind_s() always 
> returns "invalid credentials" even though I've successfully 
> got the TGT as well as the service ticket for LDAP (AD 2003). If
> I type "klist" right before the last ldap_sasl_bind_s() step, 
> I can see the following and it's looking good.
> 
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> 
> Default principal: [EMAIL PROTECTED]
> 
> Valid starting     Expires            Service principal
> 08/29/05 18:09:59  08/30/05 04:09:59  krbtgt/[EMAIL PROTECTED]
>         renew until 08/30/05 18:09:59
> 08/29/05 18:10:01  08/30/05 04:09:59  ldap/[EMAIL PROTECTED]
>         renew until 08/30/05 18:09:59
> 
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 
> 
> However it still fails in the last ldap_sasl_bind_s() call.
> 
> My calling sequence is like this: 
> 
> 1. use Kerberos APIs to get/store TGT.
> 2. use GSS-API (gss_init_sec_context()) and LDAP SDK SASL
> (ldap_sasl_bind_s()) to engage kerberos authentication. 
> Basically I pass "GSSAPI" to ldap_sasl_bind_s() call and it 
> requires a loop (a couple of handshaking steps) to complete
> the whole authentication process. It was working all good until
> the last ldap_sasl_bind_s() call....
> 
> I've looked high and low on the internet and tried a variety of 
> configurations on both the client and server side, however ended up
> with nothing. It's so weird that it works fine with AD 2000 but not 
> 2003....
> 
> Can anyone help me out by sharing his/her own experience or 
> pointing me in the right direction?
> 
> Thanks a lot in advance !
> 
> -Kent
> 
-- 
Kent Wu <[EMAIL PROTECTED]>
XSIGO INC.
________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
