On Fri, Jul 23, 2010 at 9:43 AM, Shankar Anand R wrote:
>
> On Fri, Jul 23, 2010 at 12:10 AM, Dan White wrote:
>>
>> On 22/07/10 18:10 +0530, Shankar Anand R wrote:
>>>
>>> Hi,
>>>
>>> The problem explained below must be fairly straightforward or even look
>>> silly for folks on this mailing list. Sorry for the trouble but I hope one
>>> of you might be willing to help a newbie.
>>>
>>> I am implementing a simple application that finds out a user's attributes
>>> using OpenLDAP.
>>>
>>> This is a snippet of my code.
>>> ...
>>> BerValue cred;
>>> cred.bv_len = 10;
>>> cred.bv_val = strdup("mypassword");
>>> ldap_sasl_bind_s(ld, "myuser", LDAP_SASL_SIMPLE /*NULL*/, &cred, NULL, NULL, NULL);
>>>
>>> This succeeds and I am able to proceed with my ldap_search_st() call.
>>>
>>> But since I don't want to send "mypassword" as plain text over the wire I
>>> opted for "DIGEST-MD5"
>>>
>>> ...
>>> BerValue cred;
>>> cred.bv_len = 10;
>>> cred.bv_val = strdup("mypassword");
>>> ldap_sasl_bind_s(ld, "myuser", "DIGEST-MD5", &cred, NULL, NULL, NULL);
>>>
>>> This fails with the error 49
>>> ldap_sasl_bind_s: Invalid credentials (49)
>>> additional info: 80090326: LdapErr: DSID-0C0904D1, comment: AcceptSecurityContext error, data 57, v1772
>>>
>>> Note: I am using Active Directory. And I believe that my cyrus-sasl
>>> installation is good.
>>>
>>> I searched a lot but couldn't find the proper documentation for this. Do I
>>> have to fill up cred.bv_val differently while using DIGEST-MD5? Is there an
>>> OpenLDAP API to do that?
>>> Can someone explain or point me to the right documentation?
>>
>> See the man page for ldap_sasl_interactive_bind_s(), in which you provide a
>> callback function for providing the sasl realm, authc identity, password,
>> and authz identity.
>>
>> Also see doc/programming.html in the cyrus sasl source for discussion of
>> interactions, and plugins/ldapdb.c for a working example.
>
> Thanks for your help. I will read the doc and the example.
>
> Meanwhile I want to check if I can avoid ldap_sasl_interactive_bind_s().
> Wouldn't ldap_sasl_bind_s() work for "DIGEST-MD5"? If it works, I would like
> to go with it. Can you point out a way to do that?

Can someone point me to a sample program which uses ldap_sasl_bind_s() with
"DIGEST-MD5"?

Thanks,
Shankar
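
Added example (not part of the thread, and not OpenLDAP or Cyrus SASL code): in DIGEST-MD5 the credential sent to the server is a response computed from the server's nonce, not the password itself; with ldap_sasl_interactive_bind_s() the SASL library computes it from what the callback supplies. The sketch follows RFC 2831 for qop=auth and uses that RFC's section 4 sample values; the function names and the second nonce are assumptions made for illustration.

```python
import hashlib


def digest_md5_response(username, realm, password, nonce, cnonce,
                        digest_uri, nc="00000001", qop="auth", authzid=None):
    """Client response per RFC 2831 section 2.1.2.1 (qop=auth, ASCII inputs only)."""
    # A1 begins with the raw 16-byte MD5 of user:realm:password, not its hex form.
    secret = hashlib.md5(f"{username}:{realm}:{password}".encode("ascii")).digest()
    a1 = secret + f":{nonce}:{cnonce}".encode("ascii")
    if authzid is not None:
        a1 += b":" + authzid.encode("ascii")
    # A2 binds the response to the service being authenticated to.
    a2 = f"AUTHENTICATE:{digest_uri}".encode("ascii")
    ha1 = hashlib.md5(a1).hexdigest()
    ha2 = hashlib.md5(a2).hexdigest()
    # The server nonce, nonce count and client nonce are mixed in again here,
    # so the value on the wire changes with every challenge.
    kd = f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode("ascii")
    return hashlib.md5(kd).hexdigest()


# Sample exchange values from RFC 2831 section 4 (password "secret").
RFC2831_SAMPLE = dict(
    username="chris",
    realm="elwood.innosoft.com",
    password="secret",
    nonce="OA6MG9tEQGm2hh",
    cnonce="OA6MHXh6VqTrRk",
    digest_uri="imap/elwood.innosoft.com",
)


def demo():
    """Return the responses for the RFC challenge and for a second challenge."""
    first = digest_md5_response(**RFC2831_SAMPLE)
    # Constructed value: same user and password, different server nonce.
    second = digest_md5_response(**{**RFC2831_SAMPLE, "nonce": "constructed-nonce-2"})
    return first, second


if __name__ == "__main__":
    rfc_response, other_response = demo()
    print("response to RFC 2831 challenge:", rfc_response)
    print("response to second challenge:  ", other_response)
```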
