I've been looking into this for a few days now, and I have a few questions about the code that aren't directly SASL related, but do affect it:
Within the startSASL function in ds_ldap.php, I have modified the code to check the SASL mechanism, and call ldap_start_sasl in a different way if the mechanism is GSSAPI. With my LDAP server, the translation of a Kerberos principal to a bind DN is done server-side, meaning that the ldap_sasl_bind call is done without a bind DN or password. All I pass in is the authc_id out of the cache, and ldap_sasl_bind grabs the Kerberos principal that I get via Apache auth, passes that to the LDAP server, and the LDAP server does the rest.

This works for me. Debug output shows a successful bind, and a query for the tree structure for the LDAP server, and all looks well on the interface. But any subsequent action that requires another LDAP query causes an infinite redirect, and the debug output indicates that the successfully bound connection is not located in the cache, and it tries to build a new connection with an invalid DN of 'user'.

It seems like the application has a dependence on a bind_dn existing, and if it doesn't then it starts to behave erratically. I've dug through the code trying to find and correct any areas where a bind_dn being null leads to undesired behaviour, and have found a few cases in the connect function in ds_ldap.php, but the problem still persists.

My question is: Am I correct in my suggestion that not having a bind_dn causes bad behaviour... and if so, where are these checks implemented, or where are there assumptions that a bind_dn exists? Is the bind_dn used as a key for pulling a bound LDAP resource out of the cache (and where in the code is that, because I cannot locate it)?

Adam

On Tue, Jun 14, 2011 at 12:02 AM, Deon George <wur...@users.sourceforge.net> wrote:
> In PLA 1.2.x, there is code for SASL connections, however the code wasn't
> written by me.
>
> As I don't have an SASL environment, it hasn't been tested or bug fixed
> (if it doesn't work).
>
> I'll gladly accept patches to fix it up if it's not working.
>
> ...deon
>
> _______________________________________________
> phpldapadmin-users mailing list
> phpldapadmin-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/phpldapadmin-users
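As an added illustration (not phpLDAPadmin's own code), here is a minimal connection cache keyed on the authenticated identity rather than the bind DN, so that a DN-less GSSAPI bind can be found again on later requests instead of falling back to a bogus DN. It assumes Apache has already authenticated the user and left the Kerberos principal in REMOTE_USER, that PHP can read the Kerberos credential cache, and the server URI and function names are placeholders.

```php
<?php
// Added example, not PLA code: a connection cache whose key never collapses
// to an empty string when the bind DN is null (as it is for a server-side
// principal-to-DN mapping with GSSAPI).

function connection_cache_key(string $mech, ?string $bind_dn, ?string $authc_id): string
{
    // A null DN must not produce an empty key: every GSSAPI user would then
    // share (or miss) the same slot. The authenticated identity for GSSAPI
    // is the principal, so key on that when no DN exists.
    if ($bind_dn !== null && $bind_dn !== '') {
        return $mech . '|dn:' . $bind_dn;
    }
    if ($authc_id !== null && $authc_id !== '') {
        return $mech . '|principal:' . $authc_id;
    }
    throw new RuntimeException('no identity available for connection cache key');
}

function sasl_connect(string $uri, string $mech, ?string $bind_dn, ?string $password, ?string $authc_id)
{
    // Per-request cache for illustration; a session-backed cache would use the same key.
    static $cache = [];
    $key = connection_cache_key($mech, $bind_dn, $authc_id);
    if (isset($cache[$key])) {
        return $cache[$key]; // reuse the already-bound connection
    }

    $ds = ldap_connect($uri);
    if ($ds === false) {
        throw new RuntimeException("cannot connect to $uri");
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);

    if ($mech === 'GSSAPI') {
        // The server maps the Kerberos principal to a DN; no DN or password is sent.
        $ok = ldap_sasl_bind($ds, null, null, 'GSSAPI', null, $authc_id);
    } else {
        $ok = ldap_sasl_bind($ds, $bind_dn, $password, $mech);
    }
    if (!$ok) {
        throw new RuntimeException('SASL bind failed: ' . ldap_error($ds));
    }
    $cache[$key] = $ds;
    return $ds;
}

// Usage: principal from Apache's Kerberos auth (assumption), no bind DN at all.
$authc_id = isset($_SERVER['REMOTE_USER']) ? $_SERVER['REMOTE_USER'] : null;
$ds = sasl_connect('ldap://ldap.example.com', 'GSSAPI', null, null, $authc_id);
```

A second call to sasl_connect with the same principal returns the cached, already-bound handle rather than rebinding, which is the behaviour the redirect loop described above is missing.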