I've been looking into this for a few days now, and I have a few
questions about the code that aren't directly SASL related, but do
affect it:

Within the startSASL function in ds_ldap.php, I have modified the code
to check the SASL mechanism, and call ldap_start_sasl in a different
way if the mechanism is GSSAPI. With my LDAP server, the
translation of a Kerberos principal to a bind DN is done server-side,
meaning that the ldap_sasl_bind call is done without a bind DN or
password. All I pass in is the authc_id out of the cache, and
ldap_sasl_bind grabs the Kerberos principal that I get via Apache auth,
passes that to the LDAP server, and the LDAP server does the rest.

This works for me. Debug output shows a successful bind, and a query
for the tree structure for the LDAP server, and all looks well on the
interface.

But, any subsequent action that requires another LDAP query causes an
infinite redirect, and the debug output indicates that the
successfully bound connection is not located in the cache, and it
tries to build a new connection with an invalid DN of 'user'.

It seems like the application has a dependence on a bind_dn existing,
and if it doesn't then it starts to behave erratically. I've dug
through the code trying to find and correct any areas where a bind_dn
being null leads to undesired behaviour, and have found a few cases in
the connect function in ds_ldap.php, but the problem still persists.

My question is: Am I correct in my suggestion that not having a
bind_dn causes bad behavior...and if so, where are these checks
implemented, or where are there assumptions that a bind_dn exists? Is
the bind_dn used as a key for pulling a bound LDAP resource out of the
cache (and where in the code is that, because I cannot locate it)?


Adam
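The situation described above (a GSSAPI bind that carries no bind DN, and a connection cache that expects one) can be illustrated with a small added example. This is not phpLDAPadmin's code and not Adam's patch: the class, the helper function, the cache layout and the host name are assumptions made for illustration. The point it shows is that a cache keyed only on the bind DN produces an empty key for a DN-less SASL bind, so a later lookup misses and a fresh, wrongly configured connection gets built; keying on mechanism plus authentication identity avoids that.

```php
<?php
// Added illustration, not phpLDAPadmin code. Keeps bound LDAP connections
// in an in-process map keyed on an identity that exists for every bind
// type, so a SASL/GSSAPI bind without a bind DN can be found again.

final class LdapConnectionCache
{
    /** @var array<string, mixed> bound connections by identity key */
    private array $bound = [];

    // Cache key: the bind DN for simple binds, otherwise the SASL mechanism
    // plus the authentication identity. A null or empty DN must never
    // collapse to '' (that is the failure mode the thread describes).
    public static function key(?string $bindDn, ?string $mech, ?string $authcId): string
    {
        if ($bindDn !== null && $bindDn !== '') {
            return 'simple:' . strtolower($bindDn);
        }
        if ($mech !== null && $mech !== '' && $authcId !== null && $authcId !== '') {
            return 'sasl:' . strtoupper($mech) . ':' . $authcId;
        }
        throw new InvalidArgumentException('no usable identity to build a cache key');
    }

    public function get(string $key)
    {
        return $this->bound[$key] ?? null;
    }

    public function put(string $key, $conn): void
    {
        $this->bound[$key] = $conn;
    }
}

// Hypothetical startSASL-style helper (assumed name). For GSSAPI the DN and
// password are omitted and only the authentication identity is passed; the
// server maps the Kerberos principal to a DN. Requires PHP's ldap extension
// built with SASL support and a Kerberos credential cache visible to the web
// server process (assumption: exported as KRB5CCNAME by the Apache auth module).
function bindSasl($ldap, string $mech, string $authcId,
                  ?string $bindDn = null, ?string $password = null): bool
{
    if (strtoupper($mech) === 'GSSAPI') {
        return ldap_sasl_bind($ldap, null, null, 'GSSAPI', null, $authcId);
    }
    // Other mechanisms keep whatever DN/password the caller supplied.
    return ldap_sasl_bind($ldap, $bindDn, $password, $mech, null, $authcId);
}

// Usage sketch with constructed values; "ldap.example.org" is a placeholder
// and REMOTE_USER is assumed to hold the Apache-authenticated principal.
$cache   = new LdapConnectionCache();
$authcId = $_SERVER['REMOTE_USER'] ?? '';
$key     = LdapConnectionCache::key(null, 'GSSAPI', $authcId);

$ldap = $cache->get($key);
if ($ldap === null) {
    $ldap = ldap_connect('ldap://ldap.example.org');
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    if (!bindSasl($ldap, 'GSSAPI', $authcId)) {
        throw new RuntimeException('SASL bind failed: ' . ldap_error($ldap));
    }
    // Any later query in this run looks the connection up under the same key.
    $cache->put($key, $ldap);
}
```

The cache here is an in-memory map for clarity; an application that re-binds on each HTTP request would instead persist the key inputs (mechanism and authc_id) in the session and derive the same key again, but the rule is the same: never let the absence of a bind DN turn into an empty or default key.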


On Tue, Jun 14, 2011 at 12:02 AM, Deon George
<wur...@users.sourceforge.net> wrote:
> In PLA 1.2.x, there is code for SASL connections, however the code wasn't
> written by me.
>
> As I don't have a SASL environment, it hasn't been tested or bug fixed
> (if it doesn't work).
>
> I'll gladly accept patches to fix it up if it's not working.
>
> ...deon
>
>
> ------------------------------------------------------------------------------
> EditLive Enterprise is the world's most technically advanced content
> authoring tool. Experience the power of Track Changes, Inline Image
> Editing and ensure content is compliant with Accessibility Checking.
> http://p.sf.net/sfu/ephox-dev2dev
> _______________________________________________
> phpldapadmin-users mailing list
> phpldapadmin-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/phpldapadmin-users
>
