> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Kashif Ali Siddiqui
> Sent: Wednesday, November 05, 2008 11:34 PM
> To: Rich Megginson
> Cc: [email protected]
> Subject: Re: SASL authentication
>
> With GSSAPI, after a successful kinit execution, the
> ldap_sasl_interactive_bind_ext_s() will only ask for the
> authname, whereas the user name is taken from the kerberos
> credential cache. The authorization name is required to tell
> the SASL layer which user's authorization you require
> for this LDAP session. It can be the same as the kerberos
> user in the credential cache. If you supply "" (NULL) as the
> authname, then this means that you are asking for authorization as an
> anonymous user (which can be none in most cases). Thus,
> in order to have a definite authorization, you need to
> supply the correct distinguished name of the user in ADS. The
> format for the authname value is
>
> dn:<distinguishedName of the user in ADS>
Kashif and all:

Using kinit, I have done the authentication against the Kerberos server successfully, and have a ticket or "service principal":

=========================================
MBC113:/ <515> /tmp/dlms/kerberos/apps/klist -k
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting     Expires            Service principal
03/17/09 17:36:50  03/18/09 03:37:35  krbtgt/[email protected]
        renew until 03/18/09 17:36:50
=========================================

Up to now, it seems all is OK. But ldap_sasl_interactive_bind_ext_s() gives me a "82 Local error":

=========================================
<apManager> (Tue Mar 17 2009 17:37:15.641) <p387,t3078495136,aba_ldap_interface.c,2373> INFO>> SASL Login
<apManager> (Tue Mar 17 2009 17:38:02.375) <p387,t3078495136,aba_ldap_interface.c,2388> INFO>> SASL LDAP BIND with GSSAPI: Value of ldapStatus 82
<apManager> (Tue Mar 17 2009 17:38:02.375) <p387,t3078495136,aba_ldap_interface.c,2459> ERROR>> LDAP BIND: Value of ldap failure status and text 82 Local error
=========================================

As long as I have a ticket, and the ticket hasn't expired (shown by the output of the klist command), what else can cause this problem?

The core part of the code is as follows:

=========================================
static int sasl_flags = LDAP_SASL_QUIET;
static char *sasl_mech = "GSSAPI";

/* warning! - the following requires intimate knowledge of sasl.h */
static char *default_values[] = {
    "",                                          /* SASL_CB_USER 0x4001 */
    "dn:CN=qxu,CN=Users,DC=sesswin2003,DC=com", /* SASL_CB_AUTHNAME 0x4002 */
    "",                                          /* SASL_CB_LANGUAGE 0x4003 */ /* not used */
    "",                                          /* SASL_CB_PASS 0x4004 */
    "",                                          /* SASL_CB_ECHOPROMPT 0x4005 */
    "",                                          /* SASL_CB_NOECHOPROMPT 0x4006 */
    "",                                          /* SASL_CB_CNONCE 0x4007 */
    ""                                           /* SASL_CB_GETREALM 0x4008 */
};

/* this is so we can use SASL_CB_USER etc. to index into default_values */
#define VALIDVAL(n) (((n) >= SASL_CB_USER) && ((n) <= SASL_CB_GETREALM))
#define VAL(n) default_values[(n) - 0x4001]

...

static int
example_sasl_interact(LDAP *ld, unsigned flags, void *defaults, void *prompts)
{
    sasl_interact_t *interact = NULL;

    if (prompts == NULL) {
        return (LDAP_PARAM_ERROR);
    }
    /* answer every prompt in the list from the static table above;
     * prompts outside SASL_CB_USER..SASL_CB_GETREALM are left untouched */
    for (interact = prompts; interact->id != SASL_CB_LIST_END; interact++) {
        if (VALIDVAL(interact->id)) {
            interact->result = VAL(interact->id);
            interact->len = strlen((char *)interact->result);
        }
    }
    return (LDAP_SUCCESS);
}

...

ldapStatus = ldap_sasl_interactive_bind_ext_s(ldapHandle, "", sasl_mech,
                                              NULL, NULL, sasl_flags,
                                              example_sasl_interact, NULL,
                                              &responseControls);
if (responseControls != NULL) {
    LOGINFO("SASL binding finished, will destroy responseControls");
    ldap_controls_free(responseControls);
    responseControls = NULL;
}
LOGINFO("SASL LDAP BIND with GSSAPI: Value of ldapStatus %d", ldapStatus);
=========================================

Please note that I have changed the authname as you suggested. Would you go over the code and point out what I have missed?

Thanks,
Xu Qiang

_______________________________________________
dev-tech-ldap mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-ldap
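An added example (not code from the thread or from the LDAP C SDK) of the same SASL interaction callback written so that it is driven by the `defaults` pointer passed to ldap_sasl_interactive_bind_ext_s() rather than a global table, keeps the authorization identity (SASL_CB_USER, the "dn:<DN>" value) separate from the authentication identity (SASL_CB_AUTHNAME, which GSSAPI takes from the Kerberos ticket), and answers prompts the table above would leave unset. The SASL_CB_* / LDAP_* constants and the sasl_interact_t layout are re-declared locally so it compiles without the SDK headers; their values are assumed to match Cyrus SASL's sasl.h and the SDK's ldap.h, and sasl_defaults_t / my_sasl_interact are hypothetical names.

```c
#include <string.h>
/* Stand-ins for the sasl.h / ldap.h definitions used below, so the example
 * compiles without the SDK headers. Constant values and the struct layout
 * follow Cyrus SASL and the LDAP C SDK (assumption). */
#define SASL_CB_LIST_END 0
#define SASL_CB_USER     0x4001  /* authorization identity (authzid) */
#define SASL_CB_AUTHNAME 0x4002  /* authentication identity (authcid) */
#define SASL_CB_PASS     0x4004
#define SASL_CB_GETREALM 0x4008
#define LDAP_SUCCESS     0x00
#define LDAP_PARAM_ERROR 0x59
typedef struct sasl_interact {
    unsigned long id; const char *challenge; const char *prompt;
    const char *defresult; const void *result; unsigned len;
} sasl_interact_t;
typedef struct LDAP LDAP;

/* Hypothetical per-bind settings, handed over as the `defaults` argument of
 * ldap_sasl_interactive_bind_ext_s() instead of a process-wide table. */
typedef struct {
    const char *authzid;  /* "dn:<DN>" or "u:<name>"; NULL = no authzid */
    const char *authcid;  /* NULL for GSSAPI: comes from the ticket cache */
    const char *password; /* NULL for GSSAPI */
    const char *realm;
} sasl_defaults_t;

static int my_sasl_interact(LDAP *ld, unsigned flags, void *defaults, void *in)
{
    sasl_defaults_t *d = defaults;
    sasl_interact_t *p;
    (void)ld; (void)flags;
    if (d == NULL || in == NULL)
        return LDAP_PARAM_ERROR;
    for (p = in; p->id != SASL_CB_LIST_END; p++) {
        const char *v = NULL;
        switch (p->id) {
        case SASL_CB_USER:     v = d->authzid;  break;
        case SASL_CB_AUTHNAME: v = d->authcid;  break;
        case SASL_CB_PASS:     v = d->password; break;
        case SASL_CB_GETREALM: v = d->realm;    break;
        default: break; /* prompt we do not know: handled by fallback below */
        }
        /* No value: use the mechanism's own default, then "", so the plugin
         * never sees an unset result pointer or a stale length. */
        if (v == NULL) v = p->defresult ? p->defresult : "";
        p->result = v;
        p->len = (unsigned)strlen(v);
    }
    return LDAP_SUCCESS;
}
```

To use it, pass the address of a filled-in sasl_defaults_t as the `defaults` argument (the one given as NULL in the call above) together with my_sasl_interact as the callback.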
