> -----Original Message-----
> From:
> [email protected]
>
> [mailto:[email protected]
> illa.org] On Behalf Of Kashif Ali Siddiqui
> Sent: Wednesday, November 05, 2008 11:34 PM
> To: Rich Megginson
> Cc: [email protected]
> Subject: Re: SASL authentication
>
> With GSSAPI, after a successful kinit execution, the
> ldap_sasl_interactive_bind_ext_s() will only ask for the
> authname, whereas the user name is taken from the kerberos
> credential cache. The authorization name is required to tell
> the SASL layer which user's authorization you require
> for this LDAP session. It can be the same as the kerberos
> user in the credential cache. If you supply "" (NULL) to the
> authname, then this means that you are asking for authorization as an
> anonymous user (which can be none in most of the cases). Thus
> in order to have a definite authorization, you do need to
> supply the correct distinguished name of the user in ADS. The
> format for the authname value is
>
> dn:<distinguishedName of the user in ADS>
>
> Kindly confirm whether we can use UPN in place of the DN
> in the authname value.
From my experience, Rich is right that we should leave the
authorization name blank.
=============================================
static int sasl_flags = LDAP_SASL_QUIET;
static char *sasl_mech = "GSSAPI";
......
static char *default_values[] = {
"", /* SASL_CB_USER 0x4001 */
"", /* SASL_CB_AUTHNAME 0x4002 */
"", /* SASL_CB_LANGUAGE 0x4003 */ /* not used */
"", /* SASL_CB_PASS 0x4004 */
"", /* SASL_CB_ECHOPROMPT 0x4005 */
"", /* SASL_CB_NOECHOPROMPT 0x4006 */
"", /* SASL_CB_CNONCE 0x4007 */
"" /* SASL_CB_GETREALM 0x4008 */
};
=============================================
This is the correct set, and the LDAP SASL bind succeeds.
If we supply a value to the authname parameter, that will not do any good:
=============================================
static int sasl_flags = LDAP_SASL_QUIET;
static char *sasl_mech = "GSSAPI";
......
static char *default_values[] = {
"", /* SASL_CB_USER 0x4001 */
"dn:CN=xuan,CN=Users,DC=sesswin2003,DC=com", /* SASL_CB_AUTHNAME 0x4002 */
"", /* SASL_CB_LANGUAGE 0x4003 */ /* not used */
"", /* SASL_CB_PASS 0x4004 */
"", /* SASL_CB_ECHOPROMPT 0x4005 */
"", /* SASL_CB_NOECHOPROMPT 0x4006 */
"", /* SASL_CB_CNONCE 0x4007 */
"" /* SASL_CB_GETREALM 0x4008 */
};
=============================================
It will fail.
Regards,
Xu Qiang
_______________________________________________
dev-tech-ldap mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-ldap