Igor Brezac wrote:
You could use ldap_whoami() instead of the first query.
Where does that come from?
No, ldap.c doesn't work for me at all. If there are no memberOf attributes, it dies and user authentication fails (!). I guess I could set up a test user and step through it, but I did see what was happening at least in my adaptation of ldap.c. Canonicalization (of a group) was returning null because of the colon. So what use is it? There are enough unknowns that I would like to get cleared up if at all possible. I was hoping someone from CMU would be able to help advise.
You do not need to do anything with this. The identifier is passed to pts for canonicalization, the group is not validated.
I don't see this in ldap.c. The identifier group:xxx gets passed into pts as the identifier and rejected by the canonicalizer because of the colon. So the canonicalized identifier is null throughout the rest of the code. I don't see a test for group: anywhere (or in afskrb.c either). So assuming that we just want to make sure that the group name is valid, and that the canonicalizer should be fixed to recognize group:xxx syntax, what then am I supposed to do with it? Returning NULL seems to Do Bad Things, and I don't see an entry for canonicalized group in the auth_state struct.
Have you tried to step through the program with gdb or other debugger?
Thanks, Tim