Hoping someone has run into this.

Using some rather old distribution of Perl-LDAP which includes Authen::SASL[1], and perl-cyrus-sasl-0.02[2], the following was working with the LDAP server (OpenLDAP 2.0.23 and Cyrus SASL 1.5.27):

use strict;
use warnings;
use Net::LDAP;
use Authen::SASL;

# Build the SASL client for a GSSAPI (Kerberos) bind.
my $sasl = Authen::SASL->new('GSSAPI',
                             fqdn    => '[ldapserver fqdn]',
                             service => 'ldap',
                             user    => 'astreib');

my $ldap = Net::LDAP->new('[ldapserver fqdn]') or die "$@";

# SASL bind first ...
my $mesg = $ldap->bind("", sasl => $sasl, version => 3);    # a SASL bind
print "Message from bind is ", $mesg->error, "\n";

# ... then StartTLS on the already-bound connection.
$mesg = $ldap->start_tls();
print "Message from start_tls is ", $mesg->error, "\n";

The same code, but connecting to a 2.1.22 LDAP server with Cyrus SASL 2.0.15, was printing the message: SASL(-14): authorization failure: Inappropriate authentication

If I change the code so that user => 'u:astreib' I don't get that message, but I get only anonymous access. From the slapd logs:

Sep 12 14:36:32 slapd[19103]: conn=17 op=0 BIND dn="" method=163
Sep 12 14:36:32 slapd[19103]: conn=17 op=1 BIND dn="" method=163
Sep 12 14:36:32 slapd[19103]: conn=17 op=2 BIND dn="" method=163
Sep 12 14:36:32 slapd[19103]: conn=17 op=2 BIND authcid="[EMAIL PROTECTED]"
Sep 12 14:36:32 slapd[19103]: conn=17 op=2 BIND dn="uid=astreib,cn=iu.edu,cn=gssapi,cn=auth" mech=GSSAPI ssf=0
Sep 12 14:36:32 slapd[19103]: conn=17 op=3 AUTHZ anonymous mech=starttls ssf=0
Sep 12 14:36:32 tomahawk slapd[19103]: conn=17 op=4 UNBIND


If I eliminate the start_tls() call, I don't see the AUTHZ anonymous... messages in the ldap logs and I can subsequently execute queries with appropriate authorization.

Why would start_tls() have any impact on my authorization?


[1] http://search.cpan.org/author/GBARR/perl-ldap-0.25/
[2] http://www.sxw.org.uk/computing/software/

Allan
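The slapd log above shows the StartTLS operation itself being logged as "AUTHZ anonymous mech=starttls": the TLS handshake resets the connection's authorization state, so a bind performed before start_tls() is lost. The usual pattern is to negotiate TLS first and bind afterwards. The following is an added example written for this thread, not code from the original post; the hostname, CA bundle path and the availability of Net::LDAP::Extension::WhoAmI (shipped with newer perl-ldap releases) are assumptions.

```perl
#!/usr/bin/perl
# Added example (not from the original post): StartTLS first, then the
# SASL/GSSAPI bind, so the TLS handshake cannot reset an established
# authorization back to anonymous. A valid Kerberos ticket is assumed.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Extension::WhoAmI;   # assumed available (newer perl-ldap)
use Authen::SASL;

my $host   = 'ldap.example.com';               # assumed placeholder
my $cafile = '/etc/ssl/certs/ca-bundle.crt';   # assumed placeholder

my $ldap = Net::LDAP->new($host, version => 3)
    or die "connect to $host failed: $@";

# 1. Negotiate TLS before any bind, and verify the server certificate so
#    the later SASL exchange is not relayed through an untrusted endpoint.
my $mesg = $ldap->start_tls(verify => 'require', cafile => $cafile);
die "start_tls failed: " . $mesg->error . "\n" if $mesg->code;

# 2. SASL GSSAPI bind on the now-protected connection.
my $sasl = Authen::SASL->new(mechanism => 'GSSAPI');
$mesg = $ldap->bind(sasl => $sasl);
die "SASL bind failed: " . $mesg->error . "\n" if $mesg->code;

# 3. Ask the server which authorization identity it actually granted
#    (RFC 4532 "Who am I?"). An empty response means anonymous, which is
#    the symptom seen in the thread when start_tls() ran after the bind.
$mesg = $ldap->who_am_i;
die "whoami failed: " . $mesg->error . "\n" if $mesg->code;
my $authzid = $mesg->response;
die "bound anonymously, check bind/start_tls order\n" unless length $authzid;
print "Authorized as: $authzid\n";

$ldap->unbind;
```

Comparing the authzid reported here with the "BIND dn=..." line in the slapd log is a quick way to confirm that the ordering change, rather than a Kerberos or authz-regexp problem, is what restored the identity.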
