Now I can use SASL/GSSAPI encryption to search AD successfully, though this may not be a fine resolution.
I'm a tyro of Perl, and I'm not very familiar with Perl modules, so I can't really explain the problems and resolve them. I'll describe my modifications and hope someone can explain and resolve them:
In Net::LDAP::Bind::decode, use $sasl->tiesocket to replace $sasl->securesocket; then the connection will not be closed when BIND completes.
But after BIND succeeds, the Net::LDAP module complains that the socket handle ($ldap->socket) is not a GLOB reference when it tries to write data to the socket. Finally, I found I can use $socket->{fh}.
But a new problem appears.
All the function calls in Authen::SASL::Cyrus::Security recur infinitely and the stack finally overflows.
I have to use IO::Socket's send and recv functions to replace the print and sysread calls in the READ and WRITE functions in Authen::SASL::Cyrus::Security.
I hope someone can upgrade the Cyrus or LDAP modules to resolve these problems.
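The SASL/GSSAPI bind this thread is trying to get working, written out as an added example (not code from the thread, nor from the Net::LDAP or Authen::SASL projects). The host name, base DN and search filter are placeholders; it assumes the client already holds a Kerberos ticket for the AD domain.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Extension::WhoAmI;
use Authen::SASL;

# Placeholder values: replace with your domain controller and base DN.
my $host = 'dc1.example.com';
my $base = 'DC=example,DC=com';

my $ldap = Net::LDAP->new($host, version => 3)
    or die "Cannot connect to $host: $@";

# GSSAPI uses the Kerberos ticket already held by the client (kinit or the
# Windows logon session), so the user's password never crosses the wire.
# This is the alternative to the plaintext simple bind from the original post.
# (If Kerberos is not an option, do $ldap->start_tls(verify => 'require',
#  cafile => '/path/to/ca.pem') before any simple bind; never bind in the clear.)
my $sasl = Authen::SASL->new(mechanism => 'GSSAPI');

# Net::LDAP drives the multi-step exchange (SASL_BIND_IN_PROGRESS ... SUCCESS)
# itself; a non-zero result code means the exchange did not reach SUCCESS.
my $mesg = $ldap->bind(sasl => $sasl);
die sprintf("SASL bind failed (%d): %s\n", $mesg->code, $mesg->error)
    if $mesg->code;

# Confirm which identity the server thinks we are (RFC 4532 "Who am I?").
my $who = $ldap->who_am_i;
print "Bound as: ", ($who->response || '(unknown)'), "\n";

# A search over the now-authenticated (and, with a security layer, encrypted)
# connection. The filter is a placeholder account name.
$mesg = $ldap->search(
    base   => $base,
    scope  => 'sub',
    filter => '(&(objectClass=user)(sAMAccountName=jdoe))',
    attrs  => [ 'sAMAccountName', 'userPrincipalName' ],
);
die "Search failed: " . $mesg->error . "\n" if $mesg->code;

for my $entry ($mesg->entries) {
    printf "%s -> %s\n",
        $entry->get_value('sAMAccountName'),
        ($entry->get_value('userPrincipalName') || '');
}

$ldap->unbind;
```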
----- Original Message -----
From: "Ziya Suzen" <[EMAIL PROTECTED]>
To: "Zhang Liquan" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, October 16, 2003 7:46 PM
Subject: Re: [PERL-LDAP-DEV] perl-ldap AD authentication with SASL/GSSAPI
> I had exactly the same problem. With the same software you have on the
> client side, except on Linux and OpenLDAP on the server side.
>
> It has been a while; IIRC I had to set ssf to 0 ('zero', which is no
> encryption) on OpenLDAP to get it working (you should be able to turn
> it off from the client side as well, but I think that didn't work for
> me for some reason). I can remember I suspected the Authen-SASL-Cyrus
> security classes for some reason, but I have no solid proof. In the
> end I gave up. Lack of time! (I can hear everyone whispering "Tell me
> about it!" :)
>
> Although I am not sure if you can get AD to work with no encryption at
> all, if you can and it works, I will be happy to know that.
>
> Please forgive the vagueness of the above descriptions. If you have
> any questions I would be happy to provide more info on the issue. For
> now I am just happy to know I am not the only one who had this
> problem :)
>
> Ziya.
>
>
> On 2003-10-16 17:57:25 +0000, Zhang Liquan wrote:
> > I have spent a week trying to search AD with Net::LDAP. If I use simple
> > authentication, it seems to work fine. But I found this method sends the user's
> > password over the network in plaintext, which is not secure enough for my needs.
> > Then I downloaded the Authen::SASL::Cyrus module. But it doesn't work!
> >
> > When my client sends the BIND request, AD responds with SASL_BIND_IN_PROGRESS, but
> > the client doesn't continue the authentication.
> >
> > By debugging the scripts, I found that if I remove the following statement from
> > the Net::LDAP::Bind::decode function:
> > Net::LDAP::Bind
> >     $self->set_error(LDAP_DECODING_ERROR,"LDAP decode error"), return
> >       unless defined $resp;
> >
> > then the client restarts the BIND request, AD responds with SASL_BIND_IN_PROGRESS, the
> > client sends the BIND request, and then AD responds with SUCCESS.
> >
> > But when the Net::LDAP::bind call completes, the connection is closed immediately.
> >
> > Can anyone help me?
> >
> > All the modules I use:
> > perl 5.8.0 for win32
> > SASL 2.02
> > Authen-SASL-Cyrus-0.07
> > Cyrus-sasl-2.15
> > krb5-1.3.1