Hello,

I've found that Net::LDAP requires *the* bind DN of the entity binding when making a Cyrus::SASL bind. This is incorrect behavior in this case, as the bind DN is irrelevant, and could just as well be "". That is because the server actually determines what entity you are via SASL operations internally.

For example:

ldapsearch -h ldap-test3.stanford.edu -b"dc=stanford,dc=edu" -D "" uid=quanah uid
SASL/GSSAPI authentication started
SASL username: [EMAIL PROTECTED]
SASL SSF: 56
SASL installing layers
# extended LDIF
#
# LDAPv3
# base <dc=stanford,dc=edu> with scope sub
# filter: uid=quanah
# requesting: uid
#


# quanah, Accounts, Stanford.edu
dn: uid=quanah,cn=Accounts,dc=Stanford,dc=edu
uid: quanah


From the server log:

Jun 10 22:17:56 ldap-test3.Stanford.EDU slapd[8451]: [ID 347666 local4.debug] conn=13 op=1 BIND dn="" method=163
Jun 10 22:17:56 ldap-test3.Stanford.EDU slapd[8451]: [ID 347666 local4.debug] conn=13 op=2 BIND dn="" method=163
Jun 10 22:17:56 ldap-test3.Stanford.EDU slapd[8451]: [ID 347666 local4.debug] conn=13 op=3 BIND dn="" method=163
Jun 10 22:17:56 ldap-test3.Stanford.EDU slapd[8451]: [ID 951063 local4.debug] conn=13 op=3 BIND authcid="[EMAIL PROTECTED]"
Jun 10 22:17:56 ldap-test3.Stanford.EDU slapd[8451]: [ID 996101 local4.debug] conn=13 op=3 BIND dn="uid=quanah,cn=accounts,dc=stanford,dc=edu" mech=GSSAPI ssf=56
As you can see, I didn't specify a valid bind dn, yet the server knows from my authentication identity who I am, and how to map me. This has allowed us to easily let our clients bind to our server, without ever having to have any knowledge of "DNs".


Is there an easy fix for this that I can apply to Net::LDAP?

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
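
As an added example, not part of this message or of Net::LDAP, the Python script below correlates slapd BIND log lines like those quoted above by (conn, op), so that an auditor can tell a SASL bind logged with dn="" (identity supplied by the mechanism and mapped by the server) from a genuinely anonymous simple bind. It assumes OpenLDAP's method codes 128 (simple) and 163 (SASL); the sample log is the excerpt from the message plus one constructed anonymous-bind line for contrast.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Field patterns for the three kinds of BIND lines slapd writes in the excerpt above.
BIND_REQ = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
BIND_AUTHCID = re.compile(r'conn=(\d+) op=(\d+) BIND authcid="([^"]*)"')
BIND_DONE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" mech=(\S+) ssf=(\d+)')
LDAP_AUTH_SIMPLE = 128  # 0x80: simple bind; dn="" here really is anonymous
LDAP_AUTH_SASL = 163    # 0xa3: SASL bind; dn="" is normal, identity comes from the mechanism

@dataclass
class Bind:
    requested_dn: str = ""        # DN the client sent in the BIND request
    method: int = 0               # LDAP authentication method code
    authcid: Optional[str] = None  # SASL authentication identity (final step only)
    mapped_dn: Optional[str] = None  # DN the server mapped the authcid to
    mech: Optional[str] = None
    ssf: int = 0                  # security strength factor of the negotiated layer

    def kind(self) -> str:
        if self.method == LDAP_AUTH_SASL:
            return "sasl-authenticated" if self.mapped_dn else "sasl-negotiation-step"
        return "anonymous" if self.requested_dn == "" else "simple"

def summarize_binds(lines):
    """Correlate slapd BIND lines by (conn, op) into one Bind record per operation."""
    binds = {}
    for line in lines:
        if m := BIND_DONE.search(line):
            b = binds.setdefault((int(m[1]), int(m[2])), Bind())
            b.mapped_dn, b.mech, b.ssf = m[3], m[4], int(m[5])
        elif m := BIND_AUTHCID.search(line):
            binds.setdefault((int(m[1]), int(m[2])), Bind()).authcid = m[3]
        elif m := BIND_REQ.search(line):
            b = binds.setdefault((int(m[1]), int(m[2])), Bind())
            b.requested_dn, b.method = m[3], int(m[4])
    return binds

# Sample input: the lines quoted in the message (authcid left as redacted there),
# plus a constructed simple anonymous bind on conn=14 for contrast.
SAMPLE_LOG = """\
Jun 10 22:17:56 ldap-test3.Stanford.EDU slapd[8451]: [ID 347666 local4.debug] conn=13 op=1 BIND dn="" method=163
Jun 10 22:17:56 ldap-test3.Stanford.EDU slapd[8451]: [ID 347666 local4.debug] conn=13 op=2 BIND dn="" method=163
Jun 10 22:17:56 ldap-test3.Stanford.EDU slapd[8451]: [ID 347666 local4.debug] conn=13 op=3 BIND dn="" method=163
Jun 10 22:17:56 ldap-test3.Stanford.EDU slapd[8451]: [ID 951063 local4.debug] conn=13 op=3 BIND authcid="[EMAIL PROTECTED]"
Jun 10 22:17:56 ldap-test3.Stanford.EDU slapd[8451]: [ID 996101 local4.debug] conn=13 op=3 BIND dn="uid=quanah,cn=accounts,dc=stanford,dc=edu" mech=GSSAPI ssf=56
Jun 10 22:18:02 ldap-test3.Stanford.EDU slapd[8451]: [ID 347666 local4.debug] conn=14 op=0 BIND dn="" method=128
""".splitlines()
```

The three method=163 requests on conn=13 are the rounds of the GSSAPI exchange; only the last one carries the authcid and the DN the server mapped it to, which is why dn="" in the request line alone says nothing about who bound.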
