On 11 Dec 2009, at 04:58, vinay kumar mudgil wrote:
> Good evening everyone,
>
> Actually I don't have that much hands-on experience in C programming [though
> I am very thorough in Java/J2EE], but I have a task with me to be done in C
> language.
>
> I have a C utility which performs certain tasks. I have to incorporate a
> check that only valid users can run that utility. This I have to do by
> authenticating their user names and passwords in LDAP.
>
> Now, I decided that I would break my problem into simple, manageable
> tasks....
> step (1) => I decided to write a sample C program which connects to our LDAP
> server and performs the validation
> step (2) => try to include the above program in my utility.
>
> And I am at present on step 1.
>
> I am using Sun Studio 12 for this purpose, running it on Solaris 10.
>
> The LDAP authentication has to be done over SSL. I have the SSL certificates
> with me and I can connect to my LDAP server using them, but when I try to bind
> a particular user with it, the program gets stuck there... it doesn't even give
> any error message or logs, so I actually don't know how to proceed further.
>
> The approach that I have taken is ---
> STEP (1) bind anonymously with the LDAP server to find out the user DN in
> LDAP. This I have to do as I have the login ID and not the complete DN with
> me, and because the port on which SSL is enabled doesn't allow anonymous log-in,
> so I use a different port to get the DN; and yes, I didn't forget to unbind
> [the pointer].
>
> THIS is working fine.
> [for the sake of simplicity I would be removing this step and the code
> outlined below].
>
>
> STEP (2) make a connection to the LDAP server using the certificates, using the
> ldapssl_clientauth_init() and ldapssl_init() functions.
> THIS is also working fine.
>
> STEP (3) then I set the LDAP version to version 3 using the
> ldap_set_option() function.
> THIS is also working fine.
>
> STEP (4) bind to the LDAP server over SSL using the user DN, using the
> ldap_sasl_bind_s() function.
> This is NOT working fine and the program hangs at this point [you might see a
> few extra variables used, but these are just there as I was trying out
> different things; I would for sure remove them].
>
> ************************ See code snippet below. ************************
>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <ldap.h>
> #include <ldap_ssl.h>   // ldapssl_clientauth_init() and ldapssl_init()
>
> int main(int argc, char **argv) {
>
>     LDAP *ld;                       // connection handle returned by ldapssl_init()
>     LDAPMessage *result, *e;
>
>     struct berval *servcred, cred;  // server SASL credentials (out), client credentials (in)
>
>     BerElement *ber;
>     int ret_val, search_ret_val, i, j;
>     int b;
>     int version;
>
>     char *a, *dn;
>     char **vals;
>     char *userDN;
>
>     char *pw = "users_passwd";
>     char *dn1 = "cn=ABCD EFGH (123456),ou=people,dc=example,dc=com";
>     // The above DN is absolutely correct, and this I am using just for the sake of
>     // simplifying things... as I explained in the description above
>
>     printf("\nstarting the sample program....\n");
>
>     // Point the SSL layer at the certificate and key databases (client auth enabled).
>     b = ldapssl_clientauth_init("/home/XXXXXXXX/ldaplib/cert8.db", NULL, 1,
>                                 "/home/XXXXXXXX/ldaplib/key3.db", NULL);
>
>     printf("\n 11111111111 \n");
>
>     // Get hold of an SSL LDAP connection handle.
>     if ((ld = ldapssl_init("my_ldap_server_name", XXXX, 0)) == NULL) {
>         printf("\ncouldn't open SSL connection to the ldap server...\n");
>         exit(1);
>     }
>     else {
>         printf("\nSSL connection to ldap server is open...\n");
>     }
>
>     printf("\n 22222222222 \n");
>
>     version = LDAP_VERSION3;
>     ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);
>
>     printf("\n 33333333333 \n");
>
>     cred.bv_val = "users_passwd";
>     cred.bv_len = strlen(cred.bv_val);
>
>     // Bind to the server. When we specify NULL, it's an anonymous login.
>     ret_val = ldap_sasl_bind_s(ld, dn1, LDAP_SASL_EXTERNAL, &cred, NULL, NULL, &servcred);
>     // ret_val = ldap_simple_bind_s(ld, dn1, pw);
>     if (ret_val != LDAP_SUCCESS) {
>         printf("\n COULD NOT BIND with anonymous log-in, return value is => %d ", ret_val);
>     }
>     else {
>         printf("\nnow we are bound, with anonymous log-in, return value is => %d ", ret_val);
>         printf("\nTHIS IS A VALID PASSWORD... USER CAN GO AHEAD TO PERFORM THE ACTION... \n");
>     }
>
>     ldap_unbind_s(ld);
>
>     printf("\nfinally exiting....\n");
>
>     return (EXIT_SUCCESS);
> }
>
> *************************************************************************
>
> The output of the program is below...
> starting the sample program....
>
> 11111111111
>
> SSL connection to ldap server is open...
>
> 22222222222
>
> 33333333333
>
> and after this it hangs ---- I mean no further statement gets printed.
>
> So the problem is with this function ----> ldap_sasl_bind_s(), but what exactly
> it is I am not able to understand.
>
> Any pointers OR code snippet OR any help is much appreciated.
>
> Best Regards,
> Vinay Mudgil
I think your problem is more in understanding how LDAP authentication works,
and the LDAP client libraries you're using, rather than the actual tools
(compiler). So there's likely to be a better list for this.
Having said that, some hopefully helpful observations follow...
ldapssl_init does not connect to your LDAP server, judging from a quick scan of
the sources. It is lazy, so the next actual protocol operation (e.g. a bind) will
attempt to create the connection.
LDAP_SASL_EXTERNAL with TLS means that you have connected over TLS *and* your
client authenticates to the LDAP server using solely the client's *own* key and
certificate provided in the TLS connection.
You don't provide any other DN or password in a SASL EXTERNAL bind, i.e. pass ""
instead of dn and NULL instead of &cred.
The result of that SASL bind should be that you're authenticated as the DN from
the client certificate. *Not* as the comment suggests, authenticated
anonymously.
You can see the source for OpenSolaris's libldap at
<http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/lib/libldap5/>,
in case the documentation's not very clear.
Cheers,
Chris
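An added illustration, not code from either poster and not the Solaris libldap API: the three bind forms this thread talks about (the step-1 anonymous bind, a simple bind with DN and password, and the SASL EXTERNAL bind) hand-encoded as LDAPv3 BindRequest PDUs per RFC 4511, plus a small BindResponse parser. It shows on the wire what Chris describes: the EXTERNAL request carries an empty name and no credentials at all, because the identity comes from the TLS client certificate, while the simple bind carries the DN and password inside the TLS session. It also refuses a DN with an empty password, since RFC 4513 section 5.1.2 defines that as an "unauthenticated" bind which many servers accept and treat as anonymous; a password check that only looks for LDAP_SUCCESS would then pass for anyone. The server replies at the bottom are constructed sample bytes; nothing is sent over the network.

```python
"""LDAPv3 BindRequest / BindResponse encoding (added example, standard library only).

Encodes the bind forms discussed in the thread per RFC 4511 and decodes the
BindResponse.  Sample response bytes are constructed, not captured.
"""

# Tags used by LDAP bind PDUs (RFC 4511 section 4.2)
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_ENUMERATED = 0x0A
TAG_SEQUENCE = 0x30
TAG_BIND_REQUEST = 0x60     # [APPLICATION 0], constructed
TAG_BIND_RESPONSE = 0x61    # [APPLICATION 1], constructed
TAG_AUTH_SIMPLE = 0x80      # AuthenticationChoice simple [0], primitive
TAG_AUTH_SASL = 0xA3        # AuthenticationChoice sasl [3], constructed

LDAP_VERSION3 = 3
LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49


def _ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def _integer(v: int) -> bytes:
    """Non-negative INTEGER, padded so the sign bit stays clear."""
    return _tlv(TAG_INTEGER, v.to_bytes(v.bit_length() // 8 + 1, "big"))


def _bind_request(msg_id: int, name: str, auth: bytes) -> bytes:
    """LDAPMessage { messageID, BindRequest { version, name, authentication } }."""
    body = _integer(LDAP_VERSION3) + _tlv(TAG_OCTET_STRING, name.encode()) + auth
    return _tlv(TAG_SEQUENCE, _integer(msg_id) + _tlv(TAG_BIND_REQUEST, body))


def anonymous_bind_request(msg_id: int) -> bytes:
    """Simple bind with empty name and empty password (the step-1 DN lookup)."""
    return _bind_request(msg_id, "", _tlv(TAG_AUTH_SIMPLE, b""))


def simple_bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """Simple bind carrying DN and password; only meaningful inside TLS.

    A non-empty DN with an empty password is an unauthenticated bind
    (RFC 4513 5.1.2) that servers may accept as anonymous, so it is refused here.
    """
    if not dn or not password:
        raise ValueError("refusing unauthenticated bind: DN and password required")
    return _bind_request(msg_id, dn, _tlv(TAG_AUTH_SIMPLE, password.encode()))


def sasl_external_bind_request(msg_id: int) -> bytes:
    """SASL EXTERNAL bind: empty name, mechanism only, no credentials field.

    The identity is whatever the TLS client certificate maps to, which is why
    the reply above says to pass "" for the DN and NULL for the credentials.
    """
    sasl = _tlv(TAG_AUTH_SASL, _tlv(TAG_OCTET_STRING, b"EXTERNAL"))
    return _bind_request(msg_id, "", sasl)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(pdu: bytes):
    """Decode an LDAPMessage holding a BindResponse into
    (message_id, result_code, diagnostic_message)."""
    tag, msg, _ = _read_tlv(pdu, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, raw_id, pos = _read_tlv(msg, 0)
    if tag != TAG_INTEGER:
        raise ValueError("missing messageID")
    tag, result, _ = _read_tlv(msg, pos)
    if tag != TAG_BIND_RESPONSE:
        raise ValueError("protocolOp is not a BindResponse")
    tag, code, pos = _read_tlv(result, 0)
    if tag != TAG_ENUMERATED:
        raise ValueError("missing resultCode")
    _, _matched_dn, pos = _read_tlv(result, pos)
    _, diag, _ = _read_tlv(result, pos)
    return int.from_bytes(raw_id, "big"), int.from_bytes(code, "big"), diag.decode()


# Constructed server replies for this example (not captured from a real server).
SAMPLE_BIND_OK = bytes.fromhex("300c020101" "6107" "0a0100" "0400" "0400")
SAMPLE_BIND_BAD_PASSWORD = (
    bytes.fromhex("301f020102" "611a" "0a0131" "0400" "0413") + b"invalid credentials"
)

if __name__ == "__main__":
    for label, pdu in [
        ("anonymous simple bind", anonymous_bind_request(1)),
        ("simple bind dn+password", simple_bind_request(2, "cn=u", "pw")),
        ("SASL EXTERNAL bind", sasl_external_bind_request(3)),
    ]:
        print(f"{label:26s} {pdu.hex()}")
    print(parse_bind_response(SAMPLE_BIND_OK))
    print(parse_bind_response(SAMPLE_BIND_BAD_PASSWORD))
```

Comparing the hex of the second and third requests makes the point of the reply concrete: only the simple bind contains a DN and a password, so passing dn1 and &cred to an EXTERNAL bind is supplying material the mechanism has no field for. For a utility that really wants to check a user's password, the simple bind over TLS is the form to use, and the empty-password check in simple_bind_request is the guard to keep in front of it.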