LDAP bind using ldap_sasl_interactive_bind_s and DIGEST-MD5 fails the second time
- To: openldap-bugs@openldap.org
- Subject: LDAP bind using ldap_sasl_interactive_bind_s and DIGEST-MD5 fails the second time
- From: James Bong <jbong16@gmail.com>
- Date: Wed, 31 Mar 2010 22:36:15 -0500
I am currently using Mac OS X 10.6.2 and am attempting to use the ldap_sasl_interactive_bind_s API to do a digest-md5 authentication against Active Directory (2008, though I don't think it matters what flavor of AD is used). The bind works fine the first time. However, if I unbind and attempt to rebind as the same user, it fails with ldap_sasl_interactive_bind_s: Invalid credentials (49). If I bind with a different user, then unbind, and bind as the original user, it works. I created a simple program that illustrates the issue. When run, it binds correctly, unbinds, and then fails on the second bind:
trying
ldap_sasl_interactive_bind_s
callback
callback done
ldap_sasl_interactive_bind_s Done
Unbinding
Unbound.
ldap_sasl_interactive_bind_s
callback
callback done
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C0904D1, comment: AcceptSecurityContext error, data 57, v1772
Any idea why it is not possible to use the same credentials twice?
Here is the test program. I tried reinitializing the sasl library with sasl_done and sasl_client_init, but that doesn't seem to make a difference.
    #define LDAP_DEPRECATED 1   /* ldap_perror()/ldap_unbind() need this with 2.4 headers */
    #include <ldap.h>
    #include <sasl/sasl.h>
    #include <stdio.h>
    #include <string.h>         /* strlen() */
    #include <unistd.h>         /* sleep() */

    typedef struct sasl_defaults {
        char *mech;
        char *realm;
        char *authcid;
        char *passwd;
        char *authzid;
    } sasl_defaults;

    /* LDAP_SASL_INTERACT_PROC: answer whatever the SASL library asks for. */
    int callback(LDAP *ld, unsigned flags, void *defaults, void *interact) {
        printf("callback\n");
        sasl_interact_t *in_out = (sasl_interact_t *)interact;
        sasl_defaults *in_defaults = (sasl_defaults *)defaults;
        while (in_out->id != SASL_CB_LIST_END) {
            switch (in_out->id) {
            case SASL_CB_USER:          /* authorization identity (same name is used) */
                in_out->result = in_defaults->authcid;
                in_out->len = strlen(in_defaults->authcid);
                break;
            case SASL_CB_AUTHNAME:      /* authentication identity */
                in_out->result = in_defaults->authcid;
                in_out->len = strlen(in_defaults->authcid);
                break;
            case SASL_CB_PASS:
                in_out->result = in_defaults->passwd;
                in_out->len = strlen(in_defaults->passwd);
                break;
            case SASL_CB_GETREALM:      /* realm is deliberately left empty */
                in_out->result = "";
                in_out->len = strlen("");
                break;
            }
            in_out++;
        }
        printf("callback done\n");
        return 0;
    }

    int main(int argc, char **argv) {
        if (argc < 2) {
            fprintf(stderr, "usage: %s ldap://host\n", argv[0]);
            return 1;
        }
        printf("trying\n");
        for (;;) {
            LDAP *ld = NULL;
            /* Handle initialization was missing from the posted program; the
               server URI is taken from the command line so that it can run. */
            if (ldap_initialize(&ld, argv[1]) != LDAP_SUCCESS) {
                printf("ldap_initialize failed\n");
                return -1;
            }
            ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
            int version = 3;
            ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);
            int timelimit = 5;
            if (ldap_set_option(ld, LDAP_OPT_TIMELIMIT, (void *)&timelimit) != LDAP_OPT_SUCCESS) {
                printf("err\n");
                return -1;
            }
            sasl_defaults defaults;
            defaults.mech = "DIGEST-MD5";
            defaults.realm = NULL;      /* unused; the callback answers "" for the realm */
            defaults.passwd = "password";
            defaults.authcid = "user";
            defaults.authzid = "user";
            printf("ldap_sasl_interactive_bind_s\n");
            int rc = ldap_sasl_interactive_bind_s(ld, NULL, defaults.mech, NULL, NULL,
                                                  LDAP_SASL_QUIET, callback, &defaults);
            if (rc != LDAP_SUCCESS) {
                ldap_perror(ld, "ldap_sasl_interactive_bind_s");
                ldap_unbind(ld);
                return -1;
            }
            printf("ldap_sasl_interactive_bind_s Done\n");
            printf("Unbinding\n");
            ldap_unbind(ld);
            printf("Unbound.\n");
            sleep(5);
        }
    }
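To make the moving parts of a DIGEST-MD5 bind concrete, here is a self-contained model of the RFC 2831 exchange that an LDAP SASL bind carries in its two BindRequest/BindResponse round trips: the server's challenge, the client's response-value, and the server's rspauth for mutual authentication. This is an added example and not code from this report, from OpenLDAP or from Cyrus SASL; the realm, the credentials, the digest-uri and the DigestServer class are constructed for illustration. It shows which values are per-bind (server nonce, client cnonce, nonce-count), that a second bind with a fresh challenge succeeds, and how a server that tracks the nonces it issued rejects a response built against a consumed nonce, a wrong nonce-count or a realm other than the one it offered. It models the mechanism only; it does not claim to explain the failure reported above.

```python
"""DIGEST-MD5 (RFC 2831) challenge/response as carried by an LDAP SASL bind,
both sides. Added example, not code from this report, OpenLDAP or Cyrus SASL;
the realm, credentials, digest-uri and DigestServer are constructed here."""
import hashlib
import hmac
import os
import re

_FIELD = re.compile(r'([A-Za-z-]+)=("(?:[^"\\]|\\.)*"|[^,]*)')


def parse_fields(text):
    """Parse the comma-separated key=value list used by challenge and response."""
    out = {}
    for key, val in _FIELD.findall(text):
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1].replace('\\"', '"').replace('\\\\', '\\')
        out[key] = val
    return out


def _hh(data):
    return hashlib.md5(data).hexdigest()


def digest(user, realm, password, nonce, cnonce, nc, qop, uri,
           authzid=None, server_side=False):
    """RFC 2831 response-value (client) or rspauth value (server_side=True)."""
    # A1 ties the password hash to this exchange's nonce and cnonce.
    a1 = hashlib.md5(f"{user}:{realm}:{password}".encode()).digest()
    a1 += f":{nonce}:{cnonce}".encode()
    if authzid:
        a1 += f":{authzid}".encode()
    # A2 is "AUTHENTICATE:uri" for the client, ":uri" for the server's rspauth.
    a2 = ("" if server_side else "AUTHENTICATE") + ":" + uri
    if qop in ("auth-int", "auth-conf"):
        a2 += ":" + "0" * 32
    return _hh(f"{_hh(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_hh(a2.encode())}".encode())


def client_response(challenge, user, password, uri, cnonce, nc=1, authzid=None):
    """Build the client's response from the server's challenge (qop=auth only)."""
    ch = parse_fields(challenge)
    if "auth" not in ch.get("qop", "auth").split(","):
        raise ValueError("server does not offer qop=auth")
    realm, nonce, ncs = ch.get("realm", ""), ch["nonce"], f"{nc:08x}"
    resp = digest(user, realm, password, nonce, cnonce, ncs, "auth", uri, authzid)
    parts = [f'username="{user}"', f'realm="{realm}"', f'nonce="{nonce}"',
             f'cnonce="{cnonce}"', f"nc={ncs}", "qop=auth",
             f'digest-uri="{uri}"', f"response={resp}", "charset=utf-8"]
    if authzid:
        parts.append(f'authzid="{authzid}"')
    return ",".join(parts)


def client_check_rspauth(response_sent, password, server_final):
    """Mutual authentication: the server must prove it knows the password too."""
    f = parse_fields(response_sent)
    want = digest(f["username"], f["realm"], password, f["nonce"], f["cnonce"],
                  f["nc"], f["qop"], f["digest-uri"], f.get("authzid"), server_side=True)
    return hmac.compare_digest("rspauth=" + want, server_final)


class DigestServer:
    """Constructed server side: one fresh nonce per bind, each usable once."""
    def __init__(self, realm, users):
        self.realm, self.users = realm, users   # users: name -> cleartext password
        self.pending = {}                        # issued nonce -> next expected nc

    def challenge(self):
        nonce = os.urandom(16).hex()
        self.pending[nonce] = 1
        return (f'realm="{self.realm}",nonce="{nonce}",qop="auth",'
                "charset=utf-8,algorithm=md5-sess")

    def verify(self, response):
        """Return the rspauth message on success, None on any failure."""
        f = parse_fields(response)
        nonce = f.get("nonce")
        if nonce not in self.pending:                 # unknown, stale or already used
            return None
        if f.get("realm") != self.realm:              # must echo the realm we offered
            return None
        if int(f.get("nc", "0"), 16) != self.pending[nonce]:   # replayed count
            return None
        password = self.users.get(f.get("username"))
        if password is None:
            return None
        try:
            args = (f["username"], f["realm"], password, nonce, f["cnonce"],
                    f["nc"], f["qop"], f["digest-uri"], f.get("authzid"))
        except KeyError:                               # malformed response
            return None
        if not hmac.compare_digest(digest(*args), f.get("response", "")):
            return None
        del self.pending[nonce]                        # nonce is one-shot
        return "rspauth=" + digest(*args, server_side=True)


def sasl_bind(server, user, password, uri, cnonce):
    """One complete bind: challenge -> response -> rspauth. True on mutual success."""
    resp = client_response(server.challenge(), user, password, uri, cnonce)
    final = server.verify(resp)
    return final is not None and client_check_rspauth(resp, password, final)
```

When a bind that worked once is rejected the next time, the fields this model checks (nonce, nc, realm, digest-uri, username) are the ones to compare between the two client responses in a packet capture or a `-d` trace; the program above answers SASL_CB_GETREALM with an empty string, so the realm the client echoes is one of the values worth confirming against what the server offered.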