
Re: OpenLDAP 2.0 and SASL w/ GSSAPI



At 10:00 AM 8/14/00 -0400, Paul R. Turgyan wrote:
>> At 12:18 PM 8/2/00 -0400, pturgyan@umich.edu wrote:
>> 
>> >I'm trying to use the latest Openldap 2.0 ldapsearch to talk
>> >w/ a Microsoft Active Directory server using SASL & GSSAPI.
>> >
>> >I'm running on a Solaris 2.6,
>> >the latest OpenLDAP 2.0 (from the HEAD branch of the repository),
>> >Cyrus SASL 1.5.24,
>> >Berkeley DB 2.7.5,
>> >the latest MIT Kerberos libraries,
>> >built using gcc. 
>> >
>> >I keep getting the error: ldap_sasl_interactive_bind_s: Local error
>> 
>> Sorry, no better error code to return.
>> 
>> >The error actually gets generated in ldap_int_sasl_bind at line 569.
>> >Being new to SASL/ GSSAPI I have no idea what's going on.
>> 
>I got this to work,  but only after commenting out the code that
>returns the error in ldap_int_sasl_bind in libldap/cyrus.c.

I assume you are referring to the inner if statement at ~line 563.

        if( rc == LDAP_SUCCESS && saslrc == SASL_OK ) {
            /* we're done, no need to step */
            if( scred ) {
                /* but server provided us with data! */
                Debug( LDAP_DEBUG_TRACE,
                    "ldap_int_sasl_bind: rc=%d sasl=%d len=%ld\n",
                    rc, saslrc, scred->bv_len );
                ber_bvfree( scred );
                return ld->ld_errno = LDAP_LOCAL_ERROR;
            }
            break;
        }


>Upon
>completion of the bind operation, ldap_sasl_bind_s has set 'scred' to
>non-null, and 'scred' is pointing at a berval struct that has a length of zero
>and a pointer to a NULL string. (This is a Microsoft AD server I'm connecting
>to.)  Not knowing what this means, why is this an error?

Because our SASL services library has already completed, yet we've
gotten additional data that requires processing by the SASL
services library.  The responsible SASL plug-in should not have
returned SASL_OK on the previous step if further processing
may be necessary.  It is inappropriate for the application
to ignore/skip this final step.  That is, I think this is a
bug in Cyrus's GSSAPI plug-in.


>In the Netscape SDK, this parameter to ldap_sasl_bind_s
>http://developer.netscape.com/docs/manuals/dirsdk/csdk30/functi96.htm#2036439
>can be set to any credentials returned by the server,  and the client 
>is responsible to free the berval.

Same in OpenLDAP... ldap_int_bind_s() is currently leaking it.
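
Added example, not code from OpenLDAP or Cyrus SASL: a self-contained C model of the bind loop this thread is about. The SASL library and the LDAP server are both stubbed as a scripted exchange (the token strings, the assumed SASL_CONTINUE from the initial client start, and every helper name below are made up for illustration), so the loop's decision logic can be exercised offline. It contrasts the strict check in the snippet quoted above, where any serverSaslCreds present after SASL_OK is LDAP_LOCAL_ERROR, with a tolerant variant that treats a zero-length berval as "no data", which is what the AD response described in the thread would need, and it frees scred on every path so the berval is not leaked.

```c
/* Added example (not OpenLDAP or Cyrus SASL code): a model of the final-step
 * check in the SASL bind loop.  Server and SASL library are scripted stubs. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Result codes named in the thread (values as in LDAP / Cyrus SASL). */
enum { LDAP_SUCCESS = 0, LDAP_SASL_BIND_IN_PROGRESS = 14,
       LDAP_INVALID_CREDENTIALS = 49, LDAP_LOCAL_ERROR = 82 };
enum { SASL_OK = 0, SASL_CONTINUE = 1 };

struct berval { long bv_len; char *bv_val; };   /* minimal <lber.h> berval */

/* One round of the scripted exchange: the server's BindResponse and what the
 * stub sasl_client_step() returns when fed its serverSaslCreds. */
struct round {
    int rc;                 /* resultCode in the BindResponse */
    int has_scred;          /* serverSaslCreds present at all */
    const char *scred;      /* its contents ("" = present, zero length) */
    int saslrc_after_step;  /* stub SASL step result on this data */
};

struct bind_result { int ld_errno; int steps; int freed; };

static struct berval *make_scred(const struct round *r) {
    if (!r->has_scred) return NULL;
    struct berval *bv = malloc(sizeof *bv);
    bv->bv_len = (long)strlen(r->scred);
    bv->bv_val = malloc(bv->bv_len + 1);
    memcpy(bv->bv_val, r->scred, bv->bv_len + 1);
    return bv;
}

static void free_scred(struct berval *bv, struct bind_result *res) {
    if (!bv) return;
    free(bv->bv_val); free(bv); res->freed++;   /* counted to show no leak */
}

/* tolerate_empty = 0: strict, any creds after SASL_OK is a local error.
 * tolerate_empty = 1: a zero-length berval after SASL_OK counts as no data. */
struct bind_result run_sasl_bind(const struct round *script, int n, int tolerate_empty) {
    struct bind_result res = { LDAP_SUCCESS, 0, 0 };
    int saslrc = SASL_CONTINUE;  /* assumed: client start produced an initial token */
    int rc, i = 0;
    do {
        if (i >= n) { res.ld_errno = LDAP_LOCAL_ERROR; return res; } /* script ran out */
        const struct round *r = &script[i++];
        res.steps++;
        rc = r->rc;                          /* stub ldap_sasl_bind_s() */
        struct berval *scred = make_scred(r);
        if (rc == LDAP_SUCCESS && saslrc == SASL_OK) {
            /* Both sides say we are done.  Real data here would need another
             * SASL step the library said is not needed: that is the error. */
            int have_data = scred != NULL && (!tolerate_empty || scred->bv_len > 0);
            free_scred(scred, &res);
            if (have_data) { res.ld_errno = LDAP_LOCAL_ERROR; return res; }
            break;
        }
        if (rc != LDAP_SUCCESS && rc != LDAP_SASL_BIND_IN_PROGRESS) {
            free_scred(scred, &res);
            res.ld_errno = rc;               /* server refused the bind */
            return res;
        }
        saslrc = r->saslrc_after_step;       /* stub sasl_client_step(scred) */
        free_scred(scred, &res);
    } while (rc == LDAP_SASL_BIND_IN_PROGRESS || saslrc == SASL_CONTINUE);
    return res;
}

/* Constructed scripts.  ad_script mirrors the AD behaviour described in the
 * thread: success with a present but zero-length serverSaslCreds. */
static const struct round ad_script[] = {
    { LDAP_SASL_BIND_IN_PROGRESS, 1, "srv-token-1", SASL_CONTINUE },
    { LDAP_SASL_BIND_IN_PROGRESS, 1, "srv-token-2", SASL_OK },
    { LDAP_SUCCESS,               1, "",            SASL_OK },
};
static const struct round trailing_script[] = {
    { LDAP_SASL_BIND_IN_PROGRESS, 1, "srv-token-1", SASL_OK },
    { LDAP_SUCCESS,               1, "unexpected",  SASL_OK },
};
static const struct round refused_script[] = {
    { LDAP_INVALID_CREDENTIALS,   0, NULL,          SASL_OK },
};

int ad_empty_creds(int tolerate_empty) { return run_sasl_bind(ad_script, 3, tolerate_empty).ld_errno; }
int ad_bervals_freed(void)             { return run_sasl_bind(ad_script, 3, 1).freed; }
int trailing_data(int tolerate_empty)  { return run_sasl_bind(trailing_script, 2, tolerate_empty).ld_errno; }
int failed_bind(void)                  { return run_sasl_bind(refused_script, 1, 0).ld_errno; }

int main(void) {
    printf("AD empty creds, strict:   ld_errno=%d\n", ad_empty_creds(0));
    printf("AD empty creds, tolerant: ld_errno=%d (bervals freed=%d)\n",
           ad_empty_creds(1), ad_bervals_freed());
    printf("real trailing data:       ld_errno=%d\n", trailing_data(1));
    printf("refused bind:             ld_errno=%d\n", failed_bind());
    return 0;
}
```

Only the zero-length case differs between the two checks: a non-empty serverSaslCreds after SASL_OK is still a local error in both, so the tolerant form does not silently drop data the SASL plug-in would have had to process.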