
Re: SASL EXTERNAL via ldapi



On Tue, 22 Nov 2005 13:56:54 -0500
"James F. Hranicky" <jfh@cise.ufl.edu> wrote:

> I just realized I never mentioned my platform:
> 
> 	OS		:	Sol 10 x86
> 	openldap	:	2.3.12
> 	sasl		:	2.1.21
> 	BDB		:	4.2.52+patches
> 	compiler	:	SUNWspro, gcc 3.4.4

Another data point: 2.3.6 works properly, 2.3.7 fails as 2.3.12 does. I've
done a recursive diff between the two but nothing obvious jumps out at
me. However, looking at the output of slapd running with "-d 1 -d 4 -d 256"
shows what's going on (edited for readability: doubly indented lines are 
continuations).

Here's 2.3.6:

    do_sasl_bind: dn () mech EXTERNAL
    conn=0 op=1 BIND dn="" method=163
    ==> sasl_bind: dn="" mech=EXTERNAL datalen=0
    SASL Canonicalize [conn=0]: 
        authcid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
    slap_sasl_getdn: conn 0 
        id=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth [len=55]
    ==>slap_sasl2dn: converting SASL name 
        gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth to a DN
    slap_authz_regexp: converting SASL name 
        gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    <==slap_sasl2dn: Converted SASL name to <nothing>
    SASL Canonicalize [conn=0]: 
        slapAuthcDN="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
    SASL proxy authorize [conn=0]:
        authcid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth@CISE.UFL.EDU"
        authzid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth@CISE.UFL.EDU"
    conn=0 op=1 BIND 
        authcid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth@CISE.UFL.EDU"
        authzid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth@CISE.UFL.EDU"
    SASL Authorize [conn=0]:  proxy authorization allowed authzDN=""
    send_ldap_sasl: err=0 len=-1
    send_ldap_response: msgid=1 tag=97 err=0
    ber_flush: 14 bytes to sd 10
    conn=0 op=1 RESULT tag=97 err=0 text=
    <== slap_sasl_bind: rc=0
    conn=0 op=1 BIND 
        dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" mech=EXTERNAL ssf=0
    do_bind: SASL/EXTERNAL bind: 
        dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" ssf=0

Here's 2.3.7:

    do_sasl_bind: dn () mech EXTERNAL
    conn=0 op=0 BIND dn="" method=163
    ==> sasl_bind: dn="" mech=EXTERNAL datalen=0
    send_ldap_result: conn=0 op=0 p=3
    send_ldap_result: err=7 matched="" text="SASL(-4): no mechanism available: "
    send_ldap_response: msgid=1 tag=97 err=7
    ber_flush: 48 bytes to sd 11
    
For some reason, slap_sasl_canonicalize() doesn't appear to get called. 

I can probably work on it some more tomorrow, but if anyone has any ideas that'd
be great.

Jim
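
A small triage script for the comparison made in the message above, added here as an example and not part of the original post or of OpenLDAP: it folds continuation lines, records which bind stages each trace reached, and reports the first stage the failing trace never logged. The stage labels and function names are assumptions of this example; the trace lines are excerpts of the two traces quoted in the post, and the result-code names come from RFC 4511.

```python
import re
import textwrap
# Excerpts of the two slapd traces quoted in the post; indented lines are continuations.
TRACE_236 = """\
do_sasl_bind: dn () mech EXTERNAL
==> sasl_bind: dn="" mech=EXTERNAL datalen=0
SASL Canonicalize [conn=0]:
    authcid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
SASL Authorize [conn=0]:  proxy authorization allowed authzDN=""
send_ldap_response: msgid=1 tag=97 err=0
"""
TRACE_237 = """\
do_sasl_bind: dn () mech EXTERNAL
==> sasl_bind: dn="" mech=EXTERNAL datalen=0
send_ldap_result: err=7 matched="" text="SASL(-4): no mechanism available: "
send_ldap_response: msgid=1 tag=97 err=7
"""
# Bind stages in order (labels are this example's), each with the trace marker for it.
STAGES = [("dispatch", "do_sasl_bind:"), ("sasl_start", "==> sasl_bind:"),
          ("canonicalize", "SASL Canonicalize"), ("authorize", "SASL Authorize"),
          ("response", "send_ldap_response:")]
# LDAP result codes (RFC 4511) for the two values seen in the traces.
RESULT_NAMES = {0: "success", 7: "authMethodNotSupported"}

def join_continuations(trace):
    """Fold indented continuation lines into the record they continue."""
    records = []
    for line in textwrap.dedent(trace).splitlines():
        if line[:1].isspace() and records:
            records[-1] += " " + line.strip()
        elif line.strip():
            records.append(line.strip())
    return records

def summarize(trace):
    """Return the stages reached, the peercred authcid (if logged) and the bind result."""
    text = " ".join(join_continuations(trace))
    authcid = re.search(r'authcid="([^"@]+)', text)
    err = re.search(r"send_ldap_response:.*\berr=(\d+)", text)
    code = int(err.group(1)) if err else None
    return {"stages": [name for name, marker in STAGES if marker in text],
            "authcid": authcid.group(1) if authcid else None,
            "result": RESULT_NAMES.get(code, code)}

def first_missing_stage(good, bad):
    """First stage the working trace reached that the failing trace never logged."""
    reached = set(summarize(bad)["stages"])
    return next((s for s in summarize(good)["stages"] if s not in reached), None)
```

Calling `first_missing_stage(TRACE_236, TRACE_237)` names the canonicalize stage, and `summarize()` shows the 2.3.7 bind ending in `authMethodNotSupported` without an authcid ever being logged.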