setting max ssf with ldap_set_option
I have a small LDAP utility (msktutil) that talks to Active Directory
using GSSAPI over TLS. I'm trying to set the SASL parameter "maxssf"
to "0" in the code.
I've found that in a recent version of OpenLDAP (2.4.24), modifying
LDAP_OPT_X_SASL_SSF_MAX with ldap_set_option() has no effect. The
basic code is
ber_len_t max_ssf = 0;   /* ldap_set_option(3) documents this option as ber_len_t */
printf( "setting max ssf to %lu\n", (unsigned long) max_ssf );
ldap_set_option(ld, LDAP_OPT_X_SASL_SSF_MAX, &max_ssf)
Subsequent ldap_get_option() calls show that the value is not
changing, as does the output when I bind with
ldap_sasl_interactive_bind_s(). I would at the very least expect
ldap_set_option() to return something other than LDAP_OPT_SUCCESS
here. Am I hitting a bug in OpenLDAP, or am I really off track? :)
I've attached a small test case (gcc -o test test.c -lldap -llber).
This works as I expect in both 2.3.43 and 2.4.23, and fails in 2.4.24.
RHEL5: openldap-2.3.43-12.el5_6.7
./test
LDAP_OPT_X_SASL_SSF_MAX before setting = 2147483647
setting max ssf to 0
LDAP_OPT_X_SASL_SSF_MAX after setting = 0
RHEL6: openldap-2.4.23-15.el6_1.1.x86_64
./test
LDAP_OPT_X_SASL_SSF_MAX before setting = 2147483647
setting max ssf to 0
LDAP_OPT_X_SASL_SSF_MAX after setting = 0
Fedora 15: openldap-2.4.24-3.fc15.i686
./test
LDAP_OPT_X_SASL_SSF_MAX before setting = 2147483647
setting max ssf to 0
LDAP_OPT_X_SASL_SSF_MAX after setting = 2147483647
#include <stdio.h>
#include <stdlib.h>
#include <ldap.h>

/* Small test case: read LDAP_OPT_X_SASL_SSF_MAX, try to set it to 0, read
 * it back. Build with: gcc -o test test.c -lldap -llber
 *
 * ldap_initialize() does not open a connection, so no server is needed.
 * Per ldap_set_option(3)/ldap_get_option(3) the SSF_MIN/SSF_MAX options
 * take a ber_len_t *, not a sasl_ssf_t *; on 64-bit platforms ber_len_t is
 * wider than sasl_ssf_t, so reading into a sasl_ssf_t would overrun it. */
int main(int argc, char **argv)
{
    LDAP *ld = NULL;
    int rc;
    int desired_version = LDAP_VERSION3;
    const char *ldap_uri = "ldap://ldap.example.com";

    /* ldap_initialize() reports failure through its return code, not errno */
    rc = ldap_initialize(&ld, ldap_uri);
    if (rc != LDAP_SUCCESS || ld == NULL) {
        fprintf(stderr, "ldap_initialize failed: %s\n", ldap_err2string(rc));
        exit(EXIT_FAILURE);
    }

    if (ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &desired_version)
            != LDAP_OPT_SUCCESS) {
        fprintf(stderr, "ldap_set_option(LDAP_OPT_PROTOCOL_VERSION) failed\n");
        ldap_unbind_ext_s(ld, NULL, NULL);
        exit(EXIT_FAILURE);
    }

    /* Check the current max_ssf parameter. The all-ones value is only a
     * sentinel meaning "not read yet". */
    ber_len_t before_ssf = (ber_len_t) -1;
    if (ldap_get_option(ld, LDAP_OPT_X_SASL_SSF_MAX, &before_ssf) != LDAP_OPT_SUCCESS) {
        fprintf(stderr, "ldap_get_option(LDAP_OPT_X_SASL_SSF_MAX) failed\n");
        ldap_unbind_ext_s(ld, NULL, NULL);
        exit(EXIT_FAILURE);
    }
    printf("LDAP_OPT_X_SASL_SSF_MAX before setting = %lu\n",
           (unsigned long) before_ssf);

    /* Try to set max ssf to 0, i.e. no SASL security layer (the connection
     * is expected to be protected by TLS instead) */
    ber_len_t max_ssf = 0;
    printf("setting max ssf to %lu\n", (unsigned long) max_ssf);
    if (ldap_set_option(ld, LDAP_OPT_X_SASL_SSF_MAX, &max_ssf) != LDAP_OPT_SUCCESS) {
        /* Not called errno: that name is a macro once <errno.h> is included */
        int lderr = 0;
        ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &lderr);
        fprintf(stderr, "ldap_set_option(LDAP_OPT_X_SASL_SSF_MAX) failed: %d (%s)\n",
                lderr, ldap_err2string(lderr));
        ldap_unbind_ext_s(ld, NULL, NULL);
        exit(EXIT_FAILURE);
    }

    /* Now check whether max ssf is really 0 */
    ber_len_t after_ssf = (ber_len_t) -1;
    if (ldap_get_option(ld, LDAP_OPT_X_SASL_SSF_MAX, &after_ssf) != LDAP_OPT_SUCCESS) {
        fprintf(stderr, "ldap_get_option(LDAP_OPT_X_SASL_SSF_MAX) failed\n");
        ldap_unbind_ext_s(ld, NULL, NULL);
        exit(EXIT_FAILURE);
    }
    printf("LDAP_OPT_X_SASL_SSF_MAX after setting = %lu\n",
           (unsigned long) after_ssf);

    ldap_unbind_ext_s(ld, NULL, NULL);
    return 0;
}