
setting max ssf with ldap_set_option



I have a small LDAP utility (msktutil) that talks to Active Directory
using GSSAPI over TLS. I'm trying to set the SASL parameter "maxssf"
to "0" in the code.

I've found that in a recent version of OpenLDAP (2.4.24), modifying
LDAP_OPT_X_SASL_SSF_MAX with ldap_set_option() has no effect. The
basic code is

sasl_ssf_t max_ssf = 0;
printf( "setting max ssf to %d\n", max_ssf );
ldap_set_option(ld, LDAP_OPT_X_SASL_SSF_MAX, &max_ssf)

Subsequent ldap_get_option() calls show that the value is not
changing, as does the output when I bind with
ldap_sasl_interactive_bind_s(). I would at the very least expect
ldap_set_option() to return something other than LDAP_OPT_SUCCESS
here. Am I hitting a bug in OpenLDAP, or am I really off track? :)

I've attached a small test case (gcc -o test test.c -lldap -llber).
This works as I expect in both 2.3.43 and 2.4.23, and fails in 2.4.24.

RHEL5: openldap-2.3.43-12.el5_6.7
./test
LDAP_OPT_X_SASL_SSF_MAX before setting = 2147483647
setting max ssf to 0
LDAP_OPT_X_SASL_SSF_MAX after setting = 0


RHEL6: openldap-2.4.23-15.el6_1.1.x86_64
./test
LDAP_OPT_X_SASL_SSF_MAX before setting = 2147483647
setting max ssf to 0
LDAP_OPT_X_SASL_SSF_MAX after setting = 0


Fedora 15: openldap-2.4.24-3.fc15.i686
./test
LDAP_OPT_X_SASL_SSF_MAX before setting = 2147483647
setting max ssf to 0
LDAP_OPT_X_SASL_SSF_MAX after setting = 2147483647

test.c:

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <ldap.h>
#include <sasl/sasl.h>


int main(int argc, char **argv)
{
	LDAP *ld = NULL;
	int  result;
	int  desired_version = LDAP_VERSION3;
	char *ldap_uri      = "ldap://ldap.example.com";

	/* ldap_initialize() only allocates the handle; no connection is opened yet */
	result = ldap_initialize(&ld, ldap_uri);
	if ( result != LDAP_SUCCESS || ld == NULL ) {
		fprintf( stderr, "ldap_initialize failed: %s\n", ldap_err2string(result) );
		exit( EXIT_FAILURE );
	}

	if (ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &desired_version) != LDAP_OPT_SUCCESS)
	{
		fprintf( stderr, "ldap_set_option(LDAP_OPT_PROTOCOL_VERSION) failed\n" );
		ldap_unbind_ext_s( ld, NULL, NULL );
		exit(EXIT_FAILURE);
	}

	/* Check the current max_ssf parameter.
	 * sasl_ssf_t is unsigned, so use %u and an all-ones sentinel for "not read". */
	sasl_ssf_t before_ssf = (sasl_ssf_t) -1;
	ldap_get_option(ld, LDAP_OPT_X_SASL_SSF_MAX, &before_ssf);
	printf( "LDAP_OPT_X_SASL_SSF_MAX before setting = %u\n", before_ssf );

	/* Try to set max ssf to 0 */
	sasl_ssf_t max_ssf = 0;
	printf( "setting max ssf to %u\n", max_ssf );
	if (ldap_set_option(ld, LDAP_OPT_X_SASL_SSF_MAX, &max_ssf) != LDAP_OPT_SUCCESS)
	{
		/* Do not name this 'errno': that shadows the C library's errno macro. */
		int ldap_err = 0;
		ldap_get_option( ld, LDAP_OPT_ERROR_NUMBER, &ldap_err );
		fprintf( stderr, "ldap_set_option(LDAP_OPT_X_SASL_SSF_MAX) failed: %d (%s)\n",
			ldap_err, ldap_err2string(ldap_err) );
		ldap_unbind_ext_s( ld, NULL, NULL );
		exit(EXIT_FAILURE);
	}

	/* Now check whether max ssf is really 0 */
	sasl_ssf_t after_ssf = (sasl_ssf_t) -1;
	ldap_get_option(ld, LDAP_OPT_X_SASL_SSF_MAX, &after_ssf);
	printf( "LDAP_OPT_X_SASL_SSF_MAX after setting = %u\n", after_ssf );

	ldap_unbind_ext_s( ld, NULL, NULL );
	return 0;
}