Authenticate to LDAP with GSSAPI

Arran Cudbard-Bell a.cudbardb at freeradius.org
Sun Jun 21 21:37:28 CEST 2015


> Ok, I got it to actually work (including the encryption / sealing part).
> Here is the working diff (LDAP_SASL_BIND_IN_PROGRESS = 14):
> 
> diff --git a/src/modules/rlm_ldap/sasl.c b/src/modules/rlm_ldap/sasl.c
> index 5686f2b..2d61107 100644
> --- a/src/modules/rlm_ldap/sasl.c
> +++ b/src/modules/rlm_ldap/sasl.c
> @@ -125,6 +125,7 @@ ldap_rcode_t rlm_ldap_sasl_interactive(rlm_ldap_t
> const *inst, REQUEST *request,
>                                                 NULL, NULL,
> LDAP_SASL_AUTOMATIC,
>                                                 _sasl_interact,
> &sasl_ctx, result,
>                                                 &mech, &msgid);
> +               if(ret != 14) break;


>                ldap_msgfree(result);   /* We always need to free the
> old message */
>                if (ret >= 0) MOD_ROPTIONAL(RDEBUG3, DEBUG3,
> "Continuing SASL mech %s...", mech);
> 
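Review bot: the added `if(ret != 14) break;` leaves the loop before the rest of the body runs, so on the final round (any return other than `LDAP_SASL_BIND_IN_PROGRESS`) `status` keeps whatever the previous iteration left in it and the function's `return status` reports the wrong `ldap_rcode_t`; the break also skips the `ldap_msgfree(result)` inside the loop, and only the one after the loop frees the last message. Rather than breaking, map the final return into `status` (for example `LDAP_PROC_SUCCESS` on `LDAP_SUCCESS`, an error rcode otherwise), spell the literal `14` as `LDAP_SASL_BIND_IN_PROGRESS`, and write `if (` with a space to match the surrounding `if (ret >= 0)`.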
> @@ -145,7 +146,7 @@ ldap_rcode_t rlm_ldap_sasl_interactive(rlm_ldap_t
> const *inst, REQUEST *request,
>                                ldap_memfree(srv_cred);
>                        }
>                }
> -       } while (status == LDAP_PROC_CONTINUE);
> +       } while (ret == 14);
>        ldap_msgfree(result);
> 
>        return status;
> 
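Review bot: with the break added earlier in the body, `while (ret == 14)` is only ever evaluated when `ret == 14`, so the condition is always true and the break is the loop's sole exit, while `return status` below still hands back a value the loop no longer derives from `ret`. Keep the original `while (status == LDAP_PROC_CONTINUE)` and set `status = LDAP_PROC_CONTINUE` when `ret == LDAP_SASL_BIND_IN_PROGRESS` (a success or error rcode otherwise), so the termination test and the returned value come from the same variable.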
> Need some polishing etc but this works :)

Not really correct, but does give a clue to what might be going on. With your patch status wouldn't get set on the final round of SASL auth, so rlm_ldap_sasl_interactive would return the wrong ldap_rcode_t value.

rlm_ldap_result should be used to get the result via ldap_result, and check it for errors with ldap_parse_result. I can see that possibly ldap_parse_result is giving bad return codes, which is causing the loop to terminate.

I can't really claim that that's a bug in the libldap code, because the man pages don't explicitly mention ldap_result being able to parse SASL bind results.

I'm guessing previously you were getting an error message starting with 'LDAP lib error:'. Could you post that to the list so we can see what ldap_parse_result was returning and determine if it was something innocuous being miscategorised as an error?

I saw one potential issue and fixed it, so you may want to try with current v3.0.x HEAD.

-Arran

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS development team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
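The control-flow problem Arran describes, as an added model that is neither rlm_ldap nor libldap code: a scripted stand-in for ldap_sasl_interactive_bind() replays a constructed sequence of return codes so the loop can run offline. LDAP_SASL_BIND_IN_PROGRESS = 14 is taken from the thread; the other numeric codes are assumed to match <ldap.h>, and the rcode names other than LDAP_PROC_CONTINUE (which appears in the patch) are hypothetical. `patched_loop` reproduces the quoted patch's break-before-status shape and `fixed_loop` derives `status` from every round's result and terminates on it.

```c
/*
 * Added model of the SASL bind loop from the thread. Not rlm_ldap or libldap
 * code: fake_bind() replays a constructed list of codes in place of
 * ldap_sasl_interactive_bind(). Numeric values are assumed to match <ldap.h>;
 * LDAP_SASL_BIND_IN_PROGRESS = 14 is the value given in the thread.
 */
#include <stddef.h>
#include <stdio.h>

#define LDAP_SUCCESS                0   /* assumed <ldap.h> value */
#define LDAP_SASL_BIND_IN_PROGRESS  14  /* from the thread */
#define LDAP_INVALID_CREDENTIALS    49  /* assumed <ldap.h> value */

/* rlm_ldap-style rcode; LDAP_PROC_CONTINUE is in the patch, the rest are hypothetical names. */
typedef enum {
    LDAP_PROC_SUCCESS  = 0,
    LDAP_PROC_CONTINUE = 1,
    LDAP_PROC_ERROR    = -1,
    LDAP_PROC_REJECT   = -2
} ldap_rcode_t;

/* Scripted stand-in for ldap_sasl_interactive_bind(): hands out the next constructed code. */
typedef struct { const int *codes; size_t n; size_t i; } fake_bind_t;

static int fake_bind(fake_bind_t *fb)
{
    if (fb->i >= fb->n) return LDAP_INVALID_CREDENTIALS; /* script exhausted: treat as a reject */
    return fb->codes[fb->i++];
}

/* Translate one round's libldap return code into the loop status. */
static ldap_rcode_t map_ret(int ret)
{
    switch (ret) {
    case LDAP_SUCCESS:               return LDAP_PROC_SUCCESS;
    case LDAP_SASL_BIND_IN_PROGRESS: return LDAP_PROC_CONTINUE;
    case LDAP_INVALID_CREDENTIALS:   return LDAP_PROC_REJECT;
    default:                         return LDAP_PROC_ERROR;
    }
}

/* Shape of the quoted patch: break on ret != 14 before status is updated, loop on ret == 14. */
ldap_rcode_t patched_loop(const int *codes, size_t n, int *rounds)
{
    fake_bind_t fb = { codes, n, 0 };
    ldap_rcode_t status = LDAP_PROC_CONTINUE; /* whatever an earlier round left behind */
    int ret;

    *rounds = 0;
    do {
        ret = fake_bind(&fb);
        (*rounds)++;
        if (ret != LDAP_SASL_BIND_IN_PROGRESS) break; /* skips the status update below */
        status = map_ret(ret);                         /* only ever sees 14 here */
    } while (ret == LDAP_SASL_BIND_IN_PROGRESS);

    return status; /* stale on the final round: never SUCCESS or REJECT */
}

/* Fixed shape: every round sets status, and the loop terminates on status. */
ldap_rcode_t fixed_loop(const int *codes, size_t n, int *rounds)
{
    fake_bind_t fb = { codes, n, 0 };
    ldap_rcode_t status;

    *rounds = 0;
    do {
        int ret = fake_bind(&fb);
        (*rounds)++;
        status = map_ret(ret); /* final round yields SUCCESS, REJECT or ERROR */
    } while (status == LDAP_PROC_CONTINUE);

    return status;
}

int main(void)
{
    /* Constructed sequences: two SASL rounds then success; one round then bad credentials. */
    const int ok[]  = { LDAP_SASL_BIND_IN_PROGRESS, LDAP_SASL_BIND_IN_PROGRESS, LDAP_SUCCESS };
    const int bad[] = { LDAP_SASL_BIND_IN_PROGRESS, LDAP_INVALID_CREDENTIALS };
    int r;

    printf("patched: ok=%d bad=%d\n", patched_loop(ok, 3, &r), patched_loop(bad, 2, &r));
    printf("fixed:   ok=%d bad=%d\n", fixed_loop(ok, 3, &r), fixed_loop(bad, 2, &r));
    return 0;
}
```

Running it shows the patched shape returning LDAP_PROC_CONTINUE (1) for both sequences, while the fixed shape returns LDAP_PROC_SUCCESS (0) for the successful exchange and LDAP_PROC_REJECT (-2) for the rejected one; in the real module the per-round translation is where rlm_ldap_result / ldap_parse_result belong.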
