LDAP draft-wahl-ldap-session

Arran Cudbard-Bell a.cudbardb at freeradius.org
Mon Jun 29 14:42:29 CEST 2015


> On 29 Jun 2015, at 04:56, Michael Ströder <michael at stroeder.com> wrote:
> 
> Michael Ströder wrote:
>> Arran Cudbard-Bell wrote:
>>> Any progress on the testing?
>>> 
>>> I'll have to remove the code unless it's confirmed to be working.
>> 
>> I was pretty busy during the last days. Please give me two more days.
> 
> I'm testing git v3.1.x 36e1b02e926df5cd75d4d548694401535c607ca9.
> 
> I'm simply using PAP with hashed passwords in LDAP attribute 'userPassword'
> (EAP-TTLS with PAP in real life, simple PAP here).
> 
> Good, the search requests (conn=1044) contain the Session Tracking Control
> (OpenLDAP logs):
> 
> 2015-06-29T10:47:05.316040+02:00 nb2 slapd-stroeder-de[5510]: conn=1044 op=1
> [IP=10.1.1.5 NAME=radiusd USERNAME=michael-homelan] SRCH
> base="cn=radiusd,ou=services,dc=stroeder,dc=local" scope=2 deref=0
> filter="(uid=michael-homelan)"
> 2015-06-29T10:47:05.316051+02:00 nb2 slapd-stroeder-de[5510]: conn=1044 op=1
> [IP=10.1.1.5 NAME=radiusd USERNAME=michael-homelan] SRCH attr=userPassword
> radiusControlAttribute radiusRequestAttribute radiusReplyAttribute
> 2015-06-29T10:47:05.316244+02:00 nb2 slapd-stroeder-de[5510]: conn=1044 op=1
> [IP=10.1.1.5 NAME=radiusd USERNAME=michael-homelan] SEARCH RESULT tag=101
> err=0 nentries=1 text=
> 
> It seems an additional LDAP connection conn=1045 is opened:
> 
> 2015-06-29T10:47:05.317153+02:00 nb2 slapd-stroeder-de[5510]: conn=1045 fd=23
> ACCEPT from IP=127.0.0.1:53074 (IP=0.0.0.0:1390)
> 2015-06-29T10:47:05.317219+02:00 nb2 slapd-stroeder-de[5510]: conn=1045 op=0
> BIND dn="uid=radiusd,ou=sys,dc=stroeder,dc=local" method=128
> 2015-06-29T10:47:05.324982+02:00 nb2 slapd-stroeder-de[5510]: conn=1045 op=0
> BIND dn="uid=radiusd,ou=sys,dc=stroeder,dc=local" mech=SIMPLE ssf=0
> 2015-06-29T10:47:05.325582+02:00 nb2 slapd-stroeder-de[5510]: conn=1045 op=0
> RESULT tag=97 err=0 text=
> 
> But now for checking the password there is no Session Tracking Control sent
> along with the bind request (conn=1044, err=49 is ok because I deliberately
> used a wrong password):

       int ldap_bind(LDAP *ld, const char *who, const char *cred,
              int method);

       int ldap_bind_s(LDAP *ld, const char *who, const char *cred,
              int method);

       int ldap_simple_bind(LDAP *ld, const char *who, const char *passwd);

       int ldap_simple_bind_s(LDAP *ld, const char *who, const char *passwd);

       int ldap_sasl_bind(LDAP *ld, const char *dn, const char *mechanism,
              struct berval *cred, LDAPControl *sctrls[],
              LDAPControl *cctrls[], int *msgidp);


Because there's no libldap bind function which takes client or server controls,
ugh, I guess we should set them on the handle and then remove them again.

It's hacky but it should work.

-Arran

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS development team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
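As an added example (not part of this thread, and not FreeRADIUS or OpenLDAP code), here is a small Python check for the symptom Michael describes: slapd prefixes an operation's log lines with `[IP=... NAME=... USERNAME=...]` only when the request carried the Session Tracking Control, so a SRCH or BIND request line without that prefix went out without the control. The sample log is constructed from the slapd lines quoted above (re-joined onto single lines); the "fixed" variant is an assumed version in which the bind on conn=1045 also carries the control.

```python
import re

# Constructed sample: the slapd 'stats' lines quoted in the thread, one per line.
SAMPLE_LOG_BROKEN = """\
2015-06-29T10:47:05.316040+02:00 nb2 slapd-stroeder-de[5510]: conn=1044 op=1 [IP=10.1.1.5 NAME=radiusd USERNAME=michael-homelan] SRCH base="cn=radiusd,ou=services,dc=stroeder,dc=local" scope=2 deref=0 filter="(uid=michael-homelan)"
2015-06-29T10:47:05.316051+02:00 nb2 slapd-stroeder-de[5510]: conn=1044 op=1 [IP=10.1.1.5 NAME=radiusd USERNAME=michael-homelan] SRCH attr=userPassword radiusControlAttribute radiusRequestAttribute radiusReplyAttribute
2015-06-29T10:47:05.316244+02:00 nb2 slapd-stroeder-de[5510]: conn=1044 op=1 [IP=10.1.1.5 NAME=radiusd USERNAME=michael-homelan] SEARCH RESULT tag=101 err=0 nentries=1 text=
2015-06-29T10:47:05.317153+02:00 nb2 slapd-stroeder-de[5510]: conn=1045 fd=23 ACCEPT from IP=127.0.0.1:53074 (IP=0.0.0.0:1390)
2015-06-29T10:47:05.317219+02:00 nb2 slapd-stroeder-de[5510]: conn=1045 op=0 BIND dn="uid=radiusd,ou=sys,dc=stroeder,dc=local" method=128
2015-06-29T10:47:05.324982+02:00 nb2 slapd-stroeder-de[5510]: conn=1045 op=0 BIND dn="uid=radiusd,ou=sys,dc=stroeder,dc=local" mech=SIMPLE ssf=0
2015-06-29T10:47:05.325582+02:00 nb2 slapd-stroeder-de[5510]: conn=1045 op=0 RESULT tag=97 err=0 text=
"""

# Assumed "after the fix" log: the same lines, with the bind also annotated.
SAMPLE_LOG_FIXED = SAMPLE_LOG_BROKEN.replace(
    "conn=1045 op=0 BIND",
    "conn=1045 op=0 [IP=10.1.1.5 NAME=radiusd USERNAME=michael-homelan] BIND",
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>\S+): conn=(?P<conn>\d+) "
    r"(?:fd=\d+ |op=(?P<op>\d+) )?"      # ACCEPT lines carry fd=, operations carry op=
    r"(?:\[(?P<session>[^\]]*)\] )?"     # present only when the request had the control
    r"(?P<rest>.*)$"
)


def parse_line(line):
    """Split one slapd stats log line into its fields, or return None if it
    does not look like one."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["kind"] = rec["rest"].split(" ", 1)[0]   # SRCH, BIND, RESULT, ACCEPT, ...
    if rec["session"]:
        rec["session"] = dict(kv.split("=", 1) for kv in rec["session"].split()
                              if "=" in kv)
    return rec


def audit(log_text, kinds=("SRCH", "BIND")):
    """Return (conn, op, kind) for every request of the given kinds that slapd
    logged without a Session Tracking annotation. Lines are grouped per
    (conn, op) because slapd emits several lines per operation."""
    ops = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["op"] is None or rec["kind"] not in kinds:
            continue
        key = (int(rec["conn"]), int(rec["op"]))
        entry = ops.setdefault(key, {"kind": rec["kind"], "session": None})
        if rec["session"]:
            entry["session"] = rec["session"]
    return [(conn, op, v["kind"]) for (conn, op), v in sorted(ops.items())
            if v["session"] is None]


if __name__ == "__main__":
    for label, log in (("as reported", SAMPLE_LOG_BROKEN), ("after fix", SAMPLE_LOG_FIXED)):
        missing = audit(log)
        print(f"{label}: {len(missing)} request(s) without Session Tracking Control")
        for conn, op, kind in missing:
            print(f"  conn={conn} op={op} {kind}")
```

Run against the quoted lines this reports only `conn=1045 op=0 BIND`; the search on conn=1044 is annotated and passes. Feed it the slapd stats log from a test run of the patched server to confirm that binds are annotated too.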
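The thread discusses which requests carry the control but not what the control value contains. As a second added example (my own code, not from the draft, FreeRADIUS or OpenLDAP), here is a pure-Python BER encoder and decoder for the control value defined in draft-wahl-ldap-session: a SEQUENCE of four OCTET STRINGs (source IP, source name, format OID as dotted-decimal text, tracking identifier). The control and format OIDs are the ones assigned in that draft; the sample values (10.1.1.5, radiusd, michael-homelan) are taken from the slapd lines quoted above. `describe()` renders the USERNAME form the way those slapd lines show it; the rendering for the other formats is my own, not slapd's.

```python
# OIDs assigned in draft-wahl-ldap-session.
SESSION_TRACKING_CONTROL_OID = "1.3.6.1.4.1.21008.108.63.1"
FORMAT_RADIUS_ACCT_SESSION_ID = "1.3.6.1.4.1.21008.108.63.1.1"
FORMAT_RADIUS_ACCT_MULTI_SESSION_ID = "1.3.6.1.4.1.21008.108.63.1.2"
FORMAT_USERNAME = "1.3.6.1.4.1.21008.108.63.1.3"

TAG_OCTET_STRING = 0x04
TAG_SEQUENCE = 0x30


def _der_length(n):
    """Definite-form length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _der_length(len(payload)) + payload


def encode_control_value(source_ip, source_name, format_oid, identifier):
    """Encode SessionIdentifierControlValue ::= SEQUENCE { sessionSourceIp,
    sessionSourceName, formatOID, sessionTrackingIdentifier }.  All four are
    OCTET STRINGs; the formatOID is an LDAPOID (dotted-decimal text), not an
    ASN.1 OBJECT IDENTIFIER."""
    fields = (source_ip, source_name, format_oid, identifier)
    body = b"".join(_tlv(TAG_OCTET_STRING, f.encode("utf-8")) for f in fields)
    return _tlv(TAG_SEQUENCE, body)


def _read_tlv(data, pos, expected_tag):
    """Return (payload, position after the element), checking the tag."""
    if pos >= len(data) or data[pos] != expected_tag:
        raise ValueError(f"expected tag 0x{expected_tag:02x} at offset {pos}")
    length = data[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if pos + length > len(data):
        raise ValueError("element runs past end of value")
    return data[pos:pos + length], pos + length


def decode_control_value(value):
    """Inverse of encode_control_value; raises ValueError on malformed input."""
    body, end = _read_tlv(value, 0, TAG_SEQUENCE)
    if end != len(value):
        raise ValueError("trailing bytes after SEQUENCE")
    fields, pos = [], 0
    while pos < len(body):
        s, pos = _read_tlv(body, pos, TAG_OCTET_STRING)
        fields.append(s.decode("utf-8"))
    if len(fields) != 4:
        raise ValueError(f"expected 4 fields, got {len(fields)}")
    return tuple(fields)


def describe(value):
    """Render a control value like slapd's stats log does for the USERNAME
    format ([IP=... NAME=... USERNAME=...]); other formats get a generic
    rendering of my own."""
    ip, name, fmt, ident = decode_control_value(value)
    if fmt == FORMAT_USERNAME:
        return f"[IP={ip} NAME={name} USERNAME={ident}]"
    return f"[IP={ip} NAME={name} FORMAT={fmt} ID={ident}]"


if __name__ == "__main__":
    # Sample values taken from the slapd lines quoted in the thread.
    v = encode_control_value("10.1.1.5", "radiusd", FORMAT_USERNAME, "michael-homelan")
    print(SESSION_TRACKING_CONTROL_OID, v.hex())
    print(describe(v))
```

The encoded bytes are what belongs in the `ldctl_value` of an `LDAPControl` whose `ldctl_oid` is the control OID; decoding a captured value back with `decode_control_value()` is a quick way to confirm a client is sending the fields you expect.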
