On 29 Jun 2015, at 04:56, Michael Ströder <michael@stroeder.com> wrote:
Michael Ströder wrote:
Arran Cudbard-Bell wrote:
Any progress on the testing?
I'll have to remove the code unless it's confirmed to be working.
I was pretty busy during the last days. Please give me two more days.
I'm testing git v3.1.x 36e1b02e926df5cd75d4d548694401535c607ca9.
I'm simply using PAP with hashed passwords in LDAP attribute 'userPassword' (EAP-TTLS with PAP in real life, simple PAP here).
Good, the search requests (conn=1044) contain the Session Tracking Control (OpenLDAP logs):
2015-06-29T10:47:05.316040+02:00 nb2 slapd-stroeder-de[5510]: conn=1044 op=1 [IP=10.1.1.5 NAME=radiusd USERNAME=michael-homelan] SRCH base="cn=radiusd,ou=services,dc=stroeder,dc=local" scope=2 deref=0 filter="(uid=michael-homelan)" 2015-06-29T10:47:05.316051+02:00 nb2 slapd-stroeder-de[5510]: conn=1044 op=1 [IP=10.1.1.5 NAME=radiusd USERNAME=michael-homelan] SRCH attr=userPassword radiusControlAttribute radiusRequestAttribute radiusReplyAttribute 2015-06-29T10:47:05.316244+02:00 nb2 slapd-stroeder-de[5510]: conn=1044 op=1 [IP=10.1.1.5 NAME=radiusd USERNAME=michael-homelan] SEARCH RESULT tag=101 err=0 nentries=1 text=
It seems an additional LDAP connection conn=1045 is opened:
2015-06-29T10:47:05.317153+02:00 nb2 slapd-stroeder-de[5510]: conn=1045 fd=23 ACCEPT from IP=127.0.0.1:53074 (IP=0.0.0.0:1390) 2015-06-29T10:47:05.317219+02:00 nb2 slapd-stroeder-de[5510]: conn=1045 op=0 BIND dn="uid=radiusd,ou=sys,dc=stroeder,dc=local" method=128 2015-06-29T10:47:05.324982+02:00 nb2 slapd-stroeder-de[5510]: conn=1045 op=0 BIND dn="uid=radiusd,ou=sys,dc=stroeder,dc=local" mech=SIMPLE ssf=0 2015-06-29T10:47:05.325582+02:00 nb2 slapd-stroeder-de[5510]: conn=1045 op=0 RESULT tag=97 err=0 text=
But now for checking the password there is no Session Tracking Control sent along with the bind request (conn=1044, err=49 is ok because I deliberately used a wrong password):
int ldap_bind(LDAP *ld, const char *who, const char *cred, int method); int ldap_bind_s(LDAP *ld, const char *who, const char *cred, int method); int ldap_simple_bind(LDAP *ld, const char *who, const char *passwd); int ldap_simple_bind_s(LDAP *ld, const char *who, const char *passwd); int ldap_sasl_bind(LDAP *ld, const char *dn, const char *mechanism, struct berval *cred, LDAPControl *sctrls[], LDAPControl *cctrls[], int *msgidp); Because there's no libldap bind function which takes client or server controls, ug I guess we should set them on the handle and then remove them again. It's hacky but it should work. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2