Re: Kerberos double binding creates no bindings (ITS#434)
I should note that the long term support for Kerberos will be
based upon SASL/GSSAPI mechanisms. The LDAPv2 Kerberos bind
methods should quietly fade away.
Kurt
At 11:41 AM 1/27/00 -0800, Booker Bense wrote:
>On Thu, 27 Jan 2000, Mark Adamson wrote:
>> Hello all.
>>
>> I am working on getting OpenLDAP 2.0 working for the CMU campus
>> here. I CVS downloaded the source in early December and have it
>> compiled and running on my desktop machine.
>>
>> I am working on getting Kerberos authentication working, and ran
>> into what I'd have to call a bug. It has to do with how a client such
>> as ldapsearch uses ldap_kerberos_bind_s() and how the server binds your
>> DN using do_bind().
>>
>> When a client uses ldap_kerberos_bind_s() it first binds with an
>> authmethod LDAP_AUTH_KRBV41 (the "ldapserver" ticket), and then again
>> with LDAP_AUTH_KRBV42 (the "x500dsa" ticket). On the server, in the
>> function
>>
>> servers/slapd/back-ldbm/bind.c
>> ldbm_back_bind()
>>
>> the first bind does all of the leg work of checking the krbName and
>> returns 0 to the calling function
>>
>> servers/slapd/bind.c
>> do_bind()
>>
>> The second bind on the server simply sends a SUCCESS message back to
>> the client and returns a non-zero code back to do_bind(), with the
>> comment "stop front end from sending result".
>>
>> When do_bind() was called, it first cleared any previous bindings and
>> then if the backend bind returns 0 it will store the requested DN in
>> the connection.
>>
>> The bug is that the second (LDAP_AUTH_KRBV42) binding in
>> ldbm_back_bind() always returns a non-zero code to do_bind(), so the
>> DN binding from the first binding was erased and not stored the second
>> time. The result is a connection that has NO binding: you are
>> unauthenticated.
>>
>>
>> I am curious as to why the second binding wants to send the SUCCESS
>> message itself and return !0, instead of returning 0 and letting
>> do_bind() return SUCCESS (and set the DN binding).
>
>
>- The whole double-bind thing is a hack from the Umich code when
>ldap was more integrated into the whole X500 environment. If you
>are running slapd, there is really no point to doing anything
>besides LDAP_AUTH_KRBV41. It's my understanding that the original
>idea was to authenticate to both the ldap server and the X500
>DSA. I have no idea why this was done, but since X500 DSAs have
>gone the way of the dodo, there is really no point in doing it
>now.
>
>- Booker C. Bense
>
>
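The front-end/back-end interaction Mark describes, as an added example that is not OpenLDAP code and not part of this thread: a minimal model of do_bind() clearing the previous binding and storing the DN only when the backend returns 0, with the KRBV42 step returning non-zero as in the report. All names (conn_t, backend_bind, do_bind, the fix_krbv42 switch, the sample DN) are hypothetical, and the fixed variant simply lets the second bind return 0, which is the alternative the report asks about.

```c
/* Added example, not OpenLDAP source: models the slapd do_bind() /
 * ldbm_back_bind() flow from the thread. All names are hypothetical. */
#include <string.h>

#define AUTH_KRBV41 1   /* stands in for LDAP_AUTH_KRBV41 */
#define AUTH_KRBV42 2   /* stands in for LDAP_AUTH_KRBV42 */

typedef struct { char dn[64]; } conn_t;   /* bound DN; empty = anonymous */

/* Backend bind as the report describes it: KRBV41 does the real ticket
 * check and returns 0; KRBV42 sends SUCCESS itself and returns non-zero
 * ("stop front end from sending result"). With fix_krbv42 set, KRBV42
 * returns 0 and leaves sending the result to do_bind(). */
static int backend_bind(int method, int ticket_ok, int fix_krbv42)
{
    if (method == AUTH_KRBV41)
        return ticket_ok ? 0 : -1;
    if (method == AUTH_KRBV42)
        return fix_krbv42 ? 0 : 1;
    return -1;                           /* unknown method: reject */
}

/* Front end: any previous binding is cleared first, and the requested DN
 * is stored only if the backend returned 0. */
static void do_bind(conn_t *c, const char *dn, int method,
                    int ticket_ok, int fix_krbv42)
{
    c->dn[0] = '\0';                     /* prior binding erased here */
    if (backend_bind(method, ticket_ok, fix_krbv42) == 0) {
        strncpy(c->dn, dn, sizeof c->dn - 1);
        c->dn[sizeof c->dn - 1] = '\0';
    }
}

/* Replay the two-step sequence ldap_kerberos_bind_s() performs and return
 * 1 if the connection ends up bound to dn, 0 if it is left anonymous. */
int double_bind_leaves_dn(int fix_krbv42)
{
    conn_t c = { "" };
    const char *dn = "cn=example,dc=example,dc=org";   /* constructed DN */
    do_bind(&c, dn, AUTH_KRBV41, 1, fix_krbv42);  /* ticket ok, DN stored */
    do_bind(&c, dn, AUTH_KRBV42, 1, fix_krbv42);  /* unfixed: DN cleared */
    return strcmp(c.dn, dn) == 0;
}
```

With the unfixed behaviour the second call wipes the DN the first call stored, so the connection ends up unauthenticated; with the second bind returning 0 the DN survives.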