Re: getting DN from client with GSSAPI bind?

["Kurt D. Zeilenga" <kurt@OpenLDAP.org>]

On Jan 24, 2007, at 7:50 AM, Kenneth Rogers wrote:

> Thanks,
>
> I guess I wasn't clear enough, I'm working on the client and need to
> get the DN from the server after performing a GSSAPI bind.
>
> ldap_whoami_s(...) looks like it should work, although right now I'm
> getting an LDAP_DECODING_ERROR (-4) from it, and I don't know why.

This error means the library was unable to decode the response PDU.

> Any ideas what causes that error.

Most likely a malformed response PDU.

> The client is using openldap 2.3.24
> on a linux system, and the server is Windows 2000 Active Directory.

You should verify the server in question supports the LDAP Whoami?
operation (RFC 4532).   If the server doesn't support this, you might  
see if the
server supports authorization identity controls (RFC 3829).    
Otherwise, you
might see if the server supports some other means for obtaining the
desired information.   A forum about AD would be an appropriate place
to ask such questions.

-- Kurt

> KR
>
> On 1/24/07, Dieter Klünter <dieter@dkluenter.de> wrote:
> > Am Dienstag, 23. Januar 2007 22:33 schrieb Kenneth Rogers:
> > > Hi,
> > >
> > > After a successful GSSAPI binding, is there an easy way to get  
> > the DN
> > > for that user from the server?
> >
> > sasl returns an authentication string something like
> > uid=<user>,cn=<realm>,cn=<mechanism>,cn=auth
> > this string can be mapped to an entry, see the authz-regexp  
> > directive in
> > slapd.conf(5).
> >
> > -Dieter
> >
> > --
> > Dieter Klünter | Systemberatung
> > http://www.dkluenter.de
> > GPG Key ID:8EF7B6C6
>
>
> --
> "Linux doesn't exist." -- Kieren O'Shaghnessy (Director of SCO  
> Australia)