I should note that the long term support for Kerberos will be based upon SASL/GSSAPI mechanisms. The LDAPv2 Kerberos bind methods should quietly fade away.

Kurt

At 11:41 AM 1/27/00 -0800, Booker Bense wrote:
>On Thu, 27 Jan 2000, Mark Adamson wrote:
>> Hello all.
>>
>> I am working on getting OpenLDAP 2.0 working for the CMU campus here. I CVS downloaded the source in early December and have it compiled and running on my desktop machine.
>>
>> I am working on getting Kerberos authentication working, and ran into what I'd have to call a bug. It has to do with how a client such as ldapsearch uses ldap_kerberos_bind_s() and how the server binds your DN using do_bind().
>>
>> When a client uses ldap_kerberos_bind_s() it first binds with an authmethod LDAP_AUTH_KRBV41 (the "ldapserver" ticket), and then again with LDAP_AUTH_KRBV42 (the "x500dsa" ticket). On the server, in the function
>>
>> servers/slapd/back-ldbm/bind.c
>> ldbm_back_bind()
>>
>> the first bind does all of the leg work of checking the krbName and returns 0 to the calling function
>>
>> servers/slapd/bind.c
>> do_bind()
>>
>> The second bind on the server simply sends a SUCCESS message back to the client and returns a non-zero code back to do_bind(), with the comment "stop front end from sending result".
>>
>> When do_bind() was called, it first cleared any previous bindings and then, if the backend bind returns 0, it will store the requested DN in the connection.
>>
>> The bug is that the second (LDAP_AUTH_KRBV42) binding in ldbm_back_bind() always returns a non-zero code to do_bind(), so the DN binding from the first binding was erased and not stored the second time. The result is a connection that has NO binding: you are unauthenticated.
>>
>> I am curious as to why the second binding wants to send the SUCCESS message itself and return !0, instead of returning 0 and letting do_bind() return SUCCESS (and set the DN binding).
>
>- The whole double-bind thing is a hack from the Umich code when ldap was more integrated into the whole X500 environment. If you are running slapd, there is really no point in doing anything besides LDAP_AUTH_KRBV41. It's my understanding that the original idea was to authenticate to both the ldap server and the X500 DSA. I have no idea why this was done, but since X500 DSAs have gone the way of the dodo, there is really no point in doing it now.
>
>- Booker C. Bense
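The control-flow defect Mark describes (the front end clears the binding before every backend call and only records the DN when the backend returns 0, while the second Kerberos bind always returns non-zero) can be reproduced in a few lines. The model below is an added example, not OpenLDAP's code: `do_bind`, `backend_bind`, `struct conn` and the `AUTH_KRBV41`/`AUTH_KRBV42` constants are hypothetical stand-ins for the real functions, a `ticket_ok` flag stands in for the krbName check, and the sample DN is constructed. The `fixed` variant lets the KRBV42 step return 0 only on a connection already bound by the KRBV41 step; that extra condition is my assumption about a safe fix (the report only asks why the second bind does not return 0), since an unconditional 0 would let the second bind authenticate a connection whose first bind failed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the bind flow in the report; not OpenLDAP code.
 * The two authmethods ldap_kerberos_bind_s() sends in sequence. */
#define AUTH_KRBV41 1   /* "ldapserver" ticket: the real krbName check */
#define AUTH_KRBV42 2   /* "x500dsa" ticket: the legacy second bind */

/* Per-connection state: an empty bound_dn means the connection is
 * unauthenticated. */
struct conn {
    char bound_dn[128];
};

/* Backend bind (stand-in for ldbm_back_bind()). Returns 0 when the front end
 * should record the DN and send the result, non-zero when the backend has
 * already sent the result itself. ticket_ok replaces the krbName check. */
static int backend_bind(int method, int ticket_ok, int was_bound, int fixed)
{
    if (method == AUTH_KRBV41)
        return ticket_ok ? 0 : -1;          /* real check, 0 on success */

    if (method == AUTH_KRBV42) {
        if (!fixed)
            return 1;   /* as reported: sends SUCCESS itself, returns non-zero
                           ("stop front end from sending result") */
        /* assumed safe fix: succeed only when the KRBV41 step already bound
         * this connection, so a failed first bind cannot be "upgraded" here */
        return was_bound ? 0 : -1;
    }
    return -1;
}

/* Front end bind (stand-in for do_bind()): clears any previous binding, then
 * stores the DN only when the backend returns 0. */
static void do_bind(struct conn *c, int method, const char *dn,
                    int ticket_ok, int fixed)
{
    int was_bound = c->bound_dn[0] != '\0';
    c->bound_dn[0] = '\0';                  /* clear previous binding */
    if (backend_bind(method, ticket_ok, was_bound, fixed) == 0) {
        strncpy(c->bound_dn, dn, sizeof c->bound_dn - 1);
        c->bound_dn[sizeof c->bound_dn - 1] = '\0';
    }
}

/* Replays the client's KRBV41-then-KRBV42 sequence on a fresh connection.
 * Returns 1 if the connection ends up authenticated as dn, 0 otherwise. */
int kerberos_bind_sequence(int fixed, int ticket_ok, const char *dn)
{
    struct conn c = { "" };
    do_bind(&c, AUTH_KRBV41, dn, ticket_ok, fixed);
    do_bind(&c, AUTH_KRBV42, dn, ticket_ok, fixed);
    return strcmp(c.bound_dn, dn) == 0;
}

int main(void)
{
    const char *dn = "cn=example,dc=test";   /* constructed sample DN */

    /* reported behaviour: valid ticket, yet the second bind erases the DN */
    printf("buggy backend, valid ticket: authenticated=%d\n",
           kerberos_bind_sequence(0, 1, dn));
    /* fixed backend keeps the DN from the first bind */
    printf("fixed backend, valid ticket: authenticated=%d\n",
           kerberos_bind_sequence(1, 1, dn));
    /* fixed backend must still refuse when the first bind failed */
    printf("fixed backend, bad ticket:   authenticated=%d\n",
           kerberos_bind_sequence(1, 0, dn));
    return 0;
}
```

The first call returns 0 even with a valid ticket, which is the "connection that has NO binding" the report describes; the second returns 1; the third stays 0, which is the property any fix has to preserve.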
changed notes changed state Open to Closed
comment not issue.