[Date Prev][Date Next] [Chronological] [Thread] [Top]

[ldapext] Proxy Authentication

To: ldapext@ietf.org
Subject: [ldapext] Proxy Authentication
From: Matt Yacobucci <myacobucci@jabber.com>
Date: Wed, 29 Jun 2005 13:45:26 -0600

I am having significant problems with proxy auth. Please help.

Openldap version: 2.2.17

My slapd.conf has the sasl-authz-policy set to both

I have a user uid=matt1
dn: cn=matt1,dc=qa,dc=jabber,dc=com
saslAuthzTo: ldap:///dc=qa,dc=jabber,dc=com??sub?(objectclass=*)

When I run my sample program it fails and I get the below output in my
logs:
=> get_ctrls: oid="2.16.840.1.113730.3.4.18" (critical)
parseProxyAuthz: conn 1 authzid="cn=matt2,dc=qa,dc=jabber,dc=com"
slap_sasl_getdn: id=cn=matt2,dc=qa,dc=jabber,dc=com [len=31]
<= get_ctrls: n=1 rc=47 err="authzId mapping failed"
send_ldap_result: conn=1 op=0 p=3
send_ldap_result: err=47 matched="" text="authzId mapping failed"

SAMPLE CODE:
#include <ldap.h>

#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <sys/time.h>
#include <memory.h>

int main()
{
    int version;
    LDAP* ld;
    LDAPControl* requestctrls[2];
    LDAPControl* pactrl = NULL;

    int port = 7389;
    char* host = "sqaldap1.qa.jabber.com";
    char* baseDN = "dc=qa,dc=jabber,dc=com";

    char* proxyDN = "cn=matt2,dc=qa,dc=jabber,dc=com";

    char* bindDN = "cn=matt1,dc=qa,dc=jabber,dc=com";
    char* bindPW = "test";

    if ((ld = ldap_init(host, port)) == NULL)
    {
        printf("ldap_init did not return a conn handle.\n");
        return (-1);
    }

    version = LDAP_VERSION3;
    ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);

    if (ldap_simple_bind_s(ld, bindDN, bindPW) != LDAP_SUCCESS)
    {
        printf("ldap_simple_bind_s failed");
        return (-1);
    }

    pactrl = (LDAPControl*)malloc(sizeof(LDAPControl));
    memset((void*)pactrl, 0, sizeof(LDAPControl));
    pactrl->ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ;
    pactrl->ldctl_iscritical = 1;
    pactrl->ldctl_value.bv_val = proxyDN;
    pactrl->ldctl_value.bv_len = strlen(proxyDN);

    requestctrls[0] = pactrl;
    requestctrls[1] = NULL;

    /* Perform the search using the control */
    LDAPMessage* results;
    printf("Searching for %s with the proxy auth control.\n", proxyDN);
    int err;
    if ( (err = ldap_search_ext_s( ld, proxyDN, LDAP_SCOPE_SUBTREE,
                                   "(objectclass=*)",
                                   NULL, 0, requestctrls, NULL, NULL,
                                   LDAP_NO_LIMIT,
                                   &results )) != LDAP_SUCCESS ) {
        printf("%d, %s\n", err, ldap_err2string(err));
        printf("ldap_search_ext failed.\n");
        printf("Something is wrong with proxied auth.\n");
    } else {
        printf("ldap_search_ext didn't fail.\n");
    }

    return 0;
}

Thanks,
-- 
Matt Yacobucci <myacobucci@jabber.com>


_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext

Follow-Ups:
- Re: [ldapext] Proxy Authentication
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

Prev by Date: Re: [ldapext] draft-zeilenga-ldap-dontusecopy & chaining
Next by Date: Re: [ldapext] Proxy Authentication
Index(es):
- Chronological
- Thread