[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: [ldapext] Proxy Authentication
Please note this list is intended for discussions regarding
standardization of LDAP extensions, such as the LDAP Proxied
Authorization control. While questions about the specification
of this control are welcomed here, it seems your post is
primarily in regards to the OpenLDAP Project's implementation
of this LDAP extension. Hence, you post should be redirected
there.
I do note that specification of this control requires the
controlValue to the an LDAP authzid, or empty, and your code
appears to violate this requirement by sending an LDAP DN in
RFC 2253 form. draft-weltman-ldapv3-proxy-13.txt:
The controlValue SHALL be present and contain either
an authzId [AUTH] representing the authorization
identity for the request or empty if an anonymous
association is to be used.
Kurt
At 12:45 PM 6/29/2005, Matt Yacobucci wrote:
>I am having significant problems with proxy auth. Please help.
>
>Openldap version: 2.2.17
>
>My slapd.conf has the sasl-authz-policy set to both
>
>I have a user uid=matt1
>dn: cn=matt1,dc=qa,dc=jabber,dc=com
>saslAuthzTo: ldap:///dc=qa,dc=jabber,dc=com??sub?(objectclass=*)
>
>When I run my sample program it fails and I get the below output in my
>logs:
>=> get_ctrls: oid="2.16.840.1.113730.3.4.18" (critical)
>parseProxyAuthz: conn 1 authzid="cn=matt2,dc=qa,dc=jabber,dc=com"
>slap_sasl_getdn: id=cn=matt2,dc=qa,dc=jabber,dc=com [len=31]
><= get_ctrls: n=1 rc=47 err="authzId mapping failed"
>send_ldap_result: conn=1 op=0 p=3
>send_ldap_result: err=47 matched="" text="authzId mapping failed"
>
>SAMPLE CODE:
>#include <ldap.h>
>
>#include <stdio.h>
>#include <stdlib.h>
>#include <errno.h>
>#include <sys/time.h>
>#include <memory.h>
>
>int main()
>{
> int version;
> LDAP* ld;
> LDAPControl* requestctrls[2];
> LDAPControl* pactrl = NULL;
>
> int port = 7389;
> char* host = "sqaldap1.qa.jabber.com";
> char* baseDN = "dc=qa,dc=jabber,dc=com";
>
> char* proxyDN = "cn=matt2,dc=qa,dc=jabber,dc=com";
>
> char* bindDN = "cn=matt1,dc=qa,dc=jabber,dc=com";
> char* bindPW = "test";
>
> if ((ld = ldap_init(host, port)) == NULL)
> {
> printf("ldap_init did not return a conn handle.\n");
> return (-1);
> }
>
> version = LDAP_VERSION3;
> ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);
>
> if (ldap_simple_bind_s(ld, bindDN, bindPW) != LDAP_SUCCESS)
> {
> printf("ldap_simple_bind_s failed");
> return (-1);
> }
>
> pactrl = (LDAPControl*)malloc(sizeof(LDAPControl));
> memset((void*)pactrl, 0, sizeof(LDAPControl));
> pactrl->ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ;
> pactrl->ldctl_iscritical = 1;
> pactrl->ldctl_value.bv_val = proxyDN;
> pactrl->ldctl_value.bv_len = strlen(proxyDN);
>
> requestctrls[0] = pactrl;
> requestctrls[1] = NULL;
>
> /* Perform the search using the control */
> LDAPMessage* results;
> printf("Searching for %s with the proxy auth control.\n", proxyDN);
> int err;
> if ( (err = ldap_search_ext_s( ld, proxyDN, LDAP_SCOPE_SUBTREE,
> "(objectclass=*)",
> NULL, 0, requestctrls, NULL, NULL,
> LDAP_NO_LIMIT,
> &results )) != LDAP_SUCCESS ) {
> printf("%d, %s\n", err, ldap_err2string(err));
> printf("ldap_search_ext failed.\n");
> printf("Something is wrong with proxied auth.\n");
> } else {
> printf("ldap_search_ext didn't fail.\n");
> }
>
> return 0;
>}
>
>Thanks,
>--
>Matt Yacobucci <myacobucci@jabber.com>
>
>
>_______________________________________________
>Ldapext mailing list
>Ldapext@ietf.org
>https://www1.ietf.org/mailman/listinfo/ldapext
_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext