RE: several V2 kbind related issues (ITS#717)
Hi Kurt,
I have it complete now! The following client/server combinations work:
2.0.1-client against 1.2.11-server with "-k -P 2" options
1.2.11-client against 2.0.1-server with "-K" option
2.0.1-client against 2.0.1-server with "-K -P 2" options
The "-k" option against the 2.0.1-server gives:
ldap_bind: DSA is unwilling to perform
ldap_bind: additional info: Kerberos bind step 2 not supported
which is o.k. and shouldn't hurt (at least I don't care).
Following is the complete diff (I had to make a few more changes):
*** ./clients/ud/auth.c.orig Wed Sep 6 18:57:46 2000
--- ./clients/ud/auth.c Wed Sep 6 18:58:16 2000
***************
*** 163,169 ****
/* if we're running as a server (e.g., out of inetd) */
if ( ! isatty( 1 ) ) {
! strcpy( tktpath, LDAP_TMPDIR LDAP_DEFSEP "ud_tktXXXXXX"
);
mktemp( tktpath );
krb_set_tkt_string( tktpath );
}
--- 163,169 ----
/* if we're running as a server (e.g., out of inetd) */
if ( ! isatty( 1 ) ) {
! strcpy( tktpath, LDAP_TMPDIR LDAP_DIRSEP "ud_tktXXXXXX"
);
mktemp( tktpath );
krb_set_tkt_string( tktpath );
}
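Review bot: mktemp() only picks a name for the ticket file and does not create it, so between that call and the point where the Kerberos library creates the file another local user can pre-create or symlink that name in LDAP_TMPDIR; the call is also flagged as dangerous by most linkers. Replacing it with `int fd = mkstemp( tktpath ); if ( fd < 0 ) { /* report and bail out */ } close( fd );` creates the file atomically with a private mode and an unpredictable name; whether the krb4 ticket-file code accepts an already existing empty file should be confirmed, and if it does not, the file has to be removed again before krb_set_tkt_string. The strcpy copies a compile-time constant, so it is bounded only if tktpath is sized for it, which cannot be seen from here. The enclosing function starts and ends outside the hunk.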
*** ./libraries/libldap/open.c.orig Wed Sep 6 18:59:13 2000
--- ./libraries/libldap/open.c Wed Sep 6 19:00:00 2000
***************
*** 322,331 ****
}
#endif
- if ( conn->lconn_krbinstance != NULL ) {
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
char *c;
! conn->lconn_krbinstance = ldap_host_connected_to( conn->sb );
if( conn->lconn_krbinstance != NULL &&
( c = strchr( conn->lconn_krbinstance, '.' )) != NULL ) {
--- 322,331 ----
}
#endif
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
+ if ( conn->lconn_krbinstance == NULL ) {
char *c;
! conn->lconn_krbinstance = ldap_host_connected_to( conn->lconn_sb
);
if( conn->lconn_krbinstance != NULL &&
( c = strchr( conn->lconn_krbinstance, '.' )) != NULL ) {
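Review bot: The Kerberos instance is whatever `ldap_host_connected_to( conn->lconn_sb )` returns for the peer, cut at the first '.', so the service principal the client authenticates to is chosen by that name; if, as the routine's name suggests, it is a reverse lookup of the connected address, anyone controlling reverse DNS for the server's IP can steer the client towards a different instance, and deriving the instance from the host name the caller asked to connect to would be safer. A NULL return is silently kept as a NULL instance with no error reported, which will presumably only surface later at bind time; a comment such as `/* NULL instance: ldap_host_connected_to() failed, kbind will be rejected later */` would make that explicit. The enclosing function starts and ends outside the hunk.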
***************
*** 332,337 ****
--- 332,338 ----
*c = '\0';
}
#else /* LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND */
+ if ( conn->lconn_krbinstance != NULL ) {
conn->lconn_krbinstance = NULL;
#endif /* LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND */
}
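Review bot: In the `#else` branch the new `if ( conn->lconn_krbinstance != NULL ) {` opens a block whose closing brace after `#endif` is shared with the `#ifdef` branch, which is fragile, and the guard is redundant for a plain assignment — `conn->lconn_krbinstance = NULL;` alone has the same effect. If a non-NULL value here can be heap memory owned by the connection (the kbind branch stores the return of ldap_host_connected_to, whose ownership is not visible in the hunk), overwriting it with NULL without releasing it leaks; worth confirming against the connection teardown code. The enclosing function starts and ends outside the hunk.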
*** ./configure.in.orig Wed Sep 6 19:39:30 2000
--- ./configure.in Wed Sep 6 19:41:52 2000
***************
*** 801,806 ****
--- 801,810 ----
ol_link_kpasswd=yes;
fi
+ if test $ol_enable_kbind != no ; then
+ ol_link_kbind=yes;
+ fi
+
if test $ol_with_kerberos = k5only ; then
ol_with_kerberos=found
fi
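Review bot: The new `if test $ol_enable_kbind != no ; then` sets ol_link_kbind=yes without requiring a Kerberos 4 library, whereas the second configure.in hunk guards the same assignment with `$ol_link_krb4 = yes -a`; unless the enclosing block (outside the hunk) already guarantees krb4 was found, a build with kbind enabled and no libkrb4 would turn the feature on and then fail at link time. Making this `if test $ol_link_krb4 = yes -a $ol_enable_kbind != no ; then` keeps the two consistent. Quoting the variables (`"$ol_enable_kbind"`) would also avoid a test syntax error should the option variable ever be empty. The enclosing if-block starts and ends outside the hunk.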
***************
*** 901,906 ****
--- 905,914 ----
ol_link_kpasswd=yes;
fi
+ if test $ol_link_krb4 = yes -a $ol_enable_kbind != no ; then
+ ol_link_kbind=yes;
+ fi
+
if test $ol_link_krb4 = yes -o $ol_link_krb5 = yes ; then
AC_DEFINE(HAVE_KERBEROS, 1, [define if you have Kerberos])
*** ./servers/slapd/back-ldbm/bind.c.orig Wed Sep 6 19:01:39 2000
--- ./servers/slapd/back-ldbm/bind.c Thu Sep 7 21:13:24 2000
***************
*** 37,42 ****
--- 37,43 ----
Entry *matched;
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
char krbname[MAX_K_NAME_SZ + 1];
+ AttributeDescription *krbattrib = slap_schema.si_ad_krbName;
AUTH_DAT ad;
#endif
***************
*** 185,191 ****
}
if ( ! access_allowed( be, conn, op, e,
! "krbname", NULL, ACL_AUTH ) )
{
send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
NULL, NULL, NULL, NULL );
--- 186,192 ----
}
if ( ! access_allowed( be, conn, op, e,
! krbattrib, NULL, ACL_AUTH ) )
{
send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
NULL, NULL, NULL, NULL );
***************
*** 196,202 ****
sprintf( krbname, "%s%s%s@%s", ad.pname, *ad.pinst ? "."
: "", ad.pinst, ad.prealm );
! if ( (a = attr_find( e->e_attrs, "krbname" )) == NULL ) {
/*
* no krbname values present: check against DN
*/
--- 197,203 ----
sprintf( krbname, "%s%s%s@%s", ad.pname, *ad.pinst ? "."
: "", ad.pinst, ad.prealm );
! if ( (a = attr_find( e->e_attrs, krbattrib )) == NULL ) {
/*
* no krbname values present: check against DN
*/
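Review bot: `sprintf( krbname, "%s%s%s@%s", ad.pname, ..., ad.prealm )` formats principal components taken from the client's Kerberos ticket into the fixed `char krbname[MAX_K_NAME_SZ + 1]` declared earlier in the file with no length check; this line is pre-existing context, but it is authentication code fed by network input. If MAX_K_NAME_SZ is, as in krb4, sized for name, instance, realm and separators the write is bounded, but `snprintf( krbname, sizeof krbname, "%s%s%s@%s", ... )` followed by a truncation check costs nothing and removes the dependence on that invariant. The enclosing bind function starts and ends outside the hunk.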
***************
*** 215,221 ****
krbval.bv_val = krbname;
krbval.bv_len = strlen( krbname );
! if ( value_find( a->a_vals, &krbval, a->a_syntax, 3 ) !=
0 ) {
send_ldap_result( conn, op,
LDAP_INVALID_CREDENTIALS,
NULL, NULL, NULL, NULL );
--- 216,222 ----
krbval.bv_val = krbname;
krbval.bv_len = strlen( krbname );
! if ( value_find( a->a_desc, a->a_vals, &krbval ) != 0 )
{
send_ldap_result( conn, op,
LDAP_INVALID_CREDENTIALS,
NULL, NULL, NULL, NULL );
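Review bot: The new `value_find( a->a_desc, a->a_vals, &krbval )` drops the explicit syntax and the trailing `3` of the old call, so the comparison semantics now come entirely from the equality matching rule attached to the krbName attribute description; since this decides whether the authenticated principal matches the entry, it is worth confirming that rule is an exact, case-sensitive match, because Kerberos principal names are generally case-sensitive and a case-ignoring rule would let `USER@REALM` bind as an entry holding `user@REALM`. A comment such as `/* krbName equality rule must be case-exact: principal names are case-sensitive */` would record that assumption. The enclosing function starts and ends outside the hunk.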
Best regards,
Karsten.
| -----Original Message-----
| From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
| Sent: Wednesday, September 06, 2000 21:43
| To: karsten.kuenne@desy.de
| Cc: openldap-its@OpenLDAP.org
| Subject: Re: several V2 kbind related issues (ITS#717)
|
|
| Karsten,
|
| I made a number (to HEAD branch) of client-side only changes based
| upon your suggestions.
|
| At 06:33 PM 9/6/00 +0000, karsten.kuenne@desy.de wrote:
| >I didn't test the server side yet.
|
| Your patch is likely incomplete. I'll defer action pending
| your submission (as a separate issue) of a tested patch.
|
| Kurt
|
|