[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: how to NOT use SASL

To: Frank Van Damme <frank.vandamme@gmail.com>
Subject: Re: how to NOT use SASL
From: Philip Guenther <guenther+ldapsoft@sendmail.com>
Date: Tue, 11 May 2010 08:57:25 -0700
Cc: openldap-software@openldap.org
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sendmail.com; s=spork.dkim; t=1273593446; bh=Pnn1EjjDUIpms82EQm9ZBSto8mJbEj33DBF2 zeaEN3Y=; h=Date:From:To:cc:Subject:In-Reply-To:Message-ID: References:MIME-Version:Content-Type; b=CHIC3VG7LTLUl/wjR7WofQ5qkA gIes6GHZhoAIuABKj59gvV1DdN6XjwJ2bJ3xyzB/9JE1S2b8ZfgXnJzYyUpK5Ljsui3 OMt9pK4L+v6ScRm4cmARAaYLcS1jlQSNxQ8/ZDibMe+BR2nXkgifEP8pbWhnUJ4mx1/ /HBW8TtsKWo=
In-reply-to: <AANLkTil9bne7aMYzQdusycFDC7hTuLoayidwfI6XTXJw@mail.gmail.com>
References: <AANLkTil9bne7aMYzQdusycFDC7hTuLoayidwfI6XTXJw@mail.gmail.com>
User-agent: Alpine 2.00 (BSO 1167 2008-08-23)

On Tue, 11 May 2010, Frank Van Damme wrote:
> Now this is something I don't understand. TSL shouldn't require the use 
> of sasl, logically speaking, yet why am I getting this output?
> 
> frvdamme@osc1:~$ ldapsearch  -w dd -D
> 'cn=admin,dc=otec,dc=vub,dc=ac,dc=be' '(cn=admin)'  -H
> ldap://localhost -x

As a side-note, the above command-line is non-portable as it depends on a 
GNU-libc extension to the behavior of getopt() to parse option arguments 
after positional arguments.  (That behavior is a violation of the POSIX 
standard.)  The portable way to write that is to put the positional 
argument, the search filter in this case, after all of the option 
arguments, ala:

ldapsearch  -w dd -D 'cn=admin,dc=otec,dc=vub,dc=ac,dc=be' \
	-H ldap://localhost -x '(cn=admin)'  

That's not related to your issue, but you may bump into it later and may 
confuse others trying to reproduce your problem.

> ldap_bind: Invalid credentials (49)
> frvdamme@osc1:~$ ldapsearch  -w dd -D
> 'cn=admin,dc=otec,dc=vub,dc=ac,dc=be' '(cn=admin)' -x -H ldap://osc1
> -x
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> 
> So the only difference is how I specify the hostname and ldapsearch
> chooses to use sasl, even though I'm specifying -x. Why??

It's not actually doing SASL, but rather is doing a simple bind (see the 
"SIMPLE" there?).  ldap_sasl_bind() is the supported libldap entry point 
for *all* authentication, SASL, SIMPLE, or otherwise.  The old library 
entry points ldap_simple_bind(), ldap_bind(), and similar were deprecated 
at some point, largly because they didn't support passing controls or 
returning server creds, IIRC.

Philip Guenther

Follow-Ups:
- Re: how to NOT use SASL
  - From: Frank Van Damme <frank.vandamme@gmail.com>

References:
- how to NOT use SASL
  - From: Frank Van Damme <frank.vandamme@gmail.com>

Prev by Date: how to NOT use SASL
Next by Date: Re: pls help: performance tuning
Index(es):
- Chronological
- Thread