[Date Prev][Date Next]
some help required LDAP - GSSAPI issue.
- To: firstname.lastname@example.org
- Subject: some help required LDAP - GSSAPI issue.
- From: "Austin Cherian" <email@example.com>
- Date: Wed, 9 Apr 2008 00:16:02 +0530
- Content-disposition: inline
- In-reply-to: <firstname.lastname@example.org>
- References: <email@example.com>
I hope some one can answer this query regarding LDAP and GSSAPI as i
really dint find substantial info for this on the net for what i was trying
I have some limitations on using OpenLDAP with Cyrus SASL and hence
have to manufacture my own GSSAPI client to use with LDAP. However i have
run into some technical issues here with my implementation and MS AD. Here's
my problem in short:
I am using the kerberos mechanism with GSSAPI, i first use kerberos API's to
get a TGT for SPN that i have obtained a keytab for previously. I then use
GSSAPI gss_init_sec_context to obtain a service ticket for the ldap server.
I then call ldap_init and then subsequently call ldap_sasl_bind_s with mech
as GSS-SPNEGO and supplying the GSSAPI token ( obtained from
gss_init_sec_context ) as credential ( i set the DN in the ldap_sasl_bind_s
to NULL ).
>From the network traces and the return code i see that the bind was
successful. The bind result shows success (0x00) and negTokenTarg shows
negResult as accept-completed. This shows that Bind was indeed a success
also to note here the krb-blob that comes with the bind result is
successfully consumed by subsequent calls to gss_init_sec_context to
complete context establishment.
The issue that im facing now is that when i pass GSS wraped search request (
i.e. i build a search request and pass it to gss_wrap API to get a token )
token to the ldap_search_ext api. From the network traces i see that the
search request has been received by the ldap server properly. However the
LDAP server ( MS AD LDAP server ) responds with the following message :
LdapErr: DSID-0C09062.27 comment: In order to perform this operation a
successful bind must be completed on the connection.
Can some one please throw some light on as to why the search query is
getting back with an error that there was no bind done in spite of the
server responding success for the LDAP bind prior to sending the search
request ?? Any help will be greatly appreciated...