
problem with using OpenLDAP with GSSAPI-Kerberos against an MS AD Domain Controller


I hope someone can answer this query regarding LDAP and GSSAPI, as I really didn't find substantial info on the net for what I was trying to accomplish.
I have some limitations on using OpenLDAP with Cyrus SASL and hence have to manufacture my own GSSAPI client to use with LDAP. However, I have run into some technical issues here with my implementation and MS AD. Here's my problem in short:

I am using the Kerberos mechanism with GSSAPI. I first use Kerberos APIs to get a TGT for the SPN that I have obtained a keytab for previously. I then use GSSAPI gss_init_sec_context to obtain a service ticket for the LDAP server. I then call ldap_init and subsequently call ldap_sasl_bind_s with mech as GSS-SPNEGO, supplying the GSSAPI token (obtained from gss_init_sec_context) as the credential (I set the DN in the ldap_sasl_bind_s to NULL).

From the network traces and the return code I see that the bind was successful. The bind result shows success (0x00) and negTokenTarg shows negResult as accept-completed. This shows that the bind was indeed a success; also to note here, the krb-blob that comes with the bind result is successfully consumed by subsequent calls to gss_init_sec_context to complete context establishment.

The issue that I'm facing now is that I pass a GSS-wrapped search request token (i.e. I build a search request and pass it to the gss_wrap API to get a token) to the ldap_search_ext API. From the network traces I see that the search request has been received by the LDAP server properly. However, the LDAP server (MS AD LDAP server) responds with the following message:

LdapErr: DSID-0C09062.27 comment: In order to perform this operation a successful bind must be completed on the connection.

Can someone please throw some light on why the search query is getting back an error that there was no bind done, in spite of the server responding success for the LDAP bind prior to sending the search request? Any help will be greatly appreciated...
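For reference, the wire framing a hand-built GSSAPI client has to apply once a SASL security layer is in effect (RFC 4422 section 3.7, used by LDAP per RFC 4511 section 4.14): each gss_wrap output is sent as one SASL buffer, prefixed by a four-octet big-endian length, on the same TCP stream, not embedded in a new LDAP operation. This is an added example, not code from the original post; the token bytes and the max-buffer value are constructed placeholders, and gss_wrap itself is stood in for by a labelled dummy.

```python
import struct

SASL_LEN_OCTETS = 4  # RFC 4422 3.7: length prefix is 4 octets, network byte order

# Constructed stand-in for gss_wrap(): a real client substitutes the GSSAPI output token.
def dummy_gss_wrap(plaintext_pdu: bytes) -> bytes:
    return b"\x60\x2b" + plaintext_pdu  # placeholder header + payload, NOT real GSS framing

def frame_sasl_buffer(protected: bytes, max_buf: int) -> bytes:
    """Prefix one protected buffer with its 4-octet length.

    max_buf is the maximum buffer size the peer announced during the security
    layer negotiation; exceeding it is a protocol error, so refuse to send it.
    """
    if len(protected) > max_buf:
        raise ValueError("protected buffer exceeds peer's negotiated max size")
    return struct.pack(">I", len(protected)) + protected

def split_sasl_buffers(stream: bytes, max_buf: int):
    """Split received bytes into complete protected buffers.

    Returns (buffers, remainder). A length field larger than max_buf is
    rejected before any allocation, so a bad or hostile peer cannot make the
    receiver buffer an arbitrarily large frame. An incomplete trailing frame
    is returned as remainder for the caller to prepend to the next read.
    """
    buffers, pos = [], 0
    while pos + SASL_LEN_OCTETS <= len(stream):
        (n,) = struct.unpack(">I", stream[pos:pos + SASL_LEN_OCTETS])
        if n > max_buf:
            raise ValueError("incoming SASL buffer length exceeds negotiated max")
        end = pos + SASL_LEN_OCTETS + n
        if end > len(stream):
            break  # partial frame: wait for more data
        buffers.append(stream[pos + SASL_LEN_OCTETS:end])
        pos = end
    return buffers, stream[pos:]

# Real minimal LDAP PDU for illustration: UnbindRequest with messageID 3.
UNBIND_PDU = bytes.fromhex("30 05 02 01 03 42 00")
```

A search request would be handled the same way: BER-encode the SearchRequest, run it through gss_wrap, then frame the token with frame_sasl_buffer and write it to the socket.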