
Re: Query on ldap sasl bind



--On Monday, July 10, 2017 9:02 PM +0530 Nishanth Nagendra <nishanth.amogh@gmail.com> wrote:

From the openldap source code, I notice that sasl.c file has a constant
LDAP_SASL_SIMPLE as a constant for mechanism which is a NULL value. I
tried to pass a non NULL value in my function call to ldap_sasl_bind in
the third parameter expecting it to hit the other code path to initiate
SASL bind with credentials but the library does not seem to allow it and
returns error from sasl bind.

As clearly noted in the source code comments, the third argument is the MECHANISM to use:

/*
 * ldap_sasl_bind - bind to the ldap server (and X.500).
 * The dn (usually NULL), mechanism, and credentials are provided.
 * The message id of the request initiated is provided upon successful
 * (LDAP_SUCCESS) return.
 *
 * Example:
 *      ldap_sasl_bind( ld, NULL, "mechanism",
 *              cred, NULL, NULL, &msgid )
 */


I.e., you would pass in "GSSAPI" for a SASL/GSSAPI bind, etc.

It is also generally better form to use ldap_sasl_interactive_bind_s, as noted in the man page. In that case, as noted by the manual page:

      The mechs parameter should contain a space-separated list of candidate
      mechanisms to use. If this parameter is NULL or empty the library will
      query the supportedSASLMechanisms attribute from the server's rootDSE
      for the list of SASL mechanisms the server supports.



--Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
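Added illustration for the two points above (not code from this thread or from OpenLDAP): a small C model of how the mechs candidate list of ldap_sasl_interactive_bind_s is matched against what a server advertises in supportedSASLMechanisms, with the library calls themselves shown only in comments. The server mechanism list, the candidate strings and the callback names interact_cb/defaults are constructed or hypothetical; the real library hands the list to Cyrus SASL, which ranks mechanisms by its own policy rather than by list order, so this model keeps only the "first candidate the server supports" idea.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample of a rootDSE supportedSASLMechanisms attribute
 * (illustrative values, not captured from any real server). */
static const char *const SAMPLE_SERVER_MECHS[] = { "GSSAPI", "DIGEST-MD5", "EXTERNAL" };
static const size_t SAMPLE_SERVER_MECH_COUNT =
    sizeof SAMPLE_SERVER_MECHS / sizeof SAMPLE_SERVER_MECHS[0];

/* Exact, case-sensitive match of a candidate token against the server list. */
static int server_supports(const char *mech, size_t mechlen,
                           const char *const *server_mechs, size_t n_server)
{
    for (size_t i = 0; i < n_server; i++) {
        if (strlen(server_mechs[i]) == mechlen &&
            strncmp(server_mechs[i], mech, mechlen) == 0)
            return 1;
    }
    return 0;
}

/* choose_sasl_mech - model of the candidate-list handling described in the
 * ldap_sasl_interactive_bind_s(3) manual page (simplified, see lead-in).
 *   candidates   space-separated list such as "GSSAPI EXTERNAL"; NULL or ""
 *                means "no client preference", i.e. use what the server offers
 *   server_mechs what the server lists in supportedSASLMechanisms
 * On success copies the chosen mechanism into out and returns 1.
 * Returns 0 when no candidate is supported; a caller should then fail the
 * bind rather than silently fall back to a simple bind, because a NULL
 * mechanism (LDAP_SASL_SIMPLE) sends the password in the clear unless TLS
 * is already in place. */
int choose_sasl_mech(const char *candidates,
                     const char *const *server_mechs, size_t n_server,
                     char *out, size_t outlen)
{
    if (outlen == 0) return 0;
    if (candidates == NULL || candidates[0] == '\0') {
        /* No preference: take the server's first advertised mechanism. */
        if (n_server == 0) return 0;
        snprintf(out, outlen, "%s", server_mechs[0]);
        return 1;
    }
    const char *p = candidates;
    while (*p) {
        while (*p == ' ') p++;              /* skip separators */
        if (!*p) break;
        const char *start = p;
        while (*p && *p != ' ') p++;        /* end of this token */
        size_t len = (size_t)(p - start);
        if (server_supports(start, len, server_mechs, n_server)) {
            if (len >= outlen) len = outlen - 1;
            memcpy(out, start, len);
            out[len] = '\0';
            return 1;
        }
    }
    return 0;
}

/* Convenience wrapper that runs the model against the constructed server list. */
int choose_against_sample(const char *candidates, char *out, size_t outlen)
{
    return choose_sasl_mech(candidates, SAMPLE_SERVER_MECHS,
                            SAMPLE_SERVER_MECH_COUNT, out, outlen);
}

/* With libldap the list is passed straight to the library, e.g.
 *   rc = ldap_sasl_interactive_bind_s(ld, NULL, "GSSAPI EXTERNAL",
 *                                     NULL, NULL, LDAP_SASL_QUIET,
 *                                     interact_cb, defaults);   (hypothetical callback)
 * whereas ldap_sasl_bind() names exactly one mechanism in its third
 * argument; passing NULL there selects LDAP_SASL_SIMPLE, a simple bind. */
int main(void)
{
    const char *lists[] = { "PLAIN GSSAPI", "PLAIN", NULL, "  EXTERNAL " };
    char chosen[32];
    for (size_t i = 0; i < sizeof lists / sizeof lists[0]; i++) {
        int ok = choose_against_sample(lists[i], chosen, sizeof chosen);
        printf("mechs=%-14s -> %s\n",
               lists[i] ? lists[i] : "(NULL)", ok ? chosen : "no supported mechanism");
    }
    return 0;
}
```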