Hello,
I am currently debugging some weird SASL login failures on Active Directory. I am using the function ldap_sasl_bind_s() to perform the SASL negotiations. I know that ldap_sasl_bind_s() calls ldap_parse_sasl_bind_result() which sets the ld_error field of the 'LDAP' connection structure to the error string returned by the AD server when a login failure occurs. The content of this string is invaluable to debug the login issues. Yet, there seems to be no way to access the content of the ld_error field without bypassing the public interface of the openldap library.
Is there any other way to access the error string returned by the server?
Also, has someone ever encountered a situation where half of the users of an AD server can authenticate using SASL and the other half trigger an "invalid credentials" error? All those accounts are valid & working, and simple binds can be made without errors.
Thank you, Laurent Birtz
ldap_parse_result?
http://www.openldap.org/lists/openldap-software/200505/msg00093.html
On Tue, 16 Oct 2007, Laurent Birtz wrote:
Hello,
I am currently debugging some weird SASL login failures on Active Directory. I am using the function ldap_sasl_bind_s() to perform the SASL negotiations. I know that ldap_sasl_bind_s() calls ldap_parse_sasl_bind_result() which sets the ld_error field of the 'LDAP' connection structure to the error string returned by the AD server when a login failure occurs. The content of this string is invaluable to debug the login issues. Yet, there seems to be no way to access the content of the ld_error field without bypassing the public interface of the openldap library.
Is there any other way to access the error string returned by the server?
Also, has someone ever encountered a situation where half of the users of an AD server can authenticate using SASL and the other half trigger an "invalid credentials" error? All those accounts are valid & working, and simple binds can be made without errors.
Thank you, Laurent Birtz
Aaron Richton wrote:
ldap_parse_result?
http://www.openldap.org/lists/openldap-software/200505/msg00093.html
Unfortunately, the variable 'LDAPMessage *result' which contains the message to parse is local to the function ldap_sasl_bind_s(), so I cannot access it either.
Thanks, Laurent Birtz
Laurent Birtz wrote:
Aaron Richton wrote:
ldap_parse_result?
http://www.openldap.org/lists/openldap-software/200505/msg00093.html
Unfortunately, the variable 'LDAPMessage *result' which contains the message to parse is local to the function ldap_sasl_bind_s(), so I cannot access it either.
http://www.openldap.org/software/man.cgi?query=ldap_get_option&apropos=0...
ldap_get_option(...LDAP_OPT_ERROR_STRING) (which has been renamed to LDAP_OPT_DIAGNOSTIC_MESSAGE in 2.4)
openldap-software@openldap.org
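The option named in the last reply, as an added example (not code from the thread or from the OpenLDAP project): `server_diag()` reads the server's diagnostic text through the public `ldap_get_option()` interface after a failed bind, and `ad_data_code()` extracts the `data` sub-code that Active Directory places in that text, which goes beyond what the thread covers. The helper names, the `USE_LIBLDAP` build switch and the sample string are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef USE_LIBLDAP   /* assumed build switch: cc -DUSE_LIBLDAP example.c -lldap */
#include <ldap.h>
#ifndef LDAP_OPT_DIAGNOSTIC_MESSAGE   /* headers older than 2.4 only have the old name */
#define LDAP_OPT_DIAGNOSTIC_MESSAGE LDAP_OPT_ERROR_STRING
#endif
/* Call right after ldap_sasl_bind_s() fails; release the result with ldap_memfree(). */
char *server_diag(LDAP *ld)
{
    char *msg = NULL;
    if (ldap_get_option(ld, LDAP_OPT_DIAGNOSTIC_MESSAGE, &msg) != LDAP_OPT_SUCCESS)
        return NULL;
    return msg;   /* NULL or "" when the server sent no diagnostic text */
}
#endif

/* Return the hex sub-code after ", data " in an AD diagnostic string, or -1. */
long ad_data_code(const char *diag)
{
    const char *p = diag ? strstr(diag, ", data ") : NULL;
    char *end; unsigned long v;
    if (!p) return -1;
    p += strlen(", data ");
    v = strtoul(p, &end, 16);
    return end == p ? -1 : (long)v;
}

/* Win32 logon error codes that AD reports in the "data" field. */
const char *ad_data_meaning(long code)
{
    switch (code) {
    case 0x525: return "user not found";
    case 0x52e: return "invalid credentials";
    case 0x532: return "password expired";
    case 0x533: return "account disabled";
    case 0x773: return "user must reset password";
    case 0x775: return "account locked out";
    default:    return "unknown sub-code";
    }
}
int main(void)
{
    /* Constructed sample in the format AD uses; not taken from the thread. */
    const char *s = "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1";
    printf("%lx: %s\n", (unsigned long)ad_data_code(s), ad_data_meaning(ad_data_code(s)));
    return 0;
}
```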