HI!
what is returned by
ldap_get_options(LDAP_OPT_X_SASL_AUTHCID,[..]) ldap_get_options(LDAP_OPT_X_SASL_AUTHZID,[..])
I'm getting results with python-ldap which look strange to me after doing a SASL bind. But I'm not sure what should be returned.
Ciao, Michael.
Michael Ströder wrote:
> HI!
> what is returned by
> ldap_get_options(LDAP_OPT_X_SASL_AUTHCID,[..]) ldap_get_options(LDAP_OPT_X_SASL_AUTHZID,[..])
> I'm getting results with python-ldap which look strange to me after doing a SASL bind. But I'm not sure what should be returned.
For AUTHCID, it is initialized to the first non-null environment variable of USER / USERNAME / LOGNAME. AUTHZID is empty.
Both of them can be overridden by .ldaprc or LDAP_SASL env variables.
Howard Chu wrote:
> Michael Ströder wrote:
>> what is returned by
>> ldap_get_options(LDAP_OPT_X_SASL_AUTHCID,[..]) ldap_get_options(LDAP_OPT_X_SASL_AUTHZID,[..])
>> I'm getting results with python-ldap which look strange to me after doing a SASL bind. But I'm not sure what should be returned.
> For AUTHCID, it is initialized to the first non-null environment variable of USER / USERNAME / LOGNAME. AUTHZID is empty.
> Both of them can be overridden by .ldaprc or LDAP_SASL env variables.
So these are rather meant to be set by the client as defaults (instead of the call-back vars)?
I was hoping to find a SASL option to query the Kerberos principal name actually used after a successful SASL/GSSAPI bind.
Ciao, Michael.
On Sat, 15 Aug 2009, Michael Ströder wrote: ...
> I was hoping to find a SASL option to query the Kerberos principal name actually used after a successful SASL/GSSAPI bind.
Are you trying to ask a purely local question or is the server's opinion of what authorization ID you actually ended up with relevant?
For the latter, try ldap_whoami() or ldap_whoami_s().
For the former, I suspect you'll have to add a new LDAP option to get the underlying sasl context handle and then peel it out of there yourself. Does cyrus-sasl even provide a means to get the authentication ID used?
Philip Guenther
Philip Guenther wrote:
> On Sat, 15 Aug 2009, Michael Ströder wrote: ...
>> I was hoping to find a SASL option to query the Kerberos principal name actually used after a successful SASL/GSSAPI bind.
> Are you trying to ask a purely local question or is the server's opinion of what authorization ID you actually ended up with relevant?
Local.
> For the latter, try ldap_whoami() or ldap_whoami_s().
Yes, that's already used in web2ldap for servers which implement it.
But if that's not available (e.g. on MS AD W2K3, and it's almost useless in W2K8), I'm conducting a reverse lookup with a search request. So if bound by SASL/GSSAPI I'd search with a filter template like this:
(|(userPrincipalName=%s)(krb5PrincipalName=%s)(krbPrincipalName=%s))
For other SASL methods other filters are used.
> Does cyrus-sasl even provide a means to get the authentication ID used?
That's exactly the question...
Ciao, Michael.
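The whoami-first, reverse-lookup-second logic described in this reply, as an added example written in python-ldap style (it is not web2ldap's own code and was not posted in the thread). The filter template above is filled in with RFC 4515 escaping so that a principal name containing *, ( or ) cannot alter the filter; FakeConn and the sample entries are assumed stand-ins for a bound connection so the module runs offline.

```python
# Constructed example in python-ldap style, not web2ldap's code; assumes a
# connection with python-ldap's whoami_s()/search_s(); FakeConn is a stand-in.
try:
    import ldap  # real python-ldap, if installed
    LDAP_ERROR = ldap.LDAPError
except ImportError:
    LDAP_ERROR = Exception  # offline stand-in

# Principal-name attributes from the filter template in the thread
PRINCIPAL_ATTRS = ("userPrincipalName", "krb5PrincipalName", "krbPrincipalName")


def escape_filter_value(value):
    """Escape \\ * ( ) NUL per RFC 4515 so 'a*(b)' cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def principal_filter(principal):
    """OR filter over all principal-name attributes, value escaped."""
    safe = escape_filter_value(principal)
    return "(|%s)" % "".join("(%s=%s)" % (a, safe) for a in PRINCIPAL_ATTRS)


def bound_identity(conn, principal, base):
    """(source, value): server's authzid via Who Am I?, else reverse-lookup DN."""
    try:
        authzid = conn.whoami_s()
        if authzid:
            return ("whoami", authzid)
    except LDAP_ERROR:
        pass  # e.g. AD W2K3 lacks the extended op: fall back to a search
    # scope 2 == ldap.SCOPE_SUBTREE; "1.1" requests no attributes (RFC 4511)
    results = conn.search_s(base, 2, principal_filter(principal), ["1.1"])
    dns = [dn for dn, _ in results if dn is not None]  # drop referrals
    if len(dns) != 1:
        raise LookupError("expected exactly one entry, found %d" % len(dns))
    return ("search", dns[0])


class FakeConn:
    """Constructed stand-in for a bound python-ldap connection."""
    def __init__(self, whoami=None, entries=()):
        self.whoami, self.entries, self.last_filter = whoami, entries, None
    def whoami_s(self):
        if self.whoami is None:
            raise LDAP_ERROR("whoami not supported")
        return self.whoami
    def search_s(self, base, scope, filterstr, attrlist=None):
        self.last_filter = filterstr
        return list(self.entries)
```

Against a real server, pass the bound ldap.LDAPObject instead of FakeConn; raising on anything but exactly one match keeps an ambiguous reverse lookup from being mistaken for the bound identity.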
Michael Ströder wrote:
> Philip Guenther wrote:
>> Does cyrus-sasl even provide a means to get the authentication ID used?
> That's exactly the question...
Yes. sasl_getprop( sasl_context, SASL_USERNAME, ... )
libldap will already display this on stderr if you don't specify the LDAP_SASL_QUIET option.
Howard Chu wrote:
> Michael Ströder wrote:
>> Philip Guenther wrote:
>>> Does cyrus-sasl even provide a means to get the authentication ID used?
>> That's exactly the question...
> Yes. sasl_getprop( sasl_context, SASL_USERNAME, ... )
> libldap will already display this on stderr if you don't specify the LDAP_SASL_QUIET option.
Is the SASL context reachable through libldap?
Ciao, Michael.
Michael Ströder wrote:
> Howard Chu wrote:
>> Michael Ströder wrote:
>>> Philip Guenther wrote:
>>>> Does cyrus-sasl even provide a means to get the authentication ID used?
>>> That's exactly the question...
>> Yes. sasl_getprop( sasl_context, SASL_USERNAME, ... )
>> libldap will already display this on stderr if you don't specify the LDAP_SASL_QUIET option.
> Is the SASL context reachable through libldap?
Looks like not. And judging from what we've gone thru with TLS, it's probably a bad idea to expose it. Perhaps you should file an enhancement request for a getopt flag to return the SASL username.
Howard Chu wrote:
> Michael Ströder wrote:
>> Howard Chu wrote:
>>> Michael Ströder wrote:
>>>> Philip Guenther wrote:
>>>>> Does cyrus-sasl even provide a means to get the authentication ID used?
>>>> That's exactly the question...
>>> Yes. sasl_getprop( sasl_context, SASL_USERNAME, ... )
>>> libldap will already display this on stderr if you don't specify the LDAP_SASL_QUIET option.
>> Is the SASL context reachable through libldap?
> Looks like not. And judging from what we've gone thru with TLS, it's probably a bad idea to expose it. Perhaps you should file an enhancement request for a getopt flag to return the SASL username.
See ITS#6257
Ciao, Michael.
openldap-software@openldap.org