On Fri, Jul 23, 2010 at 12:10 AM, Dan White <dwhite@olp.net> wrote:
On 22/07/10 18:10 +0530, Shankar Anand R wrote:
Hi,

The problem explained below must be fairly straightforward or even look
silly for folks on this mailing list. Sorry for the trouble but I hope one
of you might be willing to help a newbie.

I am implementing an simple application that finds out a user's attributes
using OpenLDAP.

This a snippet of my code.
...
BerValue cred;
cred.bv_len = 10;
cred.bv_val = strdup("mypassword");
ldap_sasl_bind_s(ld, "myuser", LDAP_SASL_SIMPLE /*NULL*/, &cred, NULL, NULL,
NULL);

This succeeds and I am able to proceed with my ldap_search_st() call.

But since I don't want to send "mypassword" as plain text over the wire I
opted for "DIGEST-MD5"

...
BerValue cred;
cred.bv_len = 10;
cred.bv_val = strdup("mypassword");
ldap_sasl_bind_s(ld, "myuser", "DIGEST-MD5", &cred, NULL, NULL, NULL);

This fails with the error 49
ldap_sasl_bind_s: Invalid credentials (49)
      additional info: 80090326: LdapErr: DSID-0C0904D1, comment:
AcceptSecurityContext error, data 57, v1772


Note: I am using Active Directory. And I believe that my cyrus-sasl
installation is good.


I searched a lot but couldn't find the proper documentation for this. Do I
have to fill up cred.bv_val differently while using DIGEST-MD5? Is there an
OpenLDAP API to do that?
Can someone explain or point me to the right documentation?

See the man page for ldap_sasl_interactive_bind_s(), in which you provide a
callback function for providing the sasl realm, authc identity, password,
and authz identity.

Also see doc/programming.html in the cyrus sasl source for discussion of
interactions, and plugins/ldapdb.c for a working example.

Thanks for your help. I will read the doc and the example.

Meanwhile I want to check if I can avoid ldap_sasl_interactive_bind_s(). Wouldn't ldap_sasl_bind_s() work for "DIGEST-MD5"? If it works, I would like to go with it. Can you point out a way to do that?

Thanks and Regards,
Shankar