Hi,
I hope some one can answer this query regarding LDAP
and GSSAPI as i really dint find substantial info for this on the net
for what i was trying to accomplish.
I have some
limitations on using OpenLDAP with Cyrus SASL and hence have to
manufacture my own GSSAPI client to use with LDAP. However i have run
into some technical issues here with my implementation and MS AD.
Here's my problem in short:
I am using the kerberos mechanism with GSSAPI, i first use kerberos
API's to get a TGT for SPN that i have obtained a keytab for
previously. I then use GSSAPI gss_init_sec_context to obtain a service
ticket for the ldap server. I then call ldap_init and then subsequently
call ldap_sasl_bind_s with mech as GSS-SPNEGO and supplying the GSSAPI
token ( obtained from gss_init_sec_context ) as credential ( i set the
DN in the ldap_sasl_bind_s to NULL ).
From the network traces and the return code i see that the bind was
successful. The bind result shows success (0x00) and negTokenTarg
shows negResult as accept-completed. This shows that Bind was indeed a
success also to note here the krb-blob that comes with the bind result
is successfully consumed by subsequent calls to gss_init_sec_context to
complete context establishment.
The issue that im facing now is that when i pass GSS wraped search
request ( i.e. i build a search request and pass it to gss_wrap API to
get a token ) token to the ldap_search_ext api. From the network
traces i see that the search request has been received by the ldap
server properly. However the LDAP server ( MS AD LDAP server ) responds
with the following message :
LdapErr: DSID-0C09062.27 comment: In order to perform this operation a successful bind must be completed on the connection.
Can
some one please throw some light on as to why the search query is
getting back with an error that there was no bind done in spite of the
server responding success for the LDAP bind prior to sending the search
request ?? Any help will be greatly appreciated...
Thanks,
Austin.