Re: Query on ldap sasl bind

11 Jul 2017

      Hello Quanah,
Thank you very much for your email. It worked for me (I passed GSSAPI as
the string), dn as NULL and I could now see in the packet capture that an
sasl bind request is being sent out using GSSAPI. Below is the snapshot.
Lightweight Directory Access Protocol
    LDAPMessage bindRequest(1) "<ROOT>" sasl
        messageID: 1
        protocolOp: bindRequest (0)
            bindRequest
                version: 3
                name:
                authentication: sasl (3)
                    sasl
                        mechanism: GSSAPI
                        credentials: 6d797077
                        GSS-API Generic Security Service Application
Program Interface
                            Unknown header (class=1, pc=1, tag=13)
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< Why unknown ?
                                [Expert Info (Warn/Protocol): Unknown
header (class=1, pc=1, tag=13)]
                                    [Unknown header (class=1, pc=1, tag=13)]
                                    [Severity level: Warn]
                                    [Group: Protocol]
I was getting something like this above where there is a part of the packet
shown as unknown header. I am suspecting that wireshark is not recognizing
this or this is again a different problem. Look forward to your feedback.
regards,
Nishanth
On Mon, Jul 10, 2017 at 11:23 PM, Quanah Gibson-Mount quanah@symas.com
wrote:
...
--On Monday, July 10, 2017 9:02 PM +0530 Nishanth Nagendra <
nishanth.amogh@gmail.com> wrote:
...
From the openldap source code, I notice that sasl.c file has a constant
LDAP_SASL_SIMPLE as a constant for mechanism which is a NULL value. I
tried to pass a non NULL value in my function call to ldap_sasl_bind in
the third parameter expecting it to hit the other code path to initiate
SASL bind with credentials but the library does not seem to allow it and
returns error from sasl bind.
As clearly noted in the source code comments, the third argument is the
MECHANISM to use:
/*

ldap_sasl_bind - bind to the ldap server (and X.500).
The dn (usually NULL), mechanism, and credentials are provided.
The message id of the request initiated is provided upon successful
(LDAP_SUCCESS) return.

Example:
 ldap_sasl_bind( ld, NULL, "mechanism",

         cred, NULL, NULL, &msgid )

*/
I.e., you would pass in "GSSAPI" for a SASl/GSSAPI bind, etc.
It is also generally better form to use ldap_sasl_interactive_bind_s, as
noted in the man page.  In that case, as noted by the manual page:
  The mechs parameter should contain
  a  space-separated  list  of  candidate  mechanisms  to  use.  If

this
      parameter   is   NULL   or   empty   the   library   will   query the
      supportedSASLMechanisms  attribute  from  the  server's rootDSE for
the
      list of SASL  mechanisms  the  server  supports.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

Re: Query on ldap sasl bind