Hello Quanah,
Thank you very much for your email. It worked for me (I passed "GSSAPI" as the string and dn as NULL), and I can now see in the packet capture that a SASL bind request is being sent out using GSSAPI. Below is the snapshot.

    Lightweight Directory Access Protocol
        LDAPMessage bindRequest(1) "<ROOT>" sasl
            messageID: 1
            protocolOp: bindRequest (0)
                bindRequest
                    version: 3
                    name:
                    authentication: sasl (3)
                        sasl
                            mechanism: GSSAPI
                            credentials: 6d797077
                                GSS-API Generic Security Service Application Program Interface
                                    Unknown header (class=1, pc=1, tag=13)   <<<<<<<<<<<<<<<< Why unknown ?
                                        [Expert Info (Warn/Protocol): Unknown header (class=1, pc=1, tag=13)]
                                            [Unknown header (class=1, pc=1, tag=13)]
                                            [Severity level: Warn]
                                            [Group: Protocol]

I was getting something like the above, where part of the packet is shown as an unknown header. I suspect that Wireshark is not recognizing this, or that this is again a different problem. I look forward to your feedback.
Regards,
Nishanth
On Mon, Jul 10, 2017 at 11:23 PM, Quanah Gibson-Mount quanah@symas.com wrote:
--On Monday, July 10, 2017 9:02 PM +0530 Nishanth Nagendra <nishanth.amogh@gmail.com> wrote:
From the OpenLDAP source code, I notice that the sasl.c file defines the constant LDAP_SASL_SIMPLE for the mechanism, which is a NULL value. I tried to pass a non-NULL value as the third parameter in my call to ldap_sasl_bind, expecting it to hit the other code path that initiates a SASL bind with credentials, but the library does not seem to allow it and returns an error from the SASL bind.
As clearly noted in the source code comments, the third argument is the MECHANISM to use:
    /*
     * ldap_sasl_bind - bind to the ldap server (and X.500).
     * The dn (usually NULL), mechanism, and credentials are provided.
     * The message id of the request initiated is provided upon successful
     * (LDAP_SUCCESS) return.
     *
     * Example:
     *	ldap_sasl_bind( ld, NULL, "mechanism",
     *		cred, NULL, NULL, &msgid )
     */
I.e., you would pass in "GSSAPI" for a SASL/GSSAPI bind, etc.
It is also generally better form to use ldap_sasl_interactive_bind_s, as noted in the man page. In that case, as noted by the manual page:
    The mechs parameter should contain a space-separated list of candidate mechanisms to use. If this parameter is NULL or empty the library will query the supportedSASLMechanisms attribute from the server's rootDSE for the list of SASL mechanisms the server supports.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
openldap-technical@openldap.org