Thank you very much for your email. It worked for me (I passed GSSAPI as
the string), dn as NULL and I could now see in the packet capture that a
SASL bind request is being sent out using GSSAPI. Below is the snapshot.

    Lightweight Directory Access Protocol
    LDAPMessage bindRequest(1) "<ROOT>" sasl
    protocolOp: bindRequest (0)
    authentication: sasl (3)
    GSS-API Generic Security Service Application
    Unknown header (class=1, pc=1, tag=13)
Why unknown ?
    [Expert Info (Warn/Protocol): Unknown header (class=1, pc=1, tag=13)]
    [Unknown header (class=1, pc=1, tag=13)]
    [Severity level: Warn]

I was getting something like this above where there is a part of the packet
shown as unknown header. I am suspecting that Wireshark is not recognizing
this or this is again a different problem. Look forward to your feedback.

On Mon, Jul 10, 2017 at 11:23 PM, Quanah Gibson-Mount <quanah(a)symas.com> wrote:
--On Monday, July 10, 2017 9:02 PM +0530 Nishanth Nagendra <
> From the OpenLDAP source code, I notice that sasl.c file has a constant
> LDAP_SASL_SIMPLE as a constant for mechanism which is a NULL value. I
> tried to pass a non-NULL value in my function call to ldap_sasl_bind in
> the third parameter expecting it to hit the other code path to initiate
> SASL bind with credentials but the library does not seem to allow it and
> returns error from sasl bind.
As clearly noted in the source code comments, the third argument is the
MECHANISM to use:

 * ldap_sasl_bind - bind to the ldap server (and X.500).
 * The dn (usually NULL), mechanism, and credentials are provided.
 * The message id of the request initiated is provided upon successful
 * (LDAP_SUCCESS) return.
 *     ldap_sasl_bind( ld, NULL, "mechanism",
 *         cred, NULL, NULL, &msgid )

I.e., you would pass in "GSSAPI" for a SASL/GSSAPI bind, etc.
It is also generally better form to use ldap_sasl_interactive_bind_s, as
noted in the man page. In that case, as noted by the manual page:

    The mechs parameter should contain
    a space-separated list of candidate mechanisms to use. If this
    parameter is NULL or empty the library will query the
    supportedSASLMechanisms attribute from the server's rootDSE for the
    list of SASL mechanisms the server supports.

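
Added example (not part of the thread and not OpenLDAP code): a small Python BER encoder and walker for the SASL bindRequest discussed above, showing where the mechanism string passed as the third argument ends up on the wire and how the class / pc / tag triples in the capture are read from an identifier octet. The function names are hypothetical and the credentials are a constructed placeholder of zero bytes, not a real GSSAPI token.

```python
# Added example: BER layout of an LDAP SASL bindRequest (RFC 4511, section 4.2).
CLASSES = ("universal", "application", "context", "private")

def ident_fields(octet):
    """Split a BER identifier octet into (class, pc, tag), as the capture prints them."""
    return octet >> 6, (octet >> 5) & 1, octet & 0x1F

def tlv(ident, body):
    """Encode one TLV: single identifier octet, definite length."""
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    length = raw if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([ident]) + length + body

def sasl_bind_request(msgid, mech, cred):
    """Build LDAPMessage{messageID, bindRequest{version 3, name "", sasl{mech, cred}}}."""
    sasl = tlv(0xA3, tlv(0x04, mech.encode()) + tlv(0x04, cred))    # [3] SaslCredentials
    bind = tlv(0x60, tlv(0x02, b"\x03") + tlv(0x04, b"") + sasl)    # [APPLICATION 0]
    return tlv(0x30, tlv(0x02, bytes([msgid])) + bind)              # msgid 1..127 only

def read_tlv(buf, pos):
    """Decode the TLV at pos; return (class, pc, tag, value, next_pos)."""
    cls, pc, tag = ident_fields(buf[pos])
    if tag == 0x1F:
        raise ValueError("high-tag-number form not handled here")
    n, pos = buf[pos + 1], pos + 2
    if n & 0x80:                       # long form: low 7 bits = number of length octets
        k = n & 0x7F
        if k == 0:
            raise ValueError("indefinite length is not permitted in LDAP")
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated TLV")
    return cls, pc, tag, buf[pos:pos + n], pos + n

def walk(buf, depth=0, out=None):
    """Flatten nested TLVs into (depth, class name, pc, tag, value) rows."""
    out = [] if out is None else out
    pos = 0
    while pos < len(buf):
        cls, pc, tag, val, pos = read_tlv(buf, pos)
        out.append((depth, CLASSES[cls], pc, tag, val))
        if pc:                         # constructed: children live inside the value
            walk(val, depth + 1, out)
    return out

if __name__ == "__main__":
    # bytes(200) is a constructed placeholder for the credentials field
    for depth, cls, pc, tag, val in walk(sasl_bind_request(1, "GSSAPI", bytes(200))):
        print("  " * depth + f"class={cls} pc={pc} tag={tag} len={len(val)}")
```

ident_fields(0x6D) returns (1, 1, 13), the same triple the capture prints for the header it could not decode.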