HI!
Disclaimer: I'm not a C programmer.
I'd like to evaluate response controls (e.g. ppolicy) also when doing a SASL bind. I'm using python-ldap which in turn uses OpenLDAP C API's function ldap_sasl_interactive_bind_s(). But currently there's no way to extract the server's response controls. The server I'm testing with is returning the ppolicy response control and others.
I looked at clients/tools/common.c but it seems to me it also uses ldap_sasl_interactive_bind_s() and no response controls are extracted.
Do I have to use ldap_get_option(ld,LDAP_OPT_SERVER_CONTROLS) separately? Does that work?
Ciao, Michael.
> HI!
> Disclaimer: I'm not a C programmer.
> I'd like to evaluate response controls (e.g. ppolicy) also when doing a SASL bind. I'm using python-ldap which in turn uses OpenLDAP C API's function ldap_sasl_interactive_bind_s(). But currently there's no way to extract the server's response controls. The server I'm testing with is returning the ppolicy response control and others.
> I looked at clients/tools/common.c but it seems to me it also uses ldap_sasl_interactive_bind_s() and no response controls are extracted.
> Do I have to use ldap_get_option(ld,LDAP_OPT_SERVER_CONTROLS) separately? Does that work?
Not sure about that. In clients/tools/common.c there is an example of using ldap_sasl_interactive_bind() asynchronously that purposely allows to extract controls information from the (last) response (e.g. related to ppolicy) since it gives access to the result of calling ldap_result(). Not sure about how this could be integrated in python-ldap; my suggestion, without looking at the code, would be to add/modify python-ldap's call to ldap_sasl_interactive_bind_s() to optionally give access to all results (resultCode, diagnostics, controls).
p.
masarati@aero.polimi.it wrote:
>> Disclaimer: I'm not a C programmer.
>> I'd like to evaluate response controls (e.g. ppolicy) also when doing a SASL bind. I'm using python-ldap which in turn uses OpenLDAP C API's function ldap_sasl_interactive_bind_s().
> Not sure about that. In clients/tools/common.c there is an example of using ldap_sasl_interactive_bind() asynchronously that purposely allows to extract controls information from the (last) response
I'm staring at line 1473 in clients/tools/common.c of RE24 but I simply don't get it: IMHO in opposite to later call of ldap_sasl_bind() (in a separate else clause starting at line 1490) a msgid is not returned by the API and therefore it seems to me that ldap_result() is not and cannot be called in the SASL part.
But as said numerous times: I'm quite ignorant regarding C and I might overlook something.
> Not sure about how this could be integrated in python-ldap; my suggestion, without looking at the code, would be to add/modify python-ldap's call to ldap_sasl_interactive_bind_s() to optionally give access to all results (resultCode, diagnostics, controls).
I'd happily do but I'm not sure how...
You can see the call in line 674 here:
http://python-ldap.cvs.sourceforge.net/viewvc/python-ldap/python-ldap/Module...
The var name msgid was a misunderstanding taken over from the code submitted by another contributor years ago. Should be called rc or similar instead.
Ciao, Michael.
Michael Ströder wrote:
> masarati@aero.polimi.it wrote:
>>> Disclaimer: I'm not a C programmer.
>>> I'd like to evaluate response controls (e.g. ppolicy) also when doing a SASL bind. I'm using python-ldap which in turn uses OpenLDAP C API's function ldap_sasl_interactive_bind_s().
>> Not sure about that. In clients/tools/common.c there is an example of using ldap_sasl_interactive_bind() asynchronously that purposely allows to extract controls information from the (last) response
> I'm staring at line 1473 in clients/tools/common.c of RE24 but I simply don't get it: IMHO in opposite to later call of ldap_sasl_bind() (in a separate else clause starting at line 1490) a msgid is not returned by the API and therefore it seems to me that ldap_result() is not and cannot be called in the SASL part.
Is the ppolicy control supported by the command-line tools if SASL is used? The code does not look like that and using ldapsearch also seems to lead to different results when using SASL and simple bind:
$ ldapsearch -H ldap://server -Y DIGEST-MD5 -e ppolicy -U test -w test -LL -b"" -s base
SASL/DIGEST-MD5 authentication started
SASL username: test
SASL SSF: 128
SASL data security layer installed.
version: 1
Server is unwilling to perform (53)

$ ldapsearch -x -H ldap://server -e ppolicy -D "uid=test,dc=example,dc=com" -w test -LL -b"" -s base
ldap_bind: Success (0); Password must be changed (Password expires in 0 seconds)
version: 1
Server is unwilling to perform (53)
Ciao, michael.
Michael Ströder wrote:
> Michael Ströder wrote:
>> masarati@aero.polimi.it wrote:
>>>> Disclaimer: I'm not a C programmer.
>>>> I'd like to evaluate response controls (e.g. ppolicy) also when doing a SASL bind. I'm using python-ldap which in turn uses OpenLDAP C API's function ldap_sasl_interactive_bind_s().
>>> Not sure about that. In clients/tools/common.c there is an example of using ldap_sasl_interactive_bind() asynchronously that purposely allows to extract controls information from the (last) response
>> I'm staring at line 1473 in clients/tools/common.c of RE24 but I simply don't get it: IMHO in opposite to later call of ldap_sasl_bind() (in a separate else clause starting at line 1490) a msgid is not returned by the API and therefore it seems to me that ldap_result() is not and cannot be called in the SASL part.
> Is the ppolicy control supported by the command-line tools if SASL is used?
It seems I would have to use ldap_sasl_interactive_bind() like done in ./servers/slapd/back-ldap/bind.c:1448
Ciao, Michael.
>> Is the ppolicy control supported by the command-line tools if SASL is used?
> It seems I would have to use ldap_sasl_interactive_bind() like done in ./servers/slapd/back-ldap/bind.c:1448
Sorry, my fault: I was looking at HEAD code, where the client tool uses ldap_sasl_interactive_bind() exactly in that way. In any case, that's exactly what needs to be done: recursively call ldap_sasl_interactive_bind() and ldap_result(), and extract the control response from the last result.
p.
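
Once the control has been taken from the last bind result as described above, its value still has to be decoded. The following is an added example, not code from this thread or from OpenLDAP: a plain-C decoder for the passwordPolicyResponse BER value as laid out in the LDAP password policy draft. The struct, the function names and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

struct ppolicy_resp { long expire, grace, error; };  /* -1 = field absent */

/* Constructed sample: timeBeforeExpiration=0 plus error changeAfterReset(2). */
static const uint8_t SAMPLE[] = {0x30,0x08, 0xa0,0x03,0x80,0x01,0x00, 0x81,0x01,0x02};

/* Read one TLV header (short-form length only) and step *p onto the value. */
static int tlv(const uint8_t **p, const uint8_t *end, uint8_t *tag, size_t *len) {
    if (end - *p < 2 || ((*p)[1] & 0x80)) return -1;
    *tag = (*p)[0]; *len = (*p)[1]; *p += 2;
    return (size_t)(end - *p) < *len ? -1 : 0;
}

/* Non-negative big-endian INTEGER/ENUMERATED of 1..4 bytes, or -1 if malformed. */
static long be_int(const uint8_t *p, size_t len) {
    long v = 0;
    if (len == 0 || len > 4 || (p[0] & 0x80)) return -1;
    while (len--) v = (v << 8) | *p++;
    return v;
}

/* Decode SEQUENCE { warning [0] CHOICE OPTIONAL, error [1] ENUMERATED OPTIONAL }. */
int ppolicy_decode(const uint8_t *buf, size_t n, struct ppolicy_resp *out) {
    const uint8_t *p = buf, *end = buf + n, *wend;
    uint8_t tag; size_t len; long v;
    out->expire = out->grace = out->error = -1;
    if (tlv(&p, end, &tag, &len) || tag != 0x30 || p + len != end) return -1;
    while (p < end) {
        if (tlv(&p, end, &tag, &len)) return -1;
        if (tag == 0xa0) {                        /* warning [0], constructed */
            wend = p + len;
            if (tlv(&p, wend, &tag, &len) || p + len != wend) return -1;
            if ((v = be_int(p, len)) < 0) return -1;
            if (tag == 0x80) out->expire = v;      /* timeBeforeExpiration */
            else if (tag == 0x81) out->grace = v;  /* graceAuthNsRemaining */
            else return -1;
        } else if (tag == 0x81) {                 /* error [1] ENUMERATED */
            if ((out->error = be_int(p, len)) < 0) return -1;
        } else return -1;
        p += len;
    }
    return 0;
}

int main(void) {
    struct ppolicy_resp r;
    if (ppolicy_decode(SAMPLE, sizeof SAMPLE, &r)) return 1;
    printf("expire=%ld grace=%ld error=%ld\n", r.expire, r.grace, r.error);
    return 0;
}
```

Code that links against libldap can use ldap_parse_passwordpolicy_control() for the same decoding instead of parsing the bytes by hand.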
openldap-technical@openldap.org