Hi,
The problem explained below must be fairly straightforward or even look silly for folks on this mailing list. Sorry for the trouble but I hope one of you might be willing to help a newbie.
I am implementing a simple application that finds out a user's attributes using OpenLDAP.
This is a snippet of my code:

    ...
    BerValue cred;
    cred.bv_len = 10;
    cred.bv_val = strdup("mypassword");
    ldap_sasl_bind_s(ld, "myuser", LDAP_SASL_SIMPLE /* NULL */, &cred, NULL, NULL, NULL);

This succeeds and I am able to proceed with my ldap_search_st() call.
But since I don't want to send "mypassword" as plain text over the wire, I opted for "DIGEST-MD5":

    ...
    BerValue cred;
    cred.bv_len = 10;
    cred.bv_val = strdup("mypassword");
    ldap_sasl_bind_s(ld, "myuser", "DIGEST-MD5", &cred, NULL, NULL, NULL);

This fails with error 49:

    ldap_sasl_bind_s: Invalid credentials (49)
        additional info: 80090326: LdapErr: DSID-0C0904D1, comment: AcceptSecurityContext error, data 57, v1772
Note: I am using Active Directory. And I believe that my cyrus-sasl installation is good.
I searched a lot but couldn't find the proper documentation for this. Do I have to fill up cred.bv_val differently while using DIGEST-MD5? Is there an OpenLDAP API to do that? Can someone explain or point me to the right documentation?
Thanks and Regards, Shankar
On 22/07/10 18:10 +0530, Shankar Anand R wrote:
I searched a lot but couldn't find the proper documentation for this. Do I have to fill up cred.bv_val differently while using DIGEST-MD5? Is there an OpenLDAP API to do that? Can someone explain or point me to the right documentation?
See the man page for ldap_sasl_interactive_bind_s(), in which you provide a callback function for providing the sasl realm, authc identity, password, and authz identity.
Also see doc/programming.html in the cyrus sasl source for discussion of interactions, and plugins/ldapdb.c for a working example.
On Fri, Jul 23, 2010 at 12:10 AM, Dan White dwhite@olp.net wrote:
See the man page for ldap_sasl_interactive_bind_s(), in which you provide a callback function for providing the sasl realm, authc identity, password, and authz identity.
Also see doc/programming.html in the cyrus sasl source for discussion of interactions, and plugins/ldapdb.c for a working example.
Thanks for your help. I will read the doc and the example.
Meanwhile I want to check if I can avoid ldap_sasl_interactive_bind_s(). Wouldn't ldap_sasl_bind_s() work for "DIGEST-MD5"? If it works, I would like to go with it. Can you point out a way to do that?
Thanks and Regards, Shankar
On Fri, Jul 23, 2010 at 9:43 AM, Shankar Anand R shankaranand@gmail.com wrote:
Meanwhile I want to check if I can avoid ldap_sasl_interactive_bind_s(). Wouldn't ldap_sasl_bind_s() work for "DIGEST-MD5"? If it works, I would like to go with it. Can you point out a way to do that?
Can someone point me to a sample program which uses ldap_sasl_bind_s() with "DIGEST-MD5"?
Thanks, Shankar
On 24/07/10 21:18 +0530, Shankar Anand R wrote:
Can someone point me to a sample program which uses ldap_sasl_bind_s() with "DIGEST-MD5"?
The ldapdb.c library that I referred to above is a good example. Any of the OpenLDAP client utilities are also good examples.
You'd do well to steer clear of writing an application which attempts to hard-code a specific mechanism. One of the advantages of the SASL library is that it abstracts a lot of the mechanism-specific details away.
If you write your code using an interactive callback function, then you'll have the ability to support any of the password based mechanisms, which could be selected at runtime.
I configured my squid.conf file to authenticate with OpenLDAP, but my browser keeps asking for the username and password even though I put in the correct username and password.
Here is my squid.conf:

    http_port 3128
    hierarchy_stoplist cgi-bin ?
    acl QUERY urlpath_regex cgi-bin ?
    cache_mem 16 MB
    cache_access_log /var/log/squid/access.log
    request_body_max_size 0
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern . 0 20% 4320
    read_timeout 120 minutes

    auth_param basic program /usr/lib/squid/squid_ldap_auth -b "dc=mycentos,dc=net" -f "uid=%s" -h 127.0.0.1 -D "cn=manager,dc=mycentos,dc=net" -w swi2010 -s one -v 3
    auth_param basic children 5
    auth_param basic realm Squid proxy-caching web server
    auth_param basic credentialsttl 2 hours

    acl all src 0.0.0.0/0.0.0.0
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl webconfig_lan src 192.168.1.0/24
    acl webconfig_to_lan dst 192.168.1.0/24
    acl to_localhost dst 127.0.0.1/255.255.255.255
    acl password proxy_auth REQUIRED

    acl SSL_ports port 443 563
    acl Safe_ports port 80
    acl Safe_ports port 21
    acl Safe_ports port 443 563
    acl Safe_ports port 70
    acl Safe_ports port 210
    acl Safe_ports port 1025-65535
    acl Safe_ports port 280
    acl Safe_ports port 488
    acl Safe_ports port 591
    acl Safe_ports port 777
    acl CONNECT method CONNECT

    http_access allow manager localhost
    http_access deny manager
    http_access deny CONNECT !SSL_ports
    http_access allow localhost password
    http_access allow webconfig_to_lan
    http_access allow webconfig_lan password
    http_access deny all

    http_reply_access allow all
    icp_access allow all

If I run

    /usr/lib/squid/squid_ldap_auth -b "dc=mycentos,dc=net" -f "uid=%s" -h 127.0.0.1 -D "cn=manager,dc=mycentos,dc=net" -w swi2010 -s one -v 3

at the command prompt, it gives an OK message.
On Mon, Jul 26, 2010 at 5:29 PM, OSHIM mhoshim@gmail.com wrote:
    acl all src 0.0.0.0/0.0.0.0
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl webconfig_lan src 192.168.1.0/24
    acl webconfig_to_lan dst 192.168.1.0/24
    acl to_localhost dst 127.0.0.1/255.255.255.255
    acl password proxy_auth REQUIRED

    http_access allow manager localhost
    http_access deny manager
    http_access deny CONNECT !SSL_ports
    http_access allow localhost password
    http_access allow webconfig_to_lan
    http_access allow webconfig_lan password
    http_access deny all
You have defined the acl named "password", but where have you used it?
This is a squid question, not an openldap question.
Cheers Brett
On Mon, Jul 26, 2010 at 8:16 PM, Brett @Google brett.maxfield@gmail.com wrote:
You have defined the acl named "password", but where have you used it?
I would try:

    http_access allow manager localhost
    http_access deny manager
    http_access deny CONNECT !SSL_ports
    http_access allow localhost
    http_access allow webconfig_to_lan
    http_access allow webconfig_lan password
    http_access allow password
    http_access deny all
Cheers Brett
My configuration was OK. I solved the problem; it was a permission issue.
On Jul 24, 2010, at 8:48 AM, Shankar Anand R wrote:
Can someone point me to a sample program which uses ldap_sasl_bind_s() with "DIGEST-MD5"?
Such a program would not be simple and hence is unavailable to the best of my knowledge.
ldap_sasl_bind_s() does not provide any SASL mechanism-specific functionality. It is a low-level facility for sending initial and subsequent LDAP SASL bind requests to the server and obtaining back LDAP SASL bind responses. It is the caller's responsibility to decode the SASL mechanism challenges and produce the SASL mechanism responses.
ldap_sasl_interactive_bind_s() is the high-level facility which does provide SASL mechanism specific functionality for a wide range of SASL mechanisms. If you only want it to do DIGEST-MD5, tell it so.
Note that interactivity implied by the function name is not necessarily with the user, but between the caller and the function. The function expects to be able to interact with the caller as might be required to perform the authentication. Whether the caller translates such interactions into user interactions or responds based on information it otherwise has is up to the caller.
-- Kurt
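To make Kurt's point concrete, and to show why Dan's advice to let the SASL library run the mechanism is sound, here is an added example of what a DIGEST-MD5 client has to compute from a server challenge. It is not code from this thread, from OpenLDAP or from Cyrus SASL; with ldap_sasl_interactive_bind_s() the Cyrus digestmd5 plugin does all of this and the interaction callback only hands it the authname, realm and password. The example uses only the Python standard library. The challenge, user "chris", password "secret", cnonce and digest-uri are the published worked example from RFC 2831 section 4, not values from the poster's environment; for LDAP the digest-uri would be "ldap/<host>". DIGEST-MD5 defines no initial client response, so passing the bare password as cred, as in the original post, sends something the mechanism does not define and still puts the password on the wire in the clear. RFC 6331 has since moved DIGEST-MD5 to Historic status, so the mechanism-agnostic callback approach also makes it easy to switch to something stronger.

```python
"""DIGEST-MD5 (RFC 2831) client-side computation.
Added example; not code from the thread, OpenLDAP or Cyrus SASL."""
import hashlib
import re


def parse_challenge(challenge: bytes) -> dict:
    """Parse a DIGEST-MD5 challenge (or final rspauth message) into a dict.
    Values may be quoted or bare tokens; commas inside quotes are preserved.
    If a key repeats (RFC 2831 allows several realm= entries) the last wins."""
    fields = {}
    pattern = re.compile(r'([A-Za-z0-9_-]+)=("(?:[^"\\]|\\.)*"|[^,]*)')
    for key, value in pattern.findall(challenge.decode("utf-8")):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        fields[key] = value
    return fields


def _hex_md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def _h_a1(user, realm, password, nonce, cnonce, authzid=None) -> str:
    # algorithm=md5-sess: the inner hash is the raw 16-byte digest, not hex.
    inner = hashlib.md5(f"{user}:{realm}:{password}".encode("utf-8")).digest()
    a1 = inner + f":{nonce}:{cnonce}".encode("utf-8")
    if authzid:
        a1 += f":{authzid}".encode("utf-8")
    return _hex_md5(a1)


def digest_md5_response(challenge: bytes, user: str, password: str,
                        digest_uri: str, cnonce: str, nc: int = 1,
                        realm: str = None, authzid: str = None) -> dict:
    """Build the client's digest-response for a DIGEST-MD5 challenge.
    Returns the response hash, the full message to send, and the rspauth the
    server must echo back in its final message (mutual authentication)."""
    ch = parse_challenge(challenge)
    if ch.get("algorithm") != "md5-sess":
        raise ValueError("DIGEST-MD5 requires algorithm=md5-sess")
    qop = "auth"  # auth-int / auth-conf security layers are not shown here
    if qop not in ch.get("qop", "auth").split(","):
        raise ValueError("server does not offer qop=auth")
    realm = realm or ch.get("realm", "")
    nonce = ch["nonce"]
    nc_str = f"{nc:08x}"

    ha1 = _h_a1(user, realm, password, nonce, cnonce, authzid)
    ha2 = _hex_md5(f"AUTHENTICATE:{digest_uri}".encode("utf-8"))
    response = _hex_md5(
        f"{ha1}:{nonce}:{nc_str}:{cnonce}:{qop}:{ha2}".encode("utf-8"))

    # rspauth uses A2 with an empty method, i.e. ":" + digest-uri.
    ha2_rsp = _hex_md5(f":{digest_uri}".encode("utf-8"))
    rspauth = _hex_md5(
        f"{ha1}:{nonce}:{nc_str}:{cnonce}:{qop}:{ha2_rsp}".encode("utf-8"))

    msg = (f'charset=utf-8,username="{user}",realm="{realm}",nonce="{nonce}",'
           f'nc={nc_str},cnonce="{cnonce}",digest-uri="{digest_uri}",'
           f'response={response},qop={qop}')
    if authzid:
        msg += f',authzid="{authzid}"'
    return {"response": response, "message": msg.encode("utf-8"),
            "rspauth": rspauth}


def verify_rspauth(server_final: bytes, expected_rspauth: str) -> bool:
    """Check the server's final 'rspauth=...' message. A mismatch means the
    server did not know the password, or the exchange was tampered with."""
    return parse_challenge(server_final).get("rspauth") == expected_rspauth


# Constructed input: the worked example from RFC 2831 section 4
# (user "chris", password "secret"), so results can be checked against
# the published response and rspauth values.
RFC2831_CHALLENGE = (b'realm="elwood.innosoft.com",nonce="OA6MG9tEQGm2hh",'
                     b'qop="auth",algorithm=md5-sess,charset=utf-8')

if __name__ == "__main__":
    r = digest_md5_response(RFC2831_CHALLENGE, "chris", "secret",
                            "imap/elwood.innosoft.com", "OA6MHXh6VqTrRk")
    print(r["message"].decode())
    print("expected rspauth:", r["rspauth"])
    print(verify_rspauth(b"rspauth=ea40f60335c427b5527b84dbabcdfffd",
                         r["rspauth"]))
```

Two things to take from this when writing the real client: the password never leaves the process (only the MD5-derived response does), and the client must check rspauth in the server's final message, which is what gives DIGEST-MD5 its mutual authentication. Both are handled for you by the Cyrus digestmd5 plugin behind ldap_sasl_interactive_bind_s(); the only thing your code supplies is the values the callback is asked for.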
openldap-technical@openldap.org