
Re: [Heimdal PATCH] LDAP backend support for OpenLDAP 2.1.x



> 
> 
> Alberto Patino <jalbertop@aranea.com.mx> writes:
> 
> > In conclusion, you both are right guys, it is not needed to replace the
> > person objectclass with the OpenLDAPperson objectclass. The hdb-ldap
> > interface works with no changes to the objectclass attribute.
> 
> So, if I understand this correctly, I don't have to do anything, right ?
> 
Well, you do need to patch the hdb-ldap.c file because it has a new call
to do an EXTERNAL SASL mechanism to use the local IPC LDAPI interface
between the kadmin tool and the slapd backend. (The old OpenLDAP release
2.0.x didn't require any bind mechanism to access the LDAP server.) It
was tested with the last OpenLDAP release at the time of this writing
(OpenLDAP 2.1.19). It doesn't work with OpenLDAP 2.1.17 because I think
there was something incorrect in the BER encode/decode routines from
OpenLDAP (the ber_get_next() function).
Moreover this patch is important because people trying to use the LDAP
backend with the latest OpenLDAP releases won't be able to use this
functionality because they wouldn't bind to the OpenLDAP Server.

This is the real good patch. It has the original person objectclass and
just added changes to the LDAP__connect function:



--- heimdal-0.5.2/lib/hdb/hdb-ldap.c	2002-09-04 13:42:22.000000000 -0500
+++ heimdal/lib/hdb/hdb-ldap.c	2003-05-26 12:56:46.000000000 -0500
@@ -32,7 +32,7 @@
 
 #include "hdb_locl.h"
 
-RCSID("$Id: hdb-ldap.c,v 1.10 2002/09/04 18:42:22 joda Exp $");
+RCSID("$Id: hdb-ldap.c,v 1.2 2003/01/21 18:58:28 albertop Exp $");
 
 #ifdef OPENLDAP
 
@@ -953,6 +953,12 @@
 static krb5_error_code LDAP__connect(krb5_context context, HDB * db)
 {
     int rc, version = LDAP_VERSION3;
+    /* Empty credentials to do a SASL bind with LDAP */
+    /* Note that empty different to NULL credentials */
+    /* If you provide NULL credentials instead of empty */
+    /* credentials you will get a SASL bind in progress message! */
+
+    struct berval bv = {0, ""};
 
     if (db->db != NULL) {
 	/* connection has been opened. ping server. */
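Review bot: The four single-line comments above `struct berval bv = {0, ""};` read better as one block comment, and the part worth keeping is the empty-versus-NULL distinction: an empty berval (bv_len 0, bv_val "") completes the EXTERNAL bind, whereas passing NULL credentials produces the "SASL bind in progress" result mentioned in the comment. The placement is fine for C89 since the declaration still precedes the first statement (`if (db->db != NULL)`), but the blank line between the comments and the declaration should go so the comment visibly belongs to `bv`.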
@@ -986,6 +992,14 @@
 	return HDB_ERR_BADVERSION;
     }
 
+    rc = ldap_sasl_bind_s((LDAP *) db->db, NULL, "EXTERNAL", &bv, NULL, NULL, NULL );
+    if (rc != LDAP_SUCCESS) {
+	krb5_set_error_string(context, "ldap_sasl_bind_s: %s", ldap_err2string(rc));
+	ldap_unbind_ext((LDAP *) db->db, NULL, NULL);
+	db->db = NULL;
+	return HDB_ERR_BADVERSION;
+    }
+
     return 0;
 }
 
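Review bot: Returning HDB_ERR_BADVERSION when `ldap_sasl_bind_s` fails is misleading: a failed bind is an authentication or authorization problem, not a protocol-version one, and since `krb5_set_error_string` already reports "ldap_sasl_bind_s: ..." the error code should match that message rather than reuse the one from the `LDAP_OPT_PROTOCOL_VERSION` check above. The bind is also unconditional and hard-codes the EXTERNAL mechanism, so this connect path now assumes an ldapi:// (local IPC) URL on which slapd can map the peer's identity to a DN with write access to the principal entries; that requirement belongs in the hdb-ldap documentation together with the 2.1.x dependency, and a 2.0.x server that never needed a bind will now fail here. The failure cleanup (`ldap_unbind_ext` followed by `db->db = NULL`) is correct and prevents a later call from reusing a half-opened handle.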
@@ -1104,7 +1118,7 @@
 	    ret = asprintf(&dn, "cn=%s,%s", name, db->name);
 	} else {
 	    /* A bit bogus, but we don't have a search base */
-	    ret = asprintf(&dn, "cn=%s", name, db->name);
+	    ret = asprintf(&dn, "cn=%s", name);
 	}
 	if (ret < 0) {
 	    krb5_set_error_string(context, "asprintf: out of memory");
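Review bot: Good catch in the else branch: `asprintf(&dn, "cn=%s", name, db->name)` passed two arguments for a single `%s`, so dropping `db->name` is the right fix. It is unrelated to the SASL bind change, though, so send it as a separate patch with its own description; and the "A bit bogus" comment still applies, because without a search base the resulting `cn=<name>` DN is not anchored under any suffix.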