Re: [Heimdal PATCH] LDAP backend support for OpenLDAP 2.1.x
On Sun, 2003-05-25 at 19:29, Luke Howard wrote:
>
> You need the SASL EXTERNAL bind patch to use with 2.1.x, and a
> recent version of 2.1.x that supports EXTERNAL for ldapi://.
>
> Here's an (untested) patch:
>
> Index: hdb-ldap.c
> ===================================================================
> RCS file: /home/project/cvs/heimdal/lib/hdb/hdb-ldap.c,v
> retrieving revision 1.1.1.2
> retrieving revision 1.5
> diff -u -r1.1.1.2 -r1.5
> --- hdb-ldap.c 2002/09/11 03:30:03 1.1.1.2
> +++ hdb-ldap.c 2003/05/26 00:27:52 1.5
> @@ -32,7 +32,7 @@
>
> #include "hdb_locl.h"
>
> -RCSID("$Id: hdb-ldap.c,v 1.1.1.2 2002/09/11 03:30:03 lukeh Exp $");
> +RCSID("$Id: hdb-ldap.c,v 1.5 2003/05/26 00:27:52 lukeh Exp $");
>
> #ifdef OPENLDAP
>
> @@ -953,6 +953,7 @@
> static krb5_error_code LDAP__connect(krb5_context context, HDB * db)
> {
> int rc, version = LDAP_VERSION3;
> + struct berval authzid = { 0, NULL };
>
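Review bot: the initializer `struct berval authzid = { 0, NULL };` in the LDAP__connect hunk leaves bv_val NULL, and as the reply below reports, OpenLDAP 2.1.17 and later treat a berval with a NULL bv_val as an absent credential, so the EXTERNAL bind request goes out without the empty credentials octet string (the trailing 0x04 0x00) and the server answers with "SASL bind in progress". Initialize it as `struct berval authzid = { 0, "" };` so that a zero-length credential is actually encoded. The hunk header promises seven lines but the quote stops after the declaration, so the call that passes authzid is not visible here; the same check applies wherever it is consumed.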
Hi Luke!
Try your patch with OpenLDAP 2.1.17 or higher and you will get a "SASL
bind in progress" message from the kadmin console.
The problem is that there was a change in OpenLDAP 2.1.17 in which the
berval structure you are filling is considered a NULL credential.
So there will be 2 bytes missing in the SASL EXTERNAL request (these
are the bytes 0x04 0x00). They stand for an empty octet string for the
SASL mechanism:
ldap_read: want=9, got=9
  0000:  30 18 02 01 01 60 13 02 01                          0....`...
ldap_read: want=17, got=17
  0000:  03 04 00 a3 0c 04 08 45  58 54 45 52 4e 41 4c 04   .......EXTERNAL.
  0010:  00                                                 .
So SASL will complain that the credential info is not provided, and
will return a "SASL bind in progress" message!!!!
So you need to initialize the berval structure like this:
> + struct berval authzid = { 0, "" };
Greetings.
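To make the wire-level difference concrete, here is an added example (not code from the mail, from Heimdal or from OpenLDAP) that BER-encodes an LDAPv3 SASL EXTERNAL BindRequest per RFC 4511 both with an empty credentials octet string and with the credentials omitted, and decodes the result back into its fields. The 26-byte TRACE_BYTES constant is the ldap_read dump quoted above, reassembled by hand; the function and field names are this example's own.

```python
"""BER encoding of an LDAPv3 SASL EXTERNAL BindRequest (RFC 4511).

Shows the two bytes (0x04 0x00, an empty OCTET STRING) that separate a bind
carrying zero-length credentials from a bind carrying no credentials at all.
"""
from typing import Optional

# The ldap_read trace quoted in the mail, joined into one byte string
# (constructed here from the hex dump; 9 + 17 = 26 bytes).
TRACE_BYTES = bytes.fromhex(
    "30 18 02 01 01 60 13 02 01 03 04 00 a3 0c"
    "04 08 45 58 54 45 52 4e 41 4c 04 00"
)


def ber_len(n: int) -> bytes:
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value


def sasl_bind_request(msg_id: int, mechanism: bytes,
                      credentials: Optional[bytes], name: bytes = b"") -> bytes:
    """Build LDAPMessage { messageID, BindRequest { 3, name, sasl [3] {...} } }.

    credentials=b""  -> SaslCredentials carries an empty OCTET STRING (04 00).
    credentials=None -> the OPTIONAL credentials element is omitted entirely,
                        which is what a berval with a NULL bv_val produces.
    """
    sasl = tlv(0x04, mechanism)                 # mechanism LDAPString
    if credentials is not None:
        sasl += tlv(0x04, credentials)          # credentials OCTET STRING OPTIONAL
    bind = (tlv(0x02, bytes([3]))               # version INTEGER 3
            + tlv(0x04, name)                   # name LDAPDN (empty for EXTERNAL)
            + tlv(0xA3, sasl))                  # AuthenticationChoice sasl [3]
    return tlv(0x30, tlv(0x02, bytes([msg_id])) # LDAPMessage SEQUENCE
                     + tlv(0x60, bind))         # BindRequest [APPLICATION 0]


def ber_read(data: bytes, pos: int = 0):
    """Read one TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                           # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length


def ber_children(value: bytes):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = ber_read(value, pos)
        out.append((tag, val))
    return out


def decode_sasl_bind_request(msg: bytes) -> dict:
    """Decode a SASL BindRequest; 'credentials' is None when the element is absent."""
    tag, body, _ = ber_read(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    (id_tag, msg_id), (op_tag, op) = ber_children(body)
    if id_tag != 0x02 or op_tag != 0x60:
        raise ValueError("not a BindRequest")
    (_, version), (_, name), (auth_tag, auth) = ber_children(op)
    if auth_tag != 0xA3:
        raise ValueError("not a SASL bind")
    fields = ber_children(auth)
    return {
        "message_id": int.from_bytes(msg_id, "big"),
        "version": int.from_bytes(version, "big"),
        "name": name.decode(),
        "mechanism": fields[0][1].decode(),
        "credentials": fields[1][1] if len(fields) > 1 else None,
    }


if __name__ == "__main__":
    with_creds = sasl_bind_request(1, b"EXTERNAL", b"")
    without = sasl_bind_request(1, b"EXTERNAL", None)
    print("trace matches encoding with empty creds:", with_creds == TRACE_BYTES)
    print("bytes dropped when creds omitted:", len(with_creds) - len(without))
    print(decode_sasl_bind_request(with_creds))
    print(decode_sasl_bind_request(without))
```

The first encoding reproduces the quoted trace byte for byte; the second is two bytes shorter because the trailing `04 00` is gone, and a decoder that requires a credentials element will see nothing to hand to the EXTERNAL mechanism.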