[pubcookie-users] Re: LDAP verifier weirdness
Jon Miner
miner at doit.wisc.edu
Thu Feb 9 11:37:08 PST 2006
That is (as far as I know) a bug in the (thoroughly undocumented)
OpenLDAP API. There's nothing in the verifier code that would follow a
referral, and (of course) if there were, it would most definitely
attempt to bind.

You'll see exactly the same behavior with a command-line search using
OpenLDAP's ldapsearch.

jon

* Konstantin Ryabitsev (icon at fedoraproject.org) [060208 16:59]:
> Hi, everyone:
>
> Wondering if anyone ran into this problem. I have figured out the way to
> do LDAP-flavour authN against AD, but it seems that the way the query is
> structured, openldap gets itself into a state of confusion over references.
>
> Lemme explain:
>
> 1. verify_ldap successfully binds to campus.mcgill.ca
> 2. verify_ldap issues a query for (cn=username)
> 3. our AD returns the data, but it also returns, after the results:
> # search reference
> ref: ldap://DomainDnsZones.campus.MCGILL.CA/DC=DomainDnsZones,DC=campus,DC=MCGILL,DC=CA
> 4. openldap then tries to bind, *anonymously* to
> DomainDnsZones.campus.mcgill.ca to perform the same (cn=username) query
> 5. DomainDnsZones returns "operation error" because it won't accept
> anonymous binds
> 6. pubcookie gets the "operation error" and returns "authentication failed."
>
> It seems that following the reference is what causes the authentication
> to fail, even though all the data from (cn=username) is returned during
> the first query.
>
> Question: Is there a way to tell openldap not to follow the ref:
> returned in the query, and just process the results returned?
>
>
> --
> Konstantin Ryabitsev
> McGill University WSG
>
> Niska: "Do you know the writings of Shan Yu?"
> Mal: "You starting a book club."
> --Episode #10, "War Stories"
--
.Jonathan J. Miner------------------Division of Information Technology.
|miner at doit.wisc.edu University Of Wisconsin - Madison|
|608/262.9655 Room 3146 Computer Science|
`---------------------------------------------------------------------'
As far as anyone knows we're a nice, normal family.
-- Homer Simpson
There's No Disgrace Like Home
(354/719)
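
An added example, not part of the original thread or of pubcookie's code: a small parser that separates the entries in `ldapsearch` output from the trailing search references, so you can see which hosts a referral-chasing client would go on to contact. The sample output is constructed; only the reference URL comes from the quoted message, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed ldapsearch output: the entry is made up; the reference URL is the
# one quoted in the thread, folded the way LDIF wraps long lines.
SAMPLE = """\
# jdoe, Users, campus.MCGILL.CA
dn: CN=jdoe,CN=Users,DC=campus,DC=MCGILL,DC=CA
cn: jdoe

# search reference
ref: ldap://DomainDnsZones.campus.MCGILL.CA/DC=DomainDnsZones,DC=campus,DC=MCG
 ILL,DC=CA

# search result
search: 2
result: 0 Success
"""

def unfold(text):
    """Join LDIF continuation lines (a line that starts with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def split_results(text):
    """Return (entry DNs, referral URLs, result line) from ldapsearch output."""
    dns, refs, result = [], [], None
    for line in unfold(text):
        key, sep, value = line.partition(": ")
        if line.startswith("#") or not sep:
            continue  # comment, blank line, or something that is not "key: value"
        if key == "dn":
            dns.append(value)
        elif key == "ref":
            refs.append(value)
        elif key == "result":
            result = value
    return dns, refs, result

def referral_hosts(refs):
    """Hosts a referral-chasing client would contact (lowercased, de-duplicated)."""
    return sorted({h for h in (urlsplit(u).hostname for u in refs) if h})
```

In libldap, automatic referral chasing is controlled by the `LDAP_OPT_REFERRALS` option (`ldap_set_option` with `LDAP_OPT_OFF`); whether that changes the behaviour described in this thread is not established on this page.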