
List:       cyrus-sasl
Subject:    Unable to bind twice with the same user using DIGEST-MD5 mech
From:       Bernardo Pastorelli <berpast () hotmail ! com>
Date:       2013-04-18 20:46:44
Message-ID: DUB116-W69C1D51AC61ED21DE9324DACCF0 () phx ! gbl

I created an openldap client that connects to a Microsoft Active Directory server.

The client uses ldap_sasl_interactive_bind_s to verify a user name and password. The mechanism used is DIGEST-MD5.

My client could bind multiple users before unbinding them. If it binds the same user twice, the second bind request fails with a message of invalid credentials.

Looking into the code, I'm under the impression that the problem is related to the reauth_cache.

In more detail, when binding a user for the first time, the digestmd5_client_mech_step function is called once to execute step 1, which does nothing (it simply sets the next step as step 2). Then the function is called a second time to execute step 2, and finally called to execute step 3.

When performing the bind a second time for the same user, digestmd5_client_mech_step is again called to execute step 1. Because the user is cached in the reauth_cache, step 1 executes the function digestmd5_client_mech_step1 (which was not executed in the previous run). This makes the second attempt fail with a message of "invalid credentials".

If I "remove" the cache, the second attempt also works fine.

Does anybody have an idea of why the cache makes the second attempt fail when working with Active Directory?
Is there any way to disable the cache?

Thanks in advance for your help. Regards,
Bernardo
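To make the step sequence in the post concrete, here is an added example, not code from the post or from cyrus-sasl: it computes the DIGEST-MD5 response value defined in RFC 2831 for a first bind (nc=00000001) and for the fast reauthentication (RFC 2831 section 2.2) that the reauth cache exists to support, which reuses the cached server nonce with the nonce count incremented. All names, the realm, the password and both nonces are constructed.

```python
import hashlib
import hmac

def _h(data: bytes) -> bytes:
    return hashlib.md5(data).digest()  # MD5 is what RFC 2831 mandates

def digest_response(user, realm, password, nonce, cnonce, nc, digest_uri,
                    qop="auth", authzid=None, rspauth=False):
    """response-value (or the server's rspauth when rspauth=True), RFC 2831 2.1.2.1."""
    # A1: the inner hash is concatenated as raw bytes, not as hex
    a1 = _h(f"{user}:{realm}:{password}".encode()) + f":{nonce}:{cnonce}".encode()
    if authzid:
        a1 += f":{authzid}".encode()
    # A2: rspauth omits the "AUTHENTICATE" method token
    a2 = ("" if rspauth else "AUTHENTICATE") + f":{digest_uri}"
    if qop in ("auth-int", "auth-conf"):
        a2 += ":" + "0" * 32
    ha1 = hashlib.md5(a1).hexdigest()
    ha2 = hashlib.md5(a2.encode()).hexdigest()
    # KD(HA1, nonce:nc:cnonce:qop:HA2); nc is 8 lowercase hex digits
    return hashlib.md5(f"{ha1}:{nonce}:{nc:08x}:{cnonce}:{qop}:{ha2}".encode()).hexdigest()

# Constructed stand-ins for the AD challenge and the client's own values.
CREDS = dict(user="alice", realm="EXAMPLE.LOCAL", password="s3cret",
             digest_uri="ldap/dc1.example.local")
SERVER_NONCE = "c2VydmVyLW5vbmNlLTE="   # constructed server nonce
CLIENT_CNONCE = "Y2xpZW50LWNub25jZQ=="  # constructed client nonce

def bind_sequence():
    """Two binds of one user: a full exchange, then a fast reauthentication."""
    # First bind (steps 1-3): step 2 answers the fresh challenge with nc=00000001,
    # and the plugin remembers (nonce, cnonce, nc) for this user/server.
    cache = dict(nonce=SERVER_NONCE, cnonce=CLIENT_CNONCE, nc=1)
    first = digest_response(**CREDS, **cache)
    # Second bind: on a cache hit the client does not wait for a challenge; it sends
    # an initial response that reuses the cached nonce with nc incremented.
    cache["nc"] += 1
    second = digest_response(**CREDS, **cache)
    # rspauth is the value the server must return for the client's mutual check;
    # it can only do so if it still recognises the reused nonce.
    rspauth_second = digest_response(**CREDS, **cache, rspauth=True)
    return {"first": first, "second": second,
            "rspauth_second": rspauth_second, "nc": cache["nc"]}

def verify_rspauth(received: str, **kw) -> bool:
    """Client-side check of the server's rspauth, compared in constant time."""
    return hmac.compare_digest(received, digest_response(rspauth=True, **kw))
```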

