From: <Hea...@dr...> - 2000-09-08 09:58:10
> A bit off topic but still worth a try.
>
> Has anyone had problems with binds to Netscape LDAP servers when upgrading
> from 4.0 to 4.1?
>
> I use PKCS#7 encapsulated signed tokens to bind to a Netscape LDAP server
> with Net::LDAP (non SSL connections) using a custom preop bind plugin.
> The bind operation passes the PKCS#7 object as the binddn (containing a
> digitally signed token and the signing certificate and the base DN of the
> server) and the plaintext token as password. The plugin then uses the
> cert serial no. to find the LDAP entry and cert stored there, decodes the
> signed token, compares it to the plaintext, if all matches then binds as
> that account. Whew!
>
> After upgrading to 4.1 the bind operations fail if there is a Netscape
> console bound to the server and succeed otherwise. I repeat it only
> happens when a console is bound to the server (it took me three days to
> track that down as it was intermittent with no apparent rhyme or reason,
> great when you have 5-6 developers using the same box hey?)
>
> Debug logs show that the bind operation is "lost" by the slapd process and
> the plugin is never called. I'm guessing it is being interpreted as an
> attempt at an SSL connection but thrown away because it doesn't match the
> format expected. There is no error returned.
>
> Only Net::LDAP connections are lost, the same general process with JAVA
> based binding works fine and is accepted by the slapd process as a bind
> and passed to the preop plugin.
>
> Has anyone else come across similar problems? I'm guessing it comes down
> to Netscape enabling SSL connections from their console that has never
> worked properly anyway and is probably using an undocumented interface
> that is screwing this up.
>
> Sorry there is no code with this, the bind is dead simple Net::LDAP bind
> with odd dn=> and password=> fields, so no point. The plugin is C code
> and kind of proprietary so can't post that either...
>
> Thanks in advance,
>
> Heath.
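A guess like the one above (a plaintext bind being treated as an SSL attempt) can be checked against a packet capture by looking at the first bytes the client sends. The following is an added example, not code from the original post: it BER-encodes an LDAP simple BindRequest and classifies the opening bytes of a connection. The DN, the token and the 1500-byte stand-in for the PKCS#7 object are constructed placeholders.

```python
# Added example: constructed inputs, Python standard library only.

def ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value element with a single-byte tag."""
    return bytes([tag]) + ber_len(len(value)) + value

def simple_bind_request(msg_id: int, dn: bytes, password: bytes,
                        version: int = 3) -> bytes:
    """LDAPMessage { messageID, [APPLICATION 0] BindRequest {
    version, name, simple [0] password } }. msg_id must be 1..127 here."""
    bind = tlv(0x02, bytes([version])) + tlv(0x04, dn) + tlv(0x80, password)
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, bind))

def classify_first_bytes(data: bytes) -> str:
    """Label the first bytes a client sends on a new TCP connection."""
    if len(data) < 3:
        return "too-short"
    if data[0] == 0x16 and data[1] == 0x03:
        return "tls-handshake-record"        # content type 22, version 3.x
    if data[0] & 0x80 and data[2] == 0x01:
        return "sslv2-client-hello"          # 2-byte header, msg type 1
    if data[0] == 0x30:
        return "ber-sequence"                # plaintext LDAPMessage
    return "unknown"

def demo() -> dict:
    """Classify constructed samples; a large bind DN forces long-form length."""
    samples = {
        "small_bind": simple_bind_request(1, b"cn=test,o=example", b"token"),
        # Constructed placeholder standing in for a PKCS#7 object as the DN.
        "large_bind": simple_bind_request(1, b"P" * 1500, b"token"),
        "tls_hello": bytes.fromhex("1603010200") + bytes(16),   # constructed
        "sslv2_hello": bytes.fromhex("802e010002") + bytes(16), # constructed
    }
    return {name: (raw[:4].hex(), classify_first_bytes(raw))
            for name, raw in samples.items()}

if __name__ == "__main__":
    for name, (prefix, label) in demo().items():
        print(f"{name:12s} {prefix} {label}")
```

A bind with a DN of that size starts with `30 82` followed by a two-byte length, rather than the `30` plus one-byte length of an ordinary bind, which is the header to look for in the capture.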