0
votes

Using C code I am trying to bind to an LDAP server using GSSAPI/SASL on a Debian stretch server.

I initialize a Kerberos credentials cache and then make the location of that cache known to the LDAP calls using the environment variable KRB5CCNAME. Here is the code:

#include <stdio.h>
#include <stdlib.h>   /* putenv() */
#include <ldap.h>
#include <krb5.h>
#define CACHE_NAME "MEMORY:ldapconnect"

int code;   /* return code of the LDAP calls below */

/* SASL interaction callback (an LDAP_SASL_INTERACT_PROC), defined elsewhere */
int ad_interact_sasl(LDAP *ld, unsigned flags, void *defaults, void *interact);

/* Set up Kerberos credentials cache in CACHE_NAME */
[... omitted to save space ...]

/* Create LDAP object */
char *ldapuri = "ldap://ldap.example.com";
LDAP *ld = NULL;
code = ldap_initialize(&ld, ldapuri);

/* Make the LDAP object be version 3 */
int option = LDAP_VERSION3;
code = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &option);

/* Set the environment variable KRB5CCNAME to CACHE_NAME so the GSSAPI
   library looks for the ticket there (the string literal has static
   storage, so putenv() may keep the pointer) */
putenv((char *) "KRB5CCNAME=" CACHE_NAME);

/* Do the LDAP bind using SASL */
code = ldap_sasl_interactive_bind_s(ld, NULL, "GSSAPI", NULL, NULL,
                                    LDAP_SASL_QUIET, ad_interact_sasl,
                                    NULL);
if (code != LDAP_SUCCESS)
    fprintf(stderr, "SASL bind failed: %s\n", ldap_err2string(code));

If I change CACHE_NAME to FILE:/tmp/ldapconnect it works. It is only when CACHE_NAME uses MEMORY: that it fails.

For reasons including security and simplicity I want to use a MEMORY: cache type, but I can't get the above to work except with a FILE: cache type.

The relevant libraries I am using:

# debian stretch
libldap-2.4-2      2.4.44+dfsg-5+deb9u2
libsasl2-2         2.1.27~101-g0780600+dfsg-3
libkrb5-26-heimdal 7.5.0+dfsg-2.1
1
Perhaps the value is being overridden by the system default credential cache variable. You need to find it and comment it out. This may be of use to you: web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html – T-Heron

Looks like you are using a "Heimdal" implementation of Kerberos -- does it support the same types of cache as the "MIT" implementation? And the same syntax? – Samson Scharfrichter

1 Answer

0
votes

It turns out that the code I am using calls a library from the libsasl2-modules-gssapi-heimdal package. However, in Debian stretch, this package is broken: it was built against the MIT libraries rather than the Heimdal libraries, thereby defeating the package's purpose.

To get around this issue I built a local version of libsasl2-modules-gssapi-heimdal using the solution at Debian Bug #880393: libsasl2-modules-gssapi-heimdal seems built against MIT.
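A quick way to detect the mismatch the answer describes before rebuilding anything is to inspect what the SASL GSSAPI plugin is actually linked against. The script below is an added example, not code from the question or answer; it assumes the Debian amd64 plugin directory /usr/lib/x86_64-linux-gnu/sasl2 and the Debian sonames libgssapi_krb5.so.2 / libkrb5.so.3 (MIT) and libgssapi.so.3 / libkrb5.so.26 (Heimdal, matching the libkrb5-26-heimdal package listed above).

```shell
#!/bin/sh
# Added example: report which Kerberos implementation a SASL GSSAPI plugin
# links against, so a plugin built against the "wrong" Kerberos (the bug in
# the answer) shows up before any application debugging starts.
# Assumed Debian amd64 plugin directory; override via the environment.
SASL_PLUGIN_DIR="${SASL_PLUGIN_DIR:-/usr/lib/x86_64-linux-gnu/sasl2}"

# classify_ldd: read `ldd` output on stdin, print MIT, Heimdal or unknown.
# MIT:     libgssapi_krb5.so.2 and libkrb5.so.3
# Heimdal: libgssapi.so.3 and libkrb5.so.26
classify_ldd() {
    out=$(cat)
    case "$out" in
        *libgssapi_krb5.so*|*libkrb5.so.3*) echo MIT ;;
        *libgssapi.so.3*|*libkrb5.so.26*)   echo Heimdal ;;
        *)                                   echo unknown ;;
    esac
}

# check_plugin FILE EXPECTED: compare the plugin's Kerberos implementation
# with the one the application is built against; returns 1 on mismatch.
check_plugin() {
    plugin=$1; expected=$2
    impl=$(ldd "$plugin" 2>/dev/null | classify_ldd)
    if [ "$impl" = "$expected" ]; then
        echo "ok: $plugin links against $impl"
        return 0
    fi
    echo "MISMATCH: $plugin links against $impl, application expects $expected"
    return 1
}

# Usage: ./check_sasl_gssapi.sh Heimdal   (or MIT)
# Nothing runs without an argument, so the functions can also be sourced.
if [ -n "${1:-}" ]; then
    status=0
    for p in "$SASL_PLUGIN_DIR"/libgssapiv2.so*; do
        [ -e "$p" ] || { echo "no GSSAPI plugin in $SASL_PLUGIN_DIR"; exit 2; }
        check_plugin "$p" "$1" || status=1
    done
    exit "$status"
fi
```

A non-zero exit means the plugin and the application would pull two different Kerberos libraries into one process, which is exactly the situation in which a MEMORY: cache created by one implementation is invisible to the other.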