Unable to bind twice with the same user using DIGEST-MD5 mech

Bernardo Pastorelli berpast at hotmail.com
Thu Apr 18 16:46:44 EDT 2013


I created an openldap client that connects to a Microsoft Active Directory server.

The client uses ldap_sasl_interactive_bind_s to verify a user name and password. The mechanism used is DIGEST-MD5.

My client can bind multiple users before unbinding them. If it binds the same user twice, the second bind request fails with an "invalid credentials" message.

Looking into the code, I'm under the impression that the problem is related to the reauth_cache.

In more detail: when binding a user for the first time, the digestmd5_client_mech_step function is called once to execute step 1, which does nothing (it simply sets the next step to step 2). The function is then called a second time to execute step 2, and finally called to execute step 3.

When performing the bind a second time for the same user, digestmd5_client_mech_step is again called to execute step 1. Because the user is cached in the reauth_cache, step 1 executes the function digestmd5_client_mech_step1 (which was not executed in the previous run). This makes the second attempt fail with an "invalid credentials" message.

If I "remove" the cache, also the second attempt works fine.

Does anybody have an idea why the cache makes the second attempt fail when working with Active Directory?
Is there any way to disable the cache?

Thanks in advance for your help. Regards,
Bernardo
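As an added illustration (this is not code from cyrus-sasl, OpenLDAP or the poster), the following Python model shows the two client paths described in the post: a fresh bind that waits for the server challenge, and the cached "subsequent authentication" path of RFC 2831 section 2.2 that reuses the stored nonce and cnonce, bumps the nonce-count and sends a response as the client's first message. The response computation follows RFC 2831 and is checked against the RFC's own worked example. The DigestServer and DigestClient classes, the reauth_cache layout, the keeps_nonce_state flag, the realm and the sample credentials are all assumptions made here for the demonstration; in particular, modelling the failing server as one that forgets a nonce after a single use is an assumption, not a diagnosis of what Active Directory does.

```python
"""Model of DIGEST-MD5 (RFC 2831) initial authentication versus the cached
subsequent-authentication path, to illustrate the double-bind failure.
Added example; not cyrus-sasl or OpenLDAP code. All classes, field names and
sample credentials below are constructed for illustration."""
import hashlib
import hmac
import os


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def _md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def digest_md5_response(user, realm, password, nonce, cnonce, nc, digest_uri, qop="auth"):
    """response-value per RFC 2831 section 2.1.2.1 (no authzid)."""
    # A1 starts with the raw 16-byte MD5 of user:realm:password, not its hex form.
    a1 = _md5(f"{user}:{realm}:{password}".encode()) + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    if qop != "auth":
        a2 += b":00000000000000000000000000000000"
    kd_input = f"{_md5hex(a1)}:{nonce}:{nc:08x}:{cnonce}:{qop}:{_md5hex(a2)}".encode()
    return _md5hex(kd_input)


class DigestServer:
    """Minimal verifier (assumed design). keeps_nonce_state=False models a
    server that forgets a nonce once it has been used, so it cannot accept a
    subsequent authentication that reuses that nonce."""

    def __init__(self, realm, users, keeps_nonce_state=True):
        self.realm = realm
        self.users = users                  # username -> cleartext password (constructed)
        self.keeps_nonce_state = keeps_nonce_state
        self.nonces = {}                    # nonce -> highest nonce-count accepted so far

    def challenge(self):
        nonce = os.urandom(16).hex()
        self.nonces[nonce] = 0
        return nonce

    def verify(self, msg):
        """msg is the client's digest-response as a dict; True on success."""
        password = self.users.get(msg["username"])
        last_nc = self.nonces.get(msg["nonce"])
        nc = int(msg["nc"], 16)
        if password is None or last_nc is None or nc != last_nc + 1:
            return False                    # unknown user, unknown/forgotten nonce, or replayed nc
        expected = digest_md5_response(msg["username"], self.realm, password, msg["nonce"],
                                       msg["cnonce"], nc, msg["digest-uri"], msg["qop"])
        if not hmac.compare_digest(expected, msg["response"]):
            return False                    # this is the "invalid credentials" outcome
        if self.keeps_nonce_state:
            self.nonces[msg["nonce"]] = nc  # next bind may continue with nc+1 on this nonce
        else:
            del self.nonces[msg["nonce"]]   # nonce is single-use on this server
        return True


class DigestClient:
    """Client with an optional reauth cache keyed like cyrus-sasl's by user and
    target (assumed layout: (user, digest_uri) -> [nonce, cnonce, nc])."""

    def __init__(self, use_reauth_cache=True):
        self.use_reauth_cache = use_reauth_cache
        self.reauth_cache = {}

    def _message(self, user, realm, password, nonce, cnonce, nc, digest_uri):
        return {"username": user, "nonce": nonce, "cnonce": cnonce, "nc": f"{nc:08x}",
                "qop": "auth", "digest-uri": digest_uri,
                "response": digest_md5_response(user, realm, password, nonce, cnonce, nc, digest_uri)}

    def bind(self, server, user, password, digest_uri):
        """Returns (success, path) with path 'cached' (step 1 hit) or 'fresh'."""
        key = (user, digest_uri)
        if self.use_reauth_cache and key in self.reauth_cache:
            # Step 1 with a cache hit: reuse nonce and cnonce, bump nc, and send an
            # initial response without waiting for a new server challenge.
            nonce, cnonce, nc = self.reauth_cache[key]
            self.reauth_cache[key][2] = nc + 1
            msg = self._message(user, server.realm, password, nonce, cnonce, nc + 1, digest_uri)
            return server.verify(msg), "cached"
        nonce = server.challenge()          # step 2: obtain the server challenge
        cnonce = os.urandom(16).hex()
        msg = self._message(user, server.realm, password, nonce, cnonce, 1, digest_uri)
        ok = server.verify(msg)
        if ok and self.use_reauth_cache:
            self.reauth_cache[key] = [nonce, cnonce, 1]
        return ok, "fresh"


def double_bind(server_keeps_nonce_state, use_cache, password="s3cret"):
    """Bind the same user twice; returns ((ok, path), (ok, path))."""
    server = DigestServer("EXAMPLE.LOCAL", {"alice": "s3cret"}, keeps_nonce_state=server_keeps_nonce_state)
    client = DigestClient(use_reauth_cache=use_cache)
    first = client.bind(server, "alice", password, "ldap/dc1.example.local")
    second = client.bind(server, "alice", password, "ldap/dc1.example.local")
    return first, second
```

Against a server that keeps nonce state, the second bind succeeds via the cached path; against one that does not, the very same client fails on the second bind while a client with the cache disabled succeeds both times, which is the pattern the post reports.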