PTS & LDAP Take 3
Tim Pushor
timp at crossthread.com
Mon Jan 19 00:04:01 EST 2004
Igor Brezac wrote:
>You could use ldap_whoami() instead of the first query.
Where does that come from?
>>>You do not need to do anything with this. The identifier is passed to pts
>>>for canonicalization, the group is not validated.
>>I don't see this in ldap.c. The identifier group:xxx gets passed into
>>pts as the identifier and rejected by the canonicalizer because of the
>>colon. So the canonicalized identifier is null throughout the rest of the
>>code. I don't see a test for group: anywhere (or in afskrb.c either).
>>So assuming that we just want to make sure that the group name is valid,
>>and that the canonicalizer should be fixed to recognize group:xxx
>>syntax, what then am I supposed to do with it? Returning NULL seems to Do
>>Bad Things, and I don't see an entry for canonicalized group in the
>>auth_state struct..
>
>Have you tried to step through the program with gdb or other debugger?
No, ldap.c doesn't work for me at all. If there are no memberOf
attributes, it dies and user authentication fails (!). I guess I could
set up a test user and step through it, but I did see what was happening
at least in my adaptation of ldap.c. Canonicalization (of a group) was
returning null because of the colon. So what use is it? There are enough
unknowns that I would like to get cleared up if at all possible. I was
hoping someone from CMU would be able to help advise.
Thanks,
Tim