[PATCH] wldap32: log in with the authentication name instead of the authorization name - wine-devel - winehq.org

List overview All Threads

[PATCH] wldap32: log in with the authentication name instead of the authorization name

[PATCH 1/7] mf/tests: Use...

[PATCH v2 2/2] gdi32: Create a...

Damjan Jovanovic

27 Jan 2021 27 Jan '21

3:26 p.m.

Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=50572 Signed-off-by: Damjan Jovanovic damjan.jov@gmail.com --- dlls/wldap32/bind.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)

Attachments:

0001-wldap32-log-in-with-the-authentication-name-instead-of.txt (text/plain — 535 bytes)

Show replies by date

Dmitry Timoshkov

27 Jan 27 Jan

4:22 p.m.

Damjan Jovanovic damjan.jov@gmail.com wrote:

At the time I wrote this code I also tested it, and the callback was called with SASL_CB_USER. Perhaps it depends on something else, I'd suggest to use both IDs to return user name instead of preferring one to another.

-- Dmitry.

Hans Leidekker

29 Jan 29 Jan

9:26 a.m.

On Wed, 2021-01-27 at 19:22 +0300, Dmitry Timoshkov wrote: Damjan Jovanovic damjan.jov@gmail.com wrote:

At the time I wrote this code I also tested it, and the callback was called with SASL_CB_USER. Perhaps it depends on something else, I'd suggest to use both IDs to return user name instead of preferring one to another.

Hans Leidekker

9:35 a.m.

On Wed, 2021-01-27 at 19:22 +0300, Dmitry Timoshkov wrote:

SASL_CB_USER is called (at least for the mechanisms I tested: GSSAPI and GSS-SPNEGO), but they depend on the callback returning an error. SASL_CB_USER is documented to specify a proxy username, which is only supported by the PLAIN mechanism AFAICT.

So I think Damjan's patch is correct.

Dmitry Timoshkov

10:11 a.m.

Hans Leidekker hans@codeweavers.com wrote:

The patch would definitely break the Kerberos authentication via GSSAPI, as I mentioned already I tested this when I wrote the code, and with GSSAPI SASL backend I got SASL_CB_USER in the callback, and returning failure from the callback breaks the AD authentication.

-- Dmitry.

Hans Leidekker

10:57 a.m.

Here it's the other way around. Without the patch:

0024:trace:adsldp:openobj_OpenDSObject host L"win-sk40a5tr70v.test.local", port 0, object L"rootDSE" 0024:trace:wldap32:ldap_initW (L"win-sk40a5tr70v.test.local", 0) 0024:trace:wldap32:ldap_set_optionW (0x1a4550, 0x00000011, 0x31b980) 0024:trace:wldap32:ldap_connect (0x1a4550, (nil)) 0024:trace:wldap32:ldap_bind_sW (0x1a4550, (null), 0x31b984, 0x00000486) 0024:trace:wldap32:sasl_interact 0x7d694cc0,00000002,0x31b8b8,0x7d68a6b0 0024:trace:wldap32:sasl_interact sasl->id = 4001 0024:trace:adsldp:openobj_OpenDSObject ldap_bind_sW error 0x31 0024:trace:wldap32:WLDAP32_ldap_unbind (0x1a4550)

With the patch:

0024:trace:adsldp:openobj_OpenDSObject host L"win-sk40a5tr70v.test.local", port 0, object L"rootDSE" 0024:trace:wldap32:ldap_initW (L"win-sk40a5tr70v.test.local", 0) 0024:trace:wldap32:ldap_set_optionW (0x1a4588, 0x00000011, 0x31b980) 0024:trace:wldap32:ldap_connect (0x1a4588, (nil)) 0024:trace:wldap32:ldap_bind_sW (0x1a4588, (null), 0x31b984, 0x00000486) 0024:trace:wldap32:sasl_interact 0x7d382980,00000002,0x31b8b8,0x7d378370 0024:trace:wldap32:sasl_interact sasl->id = 4001 0024:trace:wldap32:sasl_interact 0x7d382980,00000002,0x31b8b8,0x7d37ceb0 0024:trace:wldap32:sasl_interact sasl->id = 4001 0024:trace:wldap32:ldap_search_sW (0x1a4588, (null), 0x00000000, L"(objectClass=*)", 0x31b8f0, 0x00000000, 0x31b8e8)

Same results if I force it to use GSSAPI.

1569

Age (days ago)

1571

Last active (days ago)

wine-devel@winehq.org

5 comments

3 participants

tags (0)

participants (3)

Damjan Jovanovic
Dmitry Timoshkov
Hans Leidekker