Xu, Qiang (FXSGSC) | 1 Jun 09:54 2009

RE: SASL authentication

Hi, all: 

Sorry to trouble you again, but this time, I have some new findings with Malformed Packet in MozLDAP network trace.

As you can see, the Malformed Packet is in the 2nd round of binding interaction with the server: 
========================================
32	17.839052	13.198.98.107	13.198.98.35	LDAP	bindRequest(1) "<ROOT>" sasl 
33	17.917608	13.198.98.35	13.198.98.107	LDAP	bindResponse(1) saslBindInProgress 
35	17.919333	13.198.98.107	13.198.98.35	LDAP	bindRequest(2) "<ROOT>" [Malformed Packet]
36	17.919637	13.198.98.35	13.198.98.107	LDAP	bindResponse(2) saslBindInProgress 
37	17.920316	13.198.98.107	13.198.98.35	LDAP	bindRequest(3) "<ROOT>" sasl 
38	17.920691	13.198.98.35	13.198.98.107	LDAP	bindResponse(3) success 
========================================
I am not sure if packet 35 is normal or not? After all, it says the packet is malformed.

In contrast, a trace captured with OpenLDAP ldapsearch utility does not have this malformed packet: 
========================================
22	24.805633	13.198.98.35	13.198.98.190	LDAP	bindResponse(1) saslBindInProgress 
28	26.616093	13.198.98.190	13.198.98.35	LDAP	bindRequest(2) "<ROOT>" sasl 
29	26.616459	13.198.98.35	13.198.98.190	LDAP	bindResponse(2) saslBindInProgress 
31	26.616705	13.198.98.190	13.198.98.35	LDAP	bindRequest(3) "<ROOT>" sasl 
32	26.633134	13.198.98.35	13.198.98.190	LDAP	bindResponse(3) success 
========================================
As you know, SASL connection relies on SASL library like libsasl2.so, which depends on OpenLDAP libraries
such as libldap-2.3.so and liblber-2.3.so (this can be verified by "ldd libsasl2.so"). And I am not sure
whether there is some conflict between MozLDAP and OpenLDAP when MozLDAP calls SASL interfaces in
libsasl2.so to do SASL binding.

This aside, when I compare the content of packet 35 in MozLDAP trace and packet 29 in OpenLDAP trace, it is
noted that the MozLDAP packet has extra bytes "04 00" after "mechanism: GSSAPI". These extra bytes are
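Added example, not part of the original message: in BER, `04 00` is a zero-length OCTET STRING, and in an LDAP SaslCredentials sequence the field after `mechanism` is the optional `credentials` OCTET STRING. The Python sketch below decodes two constructed bindRequests (not bytes from the poster's trace), one ending in `04 00` and one without it; all function names are illustrative.

```python
def tlv(tag, value):
    """Encode one short-form BER TLV (value must be under 128 bytes)."""
    return bytes([tag, len(value)]) + value

def read_tlv(buf, pos):
    """Decode one TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def expect(buf, pos, want):
    tag, value, pos = read_tlv(buf, pos)
    if tag != want:
        raise ValueError(f"expected tag {want:#04x}, got {tag:#04x}")
    return value, pos

def decode_sasl_bind(packet):
    """Return message id, mechanism and credentials (None when absent)."""
    msg, _ = expect(packet, 0, 0x30)      # LDAPMessage SEQUENCE
    msgid, pos = expect(msg, 0, 0x02)     # messageID INTEGER
    bind, _ = expect(msg, pos, 0x60)      # [APPLICATION 0] BindRequest
    _, pos = expect(bind, 0, 0x02)        # version
    _, pos = expect(bind, pos, 0x04)      # name (empty DN here)
    sasl, _ = expect(bind, pos, 0xA3)     # [3] SaslCredentials
    mech, pos = expect(sasl, 0, 0x04)     # mechanism
    creds = None
    if pos < len(sasl):                   # credentials OCTET STRING OPTIONAL
        creds, pos = expect(sasl, pos, 0x04)
    return {"id": int.from_bytes(msgid, "big"),
            "mechanism": mech.decode("ascii"), "credentials": creds}

def build_sasl_bind(msgid, mech, creds=None):
    sasl = tlv(0x04, mech) + (tlv(0x04, creds) if creds is not None else b"")
    bind = tlv(0x02, b"\x03") + tlv(0x04, b"") + tlv(0xA3, sasl)
    return tlv(0x30, tlv(0x02, bytes([msgid])) + tlv(0x60, bind))

# Constructed packets for illustration, not bytes from the trace.
WITH_EMPTY = build_sasl_bind(2, b"GSSAPI", b"")  # ends ... 'GSSAPI' 04 00
WITHOUT = build_sasl_bind(2, b"GSSAPI")          # credentials field omitted
```

Both packets decode cleanly here; the only difference is whether `credentials` comes back as an empty byte string or as `None`.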

Rich Megginson | 1 Jun 20:30 2009

Re: SASL authentication

Xu, Qiang (FXSGSC) wrote:
> Hi, all: 
>
> Sorry to trouble you again, but this time, I have some new findings with Malformed Packet in MozLDAP
> network trace.
>
> As you can see, the Malformed Packet is in the 2nd round of binding interaction with the server: 
> ========================================
> 32	17.839052	13.198.98.107	13.198.98.35	LDAP	bindRequest(1) "<ROOT>" sasl 
> 33	17.917608	13.198.98.35	13.198.98.107	LDAP	bindResponse(1) saslBindInProgress 
> 35	17.919333	13.198.98.107	13.198.98.35	LDAP	bindRequest(2) "<ROOT>" [Malformed Packet]
> 36	17.919637	13.198.98.35	13.198.98.107	LDAP	bindResponse(2) saslBindInProgress 
> 37	17.920316	13.198.98.107	13.198.98.35	LDAP	bindRequest(3) "<ROOT>" sasl 
> 38	17.920691	13.198.98.35	13.198.98.107	LDAP	bindResponse(3) success 
> ========================================
> I am not sure if packet 35 is normal or not? After all, it says the packet is malformed.
>
> In contrast, a trace captured with OpenLDAP ldapsearch utility does not have this malformed packet: 
> ========================================
> 22	24.805633	13.198.98.35	13.198.98.190	LDAP	bindResponse(1) saslBindInProgress 
> 28	26.616093	13.198.98.190	13.198.98.35	LDAP	bindRequest(2) "<ROOT>" sasl 
> 29	26.616459	13.198.98.35	13.198.98.190	LDAP	bindResponse(2) saslBindInProgress 
> 31	26.616705	13.198.98.190	13.198.98.35	LDAP	bindRequest(3) "<ROOT>" sasl 
> 32	26.633134	13.198.98.35	13.198.98.190	LDAP	bindResponse(3) success 
> ========================================
> As you know, SASL connection relies on SASL library like libsasl2.so, which depends on OpenLDAP
> libraries such as libldap-2.3.so and liblber-2.3.so (this can be verified by "ldd libsasl2.so"). And I
> am not sure whether there is some conflict between MozLDAP and OpenLDAP when MozLDAP calls SASL
> interfaces in libsasl2.so to do SASL binding.
>

Xu, Qiang (FXSGSC) | 2 Jun 04:12 2009

RE: SASL authentication

> -----Original Message-----
> From: Rich Megginson [mailto:rich.megginson <at> gmail.com] 
> Sent: Tuesday, June 02, 2009 2:30 AM
> To: Xu, Qiang (FXSGSC)
> Cc: Markus Moeller; michael <at> stroeder.com; 
> dev-tech-ldap <at> lists.mozilla.org
> Subject: Re: SASL authentication
> 
> I don't know if it is necessary, but you could use a pastebin 
> to paste your traces, then just email a link to the traces.  
> Mozilla has a pastebin at http://pastebin.mozilla.org/

Just went there to have a look. It is a place to paste code snippets, not file attachments. :-(

Anyway, thanks for your info.
Xu Qiang

Xu, Qiang (FXSGSC) | 3 Jun 09:16 2009

RE: SASL authentication

Hi, all: 

SASL binding is successful, but only for a fixed specific LDAP server. :-(

If the hostname is used for LDAP server, and the hostname is resolved by DNS server to a series of IP addresses
(usually serving as backup servers for the primary one), then there is a possibility of using a TGT for host
A to bind to host B.

For example, I have come across the following situation: 
==========================================================
1610 43.995272	157.55.143.63 157.54.14.162 DNS Standard query A ntdev.corp.test.com
1611 43.996618	157.54.14.162 157.55.143.63 DNS Standard query response A 157.54.80.10 A 172.31.79.153
                        A 172.31.79.151 A 172.31.79.155 A 172.31.79.156 A 157.54.104.75 A 172.31.79.154
                        A 172.31.79.144 A 172.31.79.140 A 172.31.79.142 A 172.31.79.146 A 10.192.150.46
                        A 172.31.79.150 A 172.31.79.143
...
1615 43.999395 157.55.143.63 157.54.14.162 DNS Standard query A ntdev.corp.test.com
1617 44.001772 157.54.14.162 157.55.143.63 DNS Standard query response A 172.31.79.153 A 172.31.79.151
                        A 172.31.79.155 A 172.31.79.156 A 157.54.104.75 A 172.31.79.154 A 172.31.79.144
                        A 172.31.79.140 A 172.31.79.142 A 172.31.79.146 A 10.192.150.46 A 172.31.79.150
                        A 172.31.79.143 A 157.54.80.10
1618 44.002698 157.55.143.63 157.54.14.162 DNS Standard query PTR 75.104.54.157.in-addr.arpa
1619 44.004056 157.54.14.162 157.55.143.63 DNS Standard query response PTR ntdev-dc-04.ntdev.corp.test.com
...
1636 44.017783 157.55.143.63 157.54.80.10 LDAP bindRequest(1) "<ROOT>" sasl
    sasl
        Ticket
            Server Name (Service and Host): ldap/ntdev-dc-04.ntdev.corp.test.com
==========================================================
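Added example, not part of the original message: in the trace above the bind goes to 157.54.80.10, while the ticket names ldap/ntdev-dc-04.ntdev.corp.test.com, the name returned for the PTR query on 157.54.104.75. The Python sketch below flags that mismatch from Wireshark-style summary lines; the function name and regular expressions are illustrative and assume the column layout shown in the message.

```python
import re

# Lines copied from the trace summary in the message above (spacing normalized).
TRACE = """\
1618 44.002698 157.55.143.63 157.54.14.162 DNS Standard query PTR 75.104.54.157.in-addr.arpa
1619 44.004056 157.54.14.162 157.55.143.63 DNS Standard query response PTR ntdev-dc-04.ntdev.corp.test.com
1636 44.017783 157.55.143.63 157.54.80.10 LDAP bindRequest(1) "<ROOT>" sasl
            Server Name (Service and Host): ldap/ntdev-dc-04.ntdev.corp.test.com
"""

PTR_Q = re.compile(r"Standard query PTR ((?:\d+\.){4})in-addr\.arpa")
PTR_R = re.compile(r"Standard query response PTR (\S+)")
BIND = re.compile(r"^(\d+)\s+\S+\s+\S+\s+(\S+)\s+LDAP\s+bindRequest")
SPN = re.compile(r"Server Name \(Service and Host\): ldap/(\S+)")

def spn_mismatches(trace):
    """Return (frame, bind_dst_ip, spn_host, spn_host_ip) for each SASL bind
    whose ticket names a host that reverse DNS tied to a different address."""
    host_ip = {}     # name from a PTR answer -> address that was queried
    queried = None   # address of the most recent PTR query
    bind = None      # (frame number, destination IP) of the latest bindRequest
    hits = []
    for line in trace.splitlines():
        m = PTR_Q.search(line)
        if m:  # in-addr.arpa names carry the octets in reverse order
            queried = ".".join(reversed(m.group(1).rstrip(".").split(".")))
            continue
        m = PTR_R.search(line)
        if m and queried:
            host_ip[m.group(1).lower()] = queried
            continue
        m = BIND.search(line)
        if m:
            bind = (int(m.group(1)), m.group(2))
            continue
        m = SPN.search(line)
        if m and bind:
            host = m.group(1).lower()
            if host in host_ip and host_ip[host] != bind[1]:
                hits.append((bind[0], bind[1], host, host_ip[host]))
    return hits
```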

Rich Megginson | 4 Jun 00:45 2009

mozldap now supports MozillaBuild

I just committed changes to configure and configure.in to allow mozldap 
to be built with the MozillaBuild environment on Windows.  MozillaBuild 
greatly simplifies the task of setting up a reasonable Windows build 
environment including a shell, make, autotools, wget, CVS, ssh, and 
other useful tools, that can also use Windows cl and link, without 
having to cobble together cygwin+nsinstall.exe+other tools and hack the 
paths to make the compilation work.

I've tested this using the latest free Visual Studio on Win2k3 Server.

This page explains how to set up the Windows build environment
https://developer.mozilla.org/En/Developer_Guide/Build_Instructions/Windows_Prerequisites#MozillaBuild

Here is the link to MozillaBuild - 
http://ftp.mozilla.org/pub/mozilla.org/mozilla/libraries/win32/MozillaBuildSetup-1.3.exe

Anton Bobrov | 4 Jun 03:58 2009

Re: mozldap now supports MozillaBuild


MozillaBuild looked kewl so i wanted to give it a try but it fails to
setup the environment on my test instance of Windows Server 2008 Data
center x64 and VS 2005 (8) Pro. start script says that value of 5 is
not what it expects or something along these lines, did not have time
to investigate it but if it rings a bell please let me know.

Rich Megginson wrote:
> I just committed changes to configure and configure.in to allow mozldap 
> to be built with the MozillaBuild environment on Windows.  MozillaBuild 
> greatly simplifies the task of setting up a reasonable Windows build 
> environment including a shell, make, autotools, wget, CVS, ssh, and 
> other useful tools, that can also use Windows cl and link, without 
> having to cobble together cygwin+nsinstall.exe+other tools and hack the 
> paths to make the compilation work.
> 
> I've tested this using the latest free Visual Studio on Win2k3 Server.
> 
> This page explains how to set up the Windows build environment
> https://developer.mozilla.org/En/Developer_Guide/Build_Instructions/Windows_Prerequisites#MozillaBuild
> 
> 
> Here is the link to MozillaBuild - 
> http://ftp.mozilla.org/pub/mozilla.org/mozilla/libraries/win32/MozillaBuildSetup-1.3.exe 

Rich Megginson | 4 Jun 04:12 2009

Re: mozldap now supports MozillaBuild

Anton Bobrov wrote:
> 
> MozillaBuild looked kewl so i wanted to give it a try but it fails to
> setup the environment on my test instance of Windows Server 2008 Data
> center x64 and VS 2005 (8) Pro. start script says that value of 5 is
> not what it expects or something along these lines, did not have time
> to investigate it but if it rings a bell please let me know.

Are you using the start-msvc8.bat script?

I had to hack the start-msvc9.bat script so that it would work with the 
Visual Studio Express Edition (it worked fine with the Expensive 
Edition).  My script is attached.

> 
> Rich Megginson wrote:
>> I just committed changes to configure and configure.in to allow 
>> mozldap to be built with the MozillaBuild environment on Windows.  
>> MozillaBuild greatly simplifies the task of setting up a reasonable 
>> Windows build environment including a shell, make, autotools, wget, 
>> CVS, ssh, and other useful tools, that can also use Windows cl and 
>> link, without having to cobble together cygwin+nsinstall.exe+other 
>> tools and hack the paths to make the compilation work.
>>
>> I've tested this using the latest free Visual Studio on Win2k3 Server.
>>
>> This page explains how to set up the Windows build environment
>> https://developer.mozilla.org/En/Developer_Guide/Build_Instructions/Windows_Prerequisites#MozillaBuild
>>

Anton Bobrov | 4 Jun 17:10 2009

Re: mozldap now supports MozillaBuild


i think i got it working ok now. had to hack guess / start scripts
[ found some helpful advice on mozillazine ] and also it turns out
that msys included with mozillabuild doesn't work with 2008 x64 but
there is rc1 available that works so i had to download and install
it directly under msys folder under mozilla-build. more info here:
http://wiki.mozilla-x86-64.com/MSYS_and_Cygwin_on_x64_(AMD64)

Rich Megginson wrote:
> Anton Bobrov wrote:
>>
>> MozillaBuild looked kewl so i wanted to give it a try but it fails to
>> setup the environment on my test instance of Windows Server 2008 Data
>> center x64 and VS 2005 (8) Pro. start script says that value of 5 is
>> not what it expects or something along these lines, did not have time
>> to investigate it but if it rings a bell please let me know.
> 
> Are you using the start-msvc8.bat script?
> 
> I had to hack the start-msvc9.bat script so that it would work with the 
> Visual Studio Express Edition (it worked fine with the Expensive 
> Edition).  My script is attached.
