RE: fixes for SASL KERBEROS_V4 mechanism (ITS#829)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
| Karsten,
|
| We had a bit of prior discussion regarding this issue. In
| particular, please review:
| http://www.openldap.org/lists/openldap-devel/200007/msg00031.html
| http://www.openldap.org/lists/openldap-devel/200007/msg00039.html
|
| Basically, we suggest compiling Cyrus SASL with
| KRB4_IGNORE_IP_ADDRESS. This works fine unless you desire
| to use security layers.
|
I didn't see that, I'll give it a try. What will be the impact
if I don't use security layers with SASL?
| If you want to use security layers, then, yes, both -lldap
| and slapd need patching. However, as OpenLDAP supports
| multiple protocol families and Cyrus SASL only supports
| AF_INET, special care must be taken.
|
I tried ldapi:/// and it was working fine:
% ldapsearch -H ldapi:/// -Y KERBEROS_V4 -b "ou=Accounts,o=DESY,c=DE" "uid=martin"
SASL/KERBEROS_V4 authentication started
SASL username: kuenne
SASL SSF: 56
SASL installing layers
version: 2
.....
Which other protocol families does OpenLDAP support? Probably IPv6, which
I can't test because Sol 7 doesn't have it. But, anyway, I'll recompile
SASL as you suggested and see how this works.
BTW: GSSAPI does NOT work with ldapi:/// (with and without my changes), it
always ends up with ("-d -1" given):
....
ldap_msgfree
sasl_client_start: -15
ldap_perror
ldap_sasl_interactive_bind_s: Unknown authentication method
The -15 is SASL_TOOWEAK which confuses me a little bit.
Karsten.
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>
Comment: A Comment
iQA/AwUBOeWuSmZXcs8ggResEQLsuwCgyUOyPR6m3/G3pp9hthoCwnUu2AgAoK0R
u9auh9P2VufztgWGJwBOT1km
=gObr
-----END PGP SIGNATURE-----