
Re: (ITS#4102) ITS 4064 seems to break sasl/gssapi binds to AD

This appears to be a standards conformance issue, see ITS#2994. I don't 
know if the issue has been resolved in the IETF yet, Kurt would have a 
better idea.

kyle_chapman@G1.com wrote:
> Full_Name: kyle chapman
> Version: 2.3.11
> OS: hpux 11iv1
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (69.251.220.181)
>
>
> cyrus sasl 2.1.21
> heimdal 0.7.1 or mit 1.3.6/1.4.2 (wasn't sure what the problem was at first so I
> tried both heimdal and mit)
>
> changes for cyrus.c 1.112.2.6 to 1.112.2.7 (from ITS #4064) break sasl/gssapi
> binds to AD (vers 2.3.8 and up, at least for me).  If I roll back to 1.112.2.6
> in 2.3.11, everything builds ok and ldapsearch/sasl/gssapi to AD work.  I tried
> this on solaris 9, hpux 11iv1, aix 5.2, all with the same results.  Looking at
> the diff, there is memory cleanup as well as some changes to checking the values
> provided by scred following a call to ldap_sasl_bind_s.  Adding back in the mem
> cleanup and the first reorder of the if statements and rebuilding, sasl/gssapi
> still works.
> Changing the second if statement results in (this change is after seeing if the
> rc and saslrc are OK):
>
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
>
> In the older if statement, (scred && scred->bv_len) evaluates to false, and
> LDAP_LOCAL_ERROR is not returned.
> With the change, (scred) evaluates to true and LDAP_LOCAL_ERROR is set, which is why
> I see the failure.
>
> Debug output from ldapsearch (for working/non-working runs) is available, but
> has some names/IPs I would need to edit if needed...
>


-- 
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/
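The two checks the report contrasts, as an added illustration that is not OpenLDAP's cyrus.c: a minimal model of the post-bind server-credential test under the old and new conditions (the struct layout, the function names and the sample credentials are assumptions), showing why a zero-length but non-NULL credential passes the old check and trips the new one.

```c
#include <stdio.h>

#define LDAP_SUCCESS      0
#define LDAP_LOCAL_ERROR  (-2)   /* the "Local error (-2)" in the report's output */

/* Minimal stand-in for LDAP's struct berval (assumption: only the two
 * fields the check touches are modelled). */
struct berval {
    unsigned long bv_len;
    char *bv_val;
};

/* Old condition, as the report describes cyrus.c 1.112.2.6: a leftover
 * server credential is only treated as an error when it carries bytes. */
int old_check(const struct berval *scred)
{
    if (scred && scred->bv_len)
        return LDAP_LOCAL_ERROR;
    return LDAP_SUCCESS;
}

/* New condition, as the report describes 1.112.2.7: any non-NULL
 * credential, even a zero-length one, is treated as an error. */
int new_check(const struct berval *scred)
{
    if (scred)
        return LDAP_LOCAL_ERROR;
    return LDAP_SUCCESS;
}

/* Constructed credential shapes for the final bind response; the empty,
 * non-NULL one is what the report attributes to AD. */
static struct berval empty_cred   = { 0, "" };
static struct berval present_cred = { 5, "token" };

int main(void)
{
    const struct berval *cases[] = { NULL, &empty_cred, &present_cred };
    const char *names[] = { "NULL", "empty (bv_len 0)", "non-empty" };
    for (int i = 0; i < 3; i++)
        printf("%-18s old=%d new=%d\n", names[i],
               old_check(cases[i]), new_check(cases[i]));
    return 0;
}
```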