Re: setting max ssf with ldap_set_option

[Howard Chu <hyc@symas.com>]

Ken Dreyer wrote:
> I have a small LDAP utility (msktutil) that talks to Active Directory
> using GSSAPI over TLS. I'm trying to set the SASL parameter "maxssf"
> to "0" in the code.
>
> I've found that in a recent version of OpenLDAP (2.4.24), modifying
> LDAP_OPT_X_SASL_SSF_MAX with ldap_set_option() has no effect. The
> basic code is
>
> sasl_ssf_t max_ssf = 0;
> printf( "setting max ssf to %d\n", max_ssf );
> ldap_set_option(ld, LDAP_OPT_X_SASL_SSF_MAX,&max_ssf)
>
> Subsequent ldap_get_option() calls show that the value is not
> changing, as does the output when I bind with
> ldap_sasl_interactive_bind_s(). I would at the very least expect
> ldap_set_option() to return something other than LDAP_OPT_SUCCESS
> here. Am I hitting a bug in OpenLDAP, or am I really off track ?  :)

Read the ldap_get_option(3) manpage. You're using the wrong variable type.

> I've attached a small test case (gcc -o test test.c  -lldap -llber).
> This works as I expect in both 2.3.43 and 2.4.23, and fails in 2.4.24.
>
> RHEL5: openldap-2.3.43-12.el5_6.7
> ./test
> LDAP_OPT_X_SASL_SSF_MAX before setting = 2147483647
> setting max ssf to 0
> LDAP_OPT_X_SASL_SSF_MAX after setting = 0
>
>
> RHEL6: openldap-2.4.23-15.el6_1.1.x86_64
> ./test
> LDAP_OPT_X_SASL_SSF_MAX before setting = 2147483647
> setting max ssf to 0
> LDAP_OPT_X_SASL_SSF_MAX after setting = 0
>
>
> Fedora 15: openldap-2.4.24-3.fc15.i686
> ./test
> LDAP_OPT_X_SASL_SSF_MAX before setting = 2147483647
> setting max ssf to 0
> LDAP_OPT_X_SASL_SSF_MAX after setting = 2147483647


--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/