Full_Name: Norbert Klasen
Version: head
OS: linux
URL:
Submission from: (NULL) (134.2.217.40)


On GSSAPI binds AD sends the BindResponse indicating success with an empty
serverSaslCreds field:

0000 30 18: SEQUENCE {
0006 02 1: INTEGER = 4
0009 61 9: [APPLICATION 1] {
000F 0A 1: ENUM = 0
0012 04 0: STRING = ''
0014 04 0: STRING = ''
0016 87 0: [CONTEXT 7]
0018 : }
0018 : }

However ldap_int_sasl_bind fails on this with LDAP_LOCAL_ERROR. I guess OpenLDAP
expects serverSaslCreds to be absent since this field is optional. My patch checks
if there really is some data in the last serverSaslCreds and only aborts then.

--- libraries/libldap/cyrus.c.orig	Fri Nov 10 11:16:31 2000
+++ libraries/libldap/cyrus.c	Fri Nov 10 11:20:33 2000
@@ -576,7 +576,7 @@
 	if( rc == LDAP_SUCCESS && saslrc == SASL_OK ) {
 		/* we're done, no need to step */
-		if( scred ) {
+		if( scred && (scred->bv_len > 0) ) {
 			/* but server provided us with data! */
 			Debug( LDAP_DEBUG_TRACE,
 				"ldap_int_sasl_bind: rc=%d sasl=%d len=%ld\n",
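Review bot: the new condition `if( scred && (scred->bv_len > 0) )` makes a present-but-empty serverSaslCreds behave like an absent one, which is a deliberate relaxation of the protocol check for interoperability, but the hunk does not show what happens to `scred` once the condition is false: make sure a zero-length value that now skips the error path is still released rather than leaked. Also add a comment on the `if` recording why a zero-length value is tolerated (MS AD returns an empty OPTIONAL serverSaslCreds together with success) so the intent survives later cleanups.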
At 03:44 PM 11/10/00 +0000, klasen@zdv.uni-tuebingen.de wrote:
>Full_Name: Norbert Klasen
>Version: head
>OS: linux
>URL:
>Submission from: (NULL) (134.2.217.40)
>
>
>On GSSAPI binds AD sends the BindResponse indicating success with an empty
>serverSaslCreds field:
>
>0000 30 18: SEQUENCE {
>0006 02 1: INTEGER = 4
>0009 61 9: [APPLICATION 1] {
>000F 0A 1: ENUM = 0
>0012 04 0: STRING = ''
>0014 04 0: STRING = ''
>0016 87 0: [CONTEXT 7]
>0018 : }
>0018 : }
>
>However ldap_int_sasl_bind fails on this with LDAP_LOCAL_ERROR. I guess OpenLDAP
>expects serverSaslCreds to be absent since this field is optional. My patch checks
>if there really is some data in the last serverSaslCreds and only aborts then.

Please note that the presence of an empty OPTIONAL field is not semantically
the same as the absence of the field.
Hi Kurt,

> >OpenLDAP
> >expects serverSaslCreds to be absent since this field is optional. My patch
> >checks
> >if there really is some data in the last serverSaslCreds and only aborts then.
>
> Please note that the presence of an empty OPTIONAL field is not
> semantically the same as the absence of the field.

But is it wrong of AD to send empty serverSaslCreds along with SUCCESS, i.e.,
why should OpenLDAP fail on receiving such a BindResponse?

--
Norbert Klasen
DFN Directory Services                         tel: +49 7071 29 70335
ZDV, Universität Tübingen                      fax: +49 7071 29 5912
Wächterstr. 76, 72074 Tübingen                 http://www.directory.dfn.de
Germany                                        norbert.klasen@zdv.uni-tuebingen.de
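To make the distinction in this exchange concrete (the OPTIONAL [7] serverSaslCreds being absent versus present with zero length), here is an added example that is not part of this ITS thread or of OpenLDAP: a minimal BER reader for a BindResponse. The byte strings are constructed from the structure shown in the dump above with lengths recomputed from their contents, and `creds_rejected_by_client` is a hypothetical model of the client check the patch changes, not libldap code.

```python
# Added example, not OpenLDAP code: decode an LDAP BindResponse with a minimal
# BER reader and tell an absent serverSaslCreds apart from an empty one.

def _tlv(buf, pos):
    """Read one BER TLV at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(msg):
    """Return the fields of an LDAPMessage carrying a BindResponse; serverSaslCreds
    is None when the OPTIONAL [7] field is absent, bytes (possibly b'') if present."""
    tag, body, _ = _tlv(msg, 0)
    assert tag == 0x30, "LDAPMessage must be a SEQUENCE"
    tag, mid, pos = _tlv(body, 0)
    assert tag == 0x02, "messageID must be an INTEGER"
    tag, op, _ = _tlv(body, pos)
    assert tag == 0x61, "expected BindResponse [APPLICATION 1]"
    _, rc, pos = _tlv(op, 0)               # resultCode ENUMERATED
    _, matched, pos = _tlv(op, pos)        # matchedDN
    _, diag, pos = _tlv(op, pos)           # diagnosticMessage
    creds = None
    if pos < len(op):                      # anything left must be serverSaslCreds [7]
        tag, creds, pos = _tlv(op, pos)
        assert tag == 0x87, "unexpected trailing element in BindResponse"
    return {"messageID": int.from_bytes(mid, "big"),
            "resultCode": int.from_bytes(rc, "big"),
            "matchedDN": matched, "diagnosticMessage": diag,
            "serverSaslCreds": creds}


def creds_rejected_by_client(creds, ignore_empty):
    """Hypothetical model of the client check once SASL reports it is done:
    unpatched, any present field is an error (if( scred )); patched, only a
    field carrying data is (scred->bv_len > 0)."""
    if creds is None:
        return False
    return len(creds) > 0 if ignore_empty else True


# Constructed bytes with the structure of the AD response in the report:
# messageID 4, resultCode 0 (success), empty matchedDN and diagnosticMessage,
# and a present but zero-length serverSaslCreds [CONTEXT 7].
AD_RESPONSE = bytes.fromhex("300e 020104 6109 0a0100 0400 0400 8700")
# The same response with the OPTIONAL field omitted entirely.
PLAIN_RESPONSE = bytes.fromhex("300c 020104 6107 0a0100 0400 0400")
```

Feeding both byte strings through `parse_bind_response` shows the decoder returning `b''` for the AD form and `None` for the plain form, which is exactly the difference the unpatched `if( scred )` reacts to.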
changed notes
changed state Open to Test
moved from Incoming to Software Bugs
I've applied a change to HEAD which should improve interoperability with MS AD.
Please test.

Thanks, Kurt
changed state Test to Release
changed notes
changed notes
changed state Release to Closed
moved from Software Bugs to Archive.Software Bugs
fix applied to HEAD
applied to re2.0