RE: fixes for SASL KERBEROS_V4 mechanism (ITS#829)

| We had a bit of prior discussion regarding this issue. In
| particular, please review:
| Basically, we suggest compiling Cyrus SASL with
| KRB4_IGNORE_IP_ADDRESS. This works fine unless you desire
| to use security layers.

I didn't see that, I'll give it a try. What will be the impact
if I don't use security layers with SASL?

| If you want to use security layers, then, yes, both -lldap
| and slapd need patching. However, as OpenLDAP supports
| multiple protocol families and Cyrus SASL only supports
| AF_INET, special care must be taken.

I tried ldapi:/// and it was working fine:

% ldapsearch -H ldapi:/// -Y KERBEROS_V4 -b "ou=Accounts,o=DESY,c=DE"
SASL/KERBEROS_V4 authentication started
SASL username: kuenne
SASL SSF: 56
SASL installing layers

Which other protocol families does OpenLDAP support? Probably IPv6 which
I can't test because Sol 7 doesn't have it. But, anyway, I'll recompile
SASL as you suggested and see how this works.

BTW: GSSAPI does NOT work with ldapi:/// (with and without my changes), it
always ends up with ("-d -1" given):

ldap_sasl_interactive_bind_s: Unknown authentication method

The -15 is SASL_TOOWEAK which confuses me a little bit.