[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#4102) ITS 4064 seems to break sasl/gssapi binds to AD

Full_Name: kyle chapman
Version: 2.3.11
OS: hpux 11iv1
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (

cyrus sasl 2.1.21
heimdal 0.7.1 or mit 1.3.6/1.4.2 (wasnt sure what the problem was at first so i
tried both heimdal and mit)

changes for cyrus.c to (from ITS #4064) break sasl/gssapi
binds to AD (vers 2.3.8 and up, at least for me).  if i roll back to
in 2.3.11, everything builds ok and ldapsearch/sasl/gssapi to AD work.  i tried
this on solaris 9, hpux 11iv1, aix 5.2, all with the same results.  looking at
the diff, there is memory cleanup as well as some changes to checking the values
provided by scred following a call to ldap_sasl_bind_s.  adding back in the mem
cleanup and the first reorder of the if statements and rebuilding, sasl/gssapi
still works.  
changing the second if statement results in (this change is after seeing if the
rc and saslrc are OK):

SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)

in the older if statement, (scred && scred->bv_len) evaluates to false, and
LDAP_LOCAL_ERROR is not returned.
with the change, (scred) evals to true and LDAP_LOCAL_ERROR is set, which is why
i see the failure.

debug output from ldapsearch (for working/non-working runs) is available, but
has some names/ip's i would need to edit if needed...