[Date Prev][Date Next]
RE: (ITS#4102) ITS 4064 seems to break sasl/gssapi binds to AD
interesting read on ITS#2994...
- Active Directory returns serverSaslCreds with length zero
which fits to why the change causes an AD bind to die. AD is doing something a bit different as i feared, but perhaps other implementations behave the same...
From: Howard Chu [mailto:firstname.lastname@example.org]
Sent: Wednesday, October 19, 2005 7:51 PM
To: Chapman, Kyle
Subject: Re: (ITS#4102) ITS 4064 seems to break sasl/gssapi binds to AD
This appears to be a standards conformance issue, see ITS#2994. I don't
know if the issue has been resolved in the IETF yet, Kurt would have a
> Full_Name: kyle chapman
> Version: 2.3.11
> OS: hpux 11iv1
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (22.214.171.124)
> cyrus sasl 2.1.21
> heimdal 0.7.1 or mit 1.3.6/1.4.2 (wasnt sure what the problem was at first so i
> tried both heimdal and mit)
> changes for cyrus.c 126.96.36.199 to 188.8.131.52 (from ITS #4064) break sasl/gssapi
> binds to AD (vers 2.3.8 and up, at least for me). if i roll back to 184.108.40.206
> in 2.3.11, everything builds ok and ldapsearch/sasl/gssapi to AD work. i tried
> this on solaris 9, hpux 11iv1, aix 5.2, all with the same results. looking at
> the diff, there is memory cleanup as well as some changes to checking the values
> provided by scred following a call to ldap_sasl_bind_s. adding back in the mem
> cleanup and the first reorder of the if statements and rebuilding, sasl/gssapi
> still works.
> changing the second if statement results in (this change is after seeing if the
> rc and saslrc are OK):
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
> in the older if statement, (scred && scred->bv_len) evaluates to false, and
> LDAP_LOCAL_ERROR is not returned.
> with the change, (scred) evals to true and LDAP_LOCAL_ERROR is set, which is why
> i see the failure.
> debug output from ldapsearch (for working/non-working runs) is available, but
> has some names/ip's i would need to edit if needed...
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
NOTICE: This E-mail may contain confidential information. If you are not
the addressee or the intended recipient please do not read this E-mail
and please immediately delete this e-mail message and any attachments
from your workstation or network mail system. If you are the addressee
or the intended recipient and you save or print a copy of this E-mail,
please place it in an appropriate file, depending on whether
confidential information is contained in the message.