[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: (ITS#4102) ITS 4064 seems to break sasl/gssapi binds to AD

interesting read on ITS#2994...

- Active Directory returns serverSaslCreds with length zero

which fits to why the change causes an AD bind to die.  AD is doing something a bit different as i feared, but perhaps other implementations behave the same...

-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Wednesday, October 19, 2005 7:51 PM
To: Chapman, Kyle
Cc: openldap-its@OpenLDAP.org
Subject: Re: (ITS#4102) ITS 4064 seems to break sasl/gssapi binds to AD

This appears to be a standards conformance issue, see ITS#2994. I don't 
know if the issue has been resolved in the IETF yet, Kurt would have a 
better idea.

kyle_chapman@G1.com wrote:
> Full_Name: kyle chapman
> Version: 2.3.11
> OS: hpux 11iv1
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (
> cyrus sasl 2.1.21
> heimdal 0.7.1 or mit 1.3.6/1.4.2 (wasnt sure what the problem was at first so i
> tried both heimdal and mit)
> changes for cyrus.c to (from ITS #4064) break sasl/gssapi
> binds to AD (vers 2.3.8 and up, at least for me).  if i roll back to
> in 2.3.11, everything builds ok and ldapsearch/sasl/gssapi to AD work.  i tried
> this on solaris 9, hpux 11iv1, aix 5.2, all with the same results.  looking at
> the diff, there is memory cleanup as well as some changes to checking the values
> provided by scred following a call to ldap_sasl_bind_s.  adding back in the mem
> cleanup and the first reorder of the if statements and rebuilding, sasl/gssapi
> still works.  
> changing the second if statement results in (this change is after seeing if the
> rc and saslrc are OK):
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
> in the older if statement, (scred && scred->bv_len) evaluates to false, and
> LDAP_LOCAL_ERROR is not returned.
> with the change, (scred) evals to true and LDAP_LOCAL_ERROR is set, which is why
> i see the failure.
> debug output from ldapsearch (for working/non-working runs) is available, but
> has some names/ip's i would need to edit if needed...

  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/
NOTICE: This E-mail may contain confidential information. If you are not
the addressee or the intended recipient please do not read this E-mail
and please immediately delete this e-mail message and any attachments
from your workstation or network mail system. If you are the addressee
or the intended recipient and you save or print a copy of this E-mail,
please place it in an appropriate file, depending on whether
confidential information is contained in the message.