
Re: (ITS#4102) ITS 4064 seems to break sasl/gssapi binds to AD

At 04:51 PM 10/19/2005, hyc@symas.com wrote:
>This appears to be a standards conformance issue, see ITS#2994. I don't 
>know if the issue has been resolved in the IETF yet, Kurt would have a 
>better idea. 

In SASL, a mechanism may send additional data of any
length (including zero) with the message that indicates
successful outcome of the exchange.  If the result code
is not success, no additional data should be present.
If the result is success, whatever data is present
(including that of zero length) must be valid per
the mechanism.

SASL requires protocols supporting additional data with
the successful outcome of the exchange messages, such as
LDAP, to distinguish between empty and no additional
data.  LDAP distinguishes these cases by use of
absent serverSaslCreds and zero-length serverSaslCreds
in the bind response, respectively.

IIRC, in the GSSAPI mechanism, the additional data should not
be zero length.

Also, Cyrus SASL should not be in SASL_OK (as that would
indicate that the additional data was sent as a final
challenge and responded to with an empty final response,
or that the mechanism doesn't support such additional data).

So, I suspect AD is sending an empty serverSaslCreds
when it should have sent no serverSaslCreds in the
last bind response.  Their bad.
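Added example, not part of this thread or of OpenLDAP's or Cyrus SASL's code: a minimal BER encoder/decoder for an LDAP BindResponse that preserves the distinction the reply turns on, an absent serverSaslCreds versus a zero-length one. The tags follow RFC 4511 (BindResponse is [APPLICATION 1] SEQUENCE, resultCode is ENUMERATED, serverSaslCreds is [7] OCTET STRING OPTIONAL); the referral element is skipped rather than decoded, result codes are assumed to fit in one byte, and the sample byte strings are constructed for the demo, not captured from AD.

```python
"""Distinguish an ABSENT serverSaslCreds from an EMPTY one in an LDAP BindResponse.

Added example (not from the ITS thread). Tags per RFC 4511:
  BindResponse      [APPLICATION 1] SEQUENCE      -> 0x61
  resultCode        ENUMERATED                    -> 0x0A
  matchedDN / diagnosticMessage  OCTET STRING     -> 0x04
  referral          [3] Referral OPTIONAL         -> 0xA3 (skipped here)
  serverSaslCreds   [7] OCTET STRING OPTIONAL     -> 0x87
Assumption: result codes fit in a single byte (true for all RFC 4511 codes).
"""
from typing import Optional, Tuple

SUCCESS = 0                 # RFC 4511 resultCode values
SASL_BIND_IN_PROGRESS = 14


def _ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def encode_bind_response(result_code: int, creds: Optional[bytes],
                         matched_dn: bytes = b"", diag: bytes = b"") -> bytes:
    """creds=None omits serverSaslCreds; creds=b'' emits it with zero length."""
    body = _tlv(0x0A, bytes([result_code])) + _tlv(0x04, matched_dn) + _tlv(0x04, diag)
    if creds is not None:
        body += _tlv(0x87, creds)   # present on the wire even when empty: 0x87 0x00
    return _tlv(0x61, body)


def _read_tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the element)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(data):
        raise ValueError("truncated BER element")
    return tag, data[pos:pos + length], pos + length


def decode_bind_response(data: bytes) -> dict:
    """Parse one BindResponse; server_sasl_creds is None when absent, bytes otherwise."""
    tag, body, end = _read_tlv(data, 0)
    if tag != 0x61 or end != len(data):
        raise ValueError("not a single BindResponse")
    pos = 0
    tag, rc, pos = _read_tlv(body, pos)
    if tag != 0x0A:
        raise ValueError("expected ENUMERATED resultCode")
    tag, matched_dn, pos = _read_tlv(body, pos)
    tag, diag, pos = _read_tlv(body, pos)
    creds: Optional[bytes] = None
    while pos < len(body):               # optional trailing elements
        tag, value, pos = _read_tlv(body, pos)
        if tag == 0x87:
            creds = value                # may legitimately be b""
        # 0xA3 (referral) and anything unknown is ignored in this demo
    return {
        "result_code": int.from_bytes(rc, "big"),
        "matched_dn": matched_dn,
        "diagnostic_message": diag,
        "server_sasl_creds": creds,
    }


def creds_state(creds: Optional[bytes]) -> str:
    """The three cases SASL asks LDAP to keep apart."""
    if creds is None:
        return "absent"
    if len(creds) == 0:
        return "empty"
    return "present"


if __name__ == "__main__":
    # Constructed samples: a final success response without, and with, an
    # empty serverSaslCreds. Both are well-formed; only the second carries
    # the 0x87 0x00 element that the reply suspects AD is sending.
    for label, raw in (("no serverSaslCreds", encode_bind_response(SUCCESS, None)),
                       ("empty serverSaslCreds", encode_bind_response(SUCCESS, b""))):
        parsed = decode_bind_response(raw)
        print(f"{label}: {raw.hex()} -> {creds_state(parsed['server_sasl_creds'])}")
```

Feeding the two encodings through any SASL client shows why the distinction matters: the first tells the library that no final challenge exists, the second hands it a zero-length server message that the mechanism still has to accept as valid.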