
Re: Strange error, only w/ gssapi

> I have a server (with a pretty large DB), that has worked fine for
> a long time.  Just the other day it started giving errors like:
> sjh@lokar% ldapsearch -h ldap cn=guest 
> SASL/GSSAPI authentication started
> SASL username: sjh@UNIX.CORP
> SASL SSF: 56
> SASL installing layers
> # extended LDIF
> #
> # LDAPv3
> # base <> with scope sub
> # filter: cn=guest
> # requesting: ALL
> #
> ldap_result: Can't contact LDAP server (81)
> If I turn off gssapi (and use anon, or plain password) it works fine.
> It's only 2 groups (the largest 2 in the dir) that do this.  Also,
> searches with very big replies will do it also, so it seems to
> be a result len problem.  Looking at strace:


> It writes out ~13k of ~65k, then tries to write the rest and gets 
> EAGAIN for some reason.
> This is on Linux, with both 2.2.5 and 2.1.22.
> I can see how you might hit a bug with large return results, but I
> can't imagine how GSSAPI would factor into this.  Any ideas?

So, I found the problem, I think.

On the ldapsearch I see:
sb_sasl_pkt_length: received illegal packet length of 65692 bytes
sb_sasl_read: failed to decode packet: generic failure

In the code:
ldap-int.h:#define SASL_MAX_BUFF_SIZE   65536

So, I assume there is a good reason for all the IO to go through the 
SASL library, and SASL needs to only get data 65536 bytes at a time.
So, should the client only read 65536 bytes at a time? I assume
it's just a byte stream, so the server can't break it up or anything.

If someone sees the problem and can send me a patch to test that
would be great, or I'll probably take a stab at it this weekend.
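
Added example (not part of the original post, and not OpenLDAP or Cyrus SASL code): a sketch of the framing involved, where each protected SASL buffer is preceded by a 4-octet network-order length that the receiver checks against its buffer limit, and the sender sizes its plaintext chunks so the wrapped packet stays within that limit. The function names and the WRAP_OVERHEAD value are assumptions made for illustration; only SASL_MAX_BUFF_SIZE and the length 65692 come from the post.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define SASL_MAX_BUFF_SIZE 65536u  /* value quoted from ldap-int.h in the post */
#define WRAP_OVERHEAD      156u    /* assumed per-packet wrap overhead (constructed) */

/* Decode the 4-octet network-order length that precedes each protected buffer. */
uint32_t pkt_length(const unsigned char hdr[4])
{
    return ((uint32_t)hdr[0] << 24) | ((uint32_t)hdr[1] << 16) |
           ((uint32_t)hdr[2] << 8) | (uint32_t)hdr[3];
}

/* Receiver: accept a packet only if it fits the buffer size we advertised. */
int pkt_length_ok(const unsigned char hdr[4], uint32_t max_buf)
{
    return pkt_length(hdr) <= max_buf;
}

/* Sender: split `total` plaintext bytes so every wrapped packet fits the
 * peer's limit. Writes each packet's wrapped length to out[] and returns the
 * packet count; 0 if the limit leaves no room for data or out[] is too small. */
size_t plan_packets(size_t total, uint32_t peer_max, uint32_t overhead,
                    uint32_t *out, size_t out_cap)
{
    if (peer_max <= overhead)
        return 0;
    size_t chunk = peer_max - overhead, n = 0;
    while (total > 0) {
        size_t take = total < chunk ? total : chunk;
        if (n == out_cap) return 0;
        out[n++] = (uint32_t)(take + overhead);
        total -= take;
    }
    return n;
}

int main(void)
{
    /* Constructed header carrying the length reported in the post: 65692. */
    const unsigned char hdr[4] = { 0x00, 0x01, 0x00, 0x9c };
    uint32_t sizes[8];
    size_t n = plan_packets(65536, SASL_MAX_BUFF_SIZE, WRAP_OVERHEAD, sizes, 8);
    printf("len=%u ok=%d\n", (unsigned)pkt_length(hdr), pkt_length_ok(hdr, SASL_MAX_BUFF_SIZE));
    for (size_t i = 0; i < n; i++)
        printf("packet %zu: %u bytes on the wire\n", i, (unsigned)sizes[i]);
    return 0;
}
```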