[Date Prev][Date Next]
Re: Confusion over MIT/Heimdal compatibility
On 15 Apr 2008, at 22:31, Howard Chu wrote:
ssh and GSSAPI may be analogous here. In that respect, these layers
should renegotiate keys transparently so that upper layers never
see it. The fact that SASL doesn't expose lifetime restrictions
either means (a) apps aren't supposed to have to worry about them
or (b) the SASL design is broken.
Personally, I think the GSSAPI SASL design is broken, in that it
doesn't attempt renegotiation. That's something that I know people
are working on fixing.
However, all of this is really by the by. The key issue is that
sasl_encode and sasl_decode are defined as returning an error code in
what passes for the Cyrus SASL API documentation. At the moment, the
OpenLDAP code doesn't handle those functions returning anything other