Re: OpenLDAP, SASL and TLS

[Kristof Takacs <kristof.takacs@gmail.com>]

Dan,

Thanks for the quick response.

I tried your suggestion like this:

        //GSSAPI and TLS fails to AD.  This was a suggestion for the workaround:

        //https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480

        sasl_ssf_t max_ssf = 0;

        ldrc = ldap_set_option(ld, LDAP_OPT_X_SASL_SSF_MAX, &max_ssf);

        if (ldrc != LDAP_SUCCESS) {

            logError("ldap_set_option() for LDAP_OPT_X_SASL_SSF_MAX failure: ldrc = %d", ldrc);

            return;

        }

But with that change I can't bind any longer, I get a "Local error(-2)"

I get the same for Kerberos with no TLS with this setting.

Is the usecase of SASL authentication with Kerberos to the LDAP server and TLS to the LDAP server for all other communication a valid one?

Thanks,

Kris

On Mon, Oct 6, 2014 at 2:27 PM, Dan White <dwhite@olp.net> wrote:

On 10/06/14 13:24 -0500, Dan White wrote:

There is a known bug in Cyrus SASL which triggers this problem:

https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480

If adding "-O maxssf=0" to your ldapsearch command, when using both
Kerberos and TLS, works then that's likely the culprit.

Apparently I can't read my own bug reports. This may or may not be your
issue.

--
Dan White