[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Connection failures from OS X, appears to be TLS-related

To: Ben Beuchler <insyte@gmail.com>
Subject: Re: Connection failures from OS X, appears to be TLS-related
From: Aaron Richton <richton@nbcs.rutgers.edu>
Date: Fri, 5 May 2006 19:48:51 -0400 (EDT)
Cc: openldap-software@OpenLDAP.org
In-reply-to: <479b70ed0605050920y36c7c5bbn661085417f858b76@mail.gmail.com>
References: <479b70ed0605050920y36c7c5bbn661085417f858b76@mail.gmail.com>

> Note that the SASL failure is expected, as we have LDAPv3 enabled on
> the clients (as they won't let us turn on SSL otherwise) but we do not
> store plaintext passwords in the directory.  On the 2.2.26 build of
> slapd, a failed SASL bind was followed immediately by a successful
> simple bind.
>
> Any ideas what may be going wrong?

Well, google back for when this hit me (in the ITS), and I think I
discussed this on openldap-software at some point too. As I remember:
Until 2.3.mumble, there was a dangling pointer (read: leak) that had the
wonderful, and totally wrong, side effect of taking a failed SASL bind and
falling through to a simple bind, server side. The trick is to make OS X
do a simple bind (if that's what you want), which you do by either not
supporting SASL or pretending to not support SASL. One idea would be to
disable SASL in autoconf. I currently ACL out supportedSASLMechanisms. And
I think there are directives you can supply cyrus-sasl to suppress
mechanisms, although I'd be curious to hear if they work (or not) in this case.

Follow-Ups:
- Re: Connection failures from OS X, appears to be TLS-related
  - From: "Ben Beuchler" <insyte@gmail.com>

References:
- Connection failures from OS X, appears to be TLS-related
  - From: "Ben Beuchler" <insyte@gmail.com>

Prev by Date: Re: several LDAPServers working with one Database
Next by Date: Re: question about password policy
Index(es):
- Chronological
- Thread