
SASL mechanisms that return no data in last leg
We have noticed an interoperability issue with clients that
assume that saslServerCreds will be present, but zero length,
when a SASL mechanism returns no data for the last leg of an
authentication. (An example of such a mechanism is GSSAPI.)

OpenLDAP and PADL GSS-SASL both omit saslServerCreds in this
case, whereas Active Directory returns it with a zero-length
octet. It seems to me that the Active Directory behaviour
actually makes more sense, and the OpenLDAP client (which
uses Cyrus SASL) accepts both behaviours. However, we have
noticed that some proprietary GSSAPI SASL clients fail if
saslServerCreds is not present.

See:

  http://www.openldap.org/its/index.cgi/Incoming?id=2994

RFC 2222 doesn't really distinguish between not present and
zero length; it merely says that after the server receives the
last client response the "authentication process is complete".

-- Luke
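As an added illustration of the two encodings discussed in the message above (example code, not from the thread or from OpenLDAP), here is a minimal BER encoder/decoder for the LDAP BindResponse protocolOp that emits the serverSaslCreds [7] element (the field the post calls saslServerCreds) either absent or zero-length, plus the tolerant client-side check that treats the two alike. It assumes short-form BER lengths and leaves out the surrounding LDAPMessage envelope.

```python
SUCCESS = 0                 # LDAP resultCode success
SASL_BIND_IN_PROGRESS = 14  # LDAP resultCode saslBindInProgress

def _tlv(tag, payload):
    # BER TLV with short-form length; the PDUs built here are all < 128 bytes
    assert len(payload) < 128
    return bytes([tag, len(payload)]) + payload

def encode_bind_response(result_code, server_sasl_creds):
    """BindResponse ::= [APPLICATION 1] SEQUENCE { resultCode, matchedDN,
    diagnosticMessage, ..., serverSaslCreds [7] OCTET STRING OPTIONAL }.
    None omits the [7] element (OpenLDAP behaviour); b"" emits it with
    zero length (Active Directory behaviour)."""
    body = _tlv(0x0A, bytes([result_code]))    # resultCode ENUMERATED
    body += _tlv(0x04, b"")                     # matchedDN, empty
    body += _tlv(0x04, b"")                     # diagnosticMessage, empty
    if server_sasl_creds is not None:
        body += _tlv(0x87, server_sasl_creds)   # [7] primitive, context-specific
    return _tlv(0x61, body)                     # [APPLICATION 1], constructed

def _read_tlv(buf, pos):
    tag, length = buf[pos], buf[pos + 1]
    start = pos + 2
    return tag, buf[start:start + length], start + length

def decode_bind_response(pdu):
    """Return (resultCode, serverSaslCreds); the creds are None when the [7]
    element is absent and b"" when it is present with zero length."""
    tag, body, _ = _read_tlv(pdu, 0)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, val, pos = _read_tlv(body, 0)             # resultCode
    result_code = val[0]
    _, _, pos = _read_tlv(body, pos)             # matchedDN (ignored)
    _, _, pos = _read_tlv(body, pos)             # diagnosticMessage (ignored)
    creds = None
    while pos < len(body):                       # optional trailing elements
        tag, val, pos = _read_tlv(body, pos)
        if tag == 0x87:
            creds = val
    return result_code, creds

def client_step_input(pdu):
    """What a tolerant client hands to its SASL library: (bind_complete,
    server_data). Absent and zero-length creds are treated alike, as the
    Cyrus-SASL-based OpenLDAP client does; a strict client that requires
    the element would reject the OpenLDAP encoding."""
    result_code, creds = decode_bind_response(pdu)
    return result_code == SUCCESS, creds or b""
```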