Luke Howard wrote:

> We have noticed an interoperability issue with clients that assume that saslServerCreds will be present, but zero length, when a SASL mechanism returns no data for the last leg of an authentication. (An example of such a mechanism is GSSAPI.)
>
> OpenLDAP and PADL GSS-SASL both omit saslServerCreds in this case, whereas Active Directory returns it with a zero-length octet. It seems to me that the Active Directory behaviour actually makes more sense, and the OpenLDAP client (which uses Cyrus SASL) accepts both behaviours.

Actually my interpretation of RFC 2222 would be exactly the opposite.

> I guess the authmech document should say that clients should treat missing data in the last response from the server as if a zero-length response was sent. And that for interoperability it is recommended to send a zero-length response.
>
> However, we have noticed that some proprietary GSSAPI SASL clients fail if saslServerCreds is not present.
>
> See:
> http://www.openldap.org/its/index.cgi/Incoming?id=2994

RFC 2222 doesn't really distinguish between not present and zero length; it merely says that after the server receives the last client response the "authentication process is complete".
Alexey
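As an added illustration of the client-side reading discussed in this thread (this code is not from the thread, OpenLDAP, PADL or Cyrus SASL), the decoder below pulls the optional saslServerCreds ([7] OCTET STRING in the LDAP BindResponse) out of a BER-encoded LDAPMessage and returns an empty byte string both when the server sends an empty [7] and when it omits the element entirely, so a client does not fail on either server behaviour. It assumes short-form BER lengths only, and the two sample messages are constructed here.

```python
# Added example: normalize an absent saslServerCreds to a zero-length one.
# Assumes short-form BER lengths; sample BindResponses are constructed inline.

def _tlv(data, pos):
    """Return (tag, value, next_pos) for one short-form BER TLV at pos."""
    tag, length = data[pos], data[pos + 1]
    if length & 0x80:
        raise ValueError("long-form lengths not handled in this example")
    start = pos + 2
    return tag, data[start:start + length], start + length

def decode_bind_response(msg):
    """Decode an LDAPMessage carrying a BindResponse ([APPLICATION 1]).

    Returns (resultCode, saslServerCreds). saslServerCreds is b"" both when
    the server sent an empty [7] OCTET STRING and when it omitted [7].
    """
    tag, body, _ = _tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("LDAPMessage must be a SEQUENCE")
    _, _msgid, pos = _tlv(body, 0)               # messageID INTEGER
    tag, bind, _ = _tlv(body, pos)
    if tag != 0x61:                              # [APPLICATION 1], constructed
        raise ValueError("not a BindResponse")
    _, code, pos = _tlv(bind, 0)                 # resultCode ENUMERATED
    _, _matched, pos = _tlv(bind, pos)           # matchedDN
    _, _diag, pos = _tlv(bind, pos)              # diagnosticMessage
    creds = b""                                  # default when [7] is absent
    while pos < len(bind):                       # optional tail: [3] referral, [7] creds
        tag, val, pos = _tlv(bind, pos)
        if tag == 0x87:                          # [7] context-specific, primitive
            creds = val
    return int.from_bytes(code, "big"), creds

def _seq(tag, *parts):
    """Wrap parts in a short-form constructed TLV with the given tag."""
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

# Constructed samples: resultCode success (0), empty matchedDN and diagnosticMessage.
RESULT = bytes([0x0A, 0x01, 0x00, 0x04, 0x00, 0x04, 0x00])
OMITTED = _seq(0x30, bytes([0x02, 0x01, 0x01]), _seq(0x61, RESULT))               # no [7]
EMPTY = _seq(0x30, bytes([0x02, 0x01, 0x01]), _seq(0x61, RESULT + bytes([0x87, 0x00])))  # [7] zero length

def creds_equivalent(a, b):
    """True when two server responses yield the same creds after normalization."""
    return decode_bind_response(a)[1] == decode_bind_response(b)[1]
```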