RE: SASL/Kerberos V4 & openldap
> -----Original Message-----
> From: Quanah Gibson-Mount [mailto:quanah@stanford.edu]
> From this page:
>
> http://www.hut.fi/cc/docs/kerberos/nss_ldap.html
>
> it seems that Openldap is not using the negotiated SASL buffer size
> correctly.
You should read more carefully. That page states:
>>>
This is also a feature with Active Directory: large queries with SASL
will fail because Active Directory is not using the negotiated buffer size
correctly.
<<<
The problem is with Active Directory, not OpenLDAP. Active Directory
completely ignores the negotiated buffer size and writes as much as it wants
into a single SASL buffer. This is a well-known problem. There are no
workarounds; go complain to Microsoft for a fix. Older versions of Cyrus SASL
have a related bug that exacerbates the problem; they restrict the buffer
size to 0xffff max when the SASL protocol dictates a max of 0xffffff. I
believe this has been fixed as of Cyrus 2.1.7.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
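
The buffer-size negotiation discussed in this message, as an added example that is not part of the original email and is not OpenLDAP or Cyrus SASL code: it encodes the 24-bit maximum buffer size in a negotiation token and shows a receiver rejecting a security-layer buffer that exceeds what it advertised. It assumes the 4-octet token layout of the SASL GSSAPI mechanism (RFC 4752) and the 4-octet length prefix from RFC 4422; all function names and sample bytes are constructed for illustration.

```python
import struct

MAXBUF_FIELD_LIMIT = 0xFFFFFF  # largest value a 3-octet size field can carry
OLD_CYRUS_CLAMP = 0xFFFF       # cap the message attributes to older Cyrus SASL

class OversizedBuffer(Exception):
    """Peer sent a security-layer buffer larger than the negotiated size."""

def build_token(layers: int, maxbuf: int) -> bytes:
    # Octet 0: layer bitmask (1 none, 2 integrity, 4 confidentiality).
    # Octets 1-3: max buffer size the sender will accept, network byte order.
    if not 0 <= maxbuf <= MAXBUF_FIELD_LIMIT:
        raise ValueError("max buffer size does not fit in 24 bits")
    return bytes([layers & 0xFF]) + maxbuf.to_bytes(3, "big")

def parse_token(token: bytes):
    if len(token) != 4:
        raise ValueError("negotiation token must be exactly 4 octets")
    return token[0], int.from_bytes(token[1:], "big")

def read_buffers(stream: bytes, negotiated_max: int):
    """Split a byte stream into length-prefixed buffers, enforcing the limit."""
    buffers, offset = [], 0
    while offset < len(stream):
        if len(stream) - offset < 4:
            raise ValueError("truncated length prefix")
        (length,) = struct.unpack_from("!I", stream, offset)
        if length > negotiated_max:  # check before allocating or reading
            raise OversizedBuffer(f"{length} octets > negotiated {negotiated_max}")
        offset += 4
        if len(stream) - offset < length:
            raise ValueError("truncated buffer body")
        buffers.append(stream[offset:offset + length])
        offset += length
    return buffers

def demo():
    # Constructed data: receiver advertises the clamped size, peer ignores it.
    _, advertised = parse_token(build_token(4, OLD_CYRUS_CLAMP))
    ok = struct.pack("!I", 5) + b"hello"
    too_big = struct.pack("!I", 70000) + b"\x00" * 70000
    results = [len(read_buffers(ok, advertised))]
    try:
        read_buffers(too_big, advertised)
    except OversizedBuffer:
        results.append("rejected")
    return results

if __name__ == "__main__":
    print(demo())
```

The same 70000-octet buffer is accepted when the receiver has advertised the full 0xffffff, which is why a receiver capped at 0xffff fails sooner against a peer that ignores the negotiated size.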