
RE: SASL/Kerberos V4 & openldap

> -----Original Message-----
> From: Quanah Gibson-Mount [mailto:quanah@stanford.edu]

> From this page:
>
> http://www.hut.fi/cc/docs/kerberos/nss_ldap.html
>
> it seems that Openldap is not using the negotiated SASL buffer size
> correctly.

You should read more carefully. That page states:
>>>
    This is also a feature with Active Directory: large queries with SASL
will fail because Active Directory is not using the negotiated buffer size
correctly.
<<<
The problem is with Active Directory, not OpenLDAP. Active Directory
completely ignores the negotiated buffer size and writes as much as it wants
into a single SASL buffer. This is a well-known problem. There are no
workarounds; go complain to Microsoft for a fix. Older versions of Cyrus SASL
have a related bug that exacerbates the problem; they restrict the buffer
size to 0xffff max when the SASL protocol dictates a max of 0xffffff. I
believe this has been fixed as of Cyrus 2.1.7.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
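The buffer-size negotiation Howard describes is easy to picture with a small model. The following is an added example, not code from this thread, from OpenLDAP or from Cyrus SASL. It assumes the GSSAPI security-layer token format of RFC 4752 (one octet of layer bits followed by a 3-octet maximum buffer size, which is why 0xffffff is the protocol ceiling) and the RFC 4422 framing of protected data (each buffer preceded by a 4-octet big-endian length). The two "peer" framing functions are constructed stand-ins for a conforming sender and for the Active Directory behaviour the mail describes; the 0xffff clamp stands in for the older Cyrus SASL limit mentioned above.

```python
"""Model of SASL security-layer buffer-size negotiation (added example)."""
import struct

SASL_MAXBUF_PROTOCOL = 0xFFFFFF  # largest value the 3-octet maxbuf field can carry
OLD_CYRUS_CLAMP = 0xFFFF         # limit older Cyrus SASL imposed, per the thread


class SaslFramingError(Exception):
    """Raised when a received buffer violates the negotiated maximum."""


def encode_seclayer_token(layer_bits: int, maxbuf: int) -> bytes:
    """Build the 4-octet token a peer sends to advertise its receive limit."""
    if not 0 <= maxbuf <= SASL_MAXBUF_PROTOCOL:
        raise ValueError("maxbuf must fit in 24 bits")
    return bytes([layer_bits & 0xFF]) + maxbuf.to_bytes(3, "big")


def decode_seclayer_token(token: bytes) -> tuple:
    """Return (layer_bits, maxbuf) parsed from a 4-octet token."""
    if len(token) != 4:
        raise ValueError("security-layer token must be exactly 4 octets")
    return token[0], int.from_bytes(token[1:4], "big")


def negotiate_send_limit(peer_token: bytes, local_clamp: int = SASL_MAXBUF_PROTOCOL) -> int:
    """A conforming sender never emits a buffer larger than the peer advertised,
    further clamped by its own library limit (where the old Cyrus bug bit)."""
    _, peer_max = decode_seclayer_token(peer_token)
    return min(peer_max, local_clamp)


def frame_conforming(payload: bytes, send_limit: int) -> bytes:
    """Split payload into length-prefixed buffers no larger than send_limit.
    Integrity/confidentiality wrapping is omitted; only the sizing matters here."""
    if send_limit <= 0:
        raise ValueError("send_limit must be positive")
    out = []
    for off in range(0, len(payload), send_limit):
        chunk = payload[off:off + send_limit]
        out.append(struct.pack(">I", len(chunk)) + chunk)
    return b"".join(out)


def frame_ignoring_negotiation(payload: bytes) -> bytes:
    """Constructed stand-in for the behaviour the mail attributes to Active
    Directory: the whole result goes out as one buffer regardless of the
    negotiated size."""
    return struct.pack(">I", len(payload)) + payload


def read_buffers(stream: bytes, recv_limit: int) -> list:
    """Receiver side: parse length-prefixed buffers and refuse any that exceeds
    the limit we advertised. A correct implementation has to refuse, because
    it only reserved recv_limit bytes for each buffer."""
    bufs, pos = [], 0
    while pos < len(stream):
        if len(stream) - pos < 4:
            raise SaslFramingError("truncated length prefix")
        (length,) = struct.unpack(">I", stream[pos:pos + 4])
        if length > recv_limit:
            raise SaslFramingError(
                f"peer sent {length}-byte buffer, negotiated max is {recv_limit}")
        body = stream[pos + 4:pos + 4 + length]
        if len(body) != length:
            raise SaslFramingError("truncated buffer body")
        bufs.append(body)
        pos += 4 + length
    return bufs


def exchange(payload_len: int, recv_clamp: int, peer_conforms: bool) -> str:
    """Transfer one large search result and report how the receiver fares."""
    payload = b"x" * payload_len  # constructed stand-in for a large LDAP result
    my_token = encode_seclayer_token(0x04, recv_clamp)  # 0x04 = confidentiality
    if peer_conforms:
        wire = frame_conforming(payload, negotiate_send_limit(my_token))
    else:
        wire = frame_ignoring_negotiation(payload)
    try:
        bufs = read_buffers(wire, recv_clamp)
    except SaslFramingError as e:
        return f"FAIL: {e}"
    return f"OK: {len(bufs)} buffers"


if __name__ == "__main__":
    print("conforming peer, old Cyrus clamp:   ", exchange(200_000, OLD_CYRUS_CLAMP, True))
    print("AD-style peer, old Cyrus clamp:     ", exchange(200_000, OLD_CYRUS_CLAMP, False))
    print("AD-style peer, protocol-max clamp:  ", exchange(200_000, SASL_MAXBUF_PROTOCOL, False))
    print("AD-style peer, 20 MB result:        ", exchange(20_000_000, SASL_MAXBUF_PROTOCOL, False))
```

Running it shows the three situations from the mail side by side: a conforming peer splits a 200 KB result into four buffers under the 0xffff clamp and the transfer succeeds; a peer that ignores the negotiation sends one 200 KB buffer, which a 0xffff receiver must reject; raising the receiver's limit to the protocol maximum of 0xffffff (the Cyrus fix) makes that particular transfer go through, but a result larger than 16 MB from the same non-conforming peer still fails, which is why the fix only softens the Active Directory problem rather than removing it.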