RE: SASL/Kerberos V4 & openldap

[Quanah Gibson-Mount <quanah@stanford.edu>]

--On Thursday, October 31, 2002 2:30 PM -0800 Howard Chu 
<hyc@highlandsun.com> wrote:

> > -----Original Message-----
> > From: Quanah Gibson-Mount [mailto:quanah@stanford.edu]
>
> > > From this page:
> >
> > http://www.hut.fi/cc/docs/kerberos/nss_ldap.html
> >
> > it seems that Openldap is not using the negotiated SASL buffer size
> > correctly.
>
> You should read more carefully. That page states:
> > > >
>     This is also a feature with Active Directory: large queries with SASL
> will fail because Active Directory is not using the negotiated buffer size
> correctly.
> <<<
> The problem is with Active Directory, not OpenLDAP. Active Directory
> completely ignores the negotiated buffer size and writes as much as it
> wants into a single SASL buffer. This is a well known problem. There are
> no workarounds, go complain to Microsoft for a fix. Older versions of
> Cyrus SASL have a related bug that exacerbates the problem; they restrict
> the buffer size to 0xffff max when the SASL protocol dictates a max of
> 0xffffff. I believe this has been fixed as of Cyrus 2.1.7.

Howard,

I read what it said about active directory.  However, I'm using openldap's 
ldapsearch, with openldap's slapd, and I'm getting the same error that that 
particular page reported with active directory.  I'm also using cyrus sasl 
2.1.9, so if it was fixed in 2.1.7, then it definately isn't something I 
need to worry about.  So, any thoughts on what else I might want to try? 
Again, using sasl's sample server & client, I can do K4 authentication just 
fine, so this definately seem to be something with the interaction between 
slapd & ldapsearch.

--Quanah

--
Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html