
RE: SASL/Kerberos V4 & openldap





--On Thursday, October 31, 2002 2:30 PM -0800 Howard Chu <hyc@highlandsun.com> wrote:

-----Original Message-----
From: Quanah Gibson-Mount [mailto:quanah@stanford.edu]

> From this page:
>
> http://www.hut.fi/cc/docs/kerberos/nss_ldap.html
>
> it seems that Openldap is not using the negotiated SASL buffer size
> correctly.

You should read more carefully. That page states:

    This is also a feature with Active Directory: large queries with SASL
will fail because Active Directory is not using the negotiated buffer size
correctly.
<<<
The problem is with Active Directory, not OpenLDAP. Active Directory
completely ignores the negotiated buffer size and writes as much as it
wants into a single SASL buffer. This is a well known problem. There are
no workarounds, go complain to Microsoft for a fix. Older versions of
Cyrus SASL have a related bug that exacerbates the problem; they restrict
the buffer size to 0xffff max when the SASL protocol dictates a max of
0xffffff. I believe this has been fixed as of Cyrus 2.1.7.

Howard,

I read what it said about Active Directory. However, I'm using OpenLDAP's ldapsearch, with OpenLDAP's slapd, and I'm getting the same error that that particular page reported with Active Directory. I'm also using Cyrus SASL 2.1.9, so if it was fixed in 2.1.7, then it definitely isn't something I need to worry about. So, any thoughts on what else I might want to try? Again, using SASL's sample server & client, I can do K4 authentication just fine, so this definitely seems to be something with the interaction between slapd & ldapsearch.

--Quanah

--
Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
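The failure Howard describes above is a peer writing more into one SASL security-layer buffer than the size negotiated for it. The following is an added example, not code from this thread or from OpenLDAP or Cyrus SASL: a receiver-side check for the security-layer framing, assuming the four-octet network-byte-order length prefix the SASL spec defines for protected buffers (RFC 4422, section 3.7). The two ceilings are the ones named in the thread (0xffffff from the protocol, 0xffff from the old Cyrus clamp); the function names and the sample frames are constructed for illustration. The point it shows is that a receiver should reject a frame whose declared length exceeds the size it advertised before trying to read the body, which is exactly the condition the thread's "large queries fail" symptom corresponds to.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Limits quoted in the thread: the SASL protocol allows a negotiated
   maxbuf of up to 0xffffff; older Cyrus SASL clamped it to 0xffff. */
#define SASL_PROTO_MAXBUF 0xffffffUL
#define OLD_CYRUS_MAXBUF  0xffffUL

enum frame_status {
    FRAME_OK = 0,
    FRAME_NEED_MORE,     /* header or body not fully received yet */
    FRAME_TOO_LARGE,     /* declared length exceeds the maxbuf we advertised */
    FRAME_EXCEEDS_PROTO  /* declared length exceeds the protocol ceiling */
};

/* Decode the four-octet network-byte-order length prefix. */
static uint32_t read_be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Sender side: build one protected buffer (length prefix + payload).
   Refuses to emit a frame larger than the peer's negotiated maxbuf,
   which is the discipline the thread says Active Directory lacks.
   Returns bytes written, or 0 on refusal. (Hypothetical helper name.) */
size_t sasl_frame_encode(const unsigned char *payload, size_t len,
                         uint32_t peer_maxbuf,
                         unsigned char *out, size_t outcap) {
    if (len > peer_maxbuf || len > SASL_PROTO_MAXBUF) return 0;
    if (outcap < 4 + len) return 0;
    out[0] = (unsigned char)(len >> 24);
    out[1] = (unsigned char)(len >> 16);
    out[2] = (unsigned char)(len >> 8);
    out[3] = (unsigned char)(len);
    memcpy(out + 4, payload, len);
    return 4 + len;
}

/* Receiver side: validate the next frame in a receive buffer against the
   maxbuf we advertised during negotiation. The declared length is
   reported through body_len so a caller can log it when rejecting.
   (Hypothetical helper name.) */
enum frame_status sasl_frame_check(const unsigned char *buf, size_t avail,
                                   uint32_t our_maxbuf, uint32_t *body_len) {
    if (avail < 4) return FRAME_NEED_MORE;
    uint32_t len = read_be32(buf);
    if (body_len) *body_len = len;
    /* Check the declared size before waiting for (or allocating) the body. */
    if (len > SASL_PROTO_MAXBUF) return FRAME_EXCEEDS_PROTO;
    if (len > our_maxbuf) return FRAME_TOO_LARGE;
    if (avail - 4 < len) return FRAME_NEED_MORE;
    return FRAME_OK;
}

int main(void) {
    /* Constructed header: a peer declaring a 0x12345-octet protected buffer. */
    unsigned char oversized[4] = { 0x00, 0x01, 0x23, 0x45 };
    uint32_t declared = 0;

    /* Against the old Cyrus clamp this must be rejected ... */
    enum frame_status s = sasl_frame_check(oversized, sizeof oversized,
                                           OLD_CYRUS_MAXBUF, &declared);
    printf("declared=%u maxbuf=0x%lx -> %s\n", declared, OLD_CYRUS_MAXBUF,
           s == FRAME_TOO_LARGE ? "rejected (exceeds negotiated maxbuf)" : "other");

    /* ... while under the full protocol ceiling it is merely incomplete. */
    s = sasl_frame_check(oversized, sizeof oversized, SASL_PROTO_MAXBUF, &declared);
    printf("declared=%u maxbuf=0x%lx -> %s\n", declared, SASL_PROTO_MAXBUF,
           s == FRAME_NEED_MORE ? "waiting for body" : "other");

    /* A well-behaved sender never produces a frame the peer cannot accept. */
    unsigned char out[16];
    size_t n = sasl_frame_encode((const unsigned char *)"abc", 3, 2, out, sizeof out);
    printf("encode 3 bytes for peer maxbuf=2 -> %s\n", n == 0 ? "refused" : "sent");
    return 0;
}
```

Both checks are cheap and run before any body bytes are consumed, so an implementation that enforces them reports a clean "frame exceeds negotiated size" error rather than the opaque decode failure the thread is chasing.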