Re: Strange error, only w/ gssapi
> I have a server (with a pretty large DB), that has worked fine for
> a long time. Just the other day it started giving errors like:
>
> sjh@lokar% ldapsearch -h ldap cn=guest
> SASL/GSSAPI authentication started
> SASL username: sjh@UNIX.CORP
> SASL SSF: 56
> SASL installing layers
> # extended LDIF
> #
> # LDAPv3
> # base <> with scope sub
> # filter: cn=guest
> # requesting: ALL
> #
> ldap_result: Can't contact LDAP server (81)
>
>
> If I turn off gssapi (and use anon, or plain password) it works fine.
> It's only 2 groups (the largest 2 in the dir) that do this. Also,
> searches with very big replies will do it also, so it seems to
> be a result len problem. Looking at strace:
[...]
> It writes out ~13k of ~65k, then tries to write the rest and gets
> EAGAIN for some reason.
>
>
> This is on linux, with both 2.2.5 and 2.1.22
>
> I can see how you might hit a bug with large return results, but I
> can't imagine how GSSAPI would factor into this. Any ideas?

So, I found the problem, I think.

On the ldapsearch I see:

  sb_sasl_pkt_length: received illegal packet length of 65692 bytes
  sb_sasl_read: failed to decode packet: generic failure

In the code:

  ldap-int.h:#define SASL_MAX_BUFF_SIZE 65536

So, I assume there is a good reason for all the IO to go through the
SASL library, and SASL needs to only get data 65536 bytes at a time.

So, should the client only read 65536 bytes at a time? I assume
it's just a byte stream, so the server can't break it up or anything.

If someone sees the problem and can send me a patch to test that
would be great, or I'll probably take a stab at it this weekend.

-Seth
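
The length check behind the error quoted above, as an added example that is not part of the original post and is not OpenLDAP's code: SASL security layers send each protected buffer behind a 4-byte network-order length, and the receiver rejects any length above its buffer limit, so the sender has to cut plaintext into chunks whose wrapped size still fits. The function names and the `overhead` parameter (per-packet expansion added by the security layer) are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SASL_MAX_BUFF_SIZE 65536 /* value quoted from ldap-int.h in the post */

/* Receiver side: decode the 4-byte big-endian length that precedes each
 * protected buffer. Returns 0 and stores the length, or -1 when the length
 * exceeds the receive limit (the "illegal packet length" case). */
int pkt_length(const unsigned char hdr[4], size_t max, size_t *len)
{
    uint32_t n = ((uint32_t)hdr[0] << 24) | ((uint32_t)hdr[1] << 16) |
                 ((uint32_t)hdr[2] << 8)  |  (uint32_t)hdr[3];
    if (n > max)
        return -1;
    *len = n;
    return 0;
}

/* Sender side: largest plaintext chunk whose wrapped form still fits in the
 * peer's buffer. overhead is a hypothetical per-packet expansion in bytes. */
size_t max_plain_chunk(size_t peer_max, size_t overhead)
{
    return peer_max > overhead ? peer_max - overhead : 0;
}

/* Number of protected packets needed to carry total plaintext bytes;
 * 0 when nothing fits (overhead >= peer_max) or there is nothing to send. */
size_t packets_needed(size_t total, size_t peer_max, size_t overhead)
{
    size_t chunk = max_plain_chunk(peer_max, overhead);
    return chunk ? (total + chunk - 1) / chunk : 0;
}

int main(void)
{
    /* Constructed header encoding 65692, the length reported in the post. */
    const unsigned char hdr[4] = { 0x00, 0x01, 0x00, 0x9C };
    size_t len = 0;
    if (pkt_length(hdr, SASL_MAX_BUFF_SIZE, &len) != 0)
        puts("rejected: length exceeds SASL_MAX_BUFF_SIZE");
    /* 156 is a constructed sample overhead, not a measured GSSAPI value. */
    printf("packets for a 65536-byte reply: %zu\n",
           packets_needed(65536, SASL_MAX_BUFF_SIZE, 156));
    return 0;
}
```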