
Re: Connection failures from OS X, appears to be TLS-related



> Note that the SASL failure is expected, as we have LDAPv3 enabled on
> the clients (as they won't let us turn on SSL otherwise) but we do not
> store plaintext passwords in the directory.  On the 2.2.26 build of
> slapd, a failed SASL bind was followed immediately by a successful
> simple bind.
>
> Any ideas what may be going wrong?

Well, google back for when this hit me (in the ITS), and I think I
discussed this on openldap-software at some point too. As I remember:
Until 2.3.mumble, there was a dangling pointer (read: leak) that had the
wonderful, and totally wrong, side effect of taking a failed SASL bind and
falling through to a simple bind, server side. The trick is to make OS X
do a simple bind (if that's what you want), which you do by either not
supporting SASL or pretending to not support SASL. One idea would be to
disable SASL in autoconf. I currently ACL out supportedSASLMechanisms. And
I think there are directives you can supply cyrus-sasl to suppress
mechanisms, although I'd be curious to hear if they work (or not) in this case.
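
One way to verify the workaround described above (an added example, not part of the original message): once supportedSASLMechanisms is hidden, an anonymous rootDSE search should return no mechanisms, so the client has nothing to attempt a SASL bind with. The function names, the sample LDIF and the host ldap.example.com are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list the SASL mechanisms a rootDSE search result advertises.
# Feed it LDIF on stdin, e.g. (ldap.example.com is a placeholder host):
#   ldapsearch -x -LLL -H ldap://ldap.example.com -b "" -s base supportedSASLMechanisms

# Print one advertised mechanism per line. Handles LDIF continuation lines
# (leading space) and matches the attribute name case-insensitively.
advertised_sasl_mechs() {
    awk '
        # Unfold: a line starting with a single space continues the previous line.
        /^ / { buf = buf substr($0, 2); next }
        { if (buf != "") emit(buf); buf = $0 }
        END { if (buf != "") emit(buf) }
        function emit(line,   i, name, val) {
            i = index(line, ":")
            if (i == 0) return
            name = tolower(substr(line, 1, i - 1))
            if (name != "supportedsaslmechanisms") return
            val = substr(line, i + 1)
            sub(/^[ \t]+/, "", val)
            if (val != "") print val
        }
    '
}

# Exit 0 when no mechanism is visible to the searching identity,
# exit 1 when at least one is still advertised.
sasl_hidden() {
    mechs=$(advertised_sasl_mechs)
    [ -z "$mechs" ]
}

# Constructed sample outputs (not captured from a real server).
SAMPLE_VISIBLE='dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-
 MD5
supportedLDAPVersion: 3'

SAMPLE_HIDDEN='dn:
supportedLDAPVersion: 3'

# Demo on the constructed input: prints the mechanisms still advertised.
printf '%s\n' "$SAMPLE_VISIBLE" | advertised_sasl_mechs
```

Run the check as the identity the clients search with (anonymous here), since an ACL may still show the attribute to other identities.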