Re: Confusion over MIT/Heimdal compatibility
On 15 Apr 2008, at 22:31, Howard Chu wrote:
> ssh and GSSAPI may be analogous here. In that respect, these layers
> should renegotiate keys transparently so that upper layers never
> see it. The fact that SASL doesn't expose lifetime restrictions
> either means (a) apps aren't supposed to have to worry about them
> or (b) the SASL design is broken.
Personally, I think the GSSAPI SASL design is broken, in that it
doesn't attempt renegotiation. That's something that I know people
are working on fixing.
However, all of this is really by the by. The key issue is that
sasl_encode and sasl_decode are defined as returning an error code in
what passes for the Cyrus SASL API documentation. At the moment, the
OpenLDAP code doesn't handle those functions returning anything other
than success.
S.
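The point made above, that sasl_encode()/sasl_decode() return an error code and that a caller which ignores it will hand the upper layer whatever happens to be in the output buffer, as an added C example. This is not OpenLDAP or Cyrus SASL code. libsasl2 is not linked here, so fake_sasl_decode() is a constructed stand-in with the same parameter list as the real sasl_decode(); its "decryption" is a plain copy and it starts returning SASL_FAIL once a toy key lifetime is exhausted. The types and helper names (fake_sasl_conn_t, decode_unchecked, decode_checked) are hypothetical; only the SASL_OK/SASL_FAIL values mirror sasl.h.

```c
/* Added example, not OpenLDAP or Cyrus SASL code: what happens when the
 * return code of sasl_decode() is ignored versus checked. libsasl2 is not
 * linked, so a constructed stand-in models a security layer whose key
 * lifetime expires after a few records. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Values match sasl.h: SASL_OK == 0, SASL_FAIL == -1. */
#define SASL_OK    0
#define SASL_FAIL -1

/* Hypothetical connection state standing in for sasl_conn_t. */
typedef struct {
    int calls;      /* decodes performed so far */
    int lifetime;   /* decodes allowed before the stand-in starts failing */
    char buf[64];   /* output buffer owned by the "connection", as in Cyrus */
} fake_sasl_conn_t;

/* Constructed stand-in for sasl_decode(): same parameter list, toy behaviour.
 * On failure it returns SASL_FAIL and leaves *output/*outputlen untouched,
 * which is exactly what makes an unchecked caller dangerous. */
static int fake_sasl_decode(fake_sasl_conn_t *conn, const char *input,
                            unsigned inputlen, const char **output,
                            unsigned *outputlen)
{
    if (conn->calls++ >= conn->lifetime)
        return SASL_FAIL;               /* "key lifetime expired" */
    if (inputlen >= sizeof conn->buf)
        return SASL_FAIL;               /* record too large for the buffer */
    memcpy(conn->buf, input, inputlen);
    conn->buf[inputlen] = '\0';
    *output = conn->buf;
    *outputlen = inputlen;
    return SASL_OK;
}

/* The pattern the message criticises: the return value is discarded and the
 * caller passes output/outputlen to the upper layer regardless. After a
 * failed call those still describe the PREVIOUS record, so the application
 * sees an old record replayed as if it were fresh, decoded data. */
static const char *decode_unchecked(fake_sasl_conn_t *conn, const char *in,
                                    unsigned inlen, unsigned *outlen)
{
    const char *out = conn->buf;        /* stale pointer survives a failure */
    (void)fake_sasl_decode(conn, in, inlen, &out, outlen);
    return out;
}

/* Hardened form: anything other than SASL_OK is a fatal error for this
 * connection. Output is cleared first so a failure can never leak stale
 * bytes, and the caller gets -1 so it can close the connection. */
static int decode_checked(fake_sasl_conn_t *conn, const char *in,
                          unsigned inlen, const char **out, unsigned *outlen)
{
    int rc;
    *out = NULL;
    *outlen = 0;
    rc = fake_sasl_decode(conn, in, inlen, out, outlen);
    if (rc != SASL_OK) {
        /* A real caller would map rc to an LDAP error and drop the
         * connection rather than keep reading from a dead security layer. */
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed input: three records on a layer that only allows two. */
    const char *records[] = { "rec1", "rec2", "rec3" };
    fake_sasl_conn_t a = { 0, 2, { 0 } }, b = { 0, 2, { 0 } };
    unsigned n = 0, m = 0;
    const char *p;
    int i;

    for (i = 0; i < 3; i++) {
        p = decode_unchecked(&a, records[i], 4, &n);
        printf("unchecked: record %d -> \"%.*s\"\n", i + 1, (int)n, p);
        if (decode_checked(&b, records[i], 4, &p, &m) == 0)
            printf("checked:   record %d -> \"%.*s\"\n", i + 1, (int)m, p);
        else
            printf("checked:   record %d -> decode failed, closing\n", i + 1);
    }
    return 0;
}
```

The third record is where the two differ: the unchecked path prints "rec2" a second time, because the failed call left the previous output pointer and length in place, while the checked path reports the failure and returns nothing. Whether a real sasl_decode() failure leaves the old buffer intact, zeroes it, or frees it is up to the library and mechanism, which is precisely why the caller cannot use the output without looking at the return code first.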