Re: GSSAPI (SASL) + LDAP
On Thursday, 09 February 2012 at 17:21 -0600, Dan White wrote:
> On 02/09/12 17:15 -0500, Daniel Savard wrote:
(...)
>
> This could be a libsasl2 problem. What version of cyrus sasl do you have
> installed, and what kerberos library/version is it compiled against?
>
> If you're running libsasl2 > 2.1.23, see if either of these apply to you:
>
> https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480
> https://bugzilla.cyrusimap.org/show_bug.cgi?id=3445
>
MIT Kerberos 1.9.2-r2
Cyrus-Sasl 2.1.23-r6
OpenLDAP 2.4.24
Linux distro: Gentoo
Code fragment from plugins/gssapi.c compared to bug 3445 and its patch:
    if (output_token->value && output) {
        int len;
        ret = _plug_buf_alloc(text->utils, &(text->encode_buf),
                              &(text->encode_buf_len),
                              output_token->length + 4);
        if (ret != SASL_OK) {
            GSS_LOCK_MUTEX(text->utils);
            gss_release_buffer(&min_stat, output_token);
            GSS_UNLOCK_MUTEX(text->utils);
            return ret;
        }
        len = htonl(output_token->length);
        memcpy(text->encode_buf, &len, 4);
        memcpy(text->encode_buf + 4, output_token->value,
               output_token->length);
    }
This one seems correct. And code fragment compared to patch for bug
3480:
    /* Setup req_flags properly */
    req_flags = GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG;
    if(params->props.max_ssf > params->external_ssf) {
        /* We are requesting a security layer */
        req_flags |= GSS_C_INTEG_FLAG;
        /* Any SSF bigger than 1 is confidentiality. */
        /* Let's check if the client of the API requires confidentiality,
           and it wasn't already provided by an external layer */
Seems correct too.
--
Daniel Savard