Re: GSSAPI (SASL) + LDAP
For the record, I did upgrade to OpenLDAP 2.4.28, latest stuff. It
doesn't solve anything.
How can I debug this problem? Anything else I can do?
THX
Daniel
On Friday 10 February 2012 at 12:59 -0500, Daniel Savard wrote:
> On Thursday 09 February 2012 at 17:21 -0600, Dan White wrote:
> > On 02/09/12 17:15 -0500, Daniel Savard wrote:
> (...)
> >
> > This could be a libsasl2 problem. What version of cyrus sasl do you have
> > installed, and what kerberos library/version is it compiled against?
> >
> > If you're running libsasl2 > 2.1.23, see if either of these apply to you:
> >
> > https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480
> > https://bugzilla.cyrusimap.org/show_bug.cgi?id=3445
> >
>
> MIT Kerberos 1.9.2-r2
> Cyrus-Sasl 2.1.23-r6
> OpenLDAP 2.4.24
>
> Linux distro: Gentoo
>
> Code fragment from plugins/gssapi.c compared to bug 3445 and its patch:
>
>     if (output_token->value && output) {
>         int len;
>
>         ret = _plug_buf_alloc(text->utils, &(text->encode_buf),
>                               &(text->encode_buf_len),
>                               output_token->length + 4);
>
>         if (ret != SASL_OK) {
>             GSS_LOCK_MUTEX(text->utils);
>             gss_release_buffer(&min_stat, output_token);
>             GSS_UNLOCK_MUTEX(text->utils);
>             return ret;
>         }
>
>         len = htonl(output_token->length);
>         memcpy(text->encode_buf, &len, 4);
>         memcpy(text->encode_buf + 4, output_token->value,
>                output_token->length);
>     }
>
> This one seems correct. And code fragment compared to patch for bug
> 3480:
>
>     /* Setup req_flags properly */
>     req_flags = GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG;
>     if(params->props.max_ssf > params->external_ssf) {
>         /* We are requesting a security layer */
>         req_flags |= GSS_C_INTEG_FLAG;
>         /* Any SSF bigger than 1 is confidentiality. */
>         /* Let's check if the client of the API requires confidentiality,
>            and it wasn't already provided by an external layer */
>
> Seems correct too.
>
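
The first quoted fragment frames a wrapped GSSAPI token for the SASL security layer as a 4-byte network-order length followed by the token bytes. The block below is an added example, not code from this thread or from cyrus-sasl: it reproduces that framing and adds the receiver-side length checks a peer should apply before trusting the prefix. The names `frame_token`, `parse_frame` and `max_buf` are hypothetical; `max_buf` stands in for the negotiated maximum buffer size.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Sender side (hypothetical helper): 4-byte big-endian length, then the token,
 * mirroring the htonl()/memcpy() sequence in the quoted fragment.
 * Returns a malloc'd buffer and its size in *out_len, or NULL on failure. */
unsigned char *frame_token(const unsigned char *tok, size_t tok_len,
                           size_t *out_len)
{
    uint32_t be_len;
    unsigned char *buf;

    /* Reject lengths that cannot be represented in the 32-bit prefix. */
    if (tok == NULL || out_len == NULL || tok_len > UINT32_MAX - 4)
        return NULL;
    buf = malloc(tok_len + 4);
    if (buf == NULL)
        return NULL;
    be_len = htonl((uint32_t)tok_len);
    memcpy(buf, &be_len, 4);
    memcpy(buf + 4, tok, tok_len);
    *out_len = tok_len + 4;
    return buf;
}

/* Receiver side (hypothetical helper): validate the prefix before use.
 * Returns 0 on success, -1 if the header is incomplete, -2 if the declared
 * length exceeds max_buf (assumed negotiated limit), -3 if the frame is
 * truncated relative to its declared length. */
int parse_frame(const unsigned char *in, size_t in_len, size_t max_buf,
                const unsigned char **payload, size_t *payload_len)
{
    uint32_t be_len, len;

    if (in_len < 4)
        return -1;
    memcpy(&be_len, in, 4);      /* avoid unaligned access */
    len = ntohl(be_len);
    if (len > max_buf)
        return -2;
    if (len > in_len - 4)        /* in_len >= 4 here, so no underflow */
        return -3;
    *payload = in + 4;
    *payload_len = len;
    return 0;
}
```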