--On Saturday, March 23, 2013 09:47:09 PM -0700 Bill MacAllister <whm@xxxxxxxxxxxx> wrote:
--On Friday, March 22, 2013 12:04:43 PM -0700 Bill MacAllister <whm@xxxxxxxxxxxx> wrote:
--On Friday, March 22, 2013 04:21:55 PM +0000 Hugh Cole-Baker <sigmaris@xxxxxxxxx> wrote:
On 22 Mar 2013, at 16:00, cyrus-sasl-request@xxxxxxxxxxxxxxxxxxxx wrote:
We are seeing a problem that looks a lot like this yours. From JNDI
clients connecting to our OpenLDAP server on Debian Wheezy connections
are failing. If the client makes a GSSAPI connection and uses SASL
encryption then the client will fail with a
java.lang.NegativeArraySizeException error.
I ran into the same problem with Java interop [1], initially thinking
it was a Java bug, and found a workaround, which is to set minssf to
at least 1 in the sasl-secprops setting in OpenLDAP. This might be
useful - I haven't tried to upgrade to 2.1.26 yet to check if it's
fixed in that version.
Hugh C-B
[1] http://mail.openjdk.java.net/pipermail/security-dev/2013-February/006665.html
That fixes the problem that we were seeing. Thanks a lot.
I am going to try 2.1.26 as well because it finally includes the
change to make life simpler in a load balanced environment. I let you
know how that goes.
And I confirmed that 2.1.26 also fixes this problem.
And after testing some more and this time testing against the correct
server I found that Cyrus SASL version 2.1.26 does _not_ fix the
problem, i.e. minssf=1 needs to be specified in olcSaslSecProps.
Bill
--
Bill MacAllister
Infrastructure Delivery Group, Stanford University
