Re: SASL/GSSAPI authentication failing in many cases ( related to Bug 3480 ?)

Hi,
 
   Apologies, but is nobody seeing the same issue as I am? Could someone point me to some documentation about what external_ssf means compared to max/min ssf?
 
Thank you
Markus
 
 
Sent: Sunday, December 08, 2013 1:30 PM
Subject: SASL/GSSAPI authentication failing in many cases ( related to Bug 3480 ?)
 
Hi
 
  I am running OpenSuse 12.3 with openldap 2.4.33 and cyrus-sasl 1.2.25 and observe the following:
 
 
This authenticates the user and encrypts the traffic via the gssapi (This works)
 
   ldapsearch -H ldap://w2k3r2.win2003r2.home  -Omaxssf=56 -s sub -b DC=WIN2003R2,DC=HOME "(samaccountname=mm)"
 
 
This should authenticate the user but not encrypt the traffic (This fails)
 
ldapsearch -H ldap://w2k3r2.win2003r2.home  -Omaxssf=0 -s sub -b DC=WIN2003R2,DC=HOME "(samaccountname=mm)"
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: A required input parameter could not be read (Unknown error)
 
 
This should authenticate the user with gssapi but encrypt the traffic with SSL (This fails)
 
ldapsearch -H ldaps://w2k3r2.win2003r2.home  -Omaxssf=0 -s sub -b DC=WIN2003R2,DC=HOME "(samaccountname=mm)"
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: A required input parameter could not be read (Unknown error)
 
 
This should authenticate the user with gssapi but encrypt the traffic with SSL (This fails)
 
ldapsearch -H ldaps://w2k3r2.win2003r2.home  -Omaxssf=56 -s sub -b DC=WIN2003R2,DC=HOME "(samaccountname=mm)"
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: A required input parameter could not be read (Unknown error)
 
 
Applying the “fix” from Bug 3480 (https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480) makes all 4 cases work. May I ask why the fix is not correct/applied? It really limits openldap/cyrus-sasl and makes it useless for many environments with Active Directory and enforced security (i.e. SSL).
 
 
Thank you
Markus
 
 
 
