Hi Howard,

We tried neither 2.1.24 nor 2.1.25.
The issue is probably caused by additional SASL plugins we have. I will continue my investigation.

Thanks,
Sergey Emantayev

On Wednesday, December 4, 2013 11:19 AM, Howard Chu <h...@highlandsun.com> wrote:

Bill MacAllister wrote:
>
>
> --On Monday, December 02, 2013 01:14:24 PM -0800 Sergey Emantayev
> <serg...@yahoo.com> wrote:
>
>> Hello,
>>
>> We successfully use OpenLDAP C SDK 2.4.36 integrated with Cyrus-SASL
>> 2.1.23. Recently we have upgraded Cyrus-SASL to 2.1.26 and
>> encountering the next issue.
>>
>> LDAP search consistently fails. We analyzed this issue and found the
>> following behavior.
>>
>> When we use OpenLDAP with Cyrus-SASL 2.1.23 the LDAP Message Search
>> Request payload is wrapped in GSS-API payload.
>>
>> When we use OpenLDAP with Cyrus-SASL 2.1.26 the LDAP Message Search
>> Request payload is not wrapped in GSS-API payload at all. LDAP
>> Search Request looks like clear text LDAP Search Request and not
>> like LDAP SASL Search Request.
>>
>> In both cases - with Cyrus-SASL 2.1.23 and with Cyrus-SASL 2.1.26 –
>> LDAP SASL Bind succeeds and LDAP SASL bindResponse looks identical
>> with Cyrus-SASL 2.1.23 and with Cyrus-SASL 2.1.26.
>>
>> Please advise how to troubleshoot the issue.
>
> When I tried using 2.1.26 I had to set minssf to get it to work. Here
> is the setting that we are currently using.
>
> olcSaslSecProps: minssf=1,noplain,noanonymous

This sounds like a regression in Cyrus SASL; certainly it is an undocumented change in behavior. Can you confirm that the behavior from 2.1.23-2.1.25 wasn't changed?

--
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
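
For anyone troubleshooting the symptom described in this thread, the following is an added example (not code from any poster or from the OpenLDAP or Cyrus SASL projects) that tells a SASL-wrapped post-bind PDU apart from a cleartext LDAPMessage by its leading bytes. The function names `ber_len` and `classify` are hypothetical, the sample bytes are constructed, and the input is assumed to be the reassembled TCP payload of the first client PDU after the bindResponse.

```python
import struct

def ber_len(buf, off):
    """Decode a BER length at buf[off]; return (length, next_offset) or None."""
    if off >= len(buf):
        return None
    first = buf[off]
    if first < 0x80:                      # short form
        return first, off + 1
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or n > 4 or off + 1 + n > len(buf):
        return None
    return int.from_bytes(buf[off + 1:off + 1 + n], "big"), off + 1 + n

def classify(pdu):
    """Classify the first client PDU sent after a successful SASL bind."""
    # Cleartext LDAPMessage: SEQUENCE (0x30), length, INTEGER messageID (0x02).
    if pdu[:1] == b"\x30":
        parsed = ber_len(pdu, 1)
        if parsed and parsed[1] < len(pdu) and pdu[parsed[1]] == 0x02:
            return "cleartext-ldap"
    # SASL security layer (RFC 4422): 4-byte network-order length, then token.
    if len(pdu) >= 6:
        (n,) = struct.unpack(">I", pdu[:4])
        if 0 < n <= len(pdu) - 4:
            # RFC 4121 Wrap tokens start 05 04; RFC 1964 tokens start 0x60.
            if pdu[4:6] == b"\x05\x04" or pdu[4] == 0x60:
                return "sasl-wrapped-gssapi"
            return "sasl-wrapped-other"
    return "unknown"

def _tlv(tag, body=b""):
    """Constructed-sample helper: BER TLV with a short-form length."""
    return bytes([tag, len(body)]) + body

# Constructed samples, not captured traffic.
SEARCH = _tlv(0x63, _tlv(0x04) + _tlv(0x0A, b"\x00") * 2 + _tlv(0x02, b"\x00") * 2
              + _tlv(0x01, b"\x00") + _tlv(0x87, b"objectClass") + _tlv(0x30))
CLEAR = _tlv(0x30, _tlv(0x02, b"\x02") + SEARCH)   # messageID 2, searchRequest
TOKEN = b"\x05\x04\x06\xff" + bytes(28)            # Wrap header + opaque filler
WRAPPED = struct.pack(">I", len(TOKEN)) + TOKEN

if __name__ == "__main__":
    for name, pdu in (("CLEAR", CLEAR), ("WRAPPED", WRAPPED)):
        print(name, classify(pdu))
```

A "cleartext-ldap" result right after a GSSAPI bind means no security layer was negotiated, which is the case a server-side `minssf` setting rejects.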