Another attempt at getting some hints to solve this. Do you require more
information about this problem?

Thank you
Markus


"Markus Moeller" <hua...@moeller.plus.com> wrote in message 
news:1E42C9C271E249768B675C094BA1E407@Ultrabook1...
Hi,

   Apologies, but is nobody seeing the same issue as I? Could someone point
me to some documentation about what external_ssf means compared to max/min ssf?

Thank you
Markus


From: Markus Moeller 
Sent: Sunday, December 08, 2013 1:30 PM
To: cyrus-sasl@lists.andrew.cmu.edu ; openldap-techni...@openldap.org 
Subject: SASL/GSSAPI authentication failing in many cases (related to Bug 3480?)

Hi 

  I am running OpenSuse 12.3 with openldap 2.4.33 and cyrus-sasl 1.2.25 and 
observe the following:


This authenticates the user and encrypts the traffic via GSSAPI (this works):

   ldapsearch -H ldap://w2k3r2.win2003r2.home -Omaxssf=56 -s sub -b DC=WIN2003R2,DC=HOME "(samaccountname=mm)"


This should authenticate the user but not encrypt the traffic (this fails):

   ldapsearch -H ldap://w2k3r2.win2003r2.home -Omaxssf=0 -s sub -b DC=WIN2003R2,DC=HOME "(samaccountname=mm)"
   SASL/GSSAPI authentication started
   ldap_sasl_interactive_bind_s: Local error (-2)
           additional info: SASL(-1): generic failure: GSSAPI Error: A required input parameter could not be read (Unknown error)


This should authenticate the user with GSSAPI but encrypt the traffic with SSL (this fails):

   ldapsearch -H ldaps://w2k3r2.win2003r2.home -Omaxssf=0 -s sub -b DC=WIN2003R2,DC=HOME "(samaccountname=mm)"
   SASL/GSSAPI authentication started
   ldap_sasl_interactive_bind_s: Local error (-2)
           additional info: SASL(-1): generic failure: GSSAPI Error: A required input parameter could not be read (Unknown error)


This should authenticate the user with GSSAPI but encrypt the traffic with SSL (this fails):

   ldapsearch -H ldaps://w2k3r2.win2003r2.home -Omaxssf=56 -s sub -b DC=WIN2003R2,DC=HOME "(samaccountname=mm)"
   SASL/GSSAPI authentication started
   ldap_sasl_interactive_bind_s: Local error (-2)
           additional info: SASL(-1): generic failure: GSSAPI Error: A required input parameter could not be read (Unknown error)


Applying the "fix" from Bug 3480
(https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480) makes all 4 cases work.
May I ask why the fix is not correct/applied? It really limits
openldap/cyrus-sasl and makes it useless for many environments with Active
Directory and enforced security (i.e. SSL).


Thank you
Markus
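
The question raised in the follow-up, what external_ssf means compared to min/max ssf, is easiest to see by modelling the arithmetic cyrus-sasl applies before the GSSAPI mechanism picks a security layer. The following is an added example, not code from the thread or from cyrus-sasl/OpenLDAP; it reimplements in Python the bound-adjustment I understand cyrus-sasl's lib/client.c to perform (subtract the external SSF from both minssf and maxssf, flooring at 0) and the layer choice its GSSAPI plugin makes from the server-advertised layer bits, with K5_MAX_SSF = 56 as in the 2.1.x plugin. It assumes OpenLDAP's default minssf of 0, that an ldaps:// session reports a constructed external SSF of 128, and that the Active Directory server offers all three layers. It then walks the four ldapsearch invocations from the original post to show which SASL layer each policy is asking for, which is the expected outcome to check against when a bind fails.

```python
# Added example: a model of cyrus-sasl SSF arithmetic and GSSAPI layer choice.
# Assumption: mirrors the logic in cyrus-sasl lib/client.c and plugins/gssapi.c
# of the 2.1.x series; it is a reimplementation for illustration, not the library.

K5_MAX_SSF = 56  # SSF the GSSAPI plugin claims for a confidentiality layer

# Layer bits a GSSAPI server advertises in the security-layer negotiation token.
LAYER_NONE = 1
LAYER_INTEGRITY = 2
LAYER_CONF = 4


class TooWeak(Exception):
    """Equivalent of SASL_TOOWEAK: no offered layer satisfies the client's policy."""


def effective_bounds(min_ssf, max_ssf, external_ssf):
    """Subtract the external (e.g. TLS) SSF from the requested bounds, floor at 0.

    This is what makes external_ssf different from min/max ssf: protection that
    already exists outside SASL counts toward the requirement, so a TLS session
    with SSF 128 satisfies minssf=56 without any SASL layer at all.
    """
    need = min_ssf - external_ssf if min_ssf > external_ssf else 0
    allowed = max_ssf - external_ssf if max_ssf > external_ssf else 0
    return need, allowed


def choose_layer(min_ssf, max_ssf, external_ssf, server_layers):
    """Return the GSSAPI layer the client would request: 'conf', 'integrity' or 'none'.

    Raises TooWeak when the server offers nothing that meets the effective minimum.
    """
    need, allowed = effective_bounds(min_ssf, max_ssf, external_ssf)
    if allowed >= K5_MAX_SSF and need <= K5_MAX_SSF and server_layers & LAYER_CONF:
        return "conf"
    if allowed >= 1 and need <= 1 and server_layers & LAYER_INTEGRITY:
        return "integrity"
    if need <= 0 and server_layers & LAYER_NONE:
        return "none"
    raise TooWeak(
        f"need ssf>={need}, allowed ssf<={allowed}, server offers {server_layers:#x}"
    )


def expected_outcomes(tls_ssf=128):
    """Walk the four ldapsearch invocations from the post.

    tls_ssf is a constructed stand-in for the external SSF OpenLDAP reports for
    an ldaps:// session; minssf is left at OpenLDAP's default of 0 (assumption).
    """
    ad_layers = LAYER_NONE | LAYER_INTEGRITY | LAYER_CONF  # assumed AD offering
    cases = {
        "ldap maxssf=56": (0, 56, 0),
        "ldap maxssf=0": (0, 0, 0),
        "ldaps maxssf=0": (0, 0, tls_ssf),
        "ldaps maxssf=56": (0, 56, tls_ssf),
    }
    return {
        name: choose_layer(mn, mx, ext, ad_layers)
        for name, (mn, mx, ext) in cases.items()
    }


if __name__ == "__main__":
    for name, layer in expected_outcomes().items():
        print(f"{name:16s} -> SASL security layer: {layer}")
    # A policy the server cannot meet: integrity required over plain ldap://
    # against a server that only offers the 'none' layer.
    try:
        choose_layer(1, 56, 0, LAYER_NONE)
    except TooWeak as err:
        print("minssf=1 against a server offering no layer ->", err)
```

Two of the four cases end up identical from the mechanism's point of view: over ldaps:// both maxssf=0 and maxssf=56 reduce to allowed=0 once the TLS SSF is subtracted, so in both the client asks GSSAPI for authentication only and relies on TLS for confidentiality. That is why a bug triggered by the "no security layer" path shows up in three of the four invocations and not in the first.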

