<HTML><HEAD></HEAD>
<BODY dir=ltr>
<DIV dir=ltr>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: 'Calibri'; COLOR: #000000">
<DIV>Hi,</DIV>
<DIV> </DIV>
<DIV> Apologies, but is nobody seeing the same issue as I am?
Could someone point me to some documentation about what
external_ssf means compared to max/min ssf?</DIV>
<DIV> </DIV>
<DIV>Thank you</DIV>
<DIV>Markus</DIV>
<DIV> </DIV>
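<DIV>Added illustration (not Markus's code, nor code from cyrus-sasl or OpenLDAP): a Python model of how the Cyrus SASL GSSAPI client turns minssf, maxssf and the external SSF into a security-layer choice. The external SSF is the protection the transport already provides (the TLS cipher strength on an ldaps:// connection); it is subtracted from both bounds, so only the remainder has to come from GSSAPI wrapping. The layer names, the SSF values of 1 for integrity and 56 for confidentiality, the defaults minssf=0 and maxssf=INT_MAX, and the TLS strength of 128 assumed for ldaps:// are assumptions, not values taken from the thread.</DIV>

```python
"""Model of Cyrus SASL GSSAPI security-layer selection from minssf/maxssf and
the external SSF.  Added illustration; not code from cyrus-sasl or OpenLDAP.
The layer bits, the 1/56 SSF values and the defaults are assumptions."""

from dataclasses import dataclass

# Security-layer bits as the GSSAPI mechanism advertises them (assumed names).
LAYER_NONE = 1
LAYER_INTEGRITY = 2
LAYER_CONFIDENTIALITY = 4
ALL_LAYERS = LAYER_NONE | LAYER_INTEGRITY | LAYER_CONFIDENTIALITY

# SSF credited to each layer (assumed: 1 for integrity, 56 for confidentiality).
INTEGRITY_SSF = 1
CONFIDENTIALITY_SSF = 56


@dataclass
class LayerChoice:
    layer: int       # one of the LAYER_* values
    mech_ssf: int    # SSF contributed by the SASL layer itself
    total_ssf: int   # external_ssf + mech_ssf: what the connection ends up with


def choose_layer(min_ssf, max_ssf, external_ssf, server_layers=ALL_LAYERS):
    """Pick the SASL security layer the client would negotiate.

    external_ssf (e.g. TLS strength on ldaps://) is subtracted from both
    bounds, so only the remainder must be supplied by GSSAPI wrapping.
    """
    need = max(min_ssf - external_ssf, 0)       # SSF still required
    allowed = max(max_ssf - external_ssf, 0)    # SSF the client may still add

    if allowed >= CONFIDENTIALITY_SSF and server_layers & LAYER_CONFIDENTIALITY:
        choice = LayerChoice(LAYER_CONFIDENTIALITY, CONFIDENTIALITY_SSF,
                             external_ssf + CONFIDENTIALITY_SSF)
    elif allowed >= INTEGRITY_SSF and server_layers & LAYER_INTEGRITY:
        choice = LayerChoice(LAYER_INTEGRITY, INTEGRITY_SSF,
                             external_ssf + INTEGRITY_SSF)
    elif need == 0 and server_layers & LAYER_NONE:
        choice = LayerChoice(LAYER_NONE, 0, external_ssf)
    else:
        raise ValueError("no acceptable security layer: need=%d allowed=%d"
                         % (need, allowed))

    # Final check the library applies once the mechanism has finished:
    # the combined strength must still meet minssf.
    if choice.total_ssf < min_ssf:
        raise ValueError("negotiated SSF %d below minssf %d"
                         % (choice.total_ssf, min_ssf))
    return choice


def parse_secprops(spec):
    """Parse an ldapsearch -O string such as "maxssf=0,minssf=1"."""
    props = {}
    for item in filter(None, spec.split(",")):
        key, _, value = item.partition("=")
        props[key.strip()] = int(value) if value else True
    return props


# Constructed reproduction of the four cases in the mail.  The TLS strength on
# ldaps:// is an assumption (128); the real value depends on the cipher suite.
ASSUMED_TLS_SSF = 128
DEFAULT_MINSSF = 0            # assumed client default
DEFAULT_MAXSSF = 2 ** 31 - 1  # assumed client default (INT_MAX)
CASES = [
    ("ldap://  -Omaxssf=56", "ldap", "maxssf=56"),
    ("ldap://  -Omaxssf=0", "ldap", "maxssf=0"),
    ("ldaps:// -Omaxssf=0", "ldaps", "maxssf=0"),
    ("ldaps:// -Omaxssf=56", "ldaps", "maxssf=56"),
]


def evaluate_cases(cases=CASES):
    """Return {label: (layer, total_ssf)} for each case under the model."""
    results = {}
    for label, scheme, secprops in cases:
        props = parse_secprops(secprops)
        external = ASSUMED_TLS_SSF if scheme == "ldaps" else 0
        choice = choose_layer(props.get("minssf", DEFAULT_MINSSF),
                              props.get("maxssf", DEFAULT_MAXSSF), external)
        results[label] = (choice.layer, choice.total_ssf)
    return results


if __name__ == "__main__":
    for label, (layer, total) in evaluate_cases().items():
        print("%-22s layer=%d total_ssf=%d" % (label, layer, total))
```

<DIV>Under this arithmetic all four commands quoted below have a valid outcome: the plain ldap:// case with maxssf=56 ends with a confidentiality layer, and the other three end with no GSSAPI layer, because either maxssf=0 forbids one or the assumed TLS strength already exceeds both bounds. The "A required input parameter could not be read" failures in the quoted mail are therefore not a consequence of the property arithmetic itself, which is what the bug report is about.</DIV>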
<DIV
style="FONT-SIZE: small; FONT-FAMILY: 'Calibri'; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; TEXT-DECORATION: none; DISPLAY: inline">
<DIV style="FONT: 10pt tahoma">
<DIV> </DIV>
<DIV style="BACKGROUND: #f5f5f5">
<DIV style="font-color: black"><B>From:</B> <A title=huaraz@moeller.plus.com
href="mailto:huaraz@moeller.plus.com">Markus Moeller</A> </DIV>
<DIV><B>Sent:</B> Sunday, December 08, 2013 1:30 PM</DIV>
<DIV><B>To:</B> <A title=cyrus-sasl@lists.andrew.cmu.edu
href="mailto:cyrus-sasl@lists.andrew.cmu.edu">cyrus-sasl@lists.andrew.cmu.edu</A>
; <A title=openldap-technical@openldap.org
href="mailto:openldap-technical@openldap.org">openldap-technical@openldap.org</A>
</DIV>
<DIV><B>Subject:</B> SASL/GSSAPI authentication failing in many cases ( related
to Bug 3480 ?)</DIV></DIV></DIV>
<DIV> </DIV></DIV>
<DIV
style="FONT-SIZE: small; FONT-FAMILY: 'Calibri'; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; TEXT-DECORATION: none; DISPLAY: inline">
<DIV dir=ltr>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: 'Calibri'; COLOR: #000000">
<DIV>Hi </DIV>
<DIV> </DIV>
<DIV> I am running openSUSE 12.3 with openldap 2.4.33 and cyrus-sasl
1.2.25 and observe the following:</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>This authenticates the user and encrypts the traffic via the gssapi ( This
works) </DIV>
<DIV> </DIV>
<DIV> ldapsearch -H ldap://w2k3r2.win2003r2.home -Omaxssf=56
-s sub -b DC=WIN2003R2,DC=HOME "(samaccountname=mm)"</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>This should authenticate the user but not encrypt the traffic (This fails)
</DIV>
<DIV> </DIV>
<DIV>ldapsearch -H ldap://w2k3r2.win2003r2.home -Omaxssf=0 -s sub -b
DC=WIN2003R2,DC=HOME "(samaccountname=mm)"</DIV>
<DIV>SASL/GSSAPI authentication started</DIV>
<DIV>ldap_sasl_interactive_bind_s: Local error (-2)</DIV>
<DIV> additional info: SASL(-1):
generic failure: GSSAPI Error: A required input parameter could not be read
(Unknown error)</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>This should authenticate the user with gssapi but encrypt the traffic with
SSL (This fails)</DIV>
<DIV> </DIV>
<DIV>ldapsearch -H ldaps://w2k3r2.win2003r2.home -Omaxssf=0 -s sub -b
DC=WIN2003R2,DC=HOME "(samaccountname=mm)"</DIV>
<DIV>SASL/GSSAPI authentication started</DIV>
<DIV>ldap_sasl_interactive_bind_s: Local error (-2)</DIV>
<DIV> additional info: SASL(-1):
generic failure: GSSAPI Error: A required input parameter could not be read
(Unknown error)</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>This should authenticate the user with gssapi but encrypt the traffic with
SSL (This fails)</DIV>
<DIV> </DIV>
<DIV>ldapsearch -H ldaps://w2k3r2.win2003r2.home -Omaxssf=56 -s sub -b
DC=WIN2003R2,DC=HOME "(samaccountname=mm)"</DIV>
<DIV>SASL/GSSAPI authentication started</DIV>
<DIV>ldap_sasl_interactive_bind_s: Local error (-2)</DIV>
<DIV> additional info: SASL(-1):
generic failure: GSSAPI Error: A required input parameter could not be read
(Unknown error)</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>Applying the “fix” from Bug 3480 (<A
title=https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480
href="https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480">https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480</A>)
makes all 4 cases work. May I ask why the fix is not
correct/applied? It really limits openldap/cyrus-sasl and makes it
useless for many environments with Active Directory and enforced security (i.e.
SSL).</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>Thank you</DIV>
<DIV>Markus</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV> </DIV></DIV></DIV></DIV></DIV></DIV></BODY></HTML>