<HTML><HEAD></HEAD>
<BODY dir=ltr>
<DIV dir=ltr>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: 'Calibri'; COLOR: #000000">
<DIV>Another attempt of getting some hints to solve this. Do you require more
information about this problem ?</DIV>
<DIV> </DIV>
<DIV>Thank you</DIV>
<DIV>Markus</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV
style="BORDER-TOP-COLOR: #000000; BORDER-BOTTOM-COLOR: #000000; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 4px solid; BORDER-RIGHT-COLOR: #000000">
<DIV style="FONT-FAMILY: ; COLOR: ; TEXT-DECORATION: ; DISPLAY: inline">
<DIV>"Markus Moeller" <huaraz@moeller.plus.com> wrote in message
news:1E42C9C271E249768B675C094BA1E407@Ultrabook1...</DIV></DIV></DIV>
<DIV
style="BORDER-TOP-COLOR: #000000; BORDER-BOTTOM-COLOR: #000000; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 4px solid; BORDER-RIGHT-COLOR: #000000">
<DIV style="FONT-FAMILY: ; COLOR: ; TEXT-DECORATION: ; DISPLAY: inline">
<DIV dir=ltr>
<DIV style="FONT-FAMILY: ; COLOR: ">
<DIV>Hi,</DIV>
<DIV> </DIV>
<DIV> Apologies, but is nobody seeing the same issue as I
? Could someone point me to some documentation about what
external_ssf means compared to max/min ssf ?</DIV>
<DIV> </DIV>
<DIV>Thank you</DIV>
<DIV>Markus</DIV>
<DIV> </DIV>
<DIV style="FONT-FAMILY: ; COLOR: ; TEXT-DECORATION: ; DISPLAY: inline">
<DIV style="FONT-FAMILY: ; LINE-HEIGHT: normal">
<DIV><FONT face=Tahoma><FONT style="FONT-SIZE: 10pt"></FONT></FONT> </DIV>
<DIV style="BACKGROUND: #f5f5f5">
<DIV style="font-color: black"><FONT face=Tahoma><B><FONT
style="FONT-SIZE: 10pt">From:</FONT></B><FONT style="FONT-SIZE: 10pt">
</FONT></FONT><FONT style="FONT-SIZE: 10pt"><A title=huaraz@moeller.plus.com
href="mailto:huaraz@moeller.plus.com"><FONT face=Tahoma>Markus
Moeller</FONT></A></FONT><FONT face=Tahoma><FONT style="FONT-SIZE: 10pt">
</FONT></FONT></DIV>
<DIV><FONT face=Tahoma><B><FONT style="FONT-SIZE: 10pt">Sent:</FONT></B><FONT
style="FONT-SIZE: 10pt"> Sunday, December 08, 2013 1:30 PM</FONT></FONT></DIV>
<DIV><FONT face=Tahoma><B><FONT style="FONT-SIZE: 10pt">To:</FONT></B><FONT
style="FONT-SIZE: 10pt"> </FONT></FONT><FONT style="FONT-SIZE: 10pt"><A
title=cyrus-sasl@lists.andrew.cmu.edu
href="mailto:cyrus-sasl@lists.andrew.cmu.edu"><FONT
face=Tahoma>cyrus-sasl@lists.andrew.cmu.edu</FONT></A><FONT face=Tahoma> ;
</FONT><A title=openldap-technical@openldap.org
href="mailto:openldap-technical@openldap.org"><FONT
face=Tahoma>openldap-technical@openldap.org</FONT></A></FONT><FONT
face=Tahoma><FONT style="FONT-SIZE: 10pt"> </FONT></FONT></DIV>
<DIV><FONT face=Tahoma><B><FONT style="FONT-SIZE: 10pt">Subject:</FONT></B><FONT
style="FONT-SIZE: 10pt"> SASL/GSSAPI authentication failing in many cases (
related to Bug 3480 ?)</FONT></FONT></DIV></DIV></DIV>
<DIV> </DIV></DIV>
<DIV style="FONT-FAMILY: ; COLOR: ; TEXT-DECORATION: ; DISPLAY: inline">
<DIV dir=ltr>
<DIV style="FONT-FAMILY: ; COLOR: ">
<DIV>Hi </DIV>
<DIV> </DIV>
<DIV> I am running OpenSuse 12.3 with openldap 2.4.33 and cyrus-sasl
1.2.25 and observe the following:</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>This authenticates the user and encrypts the traffic via the gssapi ( This
works) </DIV>
<DIV> </DIV>
<DIV> ldapsearch -H ldap://w2k3r2.win2003r2.home -Omaxssf=56
-s sub -b DC=WIN2003R2,DC=HOME "(samaccountname=mm)"</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>This should authenticate the user but not encrypt the traffic (This fails)
</DIV>
<DIV> </DIV>
<DIV>ldapsearch -H ldap://w2k3r2.win2003r2.home -Omaxssf=0 -s sub -b
DC=WIN2003R2,DC=HOME "(samaccountname=mm)"</DIV>
<DIV>SASL/GSSAPI authentication started</DIV>
<DIV>ldap_sasl_interactive_bind_s: Local error (-2)</DIV>
<DIV> additional info: SASL(-1):
generic failure: GSSAPI Error: A required input parameter could not be read
(Unknown error)</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>This should authenticate the user with gssapi but encrypt the traffic with
SSL (This fails)</DIV>
<DIV> </DIV>
<DIV>ldapsearch -H ldaps://w2k3r2.win2003r2.home -Omaxssf=0 -s sub -b
DC=WIN2003R2,DC=HOME "(samaccountname=mm)"</DIV>
<DIV>SASL/GSSAPI authentication started</DIV>
<DIV>ldap_sasl_interactive_bind_s: Local error (-2)</DIV>
<DIV> additional info: SASL(-1):
generic failure: GSSAPI Error: A required input parameter could not be read
(Unknown error)</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>This should authenticate the user with gssapi but encrypt the traffic with
SSL (This fails)</DIV>
<DIV> </DIV>
<DIV>ldapsearch -H ldaps://w2k3r2.win2003r2.home -Omaxssf=56 -s sub -b
DC=WIN2003R2,DC=HOME "(samaccountname=mm)"</DIV>
<DIV>SASL/GSSAPI authentication started</DIV>
<DIV>ldap_sasl_interactive_bind_s: Local error (-2)</DIV>
<DIV> additional info: SASL(-1):
generic failure: GSSAPI Error: A required input parameter could not be read
(Unknown error)</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>Applying the “fix” from Bug 3480 (<A
title=https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480
href="https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480">https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480</A>)
make all 4 cases work. May I ask why the fix is not
correct/applied. It really limits openldap/cyrus-sasl and makes it
useless for many environments with Active Directory and enforced security (i.e.
SSL)</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>Thank you</DIV>
<DIV>Markus</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV> </DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></BODY></HTML>