GSSAPI and "encoded packet size too big"

Bill MacAllister whm at stanford.edu
Sun Mar 24 14:09:54 EDT 2013



--On Saturday, March 23, 2013 09:47:09 PM -0700 Bill MacAllister <whm at stanford.edu> wrote:

>
>
> --On Friday, March 22, 2013 12:04:43 PM -0700 Bill MacAllister <whm at stanford.edu> wrote:
>
>>
>>
>> --On Friday, March 22, 2013 04:21:55 PM +0000 Hugh Cole-Baker <sigmaris at gmail.com> wrote:
>>
>>> On 22 Mar 2013, at 16:00, cyrus-sasl-request at lists.andrew.cmu.edu wrote:
>>>
>>>> We are seeing a problem that looks a lot like this yours.  From JNDI
>>>> clients connecting to our OpenLDAP server on Debian Wheezy connections
>>>> are failing.  If the client makes a GSSAPI connection and uses SASL
>>>> encryption then the client will fail with a
>>>> java.lang.NegativeArraySizeException error.
>>>
>>> I ran into the same problem with Java interop [1], initially thinking
>>> it was a Java bug, and found a workaround, which is to set minssf to
>>> at least 1 in the sasl-secprops setting in OpenLDAP. This might be
>>> useful - I haven't tried to upgrade to 2.1.26 yet to check if it's
>>> fixed in that version.
>>>
>>> Hugh C-B
>>>
>>> [1] http://mail.openjdk.java.net/pipermail/security-dev/2013-February/006665.html
>>
>> That fixes the problem that we were seeing.  Thanks a lot.
>>
>> I am going to try 2.1.26 as well because it finally includes the
>> change to make life simpler in a load balanced environment.  I let you
>> know how that goes.
>
> And I confirmed that 2.1.26 also fixes this problem.

And after testing some more and this time testing against the correct
server I found that Cyrus SASL version 2.1.26 does _not_ fix the
problem, i.e. minssf=1 needs to be specified in olcSaslSecProps.

Bill

-- 

Bill MacAllister
Infrastructure Delivery Group, Stanford University



More information about the Cyrus-sasl mailing list