SASL/GSSAPI authentication failing in many cases ( related to Bug 3480 ?)

Markus Moeller huaraz at moeller.plus.com
Fri Jan 3 09:29:31 EST 2014 

Hi,

   Apologies, but is nobody seeing the same issue as I ?   Could someone point me to some documentation about what external_ssf means  compared to max/min ssf ?

Thank you
Markus


From: Markus Moeller 
Sent: Sunday, December 08, 2013 1:30 PM
To: cyrus-sasl at lists.andrew.cmu.edu ; openldap-technical at openldap.org 
Subject: SASL/GSSAPI authentication failing in many cases ( related to Bug 3480 ?)

Hi 

  I am running OpenSuse 12.3 with openldap 2.4.33 and cyrus-sasl 1.2.25 and observe the following:


This authenticates the user and encrypts the traffic via the gssapi ( This works) 

   ldapsearch -H ldap://w2k3r2.win2003r2.home  -Omaxssf=56 -s sub -b DC=WIN2003R2,DC=HOME "(samaccountname=mm)"


This should authenticate the user but not encrypt the traffic (This fails) 

ldapsearch -H ldap://w2k3r2.win2003r2.home  -Omaxssf=0 -s sub -b DC=WIN2003R2,DC=HOME "(samaccountname=mm)"
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: A required input parameter could not be read (Unknown error)


This should authenticate the user with gssapi but encrypt the traffic with SSL (This fails)

ldapsearch -H ldaps://w2k3r2.win2003r2.home  -Omaxssf=0 -s sub -b DC=WIN2003R2,DC=HOME "(samaccountname=mm)"
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: A required input parameter could not be read (Unknown error)


This should authenticate the user with gssapi but encrypt the traffic with SSL (This fails)

ldapsearch -H ldaps://w2k3r2.win2003r2.home  -Omaxssf=56 -s sub -b DC=WIN2003R2,DC=HOME "(samaccountname=mm)"
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: A required input parameter could not be read (Unknown error)


Applying the “fix” from Bug 3480 (https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480)  make all 4 cases work.  May I ask why the fix is not correct/applied.   It really limits openldap/cyrus-sasl and makes it useless for many environments with Active Directory and enforced security (i.e. SSL)


Thank you
Markus


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/attachments/20140103/9ae0124e/attachment.html

More information about the Cyrus-sasl mailing list