SASL/GSSAPI authentication failing in many cases ( related to Bug 3480 ?)
Markus Moeller
huaraz at moeller.plus.com
Fri Jan 3 09:29:31 EST 2014
Hi,
Apologies, but is nobody seeing the same issue as I ? Could someone point me to some documentation about what external_ssf means compared to max/min ssf ?
Thank you
Markus
From: Markus Moeller
Sent: Sunday, December 08, 2013 1:30 PM
To: cyrus-sasl at lists.andrew.cmu.edu ; openldap-technical at openldap.org
Subject: SASL/GSSAPI authentication failing in many cases ( related to Bug 3480 ?)
Hi
I am running OpenSuse 12.3 with openldap 2.4.33 and cyrus-sasl 1.2.25 and observe the following:
This authenticates the user and encrypts the traffic via the gssapi ( This works)
ldapsearch -H ldap://w2k3r2.win2003r2.home -Omaxssf=56 -s sub -b DC=WIN2003R2,DC=HOME "(samaccountname=mm)"
This should authenticate the user but not encrypt the traffic (This fails)
ldapsearch -H ldap://w2k3r2.win2003r2.home -Omaxssf=0 -s sub -b DC=WIN2003R2,DC=HOME "(samaccountname=mm)"
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: A required input parameter could not be read (Unknown error)
This should authenticate the user with gssapi but encrypt the traffic with SSL (This fails)
ldapsearch -H ldaps://w2k3r2.win2003r2.home -Omaxssf=0 -s sub -b DC=WIN2003R2,DC=HOME "(samaccountname=mm)"
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: A required input parameter could not be read (Unknown error)
This should authenticate the user with gssapi but encrypt the traffic with SSL (This fails)
ldapsearch -H ldaps://w2k3r2.win2003r2.home -Omaxssf=56 -s sub -b DC=WIN2003R2,DC=HOME "(samaccountname=mm)"
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: A required input parameter could not be read (Unknown error)
Applying the “fix” from Bug 3480 (https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480) make all 4 cases work. May I ask why the fix is not correct/applied. It really limits openldap/cyrus-sasl and makes it useless for many environments with Active Directory and enforced security (i.e. SSL)
Thank you
Markus
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/attachments/20140103/9ae0124e/attachment.html
More information about the Cyrus-sasl
mailing list