Postfix, SASL/SASL2 and LDAP

Phil Brutsche phil at optimumdata.com
Sun Sep 28 12:53:34 EDT 2003


Diego Rivera wrote:
> My question is: am I totally screwed?  Will I be forced to go to
> OpenLDAP 2.1.X and recompile EVERYTHING that touches LDAP (especially
> hoping that 2.1.X is backward-compatible with 2.0.X)?

You're not the only person to get bitten by this (nss_ldap uses OpenLDAP
2.0 which uses SASL 1.x, which causes segfaults in anything using SASL 2.1).

Note this comment from README.Debian.gz, from the Cyrus IMAP 2.1.x 
Debian packages:
  o "The Debian libldap2 and cyrus-imapd packages are both compiled using
    the SASL library.  If you use cyrus-imapd together with libnss-ldap,
    or saslauthd together with libpam-ldap, the resulting double calls to
    SASL library functions can trigger a double-free bug which may cause
    the calling process to crash.  To avoid such a crash, you must
    recompile the libldap2 package --without-cyrus-sasl."  --
    http://bugs.debian.org/145766 [!@#$%!!! I didn't expect SASL 2.1 to
    still have this annoying problem]

My understanding of the situation is that you have 2 options:
1) Upgrade to OpenLDAP 2.1 which uses SASL 2.1
2) Re-compile OpenLDAP 2.0 to not link against SASL

Either way you'll need to maintain custom binaries.  Option 1 definitely
works, but is a non-trivial change.  Option 2 may be the easier of the two
for you.

-- 

Phil Brutsche
phil at optimumdata.com
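
A way to check a host for the library mix described in this message, added here as an example and not part of the original post: it reads `ldd` output and reports whether Cyrus SASL 1.x, 2.x or both would end up in one process. The function names, the sample `ldd` text and the library paths in it are constructed for illustration; the pattern assumes the usual sonames `libsasl.so.N` for SASL 1.x and `libsasl2.so.N` for SASL 2.x.

```shell
#!/bin/sh
# sasl_versions: read ldd-style output on stdin and print which Cyrus SASL
# major versions it references: "none", "v1", "v2" or "both".
sasl_versions() {
    awk '
        # Assumed sonames: libsasl.so.N = SASL 1.x, libsasl2.so.N = SASL 2.x
        $1 ~ /^libsasl\.so(\.|$)/  { v1 = 1 }
        $1 ~ /^libsasl2\.so(\.|$)/ { v2 = 1 }
        END {
            if (v1 && v2) print "both"
            else if (v1)  print "v1"
            else if (v2)  print "v2"
            else          print "none"
        }'
}

# check_process BINARY [MODULE...]: classify a binary together with the
# modules it loads at run time. NSS and PAM modules are dlopen()ed, so ldd
# on the daemon alone does not show what they pull in.
check_process() {
    for f in "$@"; do
        ldd "$f" 2>/dev/null
    done | sasl_versions
}

# Constructed sample input (not captured from a real host): a daemon built
# against SASL 2.x, and an NSS LDAP module whose libldap pulls in SASL 1.x.
SAMPLE_DAEMON='    libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x40020000)
    libc.so.6 => /lib/libc.so.6 (0x40100000)'
SAMPLE_NSS='    libldap.so.2 => /usr/lib/libldap.so.2 (0x40030000)
    libsasl.so.7 => /usr/lib/libsasl.so.7 (0x40060000)
    libc.so.6 => /lib/libc.so.6 (0x40100000)'

# Each half alone looks fine; the combination is the conflicting case.
echo "daemon alone:      $(printf '%s\n' "$SAMPLE_DAEMON" | sasl_versions)"
echo "nss module alone:  $(printf '%s\n' "$SAMPLE_NSS" | sasl_versions)"
echo "daemon + nss:      $(printf '%s\n%s\n' "$SAMPLE_DAEMON" "$SAMPLE_NSS" | sasl_versions)"
```

On a real system, pass `check_process` the daemon binary followed by the NSS or PAM LDAP module files installed on that host; a result of `both` marks the combination this thread is about.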





