--On Thursday, March 21, 2013 04:44:20 PM -0700 Bill MacAllister
<w...@stanford.edu> wrote:
Yeah, it's almost certainly an upstream bug. Ah, I see that Cyrus SASL
has a Bugzilla and everything these days.
Once I complete testing today I will file the bug.
And I confirmed that if I use TLS encryption the client works.
I sent a note to the cyrus-sasl list and got a response from Quanah
saying that "cyrus-sasl 2.1.25 had multiple problems with GSSAPI
unless it was patched heavily". I'll try packaging that and we'll see
what happens. I did file a bugzilla, but if the newer version
works that is moot.
Hugh Cole-Baker on the Cyrus SASL list pointed me to the solution
for Cyrus SASL version 2.1.25 at
http://mail.openjdk.java.net/pipermail/security-dev/2013-February/006665.html
I confirmed that this does indeed solve the problem. Basically,
OpenLDAP needs the global configuration setting for sasl-secprops
to include minssf=1. (Or olcSaslSecProps if you are using cn=config.)
In our case we set it to:
olcSaslSecProps: minssf=1,noplain,noanonymous
I also confirmed that 2.1.26 also solves the problem. Quanah Gibson-Mount
reported that there have been a number of other problems with 2.1.25.
I think this bug can be closed.
Bill
--
Bill MacAllister
Infrastructure Delivery Group, Stanford University