--On Sunday, March 24, 2013 07:35:27 AM +0100 Ondřej Surý <ond...@sury.org>
wrote:
Bill,
thanks for investigating this. I'll keep the bug open in case somebody else
gets hit by it, and mark it as fixed in 2.1.26 when it hits unstable.
O.
And after doing some more testing, with the correct server this time,
I discovered that 2.1.26 does _not_ fix the problem, i.e. minssf=1
needs to be specified in the OpenLDAP configuration element
olcSaslSecProps. Sorry for the mis-direction.
And, thinking about this some more, it is not clear that this is a bug
in Cyrus SASL. At a minimum JNDI should give a better error message
than it does, but really JNDI should probably just handle it.
Bill
On Sun, Mar 24, 2013 at 5:40 AM, Bill MacAllister <w...@stanford.edu> wrote:
--On Thursday, March 21, 2013 04:44:20 PM -0700 Bill MacAllister <w...@stanford.edu> wrote:
Yeah, it's almost certainly an upstream bug. Ah, I see that Cyrus SASL
has a Bugzilla and everything these days.
Once I complete testing today I will file the bug.
And I confirmed that if I use TLS encryption the client works.
I sent a note to the cyrus-sasl list and got a response from Quanah
saying that "cyrus-sasl 2.1.25 had multiple problems with GSSAPI
unless it was patched heavily". I'll try packaging that and we'll see
what happens. I did file a bugzilla, but if the newer version
works that is moot.
Hugh Cole-Baker on the Cyrus SASL list pointed me to the solution
for Cyrus SASL version 2.1.25 at
http://mail.openjdk.java.net/pipermail/security-dev/2013-February/006665.html
I confirmed that this does indeed solve the problem. Basically,
OpenLDAP needs the global configuration setting for sasl-secprops
to include minssf=1. (Or olcSaslSecProps if you are using cn=config.)
In our case we set it to:
olcSaslSecProps: minssf=1,noplain,noanonymous
I also confirmed that 2.1.26 also solves the problem. Quanah Gibson-Mount
reported that there have been a number of other problems with 2.1.25.
I think this bug can be closed.
Bill
--
Bill MacAllister
Infrastructure Delivery Group, Stanford University