--On November 18, 2009 9:39:02 AM +0000 Bill MacAllister whm@stanford.edu wrote:
>> For historical note this was caused by Cyrus-sasl being built incorrectly by the debian packagers when heimdal is used.
>
> I don't understand why you refer to this finding as historical.

Not a historical finding. As a record for anyone who comes across this ITS and wants to know what was found.

> If I am reading this correctly you and Howard have found the underlying cause. Now that the problem is understood can you suggest a way for us to cause the problem in our test environments? At this point we will really need to convince ourselves that the problem is indeed fixed before we try to deploy 2.4 in our production environment again.
To note, first off, this issue was not a bug in OpenLDAP, and the project went beyond its scope in tracking down why cyrus-sasl was behaving the way it was. Finding out test cases for you to explore is also beyond the scope of the OpenLDAP project when dealing with non-OpenLDAP issues.
However, given what is known, i.e., that the NTLM code path was being called during SASL/GSSAPI binds, I would suggest you either set up a number of Windows boxes that try and do SASL/GSSAPI auth with NTLM to a test server, or write a script that does that and run it from multiple systems.
Some reference points:
http://www.netid.washington.edu/documentation/ldapAuth.aspx
It also seems it may be possible to use python-ldap to do this. I don't know if it is possible with Net::LDAP or Net::LDAPapi.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
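As an added illustration of the python-ldap approach Quanah mentions (this is example code written for this page, not anything from the ITS thread or the OpenLDAP project), the script below fires many parallel SASL/GSSAPI binds at a test server and tallies how they fail, which is the kind of evidence needed to decide whether a rebuilt cyrus-sasl has actually fixed things. The server URI, the worker and round counts, and the Kerberos ticket in the caller's credential cache are all assumptions; the python-ldap calls (`ldap.initialize`, `sasl_interactive_bind_s`, `ldap.sasl.gssapi`, `whoami_s`) are the library's real API.

```python
"""Added example: load-test SASL/GSSAPI binds against a test LDAP server.

Assumes python-ldap is installed and that the user running it already
holds a valid Kerberos ticket (kinit) for a principal the server accepts.
The URI below is a placeholder for your own test server.
"""
import concurrent.futures
import sys
from typing import Dict, List, Tuple

# Placeholder test-server URI; replace with your own.
TEST_URI = "ldap://ldap-test.example.com"


def bind_once(uri: str, timeout: float = 10.0) -> Tuple[bool, str]:
    """Perform one SASL/GSSAPI bind and report (ok, detail).

    On success the detail is the server's whoami answer; on failure it is
    the repr of the python-ldap exception, so identical failures can be
    grouped later.  python-ldap is imported lazily so the tally helpers
    below still work on a machine without it.
    """
    try:
        import ldap
        import ldap.sasl
    except ImportError as exc:  # not a bind failure, but worth surfacing
        return False, "python-ldap not installed: %r" % (exc,)

    conn = ldap.initialize(uri)
    conn.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
    conn.set_option(ldap.OPT_NETWORK_TIMEOUT, timeout)
    try:
        # Empty DN: the identity comes from the Kerberos ticket, not a bind DN.
        conn.sasl_interactive_bind_s("", ldap.sasl.gssapi())
        return True, conn.whoami_s()
    except ldap.LDAPError as exc:
        return False, repr(exc)
    finally:
        try:
            conn.unbind_s()
        except Exception:
            pass


def summarize(results: List[Tuple[bool, str]]) -> Dict[str, object]:
    """Count successes and group failures by their detail string."""
    failures: Dict[str, int] = {}
    ok = 0
    for good, detail in results:
        if good:
            ok += 1
        else:
            failures[detail] = failures.get(detail, 0) + 1
    return {"ok": ok, "failed": len(results) - ok, "failures": failures}


def run_load(uri: str, workers: int = 20, rounds: int = 200) -> Dict[str, object]:
    """Run `rounds` binds using `workers` parallel threads and summarize them."""
    with concurrent.futures.ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda _: bind_once(uri), range(rounds)))
    return summarize(results)


if __name__ == "__main__":
    uri = sys.argv[1] if len(sys.argv) > 1 else TEST_URI
    report = run_load(uri)
    print("ok=%d failed=%d" % (report["ok"], report["failed"]))
    for detail, count in sorted(report["failures"].items(), key=lambda kv: -kv[1]):
        print("%5d  %s" % (count, detail))
```

Run it from several client hosts at once (as the message suggests) and compare the failure groups before and after swapping in the corrected cyrus-sasl build; a fix should show as the GSSAPI-specific failure class disappearing rather than just the counts dropping.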