On 15 Apr 2008, at 22:31, Howard Chu wrote:
> ssh and GSSAPI may be analogous here. In that respect, these layers should renegotiate keys transparently so that upper layers never see it. The fact that SASL doesn't expose lifetime restrictions either means (a) apps aren't supposed to have to worry about them or (b) the SASL design is broken.
Personally, I think the GSSAPI SASL design is broken, in that it doesn't attempt renegotiation. That's something that I know people are working on fixing.
However, all of this is really by the by. The key issue is that sasl_encode and sasl_decode are defined as returning an error code in what passes for the Cyrus SASL API documentation. At the moment, the OpenLDAP code doesn't handle those functions returning anything other than success.
S.
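As an added illustration of the point raised above (not code from this thread, OpenLDAP or Cyrus SASL), the following toy program models a security layer whose encode/decode calls return a status code in the Cyrus SASL style (0 on success, negative on failure) and whose context has a lifetime that eventually expires. All names here (`layer_encode`, `layer_decode`, `send_unchecked`, `send_checked`, `LAYER_*`) are constructed for the example; the "cipher" is a checksum-only stand-in, not cryptography. It shows the two behaviours the discussion contrasts: an upper layer that ignores the return code reports success while sending nothing, whereas a caller that treats every non-OK code as fatal fails closed and stops using the connection.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Status codes in the Cyrus SASL style (0 means success, negative means failure).
   Names and values are constructed for this example, not libsasl2's own. */
enum { LAYER_OK = 0, LAYER_FAIL = -1, LAYER_EXPIRED = -2, LAYER_BADMAC = -3, LAYER_BUFSIZE = -4 };

/* Toy security-layer context. bytes_left stands in for a context lifetime: once the
   budget is spent the layer refuses further work, as an expired GSSAPI context would. */
typedef struct {
    uint8_t key;
    size_t bytes_left;
} layer_ctx;

/* A connection as the upper (LDAP-like) layer sees it. Once a layer error is hit the
   connection is marked dead so no further traffic is attempted on it. */
typedef struct {
    layer_ctx sec;
    int dead;
    uint8_t wire[256];   /* what "went on the wire" */
    size_t wirelen;
} conn_t;

static uint8_t toy_sum(const uint8_t *p, size_t n) {
    uint8_t s = 0;
    for (size_t i = 0; i < n; i++) s = (uint8_t)(s * 31 + p[i]);
    return s;
}

/* Toy "protection": XOR with key, then a one-byte checksum trailer.
   Not cryptography; it exists only so decode has something that can fail. */
int layer_encode(layer_ctx *c, const uint8_t *in, size_t inlen, uint8_t *out, size_t outcap, size_t *outlen) {
    if (inlen > c->bytes_left) return LAYER_EXPIRED;
    if (inlen + 1 > outcap) return LAYER_BUFSIZE;
    for (size_t i = 0; i < inlen; i++) out[i] = in[i] ^ c->key;
    out[inlen] = toy_sum(out, inlen);
    c->bytes_left -= inlen;
    *outlen = inlen + 1;
    return LAYER_OK;
}

int layer_decode(layer_ctx *c, const uint8_t *in, size_t inlen, uint8_t *out, size_t outcap, size_t *outlen) {
    if (inlen < 1) return LAYER_FAIL;
    size_t body = inlen - 1;
    if (body > c->bytes_left) return LAYER_EXPIRED;
    if (toy_sum(in, body) != in[body]) return LAYER_BADMAC;
    if (body > outcap) return LAYER_BUFSIZE;
    for (size_t i = 0; i < body; i++) out[i] = in[i] ^ c->key;
    c->bytes_left -= body;
    *outlen = body;
    return LAYER_OK;
}

/* The pattern the thread complains about: the return code is ignored and whatever
   outlen says is sent. After a failure outlen is still 0, so the caller "succeeds"
   while the message is silently dropped. */
int send_unchecked(conn_t *cn, const uint8_t *msg, size_t len) {
    uint8_t buf[64]; size_t outlen = 0;
    (void)layer_encode(&cn->sec, msg, len, buf, sizeof buf, &outlen);
    memcpy(cn->wire, buf, outlen);
    cn->wirelen = outlen;
    return 0;   /* always reports success */
}

/* Checked variant: every non-OK code is fatal for the connection (fail closed). */
int send_checked(conn_t *cn, const uint8_t *msg, size_t len) {
    uint8_t buf[64]; size_t outlen = 0;
    if (cn->dead) return LAYER_FAIL;
    int rc = layer_encode(&cn->sec, msg, len, buf, sizeof buf, &outlen);
    if (rc != LAYER_OK) { cn->dead = 1; cn->wirelen = 0; return rc; }
    memcpy(cn->wire, buf, outlen);
    cn->wirelen = outlen;
    return LAYER_OK;
}

int recv_checked(conn_t *cn, uint8_t *out, size_t outcap, size_t *outlen) {
    if (cn->dead) return LAYER_FAIL;
    int rc = layer_decode(&cn->sec, cn->wire, cn->wirelen, out, outcap, outlen);
    if (rc != LAYER_OK) { cn->dead = 1; *outlen = 0; }
    return rc;
}

void conn_init(conn_t *cn, uint8_t key, size_t budget) {
    memset(cn, 0, sizeof *cn);
    cn->sec.key = key;
    cn->sec.bytes_left = budget;
}

int main(void) {
    conn_t a; conn_init(&a, 0x5A, 8);                 /* constructed key and lifetime */
    printf("first send: rc=%d\n", send_checked(&a, (const uint8_t *)"hello", 5));
    printf("second send (lifetime exceeded): rc=%d dead=%d\n",
           send_checked(&a, (const uint8_t *)"world", 5), a.dead);
    conn_t u; conn_init(&u, 0x5A, 2);
    printf("unchecked send: rc=%d bytes on wire=%zu\n",
           send_unchecked(&u, (const uint8_t *)"hello", 5), u.wirelen);
    return 0;
}
```

The byte budget is deliberately tiny so the expiry path is reached within two messages; in a real layer the same code path is hit when the underlying context lifetime runs out, and the checked caller is the one that lets the application notice and rebind or reconnect instead of carrying on with a dead session.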