For the records, I did upgrade to OpenLDAP 2.4.28, latest stuff. It doesn't solve anything.
How can I debug this problem? Anything else I can do?
THX
Daniel
Le vendredi 10 février 2012 à 12:59 -0500, Daniel Savard a écrit :
Le jeudi 09 février 2012 à 17:21 -0600, Dan White a écrit :
On 02/09/12 17:15 -0500, Daniel Savard wrote:
(...)
This could be a libsasl2 problem. What version of cyrus sasl do you have installed, and what kerberos library/version is it compiled against?
If you're running libsasl2 > 2.1.23, see if either of these apply to you:
https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480 https://bugzilla.cyrusimap.org/show_bug.cgi?id=3445
MIT Kerberos 1.9.2-r2 Cyrus-Sasl 2.1.23-r6 OpenLDAP 2.4.24
Linux distro: Gentoo
Code fragment from plugins/gssapi.c compared to bug 3445 and its patch:
if (output_token->value && output) { int len; ret = _plug_buf_alloc(text->utils, &(text->encode_buf), &(text->encode_buf_len),output_token->length + 4);
if (ret != SASL_OK) { GSS_LOCK_MUTEX(text->utils); gss_release_buffer(&min_stat, output_token); GSS_UNLOCK_MUTEX(text->utils); return ret; } len = htonl(output_token->length); memcpy(text->encode_buf, &len, 4); memcpy(text->encode_buf + 4, output_token->value,output_token->length); }
This one seems correct. And code fragment compared to patch for bug 3480:
/* Setup req_flags properly */ req_flags = GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG; if(params->props.max_ssf > params->external_ssf) { /* We are requesting a security layer */ req_flags |= GSS_C_INTEG_FLAG; /* Any SSF bigger than 1 is confidentiality. */ /* Let's check if the client of the API requiresconfidentiality, and it wasn't already provided by an external layer */
Seems correct too.