Dan,
Thanks for the quick response.
I tried your suggestion like this:
// GSSAPI and TLS fails to AD. This was a suggestion for the workaround:
// https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480
sasl_ssf_t max_ssf = 0;
ldrc = ldap_set_option(ld, LDAP_OPT_X_SASL_SSF_MAX, &max_ssf);
if (ldrc != LDAP_SUCCESS) {
    logError("ldap_set_option() for LDAP_OPT_X_SASL_SSF_MAX failure: ldrc = %d", ldrc);
    return;
}
But with that change I can't bind any longer; I get a "Local error(-2)".
I get the same for Kerberos with no TLS with this setting.
Is the use case of SASL authentication with Kerberos to the LDAP server and
TLS to the LDAP server for all other communication a valid one?
Thanks,
Kris
On Mon, Oct 6, 2014 at 2:27 PM, Dan White <dwhite(a)olp.net> wrote:
On 10/06/14 13:24 -0500, Dan White wrote:
> There is a known bug in Cyrus SASL which triggers this problem:
>
> https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480
>
> If adding "-O maxssf=0" to your ldapsearch command, when using both
> Kerberos and TLS, works then that's likely the culprit.
>
Apparently I can't read my own bug reports. This may or may not be your
issue.
--
Dan White