I have a small LDAP utility (msktutil) that talks to Active Directory using GSSAPI over TLS. I'm trying to set the SASL parameter "maxssf" to "0" in the code.
I've found that in a recent version of OpenLDAP (2.4.24), modifying LDAP_OPT_X_SASL_SSF_MAX with ldap_set_option() has no effect. The basic code is
    sasl_ssf_t max_ssf = 0;
    printf("setting max ssf to %u\n", max_ssf);   /* sasl_ssf_t is unsigned */
    ldap_set_option(ld, LDAP_OPT_X_SASL_SSF_MAX, &max_ssf);
Subsequent ldap_get_option() calls show that the value is not changing, as does the output when I bind with ldap_sasl_interactive_bind_s(). I would at the very least expect ldap_set_option() to return something other than LDAP_OPT_SUCCESS here. Am I hitting a bug in OpenLDAP, or am I really off track? :)
I've attached a small test case (gcc -o test test.c -lldap -llber). This works as I expect in both 2.3.43 and 2.4.23, and fails in 2.4.24.
RHEL5: openldap-2.3.43-12.el5_6.7

    ./test
    LDAP_OPT_X_SASL_SSF_MAX before setting = 2147483647
    setting max ssf to 0
    LDAP_OPT_X_SASL_SSF_MAX after setting = 0

RHEL6: openldap-2.4.23-15.el6_1.1.x86_64

    ./test
    LDAP_OPT_X_SASL_SSF_MAX before setting = 2147483647
    setting max ssf to 0
    LDAP_OPT_X_SASL_SSF_MAX after setting = 0

Fedora 15: openldap-2.4.24-3.fc15.i686

    ./test
    LDAP_OPT_X_SASL_SSF_MAX before setting = 2147483647
    setting max ssf to 0
    LDAP_OPT_X_SASL_SSF_MAX after setting = 2147483647