On 04/15/15 21:10 +0000, Osipov, Michael wrote:
> Hi folks,
> I am binding against Active Directory with GSSAPI mech and would like to disable SASL integrity for debugging purposes with Wireshark. Unfortunately, this call fails:
>
>     char *secprops = "minssf=0,maxssf=0";
>     rc = ldap_set_option(ld, LDAP_OPT_X_SASL_SECPROPS, secprops);
>
> with:
>
>     Diagnostic message: SASL(-1): generic failure: GSSAPI Error: A required input parameter could not be read (Unknown error)
>     Result code: -2

This error is likely produced by your Kerberos library (whichever one Cyrus is compiled against), or perhaps with the way the security properties are passed down from OpenLDAP to Cyrus to Kerberos.
Setting a minssf should not be necessary. Do you also get this error with "maxssf=0"? "maxssf=1" may be a more workable option, since encryption is really what you want to turn off, not integrity.