I have a small LDAP utility (msktutil) that talks to Active Directory using GSSAPI over TLS. I'm trying to set the SASL parameter "maxssf" to "0" in the code.
I've found that in a recent version of OpenLDAP (2.4.24), modifying LDAP_OPT_X_SASL_SSF_MAX with ldap_set_option() has no effect. The basic code is
    sasl_ssf_t max_ssf = 0;
    printf( "setting max ssf to %d\n", max_ssf );
    ldap_set_option(ld, LDAP_OPT_X_SASL_SSF_MAX, &max_ssf);

Subsequent ldap_get_option() calls show that the value is not changing, as does the output when I bind with ldap_sasl_interactive_bind_s(). I would at the very least expect ldap_set_option() to return something other than LDAP_OPT_SUCCESS here. Am I hitting a bug in OpenLDAP, or am I really off track? :)
I've attached a small test case (gcc -o test test.c -lldap -llber). This works as I expect in both 2.3.43 and 2.4.23, and fails in 2.4.24.
RHEL5: openldap-2.3.43-12.el5_6.7
    ./test
    LDAP_OPT_X_SASL_SSF_MAX before setting = 2147483647
    setting max ssf to 0
    LDAP_OPT_X_SASL_SSF_MAX after setting = 0

RHEL6: openldap-2.4.23-15.el6_1.1.x86_64
    ./test
    LDAP_OPT_X_SASL_SSF_MAX before setting = 2147483647
    setting max ssf to 0
    LDAP_OPT_X_SASL_SSF_MAX after setting = 0

Fedora 15: openldap-2.4.24-3.fc15.i686
    ./test
    LDAP_OPT_X_SASL_SSF_MAX before setting = 2147483647
    setting max ssf to 0
    LDAP_OPT_X_SASL_SSF_MAX after setting = 2147483647
--On Monday, August 15, 2011 12:47 PM -0600 Ken Dreyer ktdreyer@ktdreyer.com wrote:
> I have a small LDAP utility (msktutil) that talks to Active Directory using GSSAPI over TLS. I'm trying to set the SASL parameter "maxssf" to "0" in the code.
>
> I've found that in a recent version of OpenLDAP (2.4.24), modifying LDAP_OPT_X_SASL_SSF_MAX with ldap_set_option() has no effect. The basic code is
Have you tested against the most recent version (2.4.26)?
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
Ken Dreyer wrote:
> I have a small LDAP utility (msktutil) that talks to Active Directory using GSSAPI over TLS. I'm trying to set the SASL parameter "maxssf" to "0" in the code.
>
> I've found that in a recent version of OpenLDAP (2.4.24), modifying LDAP_OPT_X_SASL_SSF_MAX with ldap_set_option() has no effect. The basic code is
>
>     sasl_ssf_t max_ssf = 0;
>     printf( "setting max ssf to %d\n", max_ssf );
>     ldap_set_option(ld, LDAP_OPT_X_SASL_SSF_MAX, &max_ssf);
>
> Subsequent ldap_get_option() calls show that the value is not changing, as does the output when I bind with ldap_sasl_interactive_bind_s(). I would at the very least expect ldap_set_option() to return something other than LDAP_OPT_SUCCESS here. Am I hitting a bug in OpenLDAP, or am I really off track? :)

Read the ldap_get_option(3) manpage. You're using the wrong variable type.

> I've attached a small test case (gcc -o test test.c -lldap -llber). This works as I expect in both 2.3.43 and 2.4.23, and fails in 2.4.24.
>
> RHEL5: openldap-2.3.43-12.el5_6.7
>     ./test
>     LDAP_OPT_X_SASL_SSF_MAX before setting = 2147483647
>     setting max ssf to 0
>     LDAP_OPT_X_SASL_SSF_MAX after setting = 0
>
> RHEL6: openldap-2.4.23-15.el6_1.1.x86_64
>     ./test
>     LDAP_OPT_X_SASL_SSF_MAX before setting = 2147483647
>     setting max ssf to 0
>     LDAP_OPT_X_SASL_SSF_MAX after setting = 0
>
> Fedora 15: openldap-2.4.24-3.fc15.i686
>     ./test
>     LDAP_OPT_X_SASL_SSF_MAX before setting = 2147483647
>     setting max ssf to 0
>     LDAP_OPT_X_SASL_SSF_MAX after setting = 2147483647
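An added illustration of what the "wrong variable type" remark means in practice; this is example code written for this page, not code from the thread, from msktutil, or from OpenLDAP. ldap_get_option(3) documents LDAP_OPT_X_SASL_SSF_MAX as a ber_len_t, and libldap reads and writes the caller's storage as that type whatever the caller actually declared. The two typedefs below are assumed mirrors of cyrus-sasl's sasl.h and OpenLDAP's lber_types.h, and model_set_option()/model_get_option() are stand-ins for the real library calls (which cast the pointer rather than using memcpy) so the program runs without libldap. On an ILP32 build such as the i686 package quoted above, sasl_ssf_t and ber_len_t are both 4 bytes and the mismatch is invisible; on an LP64 build the library's 8-byte write through a pointer to a 4-byte sasl_ssf_t spills into whatever variable sits next to it. The right-way helper also carries the check worth keeping in real code: read the option back and refuse to go on to the bind if the ceiling did not take effect, rather than treating LDAP_OPT_SUCCESS as proof that the value changed.

```c
#include <stdio.h>
#include <string.h>

/* Assumed mirrors of the real typedefs: cyrus-sasl's sasl.h declares
 * sasl_ssf_t as plain unsigned, and OpenLDAP's lber_types.h makes ber_len_t
 * an unsigned long.  LP64 (x86_64 Linux): 4 vs 8 bytes.  ILP32 (i686): 4 vs 4. */
typedef unsigned      sasl_ssf_t;
typedef unsigned long ber_len_t;

/* Model of the library side, not libldap's own code.  For
 * LDAP_OPT_X_SASL_SSF_MAX libldap reads and writes the caller's storage as a
 * ber_len_t (the real code does *(ber_len_t *)arg; memcpy is used here so the
 * demonstration stays well-defined while moving the same number of bytes). */
static ber_len_t model_stored_max_ssf = 2147483647UL;   /* default seen in the thread */

static int model_set_option(const void *invalue)
{
    ber_len_t v;
    memcpy(&v, invalue, sizeof v);          /* reads sizeof(ber_len_t) bytes */
    model_stored_max_ssf = v;
    return 0;                               /* LDAP_OPT_SUCCESS */
}

static int model_get_option(void *outvalue)
{
    memcpy(outvalue, &model_stored_max_ssf, sizeof model_stored_max_ssf);  /* writes sizeof(ber_len_t) bytes */
    return 0;
}

/* Right way: storage of the documented type, then a read-back check.
 * Returns 0 only if the ceiling really took effect; *got receives the value
 * the library reports, so the caller can log it before deciding to bind. */
static int set_and_verify_max_ssf(ber_len_t want, ber_len_t *got)
{
    if (model_set_option(&want) != 0)
        return -1;
    if (model_get_option(got) != 0)
        return -1;
    return (*got == want) ? 0 : -1;
}

/* Wrong way: a sasl_ssf_t with another variable next to it, as on a stack
 * frame.  Returns 1 if the library's write spilled into the neighbour,
 * 0 if the two widths happen to match, -1 if this layout cannot be modelled. */
struct wrong_typed_caller {
    sasl_ssf_t max_ssf;
    unsigned   neighbour;
};

static int wrong_type_clobbers_neighbour(void)
{
    struct wrong_typed_caller c;

    if (sizeof(ber_len_t) > sizeof c)
        return -1;

    c.max_ssf   = 0;
    c.neighbour = 0xDEADBEEFu;              /* sentinel */
    model_get_option(&c.max_ssf);           /* caller passes &max_ssf, as in the thread */
    return c.neighbour != 0xDEADBEEFu;
}

int main(void)
{
    ber_len_t got = 0;
    int rc = set_and_verify_max_ssf(0, &got);
    printf("ber_len_t caller: set max ssf 0 -> %s, read back %lu\n",
           rc == 0 ? "ok" : "NOT applied, do not bind", (unsigned long)got);
    printf("sasl_ssf_t caller: neighbour clobbered = %d "
           "(sizeof ber_len_t = %zu, sizeof sasl_ssf_t = %zu)\n",
           wrong_type_clobbers_neighbour(), sizeof(ber_len_t), sizeof(sasl_ssf_t));
    return rc;
}
```

Against the real library the same shape applies: declare the variable as ber_len_t, call ldap_set_option() and then ldap_get_option() on the same handle, and treat a read-back that does not match as a hard error before ldap_sasl_interactive_bind_s(). The model cannot reproduce the 2.4.24 regression itself; it only shows why the type matters independently of that bug.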
On Mon, Aug 15, 2011 at 4:15 PM, Howard Chu hyc@symas.com wrote:
> Ken Dreyer wrote:
>>     sasl_ssf_t max_ssf = 0;
>>     printf( "setting max ssf to %d\n", max_ssf );
>>     ldap_set_option(ld, LDAP_OPT_X_SASL_SSF_MAX, &max_ssf);
>>
>> Subsequent ldap_get_option() calls show that the value is not changing, as does the output when I bind with ldap_sasl_interactive_bind_s(). I would at the very least expect ldap_set_option() to return something other than LDAP_OPT_SUCCESS here. Am I hitting a bug in OpenLDAP, or am I really off track? :)
>
> Read the ldap_get_option(3) manpage. You're using the wrong variable type.
I tried using ber_len_t instead of sasl_ssf_t, but the problem persisted. I did some digging with git-bisect between 2.4.23 and 2.4.24, and the problem first shows up with 769083f84816a380a4ae9bb48ab55631ff596751.
Quanah's suggestion of testing with 2.4.26 was a good one, because the problem is solved in this version. Thank you for your help!
- Ken
openldap-technical@openldap.org