Bug#703113: libsasl2-modules-gssapi-mit: Java client GSSAPI connections to OpenLDAP fail

Bill MacAllister whm at stanford.edu
Fri Mar 15 08:47:23 UTC 2013


Package: libsasl2-modules-gssapi-mit
Version: 2.1.25.dfsg1-6
Severity: important

Dear Maintainer,

We are starting the process of upgrading our LDAP service to OpenLDAP
2.4.34 on wheezy.  None of the Java applications that we have tested
can connect to the LDAP server using GSSAPI.

In the server log we see:

% grep conn=142291 /var/log/ldap
Mar 15 01:12:36 ldap-dev2 slapd[22102]: conn=142291 fd=16 ACCEPT from IP=171.64.19.165:44175 (IP=0.0.0.0:389)
Mar 15 01:12:36 ldap-dev2 slapd[22102]: conn=142291 op=0 BIND dn="" method=163
Mar 15 01:12:36 ldap-dev2 slapd[22102]: conn=142291 op=0 RESULT tag=97 err=14 text=SASL(0): successful result: 
Mar 15 01:12:36 ldap-dev2 slapd[22102]: conn=142291 op=1 BIND dn="" method=163
Mar 15 01:12:36 ldap-dev2 slapd[22102]: conn=142291 op=1 BIND authcid="whm at stanford.edu" authzid="whm at stanford.edu"
Mar 15 01:12:36 ldap-dev2 slapd[22102]: conn=142291 op=1 BIND dn="uid=whm,cn=accounts,dc=stanford,dc=edu" mech=GSSAPI sasl_ssf=56 ssf=56
Mar 15 01:12:36 ldap-dev2 slapd[22102]: conn=142291 op=1 RESULT tag=97 err=0 text=
Mar 15 01:12:36 ldap-dev2 slapd[22102]: conn=142291 fd=16 closed (connection lost)

The client failure traceback from a small test program on Java
1.7.0_03 is:

Exception in thread "main" java.lang.NegativeArraySizeException
        at sun.security.jgss.krb5.CipherHelper.aes256Encrypt(CipherHelper.java:1367)
        at sun.security.jgss.krb5.CipherHelper.encryptData(CipherHelper.java:722)
        at sun.security.jgss.krb5.WrapToken_v2.<init>(WrapToken_v2.java:200)
        at sun.security.jgss.krb5.Krb5Context.wrap(Krb5Context.java:851)
        at sun.security.jgss.GSSContextImpl.wrap(GSSContextImpl.java:385)
        at com.sun.security.sasl.gsskerb.GssKrb5Base.wrap(GssKrb5Base.java:103)
        at com.sun.jndi.ldap.sasl.SaslOutputStream.write(SaslOutputStream.java:89)
        at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:414)
        at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:547)
        at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1985)
        at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1847)
        at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1772)
        at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:386)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:356)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:339)
        at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
        at TestPersonQuery.performJndiOperation(TestLDAP.java:109)
        at TestPersonQuery.run(TestLDAP.java:80)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:356)
        at TestLDAP.main(TestLDAP.java:53)

The failure from Apache Directory Studio on Java 1.6.0_27 is
slightly different:

  java.lang.ArrayIndexOutOfBoundsException: 9
  at sun.security.jgss.krb5.WrapToken.getPadding(WrapToken.java:395)
  at sun.security.jgss.krb5.WrapToken.<init>(WrapToken.java:406)
  at sun.security.jgss.krb5.Krb5Context.wrap(Krb5Context.java:826)
  at sun.security.jgss.GSSContextImpl.wrap(GSSContextImpl.java:384)
  at com.sun.security.sasl.gsskerb.GssKrb5Base.wrap(GssKrb5Base.java:103)
  at com.sun.jndi.ldap.sasl.SaslOutputStream.write(SaslOutputStream.java:89)
  at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:408)
  at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:383)
  at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:546)
  at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1975)
  at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1837)
  at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1762)
  at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:386)
  at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:356)
  at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper$1.run(JNDIConnectionWrapper.java:356)
  at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.runAndMonitor(JNDIConnectionWrapper.java:1272)
  at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.checkConnectionAndRunAndMonitor(JNDIConnectionWrapper.java:1203)
  at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.search(JNDIConnectionWrapper.java:398)
  at org.apache.directory.studio.ldapbrowser.core.jobs.SearchRunnable.search(SearchRunnable.java:500)
  at org.apache.directory.studio.ldapbrowser.core.jobs.ReloadSchemaRunnable.getSchemaLocation(ReloadSchemaRunnable.java:266)
  at org.apache.directory.studio.ldapbrowser.core.jobs.ReloadSchemaRunnable.reloadSchema(ReloadSchemaRunnable.java:147)
  at org.apache.directory.studio.ldapbrowser.core.BrowserConnectionListener.openBrowserConnection(BrowserConnectionListener.java:115)
  at org.apache.directory.studio.ldapbrowser.core.BrowserConnectionListener.connectionOpened(BrowserConnectionListener.java:65)
  at org.apache.directory.studio.connection.core.jobs.OpenConnectionsRunnable.runNotification(OpenConnectionsRunnable.java:132)
  at org.apache.directory.studio.connection.core.jobs.StudioConnectionJob.run(StudioConnectionJob.java:120)
  at org.eclipse.core.internal.jobs.Worker.run(Worker.java:55)

On the client we have tried sun-java6, openjdk-6, and openjdk-7 with
similar failures.

We do not see this problem on our squeeze systems using version
2.1.23.dfsg1-8 of libsasl2-modules-gssapi-mit.  

We do see the same problem if we use libsasl2-modules-gssapi-heimdal
instead of libsasl2-modules-gssapi-mit.

-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/16 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages libsasl2-modules-gssapi-mit depends on:
ii  libc6             2.13-38
ii  libcomerr2        1.42.5-1
ii  libgssapi-krb5-2  1.10.1+dfsg-4
ii  libk5crypto3      1.10.1+dfsg-4
ii  libkrb5-3         1.10.1+dfsg-4
ii  libsasl2-modules  2.1.25.dfsg1-6
ii  libssl1.0.0       1.0.1e-1

libsasl2-modules-gssapi-mit recommends no packages.

libsasl2-modules-gssapi-mit suggests no packages.

-- no debconf information
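
A triage sketch for the server-side symptom in the log above, added here and not part of the original report: it scans slapd log text for connections whose GSSAPI bind succeeded with a SASL security layer (sasl_ssf > 0) and which then closed as "connection lost" before any further operation. The function name and the sample log lines are constructed for illustration, and a match is only a heuristic, since any client that drops right after bind looks the same in the log.

```python
import re
from collections import defaultdict

# Constructed sample in the slapd syslog format quoted in the report.
SAMPLE_LOG = """\
Mar 15 01:12:36 ldap1 slapd[100]: conn=1001 fd=16 ACCEPT from IP=192.0.2.10:44175 (IP=0.0.0.0:389)
Mar 15 01:12:36 ldap1 slapd[100]: conn=1001 op=0 BIND dn="" method=163
Mar 15 01:12:36 ldap1 slapd[100]: conn=1001 op=0 RESULT tag=97 err=14 text=SASL(0): successful result:
Mar 15 01:12:36 ldap1 slapd[100]: conn=1001 op=1 BIND dn="uid=app1,cn=accounts,dc=example,dc=org" mech=GSSAPI sasl_ssf=56 ssf=56
Mar 15 01:12:36 ldap1 slapd[100]: conn=1001 op=1 RESULT tag=97 err=0 text=
Mar 15 01:12:36 ldap1 slapd[100]: conn=1001 fd=16 closed (connection lost)
Mar 15 01:12:40 ldap1 slapd[100]: conn=1002 fd=17 ACCEPT from IP=192.0.2.11:51000 (IP=0.0.0.0:389)
Mar 15 01:12:40 ldap1 slapd[100]: conn=1002 op=1 BIND dn="uid=app2,cn=accounts,dc=example,dc=org" mech=GSSAPI sasl_ssf=56 ssf=56
Mar 15 01:12:40 ldap1 slapd[100]: conn=1002 op=1 RESULT tag=97 err=0 text=
Mar 15 01:12:40 ldap1 slapd[100]: conn=1002 op=2 SRCH base="dc=example,dc=org" scope=2 deref=0 filter="(uid=app2)"
Mar 15 01:12:40 ldap1 slapd[100]: conn=1002 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar 15 01:12:40 ldap1 slapd[100]: conn=1002 op=3 UNBIND
Mar 15 01:12:40 ldap1 slapd[100]: conn=1002 fd=17 closed
"""

LINE = re.compile(r"conn=(\d+) (?:op=(\d+)|fd=\d+) (.*)")
GSS_BIND = re.compile(r'BIND dn="([^"]*)" mech=GSSAPI sasl_ssf=(\d+)')

def dropped_after_gssapi_bind(log_text):
    """Return (conn, dn, sasl_ssf) for GSSAPI binds lost before any later op."""
    state = defaultdict(lambda: {"dn": None, "ssf": 0, "op": None, "ok": False, "later": 0})
    hits = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        conn, op, rest = int(m.group(1)), m.group(2), m.group(3)
        st = state[conn]
        bind = GSS_BIND.match(rest)
        if bind:  # the bind line that names the mechanism and negotiated SSF
            st.update(dn=bind.group(1), ssf=int(bind.group(2)), op=int(op))
        elif op is not None and st["op"] is not None:
            if int(op) == st["op"]:
                st["ok"] = st["ok"] or rest.startswith("RESULT tag=97 err=0 ")
            else:
                st["later"] += 1  # any request logged after the bind op
        elif op is None and rest.startswith("closed"):
            if st["ok"] and st["ssf"] > 0 and not st["later"] and "connection lost" in rest:
                hits.append((conn, st["dn"], st["ssf"]))
            del state[conn]  # a later reuse of this conn id starts clean
    return hits

if __name__ == "__main__":
    print(dropped_after_gssapi_bind(SAMPLE_LOG))
```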


