Bug#703113: libsasl2-modules-gssapi-mit: Java client GSSAPI connections to OpenLDAP fail
Dan White
dwhite at olp.net
Sun Mar 17 00:03:38 UTC 2013
On 03/15/13 01:47 -0700, Bill MacAllister wrote:
>Package: libsasl2-modules-gssapi-mit
>Version: 2.1.25.dfsg1-6
>Severity: important
>
>Dear Maintainer,
>
>We are starting the process of upgrading our LDAP service to OpenLDAP
>2.4.34 on wheezy. None of the Java applications that we have tested
>can connect to the LDAP server using GSSAPI.

Can you reproduce this problem using ldapwhoami on the client?

>In the server log we see:
>
>% grep conn=142291 /var/log/ldap
>Mar 15 01:12:36 ldap-dev2 slapd[22102]: conn=142291 fd=16 ACCEPT from IP=171.64.19.165:44175 (IP=0.0.0.0:389)
>Mar 15 01:12:36 ldap-dev2 slapd[22102]: conn=142291 op=0 BIND dn="" method=163
>Mar 15 01:12:36 ldap-dev2 slapd[22102]: conn=142291 op=0 RESULT tag=97 err=14 text=SASL(0): successful result:
>Mar 15 01:12:36 ldap-dev2 slapd[22102]: conn=142291 op=1 BIND dn="" method=163
>Mar 15 01:12:36 ldap-dev2 slapd[22102]: conn=142291 op=1 BIND authcid="whm at stanford.edu" authzid="whm at stanford.edu"
>Mar 15 01:12:36 ldap-dev2 slapd[22102]: conn=142291 op=1 BIND dn="uid=whm,cn=accounts,dc=stanford,dc=edu" mech=GSSAPI sasl_ssf=56 ssf=56
>Mar 15 01:12:36 ldap-dev2 slapd[22102]: conn=142291 op=1 RESULT tag=97 err=0 text=
>Mar 15 01:12:36 ldap-dev2 slapd[22102]: conn=142291 fd=16 closed (connection lost)
>
>The client failure traceback from a small test program on Java
>1.7.0_03 is:
>
>Exception in thread "main" java.lang.NegativeArraySizeException
> at sun.security.jgss.krb5.CipherHelper.aes256Encrypt(CipherHelper.java:1367)
> at sun.security.jgss.krb5.CipherHelper.encryptData(CipherHelper.java:722)
> at sun.security.jgss.krb5.WrapToken_v2.<init>(WrapToken_v2.java:200)
> at sun.security.jgss.krb5.Krb5Context.wrap(Krb5Context.java:851)
> at sun.security.jgss.GSSContextImpl.wrap(GSSContextImpl.java:385)
> at com.sun.security.sasl.gsskerb.GssKrb5Base.wrap(GssKrb5Base.java:103)
> at com.sun.jndi.ldap.sasl.SaslOutputStream.write(SaslOutputStream.java:89)
> at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:414)
> at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:547)
> at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1985)
> at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1847)
> at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1772)
> at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:386)
> at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:356)
> at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:339)
> at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
> at TestPersonQuery.performJndiOperation(TestLDAP.java:109)
> at TestPersonQuery.run(TestLDAP.java:80)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAs(Subject.java:356)
> at TestLDAP.main(TestLDAP.java:53)
>
>The failure from Apache Directory Studio on Java 1.6.0_27 is
>slightly different:
>
> java.lang.ArrayIndexOutOfBoundsException: 9
> at sun.security.jgss.krb5.WrapToken.getPadding(WrapToken.java:395)
> at sun.security.jgss.krb5.WrapToken.<init>(WrapToken.java:406)
> at sun.security.jgss.krb5.Krb5Context.wrap(Krb5Context.java:826)
> at sun.security.jgss.GSSContextImpl.wrap(GSSContextImpl.java:384)
> at com.sun.security.sasl.gsskerb.GssKrb5Base.wrap(GssKrb5Base.java:103)
> at com.sun.jndi.ldap.sasl.SaslOutputStream.write(SaslOutputStream.java:89)
> at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:408)
> at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:383)
> at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:546)
> at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1975)
> at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1837)
> at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1762)
> at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:386)
> at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:356)
> at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper$1.run(JNDIConnectionWrapper.java:356)
> at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.runAndMonitor(JNDIConnectionWrapper.java:1272)
> at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.checkConnectionAndRunAndMonitor(JNDIConnectionWrapper.java:1203)
> at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.search(JNDIConnectionWrapper.java:398)
> at org.apache.directory.studio.ldapbrowser.core.jobs.SearchRunnable.search(SearchRunnable.java:500)
> at org.apache.directory.studio.ldapbrowser.core.jobs.ReloadSchemaRunnable.getSchemaLocation(ReloadSchemaRunnable.java:266)
> at org.apache.directory.studio.ldapbrowser.core.jobs.ReloadSchemaRunnable.reloadSchema(ReloadSchemaRunnable.java:147)
> at org.apache.directory.studio.ldapbrowser.core.BrowserConnectionListener.openBrowserConnection(BrowserConnectionListener.java:115)
> at org.apache.directory.studio.ldapbrowser.core.BrowserConnectionListener.connectionOpened(BrowserConnectionListener.java:65)
> at org.apache.directory.studio.connection.core.jobs.OpenConnectionsRunnable.runNotification(OpenConnectionsRunnable.java:132)
> at org.apache.directory.studio.connection.core.jobs.StudioConnectionJob.run(StudioConnectionJob.java:120)
> at org.eclipse.core.internal.jobs.Worker.run(Worker.java:55)
>
>On the client we have tried sun-java6, openjdk-6, and openjdk-7 with
>similar failures.
>
>We do not see this problem on our squeeze systems using version
>2.1.23.dfsg1-8 of libsasl2-modules-gssapi-mit.
>
>We do see the same problem if we use libsasl2-modules-gssapi-heimdal
>instead of libsasl2-modules-gssapi-mit.
>
>-- System Information:
>Debian Release: 7.0
> APT prefers testing
> APT policy: (500, 'testing')
>Architecture: amd64 (x86_64)
>
>Kernel: Linux 3.2.0-4-amd64 (SMP w/16 CPU cores)
>Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
>Shell: /bin/sh linked to /bin/bash
>
>Versions of packages libsasl2-modules-gssapi-mit depends on:
>ii libc6 2.13-38
>ii libcomerr2 1.42.5-1
>ii libgssapi-krb5-2 1.10.1+dfsg-4
>ii libk5crypto3 1.10.1+dfsg-4
>ii libkrb5-3 1.10.1+dfsg-4
>ii libsasl2-modules 2.1.25.dfsg1-6
>ii libssl1.0.0 1.0.1e-1
>
>libsasl2-modules-gssapi-mit recommends no packages.
>
>libsasl2-modules-gssapi-mit suggests no packages.
>
>-- no debconf information
--
Dan White
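
A server-side triage sketch for the symptom in the quoted slapd log (a GSSAPI bind completes, then the connection is lost before the client sends another operation), added here as an example and not part of either message. The sample lines are constructed in the same log format, and treating the `mech=GSSAPI` line as the marker of a completed bind is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the slapd syslog format quoted in the report
# (host, addresses and DNs are placeholders, not values from the report).
SAMPLE_LOG = """\
Mar 15 01:12:36 ldap1 slapd[100]: conn=1001 fd=16 ACCEPT from IP=192.0.2.10:44175 (IP=0.0.0.0:389)
Mar 15 01:12:36 ldap1 slapd[100]: conn=1001 op=0 BIND dn="" method=163
Mar 15 01:12:36 ldap1 slapd[100]: conn=1001 op=0 RESULT tag=97 err=14 text=SASL(0): successful result:
Mar 15 01:12:36 ldap1 slapd[100]: conn=1001 op=1 BIND dn="" method=163
Mar 15 01:12:36 ldap1 slapd[100]: conn=1001 op=1 BIND dn="uid=alice,dc=example,dc=org" mech=GSSAPI sasl_ssf=56 ssf=56
Mar 15 01:12:36 ldap1 slapd[100]: conn=1001 op=1 RESULT tag=97 err=0 text=
Mar 15 01:12:36 ldap1 slapd[100]: conn=1001 fd=16 closed (connection lost)
Mar 15 01:13:02 ldap1 slapd[100]: conn=1002 fd=17 ACCEPT from IP=192.0.2.20:51000 (IP=0.0.0.0:389)
Mar 15 01:13:02 ldap1 slapd[100]: conn=1002 op=1 BIND dn="uid=bob,dc=example,dc=org" mech=GSSAPI sasl_ssf=56 ssf=56
Mar 15 01:13:02 ldap1 slapd[100]: conn=1002 op=1 RESULT tag=97 err=0 text=
Mar 15 01:13:02 ldap1 slapd[100]: conn=1002 op=2 SRCH base="dc=example,dc=org" scope=2 deref=0 filter="(uid=bob)"
Mar 15 01:13:02 ldap1 slapd[100]: conn=1002 op=3 UNBIND
Mar 15 01:13:02 ldap1 slapd[100]: conn=1002 fd=17 closed
"""

CONN = re.compile(r"slapd\[\d+\]: conn=(\d+) (?:op=(\d+)|fd=\d+) (.*)$")
ACCEPT = re.compile(r"ACCEPT from IP=(\S+):\d+")
GSS_BIND = re.compile(r'BIND dn="([^"]*)" mech=GSSAPI sasl_ssf=(\d+)')

def dropped_after_gssapi_bind(log_text):
    """Return (conn, client_ip, bind_dn, sasl_ssf) for connections lost
    right after a GSSAPI bind, with no later operation from the client."""
    conns = defaultdict(dict)
    hits = []
    for line in log_text.splitlines():
        m = CONN.search(line)
        if not m:
            continue
        cid, op, rest = m.groups()
        c = conns[cid]
        if op is not None:
            c["last_op"] = max(c.get("last_op", -1), int(op))
        if (a := ACCEPT.match(rest)):
            c["ip"] = a.group(1)
        elif (b := GSS_BIND.match(rest)):
            # Assumption: this line marks the completed SASL bind.
            c["dn"], c["ssf"], c["bind_op"] = b.group(1), int(b.group(2)), c.get("last_op")
        elif rest.startswith("closed"):
            # Symptom: lost connection whose last operation was the bind itself.
            if "connection lost" in rest and c.get("bind_op") is not None and c["last_op"] == c["bind_op"]:
                hits.append((cid, c.get("ip"), c["dn"], c["ssf"]))
            del conns[cid]
    return hits
```

Run over `/var/log/ldap`, the returned client addresses and bind DNs show which clients hit the failure, which helps decide where to try the `ldapwhoami` reproduction asked for above.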