Bug#703113: libsasl2-modules-gssapi-mit: Java client GSSAPI connections to OpenLDAP fail

Russ Allbery rra at debian.org
Thu Mar 21 16:26:57 UTC 2013


(Bill and I work in the same group.)

Ondřej Surý <ondrej at sury.org> writes:

> It might be related to
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=665476

This bug is about the ABI of the Cyrus SASL libraries.  In the problem
we're having, the libraries are being loaded by slapd just fine, and are
being used to authenticate non-Java clients just fine.  The Java clients
are obviously not using Cyrus SASL; they're using the SASL implementation
internal to Java.

In other words, this is almost certainly some sort of protocol-level
interoperability problem with Java that was introduced between
2.1.23.dfsg1-8 and 2.1.25.dfsg1-6.

Bill and I talked about this further, and we think this may be specific to
code that uses SASL GSS-API privacy.  UnboundID's Java LDAP implementation
works properly, but it doesn't support GSS-API privacy; it requires that
you use TLS.  JNDI does, which means that it exercises a different part of
the protocol.

The LDAP servers in question are used by Java clients all over campus on a
variety of platforms (not just Linux) and different versions of OpenJDK
and Sun/Oracle Java.  The problem appears to be general to any clients
using the native Java JNDI code to authenticate to LDAP servers that have
been upgraded to wheezy.

> Also when you said:

>> We do not see this problem on our squeeze systems using version
>> 2.1.23.dfsg1-8 of libsasl2-modules-gssapi-mit.

>> We do see the same problem if we use libsasl2-modules-gssapi-heimdal
>> instead of libsasl2-modules-gssapi-mit.

> It might suggest that the problem doesn't have to be in libsasl2, but it
> could be buried deeper in the libkrb5-3 library which got bumped from
> 1.8.3 to 1.10.1.

I suppose we could try it, but that's the reason why Bill pointed out that
it fails with both MIT and Heimdal.  If it doesn't work with either
independent Kerberos implementation, it's fairly unlikely that it's a
problem with the Kerberos libraries.

-- 
Russ Allbery (rra at debian.org)               <http://www.eyrie.org/~eagle/>
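The hypothesis in the message above is that only binds using the SASL GSS-API privacy layer (quality of protection "auth-conf") fail, which JNDI negotiates and which UnboundID avoids by requiring TLS. The following is an added diagnostic that is not part of this thread and not code from Debian, OpenLDAP or Cyrus SASL: it performs the same JNDI GSSAPI bind three times, once per quality-of-protection level, so the failing level can be isolated on a server. The LDAP URL and the JAAS login entry name "GssapiQopProbe" are assumptions; the probe needs a JAAS configuration pointing at Krb5LoginModule and an existing Kerberos ticket cache.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;

/*
 * Run with:  java -Djava.security.auth.login.config=jaas.conf GssapiQopProbe
 * where jaas.conf contains (assumed name, matches the LoginContext below):
 *
 *   GssapiQopProbe {
 *       com.sun.security.auth.module.Krb5LoginModule required
 *           useTicketCache=true doNotPrompt=true;
 *   };
 */
public class GssapiQopProbe {

    // Hypothetical server; replace with the slapd being tested.
    static final String LDAP_URL = "ldap://ldap.example.invalid:389/";

    /** Builds the JNDI environment for a SASL GSSAPI bind at the requested QOP. */
    static Hashtable<String, String> gssapiEnv(String url, String qop) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        // Standard SASL property: "auth" = authentication only,
        // "auth-int" = integrity layer, "auth-conf" = privacy (encryption) layer.
        env.put("javax.security.sasl.qop", qop);
        return env;
    }

    /**
     * Binds with the given QOP and issues one operation on the resulting
     * (possibly wrapped) connection. Returns null on success, otherwise the
     * exception text, so a failure that only appears after the SASL layer is
     * installed is still caught.
     */
    static String probe(String qop) {
        try {
            DirContext ctx = new InitialDirContext(gssapiEnv(LDAP_URL, qop));
            try {
                ctx.getAttributes("");   // read the root DSE over the negotiated layer
            } finally {
                ctx.close();
            }
            return null;
        } catch (NamingException e) {
            return e.toString();
        }
    }

    public static void main(String[] args) throws Exception {
        // Obtain Kerberos credentials from the ticket cache via JAAS, then run
        // all three probes as that Subject, which is what JNDI's GSSAPI mechanism expects.
        LoginContext lc = new LoginContext("GssapiQopProbe");
        lc.login();
        Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<Void>) () -> {
            for (String qop : new String[] {"auth", "auth-int", "auth-conf"}) {
                String err = probe(qop);
                System.out.println(qop + ": " + (err == null ? "OK" : "FAILED: " + err));
            }
            return null;
        });
    }
}
```

If "auth" succeeds while "auth-int" or "auth-conf" fails against the upgraded slapd, the problem lies in the SASL security layer negotiation or wrapping rather than in the Kerberos exchange itself, which is consistent with the observation that both the MIT and Heimdal GSSAPI plugins show the same behaviour.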