Bug#703113: libsasl2-modules-gssapi-mit: Java client GSSAPI connections to OpenLDAP fail

Ondřej Surý ondrej at sury.org
Thu Mar 21 16:36:09 UTC 2013


On Thu, Mar 21, 2013 at 5:26 PM, Russ Allbery <rra at debian.org> wrote:

> (Bill and I work in the same group.)
>
> Ondřej Surý <ondrej at sury.org> writes:
>
> > It might be related to
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=665476
>
> This bug is about the ABI of the Cyrus SASL libraries.  In the problem
> we're having, the libraries are being loaded by slapd just fine, and are
> being used to authenticate non-Java clients just fine.  The Java clients
> are obviously not using Cyrus SASL; they're using the SASL implementation
> internal to Java.
>
> In other words, this is almost certainly some sort of protocol-level
> interoperability problem with Java that was introduced between
> 2.1.23.dfsg1-8 and 2.1.25.dfsg1-6.
>
> Bill and I talked about this further, and we think this may be specific to
> code that uses SASL GSS-API privacy.  UnboundID's Java LDAP implementation
> works properly, but it doesn't support GSS-API privacy; it requires that
> you use TLS.  JNDI does, which means that it exercises a different part of
> the protocol.
>
> The LDAP servers in question are used by Java clients all over campus on a
> variety of platforms (not just Linux) and different versions of OpenJDK
> and Sun/Oracle Java.  The problem appears to be general to any clients
> using the native Java JNDI code to authenticate to LDAP servers that have
> been upgraded to wheezy.
>
> > Also when you said:
>
> >> We do not see this problem on our squeeze systems using version
> >> 2.1.23.dfsg1-8 of libsasl2-modules-gssapi-mit.
>
> >> We do see the same problem if we use libsasl2-modules-gssapi-heimdal
> >> instead of libsasl2-modules-gssapi-mit.
>
> > It might suggest that the problem doesn't have to be in libsasl2, but it
> > could be buried deeper in the libkrb5-3 library which got bumped from
> > 1.8.3 to 1.10.1.
>
> I suppose we could try it, but that's the reason why Bill pointed out that
> it fails with both MIT and Heimdal.  If it doesn't work with either
> independent Kerberos implementation, it's fairly unlikely that it's a
> problem with the Kerberos libraries.


On second read, I understood this as "this doesn't work with heimdal
libraries both in squeeze and wheezy". So to clarify this: does it work
when you switch from mit to heimdal on squeeze?

Basically you have much deeper knowledge of SASL and Kerberos internals
than I have :). So while I would be happy to assist you, I guess the
only thing I can do for you at this moment is to report the bug to upstream
bugzilla. And even that would be better if reported by Bill, since he can
provide valuable input.

O.
-- 
Ondřej Surý <ondrej at sury.org>
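The thread narrows the suspect to the SASL GSS-API privacy layer, since the UnboundID client (which cannot use privacy) works and JNDI (which can) fails. The following is an added diagnostic, not code from the bug report or from any of the packages discussed: it binds through JNDI with SASL/GSSAPI once per quality-of-protection level ("auth", "auth-int", "auth-conf") and runs a search on each, so a server that only fails at "auth-conf" confirms the privacy-layer hypothesis, while a failure at every level points elsewhere. The server URL, base DN and the JAAS entry name "LdapClient" are placeholders; `javax.security.sasl.qop` is the standard JNDI/SASL environment property.

```java
// GssapiQopProbe.java: added diagnostic, not code from the bug thread.
// Binds to an LDAP server with SASL/GSSAPI through JNDI at each SASL
// quality-of-protection level and reports which ones succeed, so a failure
// confined to "auth-conf" points at the privacy layer rather than at
// authentication itself.
//
// Run with a Kerberos ticket in the cache and a JAAS config file, e.g.
//   java -Djava.security.auth.login.config=jaas.conf GssapiQopProbe \
//        ldap://ldap.example.org dc=example,dc=org
// where jaas.conf contains (entry name "LdapClient" is an assumption):
//   LdapClient {
//     com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true;
//   };
import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;

public class GssapiQopProbe {

    // SASL QOP levels JNDI accepts; "auth-conf" is the GSS-API privacy layer.
    private static final String[] QOP_LEVELS = {"auth", "auth-int", "auth-conf"};

    public static void main(String[] args) throws Exception {
        // Hostname and base DN below are placeholders, not values from the thread.
        String url = args.length > 0 ? args[0] : "ldap://ldap.example.org";
        String base = args.length > 1 ? args[1] : "dc=example,dc=org";

        // Acquire the Kerberos credentials once via JAAS.
        LoginContext lc = new LoginContext("LdapClient");
        lc.login();
        Subject subject = lc.getSubject();

        for (String qop : QOP_LEVELS) {
            try {
                int entries = Subject.doAs(subject,
                        (PrivilegedExceptionAction<Integer>) () -> probe(url, base, qop));
                System.out.printf("qop=%-9s OK   (%d entries returned)%n", qop, entries);
            } catch (Exception e) {
                // doAs wraps checked exceptions in PrivilegedActionException; show the cause.
                Throwable cause = e.getCause() != null ? e.getCause() : e;
                System.out.printf("qop=%-9s FAIL %s%n", qop, cause);
            }
        }
        lc.logout();
    }

    // Bind with the given QOP and run a one-level search; returning the entry count
    // proves the data path through the negotiated SASL layer works, not just the bind.
    static int probe(String url, String base, String qop) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        env.put("javax.security.sasl.qop", qop);

        LdapContext ctx = new InitialLdapContext(env, null);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.ONELEVEL_SCOPE);
            sc.setReturningAttributes(new String[] {"objectClass"});
            NamingEnumeration<SearchResult> results = ctx.search(base, "(objectClass=*)", sc);
            int count = 0;
            while (results.hasMore()) {
                results.next();
                count++;
            }
            return count;
        } finally {
            ctx.close();
        }
    }
}
```

Running the probe against a squeeze server and a wheezy server side by side, and against the MIT and Heimdal GSSAPI modules on each, gives a four-way comparison that separates "bind fails at every QOP" (authentication or Kerberos-level problem) from "only auth-conf fails" (a wrap/unwrap interoperability issue in the privacy layer, which is what this thread suspects).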