Bug#703113: libsasl2-modules-gssapi-mit: Java client GSSAPI connections to OpenLDAP fail

Bill MacAllister whm at stanford.edu
Thu Mar 21 17:02:10 UTC 2013



--On Thursday, March 21, 2013 09:51:45 AM -0700 Russ Allbery <rra at debian.org> wrote:

> Ondřej Surý <ondrej at sury.org> writes:
>
>> On second read – I have understood this as "this doesn't work with
>> heimdal libraries both in squeeze and wheezy". So to clarify this – does
>> it work when you switch from mit to heimdal on squeeze?
>
> Basically, it works on squeeze and doesn't work on wheezy, although I'm
> not sure if we've explicitly tried both Kerberos libraries on squeeze.

On squeeze I could not get heimdal to work, but mit worked just fine.
On wheezy neither works.  (Yes, I should have been a better citizen and
reported the problem.)

One thing that I will try today is to use GSSAPI for authentication
and TLS for encryption and see if that works.  I expect that to work
given that UnboundID libraries work, which will help us narrow down the
problem.

>> Basically you have much deeper knowledge of SASL and Kerberos internals
>> than I have :). So while I would be happy to assist you, I guess the
>> only thing I can do for you at this moment is to report the bug to
>> upstream bugzilla. And even that would be better if reported by Bill,
>> since he can provide valuable input.
>
> Yeah, it's almost certainly an upstream bug.  Ah, I see that Cyrus SASL
> has a Bugzilla and everything these days.

Once I complete testing today I will file the bug.

Bill

-- 

Bill MacAllister
Infrastructure Delivery Group, Stanford University
