Bug#703113: libsasl2-modules-gssapi-mit: Java client GSSAPI connections to OpenLDAP fail
Bill MacAllister
whm at stanford.edu
Sun Mar 24 04:40:59 UTC 2013
--On Thursday, March 21, 2013 04:44:20 PM -0700 Bill MacAllister <whm at stanford.edu> wrote:
>>> Yeah, it's almost certainly an upstream bug. Ah, I see that Cyrus SASL
>>> has a Bugzilla and everything these days.
>>
>> Once I complete testing today I will file the bug.
>
> And I confirmed that if I use TLS encryption the client works.
>
> I sent a note to the cyrus-sasl list and got a response from Quanah
> saying that "cyrus-sasl 2.1.25 had multiple problems with GSSAPI
> unless it was patched heavily". I'll try packaging that and see
> what happens. I did file a bugzilla, but if the newer version
> works that is moot.
Hugh Cole-Baker on the Cyrus SASL list pointed me to the solution
for Cyrus SASL version 2.1.25 at
http://mail.openjdk.java.net/pipermail/security-dev/2013-February/006665.html
I confirmed that this does indeed solve the problem. Basically,
OpenLDAP needs the global configuration setting for sasl-secprops
to include minssf=1. (Or olcSaslSecProps if you are using cn=config.)
In our case we set it to:
olcSaslSecProps: minssf=1,noplain,noanonymous
I also confirmed that 2.1.26 also solves the problem. Quanah Gibson-Mount
reported that there have been a number of other problems with 2.1.25.
I think this bug can be closed.
Bill
--
Bill MacAllister
Infrastructure Delivery Group, Stanford University
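An added example, not part of this thread or of the OpenLDAP or Cyrus SASL projects, showing how an operator would apply the fix above through cn=config and then audit that the running server actually carries it. minssf=1 tells the server to require a negotiated SASL security layer with SSF of at least 1, and noplain/noanonymous disallow plaintext and anonymous mechanisms; the LDIF, the ldapi:/// root access via SASL EXTERNAL, and the sample values passed to the checker are assumptions made for the example.

```shell
#!/bin/sh
# Assumes: slapd configured via cn=config, run as root on the server so that
# SASL EXTERNAL over ldapi:/// maps to the config rootdn. Values are constructed.

# Render the LDIF that replaces the global SASL security properties.
secprops_ldif() {
  cat <<'EOF'
dn: cn=config
changetype: modify
replace: olcSaslSecProps
olcSaslSecProps: minssf=1,noplain,noanonymous
EOF
}

# Apply the change to the live server (needs ldapmodify from ldap-utils).
apply_secprops() {
  secprops_ldif | ldapmodify -Q -Y EXTERNAL -H ldapi:///
}

# Check one olcSaslSecProps value: succeed only if minssf is present,
# numeric and >= 1, and noanonymous is set. Anything else fails.
check_secprops() {
  value="$1"
  minssf=$(printf '%s' "$value" | tr ',' '\n' | sed -n 's/^minssf=//p')
  [ -n "$minssf" ] || return 1
  [ "$minssf" -ge 1 ] 2>/dev/null || return 1
  printf '%s' "$value" | tr ',' '\n' | grep -qx noanonymous || return 1
  return 0
}

# Audit the running server: read the attribute back and run the check on it.
audit_live() {
  ldapsearch -LLL -Q -Y EXTERNAL -H ldapi:/// -b cn=config -s base olcSaslSecProps \
    | sed -n 's/^olcSaslSecProps: //p' \
    | { read -r v; check_secprops "$v"; }
}
```

Running apply_secprops followed by audit_live (exit status 0 means the server now enforces a security layer) is the operational sequence; check_secprops on its own is handy for reviewing slapd.conf-style sasl-secprops lines pulled from configuration management.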