Bug#703113: libsasl2-modules-gssapi-mit: Java client GSSAPI connections to OpenLDAP fail

Ondřej Surý ondrej at sury.org
Sun Mar 24 06:35:27 UTC 2013


Bill,

thanks for investigating this. I'll keep the bug open in case somebody else
gets hit by it, and mark it as fixed in 2.1.26 when it hits unstable.

O.


On Sun, Mar 24, 2013 at 5:40 AM, Bill MacAllister <whm at stanford.edu> wrote:

>
>
> --On Thursday, March 21, 2013 04:44:20 PM -0700 Bill MacAllister <
> whm at stanford.edu> wrote:
>
>  Yeah, it's almost certainly an upstream bug.  Ah, I see that Cyrus SASL
>>>> has a Bugzilla and everything these days.
>>>>
>>>
>>> Once I complete testing today I will file the bug.
>>>
>>
>> And I confirmed that if I use TLS encryption the client works.
>>
>> I sent a note to the cyrus-sasl list and got a response from Quanah
>> saying that "cyrus-sasl 2.1.25 had multiple problems with GSSAPI
>> unless it was patched heavily".  I'll try packaging that and we'll see
>> what happens.  I did file a bugzilla, but if the newer version
>> works that is moot.
>>
>
> Hugh Cole-Baker on the Cyrus SASL list pointed me to the solution
> for Cyrus SASL version 2.1.25 at
>
>  http://mail.openjdk.java.net/pipermail/security-dev/2013-February/006665.html
>
> I confirmed that this does indeed solve the problem.  Basically,
> OpenLDAP needs the global configuration setting for sasl-secprops
> to include minssl=1.  (Or olcSaslSecProps if you are using cn=config.)
> In our case we set it to:
>
>  olcSaslSecProps: minssf=1,noplain,noanonymous
>
> I also confirmed that 2.1.26 also solves the problem.  Quanah Gibson-Mount
> reported that there have been a number of other problems with 2.1.25.
>
> I think this bug can be closed.
>
>
> Bill
>
> --
>
> Bill MacAllister
> Infrastructure Delivery Group, Stanford University
>
>


-- 
Ondřej Surý <ondrej at sury.org>
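
The setting quoted above can be checked mechanically. The following is an added example, not part of the original thread or of OpenLDAP or Cyrus SASL: it reads either slapd.conf text or a cn=config LDIF export and reports the effective minssf together with the noplain and noanonymous flags. It assumes that slapd falls back to noanonymous,noplain with minssf=0 when the directive is absent; the function names and sample inputs are constructed for illustration.

```python
import re

# Assumption: with no sasl-secprops set, slapd applies these flags and minssf=0.
DEFAULT_SECPROPS = "noanonymous,noplain"

# Constructed sample inputs (not taken from the thread).
SAMPLE_CN_CONFIG = (
    "dn: cn=config\n"
    "objectClass: olcGlobal\n"
    "olcSaslSecProps: minssf=1,noplain,noa\n"
    " nonymous\n"  # LDIF folding: a continuation line starts with one space
)
SAMPLE_SLAPD_CONF = "# global section\nsasl-secprops noplain,noanonymous\n"


def find_secprops(config_text):
    """Return the last sasl-secprops / olcSaslSecProps value, or None if unset."""
    unfolded = re.sub(r"\r?\n ", "", config_text)  # undo LDIF line folding
    value = None
    for line in unfolded.splitlines():
        m = re.match(r"(?:olcSaslSecProps:\s*|sasl-secprops\s+)(\S+)", line, re.I)
        if m:
            value = m.group(1)
    return value


def parse_secprops(value):
    """Split 'minssf=1,noplain' into ({'noplain'}, {'minssf': 1})."""
    flags, factors = set(), {"minssf": 0}
    for item in filter(None, (p.strip().lower() for p in value.split(","))):
        name, has_value, number = item.partition("=")
        if has_value:
            factors[name] = int(number)
        else:
            flags.add(name)
    return flags, factors


def audit(config_text):
    """Return (effective minssf, list of findings) for a slapd configuration."""
    value = find_secprops(config_text)
    flags, factors = parse_secprops(DEFAULT_SECPROPS if value is None else value)
    findings = []
    if factors["minssf"] < 1:
        findings.append("minssf is below 1; the thread's fix sets minssf=1")
    findings += [f"{f} is not set" for f in ("noplain", "noanonymous") if f not in flags]
    return factors["minssf"], findings


if __name__ == "__main__":
    for name, text in (("cn=config", SAMPLE_CN_CONFIG), ("slapd.conf", SAMPLE_SLAPD_CONF)):
        print(name, audit(text))
```
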