Bug#703113: libsasl2-modules-gssapi-mit: Java client GSSAPI connections to OpenLDAP fail

Bill MacAllister whm at stanford.edu
Sun Mar 24 18:17:22 UTC 2013



--On Sunday, March 24, 2013 07:35:27 AM +0100 Ondřej Surý <ondrej at sury.org> wrote:

> Bill,
>
> thanks for investigating this. I'll keep the bug open in case somebody else
> gets hit by it, and mark it as fixed in 2.1.26 when it hits unstable.
>
> O.

And after doing some more testing, with the correct server this time,
I discovered that 2.1.26 does _not_ fix the problem, i.e. minssf=1
needs to be specified in the OpenLDAP configuration element
olcSaslSecProps.  Sorry for the mis-direction.

And, thinking about this some more it is not clear that this is a bug
in Cyrus SASL.  At a minimum JNDI should give a better error message
than it is, but really JNDI should just probably handle it.

Bill

>
> On Sun, Mar 24, 2013 at 5:40 AM, Bill MacAllister <whm at stanford.edu> wrote:
>
>>
>>
>> --On Thursday, March 21, 2013 04:44:20 PM -0700 Bill MacAllister <
>> whm at stanford.edu> wrote:
>>
>>>>> Yeah, it's almost certainly an upstream bug.  Ah, I see that Cyrus SASL
>>>>> has a Bugzilla and everything these days.
>>>>>
>>>>
>>>> Once I complete testing today I will file the bug.
>>>>
>>>
>>> And I confirmed that if I use TLS encryption the client works.
>>>
>>> I sent a note to the cyrus-sasl list and got a response from Quanah
>>> saying that "cyrus-sasl 2.1.25 had multiple problems with GSSAPI
>>> unless it was patched heavily".  I'll try packaging that and see what
>>> happens.  I did file a bugzilla, but if the newer version
>>> works that is moot.
>>>
>>
>> Hugh Cole-Baker on the Cyrus SASL list pointed me to the solution
>> for Cyrus SASL version 2.1.25 at
>>
>>  http://mail.openjdk.java.net/pipermail/security-dev/2013-February/006665.html
>>
>> I confirmed that this does indeed solve the problem.  Basically,
>> OpenLDAP needs the global configuration setting for sasl-secprops
>> to include minssf=1.  (Or olcSaslSecProps if you are using cn=config.)
>> In our case we set it to:
>>
>>  olcSaslSecProps: minssf=1,noplain,noanonymous
>>
>> I also confirmed that 2.1.26 also solves the problem.  Quanah Gibson-Mount
>> reported that there have been a number of other problems with 2.1.25.
>>
>> I think this bug can be closed.
>>
>>
>> Bill
>>
>> --
>>
>> Bill MacAllister
>> Infrastructure Delivery Group, Stanford University
>>



-- 

Bill MacAllister
Infrastructure Delivery Group, Stanford University
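As an added example (not part of the mail above, and not OpenLDAP's or Cyrus SASL's own code), the cn=config modification that applies the sasl-secprops value reported in the thread. The slapd.conf equivalent is a single `sasl-secprops minssf=1,noplain,noanonymous` line in the global section. The ldapmodify invocation in the comment assumes the Debian packaging's usual setup, an ldapi:/// socket and an olcAccess rule that lets the local root user write cn=config; adjust it if your server differs.

```ldif
# Added example: set the global SASL security properties on a cn=config server.
# Apply with (assumption: local root has write access to cn=config via ldapi:///):
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f secprops.ldif
dn: cn=config
changetype: modify
replace: olcSaslSecProps
# minssf=1     require a SASL security layer of at least SSF 1 (integrity);
#              this is the setting that makes the Java/JNDI GSSAPI client
#              succeed in the thread above
# noplain      reject mechanisms susceptible to simple passive attacks
# noanonymous  reject anonymous SASL binds
olcSaslSecProps: minssf=1,noplain,noanonymous
```

To verify, obtain a Kerberos ticket with kinit and run `ldapwhoami -Y GSSAPI -H ldap://<server>` (server name is a placeholder); a successful bind prints the SASL identity. Note that the properties apply to every SASL bind, not only GSSAPI, so any other SASL mechanism the server offers should be re-tested after the change.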



More information about the Pkg-cyrus-sasl2-debian-devel mailing list