[Pkg-openldap-devel] Bug#604122: Bug#604122: Bug#604122: libldap-2.4-2: libldap opens the TCP connection before validating the SASL mechanism

Dan White dwhite at olp.net
Mon Nov 29 17:16:30 UTC 2010


On 29/11/10 09:00 -0800, Quanah Gibson-Mount wrote:
>--On Saturday, November 20, 2010 3:22 PM -0800 Quanah Gibson-Mount 
><quanah at zimbra.com> wrote:
>
>>--On Saturday, November 20, 2010 1:49 PM +0100 Daniel Dehennin
>><daniel.dehennin at baby-gnu.org> wrote:
>>
>>>Package: libldap-2.4-2
>>>Version: 2.4.23-6
>>>Severity: minor
>>>
>>>Hello,
>>>
>>>During some tests for nslcd[1], I found that if the SASL_SECPROPS in
>>>/etc/ldap/ldap.conf is incompatible with the SASL_MECH, then the
>>>library:
>>
>>I suggest you file this as a bug with the OpenLDAP foundation:
>>
>>http://www.openldap.org/its/
>
>I went ahead and filed 
><http://www.openldap.org/its/index.cgi/?findid=6728> for you.

Isn't that to be expected?

Typically, you wouldn't 'know' that there are no worthy mechs until Cyrus
attempts to negotiate, at runtime, a common mechanism which meets both the
server and the client's SASL criteria.

The 'no worthy mechs' error is most likely coming from libsasl.

For instance, specifying a mechanism that the server does not offer (e.g.
EXTERNAL) should produce a similar error, and there's no way for
(libsasl on) the client to magically know that it should use another
mechanism, because it was told to be too picky about the SASL negotiation
by the local administrator.

The same would go for SASL_SECPROPS, e.g. setting your min_ssf to something
too high would probably produce the same error even if you didn't specify a
mechanism.

-- 
Dan White
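The negotiation order Dan describes, as an added model that is not OpenLDAP or Cyrus SASL code: the client only learns the server's mechanism list after the TCP connection is up, so a SASL_MECH that the server does not offer, or a SASL_SECPROPS minssf that no offered mechanism can satisfy, can only surface as "no worthy mechs" at negotiation time. The mechanism names, their maximum SSF values, the `ClientSaslConfig` fields and the `negotiate` function are all constructed for this illustration.

```python
"""Constructed model of client-side SASL mechanism selection.

Not libldap or libsasl code. It reproduces the sequence the thread talks
about: connect, read the server's mechanism list, then filter it by the
local SASL_MECH / SASL_SECPROPS settings. Only the last step can fail with
"no worthy mechs", which is why the TCP connection already exists by then.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Illustrative maximum security strength factor each mechanism can provide
# by itself. Assumed values for this model; real values come from the
# installed SASL plugins.
MECH_MAX_SSF = {
    "EXTERNAL": 0,      # protection comes from the transport (e.g. TLS)
    "PLAIN": 0,         # cleartext credentials, no integrity/confidentiality
    "DIGEST-MD5": 128,  # can negotiate a confidentiality layer
    "GSSAPI": 56,       # illustrative; depends on the Kerberos enctype
}


@dataclass
class ClientSaslConfig:
    """Subset of ldap.conf SASL settings (constructed field names)."""
    mech: Optional[str] = None  # SASL_MECH; None lets the library choose
    minssf: int = 0             # minssf=N from SASL_SECPROPS
    noplain: bool = False       # noplain from SASL_SECPROPS


@dataclass
class Trace:
    """Records the order of events so callers can see when the socket opens."""
    steps: List[str] = field(default_factory=list)


def connect_and_fetch_mechs(server_mechs: List[str], trace: Trace) -> List[str]:
    """Simulate the connection and the root DSE read that returns
    supportedSASLMechanisms. The real list is unknown before this point."""
    trace.steps.append("tcp connect")
    trace.steps.append("read supportedSASLMechanisms from root DSE")
    return list(server_mechs)


def worthy(mech: str, cfg: ClientSaslConfig) -> bool:
    """Does this mechanism satisfy the client's security properties?"""
    if mech not in MECH_MAX_SSF:
        return False
    if cfg.noplain and mech == "PLAIN":
        return False
    return MECH_MAX_SSF[mech] >= cfg.minssf


def negotiate(server_mechs: List[str], cfg: ClientSaslConfig,
              trace: Optional[Trace] = None) -> Optional[str]:
    """Pick a mechanism the server offers and the client accepts, or None.

    Returning None corresponds to libsasl's "no worthy mechs" error.
    """
    trace = trace if trace is not None else Trace()
    offered = connect_and_fetch_mechs(server_mechs, trace)
    # A pinned SASL_MECH restricts the candidate set to that one name.
    candidates = [cfg.mech] if cfg.mech else offered
    usable = [m for m in candidates if m in offered and worthy(m, cfg)]
    if not usable:
        trace.steps.append("no worthy mechs")
        return None
    # Prefer the strongest mechanism among those that pass the filter.
    chosen = max(usable, key=lambda m: MECH_MAX_SSF[m])
    trace.steps.append(f"selected {chosen}")
    return chosen


if __name__ == "__main__":
    offered = ["DIGEST-MD5", "GSSAPI", "PLAIN"]   # constructed server list
    t = Trace()
    # SASL_MECH=EXTERNAL against a server that does not offer it.
    print(negotiate(offered, ClientSaslConfig(mech="EXTERNAL"), t), t.steps)
    # SASL_SECPROPS minssf too high, no mechanism pinned.
    print(negotiate(offered, ClientSaslConfig(minssf=256)))
    # SASL_MECH and SASL_SECPROPS that are compatible.
    print(negotiate(offered, ClientSaslConfig(mech="DIGEST-MD5", minssf=128)))
```

Running the block shows that "tcp connect" is always the first recorded step and "no worthy mechs" the last, regardless of whether the failure is caused by an unoffered mechanism or by an unsatisfiable minssf.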
