[Pkg-openldap-devel] Bug#683561: libldap-2.4-2: LDAP clients cannot send requests larger than ~16k to servers when using SASL over TLS
Christian Seiler
christian at iwakd.de
Wed Aug 1 19:18:09 UTC 2012
Package: libldap-2.4-2
Version: 2.4.23-7.2
Severity: normal
Tags: patch
When using SASL authentication over TLS, if a request is larger than ~16k, the
client library will issue the error message "Cannot connect to server". The
reason for this is that the SASL layer (which just passes the data for
read/write operations through to the underlying TLS layer) has a limit of ~9M
for its maximum message size, while GnuTLS internally only uses at most 16k
buffers. If one wants to send more than ~16k as a request, the SASL layer can't
pass everything through at once. The code actually does contain a detection
mechanism for partial writes in the underlying I/O layer, but it doesn't pass
that information on to the calling function; it just pretends that zero bytes
were written, which causes the calling function to think the server broke the
connection off before the client could send the request.
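The failure mode described above, as an added illustration that is not code from the report, from OpenLDAP or from the attached patch: a constructed transport stand-in that accepts at most 16k per call (mirroring the GnuTLS buffer size mentioned here), a pass-through layer that hides the short write by reporting 0 bytes, the corrected pass-through that reports the real count, and a caller loop in the style of a request send routine that treats 0 as "peer closed". The names (`transport_write`, `passthrough_write_buggy`, `passthrough_write_fixed`, `send_request`, `try_send`) and the 64k sink are assumptions for the example only.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed for illustration: the transport accepts at most this many bytes per
 * call, standing in for the ~16k record buffer the report attributes to GnuTLS. */
#define TRANSPORT_MAX_CHUNK 16384

/* Constructed sink standing in for the TLS layer: records what "went out". */
struct sink {
    unsigned char buf[65536];
    size_t len;
};

/* Lowest layer: takes up to TRANSPORT_MAX_CHUNK bytes and reports how many it
 * actually accepted. A short count here is a normal partial write. */
static long transport_write(struct sink *s, const unsigned char *data, size_t n)
{
    if (n > TRANSPORT_MAX_CHUNK)
        n = TRANSPORT_MAX_CHUNK;
    if (s->len + n > sizeof s->buf)
        n = sizeof s->buf - s->len;
    memcpy(s->buf + s->len, data, n);
    s->len += n;
    return (long)n;
}

/* Pass-through with the defect the report describes: it detects the partial
 * write but swallows it, telling the caller that zero bytes were written. */
static long passthrough_write_buggy(struct sink *s, const unsigned char *data, size_t n)
{
    long w = transport_write(s, data, n);
    if (w >= 0 && (size_t)w < n)
        return 0;   /* caller now believes nothing was sent */
    return w;
}

/* Corrected pass-through: report exactly what the lower layer accepted. */
static long passthrough_write_fixed(struct sink *s, const unsigned char *data, size_t n)
{
    return transport_write(s, data, n);
}

typedef long (*write_fn)(struct sink *, const unsigned char *, size_t);

/* Caller in the style of a request send loop: keeps writing until the whole
 * message is out, and treats a return of 0 as the peer having closed the
 * connection. Returns 1 on success, 0 on "cannot connect". */
static int send_request(write_fn wr, struct sink *s, const unsigned char *msg, size_t len)
{
    size_t off = 0;
    while (off < len) {
        long w = wr(s, msg + off, len - off);
        if (w <= 0)
            return 0;   /* 0 = connection closed (as assumed), <0 = error */
        off += (size_t)w;
    }
    return 1;
}

/* Sends a constructed request of `len` bytes through the chosen layer and
 * returns 1 only if the whole payload arrived intact in the sink. */
int try_send(int use_fixed, size_t len)
{
    static unsigned char msg[65536];
    static struct sink s;
    size_t i;
    if (len > sizeof msg)
        return 0;
    for (i = 0; i < len; i++)
        msg[i] = (unsigned char)(i * 31 + 7);   /* constructed payload */
    s.len = 0;
    if (!send_request(use_fixed ? passthrough_write_fixed : passthrough_write_buggy,
                      &s, msg, len))
        return 0;
    return s.len == len && memcmp(s.buf, msg, len) == 0;
}

int main(void)
{
    printf("buggy layer, 8k request:  %s\n", try_send(0, 8192) ? "sent" : "Cannot connect to server");
    printf("buggy layer, 40k request: %s\n", try_send(0, 40000) ? "sent" : "Cannot connect to server");
    printf("fixed layer, 40k request: %s\n", try_send(1, 40000) ? "sent" : "Cannot connect to server");
    return 0;
}
```

With the buggy pass-through, anything up to 16384 bytes goes out in one call and works, while 16385 bytes and above fails on the first call; with the fixed pass-through the same caller loop drains the request in 16k chunks, which is why a plain "how many bytes did the lower layer take" return value is all the caller needs.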
Upstream OpenLDAP has already fixed this and the version in wheezy is not
affected anymore, but squeeze still has this bug.
The upstream bug report is:
<http://www.openldap.org/its/index.cgi/Software%20Bugs?id=6639;selectid=6639>
The upstream commit that fixes the problem is:
<http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=f32f1a45d4e4f3259e33cedc3571c27787add409>
Please note that this does not occur only when using syncrepl (as discussed in
the upstream bug report), but also when, for example, uploading a JPEG photo that
is larger than ~16K with either ldapmodify or any other client software (such
as python-ldap-based scripts).
The patch applies cleanly against the current version of OpenLDAP.
-- System Information:
Debian Release: 6.0.5
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.1.0-1-lxc-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages libldap-2.4-2 depends on:
ii libc6 2.11.3-3 Embedded GNU C Library: Shared lib
ii libgnutls26 2.8.6-1+squeeze2 the GNU TLS library - runtime libr
ii libsasl2-2 2.1.23.dfsg1-7 Cyrus SASL - authentication abstra
libldap-2.4-2 recommends no packages.
libldap-2.4-2 suggests no packages.
-- Configuration Files:
/etc/ldap/ldap.conf changed [not included]
-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openldap-sasl-large-data.patch
Type: text/x-c
Size: 829 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-openldap-devel/attachments/20120801/061e5a59/attachment.bin>