https://bugzilla.novell.com/show_bug.cgi?id=868588
https://bugzilla.novell.com/show_bug.cgi?id=868588#c0

Summary: cyrus-sasl broken for connecting to MS AD with "GSSAPI Error: A required input parameter could not be read (Unknown error)"
Classification: openSUSE
Product: openSUSE 13.1
Version: Final
Platform: x86-64
OS/Version: openSUSE 13.1
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
AssignedTo: security-team@suse.de
ReportedBy: boris@steki.net
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0

Using squid with Kerberos tickets is not possible because a cyrus-sasl patch introduced a while ago breaks its usage.

Already documented upstream here:
https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480

I have been using cyrus-sasl with this patch and it definitely makes things work.

---- without patch ----
support_ldap.cc(845): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: DEBUG: Setting up connection to ldap server ldap.ADDOMAIN:636
support_ldap.cc(690): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: DEBUG: Set SSL defaults
support_ldap.cc(519): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: DEBUG: Disable server certificate check for ldap server.
support_ldap.cc(704): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: ERROR: Error while setting start_tls for ldap server: Operations error
support_ldap.cc(845): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: DEBUG: Setting up connection to ldap server ldap.ADDOMAIN:389
support_ldap.cc(690): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: DEBUG: Set SSL defaults
support_ldap.cc(519): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: DEBUG: Disable server certificate check for ldap server.
support_ldap.cc(704): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: ERROR: Error while setting start_tls for ldap server: Can't contact LDAP server
support_ldap.cc(856): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_sasl.cc(268): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server
support_ldap.cc(860): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact LDAP server
support_ldap.cc(845): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: DEBUG: Setting up connection to ldap server ldap.ADDOMAIN:636
support_ldap.cc(690): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: DEBUG: Set SSL defaults
support_ldap.cc(519): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: DEBUG: Disable server certificate check for ldap server.
support_ldap.cc(704): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: ERROR: Error while setting start_tls for ldap server: Can't contact LDAP server
support_ldap.cc(856): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_sasl.cc(268): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server
support_ldap.cc(860): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact LDAP server
support_ldap.cc(845): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: DEBUG: Setting up connection to ldap server ADDOMAIN:389
support_ldap.cc(690): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: DEBUG: Set SSL defaults
support_ldap.cc(519): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: DEBUG: Disable server certificate check for ldap server.
support_ldap.cc(704): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: ERROR: Error while setting start_tls for ldap server: Can't contact LDAP server
support_ldap.cc(856): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_sasl.cc(268): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server
---- end without patch ----

---- with patch ----
support_ldap.cc(845): pid=11726 :2014/03/15 14:30:13| kerberos_ldap_group: DEBUG: Setting up connection to ldap server ldap.ADDOMAIN:636
support_ldap.cc(690): pid=11726 :2014/03/15 14:30:13| kerberos_ldap_group: DEBUG: Set SSL defaults
support_ldap.cc(519): pid=11726 :2014/03/15 14:30:13| kerberos_ldap_group: DEBUG: Disable server certificate check for ldap server.
support_ldap.cc(704): pid=11726 :2014/03/15 14:30:13| kerberos_ldap_group: ERROR: Error while setting start_tls for ldap server: Operations error
support_ldap.cc(856): pid=11726 :2014/03/15 14:30:13| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_ldap.cc(870): pid=11726 :2014/03/15 14:30:13| kerberos_ldap_group: DEBUG: Successfully initialised SSL protected connection to ldap server ldap.ADDOMAIN:636
support_ldap.cc(299): pid=11726 :2014/03/15 14:30:13| kerberos_ldap_group: DEBUG: Search ldap server with bind path "" and filter: (objectclass=*)
support_ldap.cc(569): pid=11726 :2014/03/15 14:30:13| kerberos_ldap_group: DEBUG: Search ldap entries for attribute : schemaNamingContext
support_ldap.cc(615): pid=11726 :2014/03/15 14:30:13| kerberos_ldap_group: DEBUG: 1 ldap entry found with attribute : schemaNamingContext
support_ldap.cc(308): pid=11726 :2014/03/15 14:30:13| kerberos_ldap_group: DEBUG: Search ldap server with bind path CN=Schema,CN=Configuration,dc=ldap,dc=ADDOMAIN and filter: (ldapdisplayname=samaccountname)
support_ldap.cc(311): pid=11726 :2014/03/15 14:30:13| kerberos_ldap_group: DEBUG: Found 1 ldap entry
support_ldap.cc(316): pid=11726 :2014/03/15 14:30:13| kerberos_ldap_group: DEBUG: Determined ldap server as an Active Directory server
support_ldap.cc(978): pid=11726 :2014/03/15 14:30:13| kerberos_ldap_group: DEBUG: Search ldap server with bind path dc=ldap,dc=ADDOMAIN and filter : (samaccountname=luzer)
support_ldap.cc(991): pid=11726 :2014/03/15 14:30:13| kerberos_ldap_group: DEBUG: Found 1 ldap entry
support_ldap.cc(569): pid=11726 :2014/03/15 14:30:13| kerberos_ldap_group: DEBUG: Search ldap entries for attribute : memberof
support_ldap.cc(615): pid=11726 :2014/03/15 14:30:13| kerberos_ldap_group: DEBUG: 19 ldap entries found with attribute : memberof
---- end with patch ----

Reproducible: Always

Steps to Reproduce:
1.
2.
3.

Expected Results:
Login with the Kerberos ticket of the HTTP/ principal logs in to LDAP.
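The two log runs above differ in one place that is easy to miss in a wall of DEBUG output: whether the SASL/GSSAPI bind that follows "Bind to ldap server with SASL/GSSAPI" ends in "ldap_sasl_interactive_bind_s error" or in a successful connection followed by schema searches. The following triage script is an added example for this report, not code from squid, cyrus-sasl or the reporter. It groups kerberos_ldap_group helper lines into per-server connection attempts, classifies each attempt (bound, bind failed, abandoned after the StartTLS error), and flags the "Disable server certificate check for ldap server" line the helper emits, which is worth surfacing before such a configuration reaches production. Function and field names are my own; SAMPLE_LOG is constructed to mirror the shape of the report's log lines (one failing and one succeeding run against the same server).

```python
"""Triage squid's kerberos_ldap_group helper debug output.

Added example for this bug report; it is not code from squid, cyrus-sasl or the
reporter.  Function and field names are my own.  SAMPLE_LOG is constructed to
mirror the shape of the helper lines quoted in the report (one failing run and
one succeeding run against the same AD server).
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Helper line format as seen in the report:
#   <source file>(<line>): pid=<pid> :<date> <time>| kerberos_ldap_group: <LEVEL>: <message>
LINE_RE = re.compile(
    r"^(?P<src>\S+)\((?P<srcline>\d+)\): pid=(?P<pid>\d+) :(?P<ts>\S+ \S+)\| "
    r"kerberos_ldap_group: (?P<level>DEBUG|ERROR): (?P<msg>.*)$"
)

# Constructed sample, abridged from the shape of the report's log output.
SAMPLE_LOG = """\
support_ldap.cc(845): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: DEBUG: Setting up connection to ldap server ldap.ADDOMAIN:636
support_ldap.cc(690): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: DEBUG: Set SSL defaults
support_ldap.cc(519): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: DEBUG: Disable server certificate check for ldap server.
support_ldap.cc(704): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: ERROR: Error while setting start_tls for ldap server: Operations error
support_ldap.cc(845): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: DEBUG: Setting up connection to ldap server ldap.ADDOMAIN:389
support_ldap.cc(519): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: DEBUG: Disable server certificate check for ldap server.
support_ldap.cc(704): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: ERROR: Error while setting start_tls for ldap server: Can't contact LDAP server
support_ldap.cc(856): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_sasl.cc(268): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: ERROR: ldap_sasl_interactive_bind_s error: Can't contact LDAP server
support_ldap.cc(860): pid=10733 :2014/03/15 13:38:47| kerberos_ldap_group: ERROR: Error while binding to ldap server with SASL/GSSAPI: Can't contact LDAP server
support_ldap.cc(845): pid=11726 :2014/03/15 14:30:13| kerberos_ldap_group: DEBUG: Setting up connection to ldap server ldap.ADDOMAIN:636
support_ldap.cc(519): pid=11726 :2014/03/15 14:30:13| kerberos_ldap_group: DEBUG: Disable server certificate check for ldap server.
support_ldap.cc(704): pid=11726 :2014/03/15 14:30:13| kerberos_ldap_group: ERROR: Error while setting start_tls for ldap server: Operations error
support_ldap.cc(856): pid=11726 :2014/03/15 14:30:13| kerberos_ldap_group: DEBUG: Bind to ldap server with SASL/GSSAPI
support_ldap.cc(870): pid=11726 :2014/03/15 14:30:13| kerberos_ldap_group: DEBUG: Successfully initialised SSL protected connection to ldap server ldap.ADDOMAIN:636
"""


@dataclass
class BindAttempt:
    """One 'Setting up connection ...' block and what happened inside it."""
    pid: str
    server: str
    cert_check_disabled: bool = False
    tls_error: Optional[str] = None
    bind_attempted: bool = False
    bind_error: Optional[str] = None
    bound: bool = False


def parse_attempts(log_text: str) -> list[BindAttempt]:
    """Group helper lines into per-server connection attempts, in log order."""
    attempts: list[BindAttempt] = []
    cur: Optional[BindAttempt] = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a helper line (squid's own output, blank, etc.)
        msg = m.group("msg")
        if msg.startswith("Setting up connection to ldap server "):
            cur = BindAttempt(pid=m.group("pid"), server=msg.rsplit(" ", 1)[1])
            attempts.append(cur)
        elif cur is None:
            continue  # lines before the first connection block
        elif msg.startswith("Disable server certificate check"):
            cur.cert_check_disabled = True
        elif msg.startswith("Error while setting start_tls for ldap server: "):
            cur.tls_error = msg.split(": ", 1)[1]
        elif msg.startswith("Bind to ldap server with SASL/GSSAPI"):
            cur.bind_attempted = True
        elif (msg.startswith("ldap_sasl_interactive_bind_s error: ")
              or msg.startswith("Error while binding to ldap server with SASL/GSSAPI: ")):
            cur.bind_error = msg.split(": ", 1)[1]
        elif msg.startswith("Successfully initialised SSL protected connection"):
            # In the report this line follows the bind and precedes the schema
            # searches, so it is taken as the marker of a successful bind.
            cur.bound = True
    return attempts


def classify(a: BindAttempt) -> str:
    """Reduce an attempt to one of a few triage buckets."""
    if a.bound:
        return "bound"
    if a.bind_error:
        return "bind-failed"
    if a.tls_error and not a.bind_attempted:
        return "abandoned-after-starttls-error"
    return "incomplete"


def summarize(log_text: str) -> list[tuple[str, str, str, bool]]:
    """(pid, server, status, cert_check_disabled) per attempt, in log order."""
    return [(a.pid, a.server, classify(a), a.cert_check_disabled)
            for a in parse_attempts(log_text)]


def insecure_servers(log_text: str) -> set[str]:
    """Servers for which the helper logged that certificate checking is off."""
    return {a.server for a in parse_attempts(log_text) if a.cert_check_disabled}


if __name__ == "__main__":
    for pid, server, status, insecure in summarize(SAMPLE_LOG):
        flag = "  [server certificate check disabled]" if insecure else ""
        print(f"pid {pid} {server}: {status}{flag}")
```

Run against the helper's stderr (squid writes it to cache.log when the helper is started with `-d`), the summary makes the before/after difference in the report a one-line diff per server: the unpatched run ends in bind-failed with "Can't contact LDAP server", the patched run in bound. The "Operations error" on port 636 shows up in both runs, so it is not the discriminating line.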