Your message dated Wed, 1 Aug 2012 12:43:54 -0700
with message-id <[email protected]>
and subject line Re: [Pkg-openldap-devel] Bug#683561: libldap-2.4-2: LDAP
clients cannot send requests larger than ~16k to servers when using SASL over
TLS
has caused the Debian Bug report #683561,
regarding libldap-2.4-2: LDAP clients cannot send requests larger than ~16k to
servers when using SASL over TLS
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
683561: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683561
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libldap-2.4-2
Version: 2.4.23-7.2
Severity: normal
Tags: patch
When using SASL authentication over TLS, if a request is larger than ~16k, the
client library will issue the error message "Cannot connect to server". The
reason for this is that the SASL layer (which just passes the data for
read/write operations through to the underlying TLS layer) has a limit of ~9M
for its maximum message size, while GnuTLS internally only uses at most 16k
buffers. If one wants to send more than ~16k as a request, the SASL layer can't
pass everything through at once. The code actually does contain a detection
mechanism for partial writes in the underlying I/O layer, but it doesn't pass
that information on to the calling function; it just pretends that zero bytes
were written, which causes the calling function to think the server broke off
the connection before the client could send the request.
Upstream OpenLDAP has already fixed this and the version in wheezy is not
affected anymore, but squeeze still has this bug.
The upstream bug report is:
<http://www.openldap.org/its/index.cgi/Software%20Bugs?id=6639;selectid=6639>
The upstream commit that fixes the problem is:
<http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=f32f1a45d4e4f3259e33cedc3571c27787add409>
Please note that this does not only occur when using syncrepl (as discussed in
the upstream bug report), but also when for example uploading a JPEG photo that
is larger than ~16K with either ldapmodify or any other client software (such
as python-ldap-based scripts).
The patch applies cleanly against the current version of OpenLDAP.
-- System Information:
Debian Release: 6.0.5
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.1.0-1-lxc-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages libldap-2.4-2 depends on:
ii libc6 2.11.3-3 Embedded GNU C Library: Shared lib
ii libgnutls26 2.8.6-1+squeeze2 the GNU TLS library - runtime libr
ii libsasl2-2 2.1.23.dfsg1-7 Cyrus SASL - authentication abstra
libldap-2.4-2 recommends no packages.
libldap-2.4-2 suggests no packages.
-- Configuration Files:
/etc/ldap/ldap.conf changed [not included]
-- no debconf information
X-Git-Url: http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blobdiff_plain;f=libraries%2Flibldap%2Fsasl.c;h=8856ef78d556b74607390d2e2b548460565af3b7;hp=6aa8cce49791cda8720636d6f88c8589c4cee24d;hb=f32f1a45d4e4f3259e33cedc3571c27787add409;hpb=50a21d512f0585af4cb7d84d77597029a64beca9
diff --git a/libraries/libldap/sasl.c b/libraries/libldap/sasl.c
index 6aa8cce..8856ef7 100644
--- a/libraries/libldap/sasl.c
+++ b/libraries/libldap/sasl.c
@@ -733,8 +733,9 @@ sb_sasl_generic_write( Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len)
return ret;
} else if ( p->buf_out.buf_ptr != p->buf_out.buf_end ) {
/* partial write? pretend nothing got written */
- len2 = 0;
p->flags |= LDAP_PVT_SASL_PARTIAL_WRITE;
+ sock_errset(EAGAIN);
+ len2 = -1;
}
/* return number of bytes encoded, not written, to ensure
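Review bot: the comment `/* partial write? pretend nothing got written */` directly above the changed lines is now stale, because the hunk replaces `len2 = 0;` with `sock_errset(EAGAIN);` and `len2 = -1;`, so the function no longer pretends anything; reword it to say that a partial write is reported to the caller as EAGAIN so it retries. The change also relies on every caller of `sb_sasl_generic_write` treating -1 with EAGAIN as retryable rather than as a lost connection, and on `p->flags |= LDAP_PVT_SASL_PARTIAL_WRITE` still being set so the retry resumes flushing `buf_out` instead of re-encoding; that matches the trailing comment `return number of bytes encoded, not written`, but is worth confirming in the callers.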
--- End Message ---
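The partial-write failure the report describes, reconstructed as an added example that is not libldap's code: a stand-in transport that takes at most 16k per call, a SASL-style wrapper above it that either returns 0 on a partial flush (the reported bug) or sets EAGAIN and returns -1 (the upstream fix), and a caller that shows why a 0 return is read as a closed connection. The names, the sizes and the `fixed` switch are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>
/* Constructed model: a transport (think GnuTLS) taking at most 16k per call
 * under a SASL-style write wrapper. Names/sizes are illustrative, not libldap's. */
#define LOWER_MAX 16384                  /* assumed per-call transport limit */
#define PENDING_MAX (9 * 1024 * 1024)    /* assumed SASL max message size */
static char pending[PENDING_MAX];
static size_t pend_ptr, pend_end;        /* unsent region of `pending` */
/* Transport: takes at most LOWER_MAX bytes and reports how many it took. */
static long lower_write(const char *buf, size_t len) {
    (void)buf; return (long)(len > LOWER_MAX ? LOWER_MAX : len);
}
/* Wrapper: encode into `pending` unless a flush is still pending, then push
 * what the transport takes. fixed == 0: old behaviour, return 0 on a partial
 * write. fixed != 0: upstream fix, errno = EAGAIN and return -1 (retry). */
static long sasl_write(const char *buf, size_t len, int fixed) {
    if (pend_ptr == pend_end) {          /* nothing pending: encode anew */
        if (len > PENDING_MAX) len = PENDING_MAX;
        memcpy(pending, buf, len);
        pend_ptr = 0; pend_end = len;
    }
    long n = lower_write(pending + pend_ptr, pend_end - pend_ptr);
    if (n < 0) return n;
    pend_ptr += (size_t)n;
    if (pend_ptr != pend_end) {          /* partial write */
        if (!fixed) return 0;            /* bug: caller reads 0 as EOF */
        errno = EAGAIN; return -1;       /* fix: caller retries the flush */
    }
    return (long)pend_end;               /* bytes encoded, not written */
}
/* Blocking-client caller: 1 once the request is out, 0 if it decided the
 * peer closed the connection (the report's "Cannot connect to server"). */
static int send_request(const char *req, size_t len, int fixed) {
    size_t done = 0;
    pend_ptr = pend_end = 0;
    for (int tries = 0; tries < 1024 && done < len; tries++) {
        long n = sasl_write(req + done, len - done, fixed);
        if (n > 0) { done += (size_t)n; continue; }
        if (n < 0 && errno == EAGAIN) continue;   /* partial: retry */
        return 0;                        /* 0 or hard error: give up */
    }
    return done == len;
}
static int try_send(size_t len, int fixed) {   /* len 'A' bytes, then send */
    static char req[64 * 1024];
    if (len > sizeof req) return -1;
    memset(req, 'A', len);
    return send_request(req, len, fixed);
}
```

A request at or under 16k succeeds either way; a 40000-byte request (three transport writes) fails with the old return value and succeeds with the fix.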
--- Begin Message ---
Version: 2.4.31-1
On Wed, Aug 01, 2012 at 09:18:09PM +0200, Christian Seiler wrote:
> Upstream OpenLDAP has already fixed this and the version in wheezy is not
> affected anymore, but squeeze still has this bug.
Marking this resolved in the relevant wheezy version, then.
Please note that the OpenLDAP maintainers don't have a lot of spare capacity
to go around, so it's unlikely that there will be a stable update to squeeze
for this bug.
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
[email protected] [email protected]
--- End Message ---