Red Hat Bugzilla – Bug 207518
Usage of DIGEST-MD5 corrupts session of programs
Last modified: 2009-04-10 09:56:16 EDT
Description of problem:
Using a SASL/DIGEST-MD5 authentication, programs like 'ldapsearch' report an
'Invalid Sequence Number' followed by a bogus 'ldap_result: Can't contact LDAP
server (-1)' when transferring larger data.
It is possible that this problem only occurs using TLS/SSL connections.
Version-Release number of selected component (if applicable):
Server is on RHEL4. Client is on same host, or on different Linux distro.
DIGEST-MD5 modules must be installed.
Here we can reproduce the problem 100% - it seems very deterministic and
seemingly depends on the size of the transferred data.
Steps to Reproduce:
1.) You need a SASL enabled LDAP-server
2.) You need lots of data on that server (here: dbsize of ~10MB)
3.) You query lots of data from that server
ldapsearch -H ldaps://server -Y DIGEST-MD5
... outputs lots of (correct) data ...
... and suddenly stops after approx. 40k lines
ldap_result: Can't contact LDAP server (-1)
ldapsearch -H ldaps://server -Y CRAM-MD5
... works fine
ldapsearch -H ldap://server -Y DIGEST-MD5
... works fine for me without TLS/SSL
ldapsearch -H ldap://server -Y DIGEST-MD5 -Z
... same problem as with ldaps://server -Y DIGEST-MD5
no error - just the data
Using strace to debug this problem, we found out that the digest-md5 module
tries to syslog "Invalid Sequence Number".
We found this thread on a ML: http://www.spinics.net/lists/cyrus-sasl/msg00168.html
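As an added illustration, not part of the bug report, here is a minimal model of the RFC 2831 DIGEST-MD5 integrity layer that libsasl applies on top of the connection, showing the check behind the "Invalid Sequence Number" message: every protected buffer carries a 4-byte counter, and the receiver rejects a buffer whose counter is not the one it expects next, so a skipped or duplicated buffer ends the stream. The H(A1) value below is constructed; the report does not establish why the counters diverged in this case.

```python
# Model of the RFC 2831 section 2.3 integrity layer ("auth-int"):
#   MAC     = HMAC-MD5(Ki, SeqNum || msg)[0:10]
#   packet  = msg || MAC || 0x0001 || SeqNum      (SeqNum: 4-byte big-endian)
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple

MAGIC = {
    "c2s": b"Digest session key to client-to-server signing key magic constant",
    "s2c": b"Digest session key to server-to-client signing key magic constant",
}

def signing_key(h_a1: bytes, direction: str) -> bytes:
    """Ki = MD5(H(A1) || magic constant) for the given direction."""
    return hashlib.md5(h_a1 + MAGIC[direction]).digest()

def wrap(ki: bytes, seqnum: int, msg: bytes) -> bytes:
    """Sender side: append MAC, version and sequence number to one buffer."""
    seq = struct.pack(">I", seqnum)
    mac = hmac.new(ki, seq + msg, hashlib.md5).digest()[:10]
    return msg + mac + b"\x00\x01" + seq

def unwrap(ki: bytes, expected_seq: int, packet: bytes) -> bytes:
    """Receiver side: verify version, sequence number and MAC, return the payload."""
    msg, mac, version, seq = packet[:-16], packet[-16:-6], packet[-6:-4], packet[-4:]
    if version != b"\x00\x01":
        raise ValueError("Unsupported version")
    if struct.unpack(">I", seq)[0] != expected_seq:
        raise ValueError("Invalid Sequence Number")  # the message seen via strace
    calc = hmac.new(ki, seq + msg, hashlib.md5).digest()[:10]
    if not hmac.compare_digest(calc, mac):
        raise ValueError("Invalid MAC")
    return msg

def receive_stream(ki: bytes, packets: List[bytes]) -> Tuple[List[bytes], Optional[str]]:
    """Consume buffers in order; stop at the first failure like libsasl does."""
    accepted, expected = [], 0
    for pkt in packets:
        try:
            accepted.append(unwrap(ki, expected, pkt))
        except ValueError as err:
            return accepted, str(err)
        expected += 1
    return accepted, None

if __name__ == "__main__":
    ki = signing_key(hashlib.md5(b"constructed H(A1)").digest(), "s2c")  # constructed
    pkts = [wrap(ki, i, m) for i, m in enumerate([b"dn: a", b"dn: b", b"dn: c"])]
    print(receive_stream(ki, pkts))                       # all three accepted
    print(receive_stream(ki, [pkts[0], pkts[2]]))         # buffer 1 skipped -> error
```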
Unfortunately I am not able to reproduce this problem with current cyrus-sasl and openldap packages on RHEL-4 Update 7.
Can you still reproduce it?
Problem is no longer reproducible, neither on 4.7 nor (and never was) on 5.3.
The cyrus and openldap packages were updated in 2007 (after filing the bug). I cannot tell what solved the problem, sorry.
But it is no longer persistent. Thank you for looking into that problem.