Description of problem:
When querying for subschemaSubentries using GSSAPI, ldapsearch fails, reporting "Can't contact LDAP server (-1)". All other queries work fine. Adding more debug, we have found that the sb_sasl_read() function returns failure as the server buffer size differs and seems bigger than what the client expects.

--
sb_sasl_read: failed to decode packet: generic failure
ldap_read: want=8 error=Input/output error
ber_get_next failed.
ldap_perror
ldap_result: Can't contact LDAP server (-1)
--

Checking upstream then, it has been fixed, and attached is the backported patch for this release. Customer has confirmed the fix.

Version-Release number of selected component (if applicable):
openldap 2.2.13-6.4

How reproducible:
Always.

Steps to Reproduce:
1. ldapsearch -ZZ -H ldap://ldap_server -s base -b "cn=Subschema" attributeTypes -Y GSSAPI

Actual results:
Failure (see attachment output_failure.log)

Expected results:
Success (see attachment output_success.log)

Additional info:
Fix attached.

Jose
Created attachment 141033 [details] sb_sasl_readwrites.patch The most important bit of this patch is : --- - if ( ret <= 0 ) { - /* caller will retry, so clear this buffer out */ - p->buf_out.buf_ptr = p->buf_out.buf_end; - return ret; - } + /* return number of bytes encoded, not written, to ensure + * no byte is encoded twice (even if only sent once). + */ return len; } ---
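Review bot: with the `if ( ret <= 0 )` branch deleted, the quoted lines return `len` whatever `ret` was, so a write failure at this point is no longer visible to the caller. The new comment explains why the encoded count is returned, but not what happens to bytes that were encoded and not sent. The removed branch discarded them by setting `p->buf_out.buf_ptr = p->buf_out.buf_end`; now they stay in `p->buf_out`, so the comment should state that they are flushed before any new data is encoded on the next call, and that a non-retryable error (as opposed to a short or would-block write) is still reported somewhere. Worth noting too that the quoted hunk is the write side only, while the failure in the description is `sb_sasl_read: failed to decode packet`; a sentence tying the two together would help whoever reviews the backport.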
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2007-0739.html