Bug 479253 - Configuring Server to Server GSSAPI over SSL - Need better Error Message
Status: CLOSED CURRENTRELEASE
Product: Red Hat Directory Server
Classification: Red Hat
Component: Security - SASL
8.1
All Linux
medium Severity medium
Assigned To: Rich Megginson
Chandrasekar Kannan
Blocks: 249650 FDS1.2.0
Reported: 2009-01-08 08:01 EST by Jenny Galipeau
Modified: 2015-01-04 18:35 EST
Fixed In Version: 8.1
Doc Type: Bug Fix
Last Closed: 2009-04-29 19:09:11 EDT
Attachments
diffs (7.89 KB, patch)
2009-01-27 15:29 EST, Rich Megginson
cvs commit log (431 bytes, text/plain)
2009-01-27 17:37 EST, Rich Megginson
Description Jenny Galipeau 2009-01-08 08:01:00 EST
Description of problem:
SASL/GSSAPI over SSL for replication bind is not supported, but you can configure replication agreements and initialize consumers with this configuration. The bind fails and subsequently replication - but the errors in the errors log are too vague to know what the problem is.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1.  Install two servers.
2.  Configure replication agreement to bind with SASL/GSSAPI over SSL
3.  View errors logs
  
Actual results:
Bind and replication fails with the following error:
Error: could not perform interactive bind for id [cn=replication manager,cn=config] mech [GSSAPI]: error 81

Expected results:
Better error message stating that GSSAPI is not supported over SSL.

Additional info:
Comment 1 Rich Megginson 2009-01-27 15:29:42 EST
Created attachment 330144
diffs
Comment 2 Rich Megginson 2009-01-27 17:37:44 EST
Created attachment 330166
cvs commit log

Reviewed by: nkinder (Thanks!)
Fix Description: If the user attempts to set the bind mech to GSSAPI, and a secure transport is being used, the server will return LDAP_UNWILLING_TO_PERFORM and provide a useful error message.  Same if GSSAPI is being used and the user attempts to use a secure transport.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
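
The check in the Fix Description above, sketched as an added example (not the attached patch or any Red Hat code): it rejects the GSSAPI plus secure-transport pairing whichever attribute is changed, and audits exported agreement entries for the pairing. It assumes the agreement attributes nsDS5ReplicaBindMethod and nsDS5ReplicaTransportInfo; the LDIF, DNs and message text are constructed.

```python
# Added example, not the server's code. Attribute names are assumed to be the
# replication agreement attributes of Directory Server; the LDIF is constructed.
LDAP_SUCCESS = 0
LDAP_UNWILLING_TO_PERFORM = 53  # RFC 4511 unwillingToPerform
BIND_ATTR = "nsds5replicabindmethod"
TRANSPORT_ATTR = "nsds5replicatransportinfo"
SECURE_TRANSPORTS = {"SSL", "TLS"}

SAMPLE_LDIF = """\
dn: cn=to-consumer1,cn=replica,cn=example,cn=mapping tree,cn=config
objectClass: nsDS5ReplicationAgreement
nsDS5ReplicaBindMethod: SASL/GSSAPI
nsDS5ReplicaTransportInfo: SSL

dn: cn=to-consumer2,cn=replica,cn=example,cn=mapping tree,cn=config
objectClass: nsDS5ReplicationAgreement
nsDS5ReplicaBindMethod: SASL/GSSAPI
"""

def parse_ldif(text):
    """Return entries as {lowercased attr: [values]}; unfolds wrapped lines."""
    entries, current = [], {}
    for line in text.replace("\n ", "").splitlines() + [""]:
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def unsupported(entry):
    """True when the entry pairs a GSSAPI bind with a secure transport."""
    gssapi = any(v.upper() == "SASL/GSSAPI" for v in entry.get(BIND_ATTR, []))
    secure = any(v.upper() in SECURE_TRANSPORTS for v in entry.get(TRANSPORT_ATTR, []))
    return gssapi and secure

def check_modify(entry, attr, new_value):
    """Apply a proposed change to a copy; reject it if the pairing results."""
    proposed = {**entry, attr.lower(): [new_value]}
    if unsupported(proposed):  # message text is illustrative only
        return LDAP_UNWILLING_TO_PERFORM, "SASL/GSSAPI bind is not supported over SSL/TLS"
    return LDAP_SUCCESS, ""

def audit(ldif_text):
    """DNs of replication agreements already holding the unsupported pairing."""
    return [e["dn"][0] for e in parse_ldif(ldif_text)
            if "nsds5replicationagreement" in (v.lower() for v in e.get("objectclass", []))
            and unsupported(e)]
```
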
Comment 3 Jenny Galipeau 2009-03-30 16:25:23 EDT
fix verified DS 8.1 and regression being tested by Server to Server SASL automated acceptance tests on all platforms.
Comment 4 Chandrasekar Kannan 2009-04-29 19:09:11 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-0455.html
