Bug 479253 - Configuring Server to Server GSSAPI over SSL - Need better Error Message
Alias: None
Product: Red Hat Directory Server
Classification: Red Hat
Component: Security - SASL
Version: 8.1
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Rich Megginson
QA Contact: Chandrasekar Kannan
Depends On:
Blocks: 249650 FDS1.2.0
Reported: 2009-01-08 13:01 UTC by Jenny Severance
Modified: 2015-01-04 23:35 UTC (History)

Fixed In Version: 8.1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2009-04-29 23:09:11 UTC
Target Upstream Version:

Attachments
diffs (7.89 KB, patch), 2009-01-27 20:29 UTC, Rich Megginson
cvs commit log (431 bytes, text/plain), 2009-01-27 22:37 UTC, Rich Megginson

Description Jenny Severance 2009-01-08 13:01:00 UTC
Description of problem:
SASL/GSSAPI over SSL for replication bind is not supported, but you can configure replication agreements and initialize consumers with this configuration.  The bind fails, and subsequently replication, but the errors in the errors log are too vague to know what the problem is.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.  Install two servers.
2.  Configure replication agreement to bind with SASL/GSSAPI over SSL
3.  View errors logs
Actual results:
Bind and replication fails with the following error:
Error: could not perform interactive bind for id [cn=replication manager,cn=config] mech [GSSAPI]: error 81

Expected results:
Better error message stating that GSSAPI is not supported over SSL.

Additional info:

Comment 1 Rich Megginson 2009-01-27 20:29:42 UTC
Created attachment 330144 (diffs)

Comment 2 Rich Megginson 2009-01-27 22:37:44 UTC
Created attachment 330166 (cvs commit log)

Reviewed by: nkinder (Thanks!)
Fix Description: If the user attempts to set the bind mech to GSSAPI, and a secure transport is being used, the server will return LDAP_UNWILLING_TO_PERFORM and provide a useful error message.  Same if GSSAPI is being used and the user attempts to use a secure transport.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
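
The check described in the fix above, as an added example that is not the Directory Server's own code: a pre-flight validator for a replication agreement that rejects the unsupported GSSAPI-plus-SSL/TLS pairing with LDAP_UNWILLING_TO_PERFORM and a readable reason, instead of letting the bind fail later with a bare "error 81" in the errors log. The `transport_t` type and `validate_bind_transport` function are hypothetical names for this example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Standard LDAP result codes (values from RFC 4511 / the LDAP C SDK). */
#define LDAP_SUCCESS               0
#define LDAP_UNWILLING_TO_PERFORM 53

/* Hypothetical representation of the transport setting on an agreement. */
typedef enum { TRANSPORT_LDAP = 0, TRANSPORT_SSL, TRANSPORT_TLS } transport_t;

/*
 * Validate the resulting (bind method, transport) pair of a replication
 * agreement.  Because it checks the combination, it covers both orderings
 * from the fix description: setting GSSAPI while SSL/TLS is configured, and
 * enabling SSL/TLS while GSSAPI is the bind method.  On rejection it fills
 * errbuf with an explanation rather than deferring the failure to bind time,
 * where the log only shows "error 81" (LDAP_SERVER_DOWN in the LDAP C SDK).
 */
int validate_bind_transport(const char *bindmech, transport_t transport,
                            char *errbuf, size_t errlen)
{
    int secure = (transport == TRANSPORT_SSL || transport == TRANSPORT_TLS);
    int gssapi = (bindmech != NULL && strcasecmp(bindmech, "GSSAPI") == 0);

    if (gssapi && secure) {
        snprintf(errbuf, errlen,
                 "SASL/GSSAPI bind is not supported over a secure transport "
                 "(SSL/TLS): use a plain LDAP connection for GSSAPI, or choose "
                 "a different bind method for SSL/TLS");
        return LDAP_UNWILLING_TO_PERFORM;
    }
    if (errlen > 0) errbuf[0] = '\0';
    return LDAP_SUCCESS;
}

int main(void)
{
    char err[256];
    /* Constructed sample: the misconfiguration from the bug report. */
    int rc = validate_bind_transport("GSSAPI", TRANSPORT_SSL, err, sizeof err);
    printf("GSSAPI over SSL  -> rc=%d: %s\n", rc, err);
    /* The supported pairings pass the check. */
    rc = validate_bind_transport("GSSAPI", TRANSPORT_LDAP, err, sizeof err);
    printf("GSSAPI over LDAP -> rc=%d\n", rc);
    rc = validate_bind_transport("SIMPLE", TRANSPORT_SSL, err, sizeof err);
    printf("SIMPLE over SSL  -> rc=%d\n", rc);
    return 0;
}
```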

Comment 3 Jenny Severance 2009-03-30 20:25:23 UTC
Fix verified on DS 8.1; regression is being tested by the Server to Server SASL automated acceptance tests on all platforms.

Comment 4 Chandrasekar Kannan 2009-04-29 23:09:11 UTC
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

