Xu, Qiang (FXSGSC) wrote, On 2009-04-19 19:34:
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On Behalf Of Xu, Qiang (FXSGSC)
>> Sent: Wednesday, April 15, 2009 10:32 AM
>> To: Markus Moeller; [email protected]
>> Subject: RE: SASL authentication
>>
>> The problem here is, to use ldap_sasl_interactive_bind_ext_s() to do SASL
>> binding over an SSL connection, while setting maxssf=0 using
>> ldap_set_option(), the binding result is not stable. The result is good
>> and bad alternately. The odd-numbered tries are successful, while
>> the even-numbered ones all fail.
>
> Just want you guys to know that, if maxssf is set to 0 in SASL binding with a
> non-SSL connection, the result is constantly good. No ping-pong style
> observed in logs and network traces. Maybe this is another proof that it
> is a defect in the MozLDAP library's SSL part.
Does maxssf disable the use of SSL?

I wonder if this could be another manifestation of failure to specify the client's identity to libSSL (that is, to name a client session cache to be used with each connection). If a process is trying to act as multiple client identities, and doesn't identify each of those identities separately to libSSL through a call to SSL_SetSockPeerID, then libSSL will attempt to use a single common SSL session for all of them. Perhaps this leads to failures with the following scenario:

- identity 1 establishes an SSL session with the server and binds his identity to it with SASL.
- identity 2 connects to the same server, and reuses the SSL session established by identity 1. Things fail because of the identity mismatch.
- identity 2 retries, creating a new session, bound to identity 2, and succeeds.
- identity 1 connects to that server, reusing the session of identity 2, ... etc.

Is that the behavior described as "ping-pong style"?

_______________________________________________
dev-tech-ldap mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-ldap
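The scenario in the reply above, as an added simulation (this is not code from the thread, from MozLDAP or from NSS): a stand-in for libSSL's client session cache, keyed by server and by the peer ID the application hands to SSL_SetSockPeerID(), driven through the attempt sequence the reply lists (identity 1 binds, identity 2 binds, identity 2 retries, identity 1 binds, identity 1 retries). The server name, the identities "A" and "B", and the rule that a bind over a mismatched resumed session fails and drops that session from the cache are assumptions made for the model.

```c
/* Model of a client-side SSL session cache keyed by (server, peer ID), as the
 * reply describes libSSL's behaviour. Stand-alone simulation; not NSS code.
 * Assumption: a failed bind over a resumed session discards that session. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_SESSIONS 8
#define NAME_LEN 32

typedef struct {
    bool in_use;
    char server[NAME_LEN];
    char peer_id[NAME_LEN];   /* "" models never calling SSL_SetSockPeerID() */
    char identity[NAME_LEN];  /* SASL identity bound over this session */
} session_t;

typedef struct { session_t slot[MAX_SESSIONS]; } session_cache_t;

/* Find a cached session for (server, peer_id); NULL means full handshake. */
static session_t *cache_lookup(session_cache_t *c, const char *server,
                               const char *peer_id)
{
    for (int i = 0; i < MAX_SESSIONS; i++) {
        session_t *s = &c->slot[i];
        if (s->in_use && strcmp(s->server, server) == 0 &&
            strcmp(s->peer_id, peer_id) == 0)
            return s;
    }
    return NULL;
}

/* Record a freshly negotiated session under (server, peer_id). */
static void cache_store(session_cache_t *c, const char *server,
                        const char *peer_id, const char *identity)
{
    for (int i = 0; i < MAX_SESSIONS; i++) {
        session_t *s = &c->slot[i];
        if (!s->in_use) {
            s->in_use = true;
            snprintf(s->server, NAME_LEN, "%s", server);
            snprintf(s->peer_id, NAME_LEN, "%s", peer_id);
            snprintf(s->identity, NAME_LEN, "%s", identity);
            return;
        }
    }
}

/* One SASL bind over SSL for `identity`; true when the bind succeeds. */
static bool connect_and_bind(session_cache_t *c, const char *server,
                             const char *peer_id, const char *identity)
{
    session_t *s = cache_lookup(c, server, peer_id);
    if (s == NULL) {                 /* full handshake, bind this identity */
        cache_store(c, server, peer_id, identity);
        return true;
    }
    if (strcmp(s->identity, identity) == 0)
        return true;                 /* resumed a session that is ours */
    s->in_use = false;               /* mismatch: bind fails, session dropped */
    return false;
}

/* Attempt sequence from the reply: A, B, B (retry), A, A (retry). `out` gets
 * one 'S'/'F' per attempt; returns the number of failed binds. */
static int run_scenario(bool use_peer_id, char *out, size_t out_len)
{
    static const char *attempts[] = { "A", "B", "B", "A", "A" };
    size_t n = sizeof attempts / sizeof attempts[0];
    session_cache_t cache;
    int failures = 0;
    memset(&cache, 0, sizeof cache);
    for (size_t i = 0; i < n && i + 1 < out_len; i++) {
        const char *id = attempts[i];
        /* Assumption: with peer IDs, each identity gets its own cache key. */
        const char *peer_id = use_peer_id ? id : "";
        bool ok = connect_and_bind(&cache, "ldap.example.test:636", peer_id, id);
        out[i] = ok ? 'S' : 'F';
        if (!ok) failures++;
    }
    out[n < out_len ? n : out_len - 1] = '\0';
    return failures;
}

/* Convenience check: does the scenario produce the given S/F pattern? */
static bool scenario_matches(bool use_peer_id, const char *expected)
{
    char out[16];
    run_scenario(use_peer_id, out, sizeof out);
    return strcmp(out, expected) == 0;
}

int main(void)
{
    char out[16];
    run_scenario(false, out, sizeof out);
    printf("without SSL_SetSockPeerID: %s\n", out);   /* SFSFS */
    run_scenario(true, out, sizeof out);
    printf("with SSL_SetSockPeerID:    %s\n", out);   /* SSSSS */
    return 0;
}
```

Without distinct peer IDs the model reproduces the alternating good/bad pattern from the first message (every other attempt resumes a session bound to the other identity), and with one peer ID per identity every attempt succeeds, which is the check a practitioner would make before blaming the library's SSL layer.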
