ODSEE 11.1.1.5.0 SASL GSSAPI requires patch for bug ID 12654448 to be compatible with -X u: and -X dn: notation by openldap or components following RFC 4513 section 5.2.1.8 (Doc ID 1339464.1)

Last updated on OCTOBER 11, 2016

Applies to:

Oracle Directory Server Enterprise Edition - Version 7.0 and later
Information in this document applies to any platform.

Symptoms

On : ODSEE 11gR1p1, Security/SSL

When configuring a Linux client to use or test SASL authentication with the GSSAPI mechanism, using the openLDAP version of the ldapsearch command, the authentication attempt fails and the following message is returned in response to the bind.


COMMAND EXAMPLE AND ERROR
-----------------------

/usr/bin/ldapsearch -LLL -Y GSSAPI -X"u:testuser" -h host.example.com:389 -b "o=example.com" -s sub uid=anotheruser

SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)

/usr/bin/ldapsearch -LLL -Y GSSAPI -X"dn:uid=testuser,ou=people,o=example.com" -h host.example.com -p 389 -b "dc=example,dc=com" uid=anotheruser

SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)

STEPS
-----------------------
The issue can be reproduced with the following steps:

1. Set up and configure SASL authentication following the Administration Guide for ODSEE, including the configuration of the identity mapping entries using the GSSAPI against a kerberos provider.

2. Attempt to use ldapsearch against the ODSEE, using the default Linux-provided "ldapsearch" command, following the Linux version of the command instructions to use -X"u:uid=testuser" or -X"dn: uid=testuser, ou=some unit, dc=example, dc=com".

Regardless of configuration used, they will fail with the same messages.

BUSINESS IMPACT
-----------------------
The issue impacts sites attempting to use ODSEE with openldap, as well as with other components that present the authorization identity in the form defined in section 5.2.1.8 of RFC 4513.
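
The two authorization-identity forms from RFC 4513 section 5.2.1.8 that openLDAP's -X option sends, and the check a directory server makes before answering the bind, as an added example (not ODSEE code and not from this article). The principal-to-DN and uid-to-DN tables are constructed sample data standing in for the identity-mapping entries; the rule that a principal may only request its own identity (no proxy authorization) is a simplifying assumption.

```python
import re
from typing import Optional, Tuple

# Constructed sample mappings (hypothetical, not from the article):
# Kerberos principal -> DN, as an identity-mapping entry would yield,
# and uid -> DN, as a directory lookup would yield.
PRINCIPAL_TO_DN = {"testuser@EXAMPLE.COM": "uid=testuser,ou=people,o=example.com"}
UID_TO_DN = {
    "testuser": "uid=testuser,ou=people,o=example.com",
    "anotheruser": "uid=anotheruser,ou=people,o=example.com",
}

_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")  # attr=value, one RDN


def normalize_dn(dn: str) -> Optional[str]:
    """Trim whitespace around each RDN ("uid=a, ou=b" -> "uid=a,ou=b").
    Returns None if any RDN is not attr=value. Escaped or quoted commas
    are out of scope for this example."""
    rdns = [r.strip() for r in dn.split(",")]
    if not all(_RDN.match(r) for r in rdns):
        return None
    return ",".join(rdns)


def parse_authzid(raw: str) -> Optional[Tuple[str, str]]:
    """Split an authzId into (form, value): form is "u", "dn", or ""
    for an empty authzId (act as the authenticated identity).
    Returns None for anything the RFC grammar does not allow."""
    if raw == "":
        return ("", "")
    if raw[:2].lower() == "u:":
        userid = raw[2:].strip()
        return ("u", userid) if userid else None
    if raw[:3].lower() == "dn:":
        dn = normalize_dn(raw[3:])
        return ("dn", dn) if dn else None
    return None


def authorize(principal: str, authzid: str) -> Optional[str]:
    """Return the DN the bind acts as, or None, which corresponds to
    the server answering invalidCredentials (49)."""
    own_dn = PRINCIPAL_TO_DN.get(principal)
    parsed = parse_authzid(authzid)
    if own_dn is None or parsed is None:
        return None
    form, value = parsed
    if form == "":
        return own_dn
    requested = UID_TO_DN.get(value) if form == "u" else value
    if requested is not None and requested.lower() == own_dn.lower():
        return own_dn
    return None
```

A server that does not recognise the "u:" or "dn:" prefix at all behaves as if parse_authzid returned None for every non-empty -X value, which is the symptom shown above.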

Changes

Support for SASL authentication using the GSSAPI mechanism on Linux was added in the 11.1.1.5.0 release of ODSEE (11gR1ps1); previously this was supported only on Solaris. While the issue affects all platforms, customers on Linux are more likely to notice it, because openLDAP's versions of the ldapsearch and ldapmodify commands present the authorization identity in a way that the directory server cannot handle properly until the fix for the bug is installed.

Cause
