
ODSEE SASL GSSAPI requires patch for bug ID 12654448 to be compatible with -X u: and -X dn: notation by openldap or components following RFC 4513 section (Doc ID 1339464.1)

Last updated on MAY 17, 2018

Applies to:

Oracle Directory Server Enterprise Edition - Version 7.0 and later
Information in this document applies to any platform.


On: ODSEE 11gR1p1, Security/SSL

When configuring a Linux client to use or test SASL authentication with the GSSAPI mechanism, using the OpenLDAP version of the ldapsearch command, the authentication attempt fails and the following message is returned in response to the bind:


/usr/bin/ldapsearch -LLL -Y GSSAPI -X"u:testuser" -h -b "" -s sub uid=anotheruser

SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)

/usr/bin/ldapsearch -LLL -Y GSSAPI -X"dn:uid=testuser,ou=people," -h -p 389 -b "dc=example,dc=com" uid=anotheruser

SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)

The issue can be reproduced with the following steps:

1. Set up and configure SASL authentication following the ODSEE Administration Guide, including the identity mapping entries for GSSAPI against a Kerberos provider.

2. Attempt an ldapsearch against ODSEE using the default ldapsearch command shipped with Linux, following the Linux version of the command instructions, with -X"u:uid=testuser" or -X"dn: uid=testuser, ou=some unit, dc=example, dc=com".

Regardless of the configuration used, both attempts fail with the same message.

The issue affects sites using ODSEE with OpenLDAP, as well as any other component that presents the authorization identity in the form described in section of RFC 4513.


Support for SASL authentication using the GSSAPI mechanism on Linux was added in the ODSEE 11gR1ps1 release; previously it was only supported on Solaris. While the issue affects all platforms, customers on Linux are more likely to notice it, because OpenLDAP's versions of the ldapsearch and ldapmodify commands present the request in a way that the Directory Server cannot handle properly until the fix for the bug is installed.
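As an added illustration, not part of this Oracle note, the following Python parses the two authorization-identity forms seen in the ldapsearch commands above ("u:" userid and "dn:" distinguished name, as defined in RFC 4513) and shows how a directory server would resolve each to an entry. The uid-based search mapping, the base DN and the sample values are assumptions made for the example; the "u:" value is escaped before it is placed in a search filter because it is supplied by the client.

```python
# Constructed sample authorization identities, modelled on the two forms used in
# the ldapsearch invocations above (RFC 4513: "u:" userid or "dn:" DN).
SAMPLE_AUTHZIDS = [
    "u:testuser",
    "dn:uid=testuser,ou=people,dc=example,dc=com",
    "",                      # empty: authorization identity = authentication identity
    "testuser",              # no prefix: not a valid authzId
    "u:*)(objectClass=*",    # hostile userid: must not leak into a search filter
]


def parse_authzid(authzid):
    """Split an RFC 4513 authzId into (form, value).

    form is "dn", "u" or "" (an empty authzId means: act as the authenticated identity).
    Raises ValueError for a non-empty string that carries neither prefix.
    """
    if authzid == "":
        return ("", "")
    if authzid.startswith("dn:"):
        return ("dn", authzid[3:])
    if authzid.startswith("u:"):
        return ("u", authzid[2:])
    raise ValueError("authzId must start with 'dn:' or 'u:': %r" % authzid)


def is_valid_authzid(authzid):
    """True if the string is an authzId a server should accept for parsing."""
    try:
        parse_authzid(authzid)
        return True
    except ValueError:
        return False


# RFC 4515 escaping for a value embedded in a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def lookup_for_authzid(authzid, base="dc=example,dc=com", attr="uid"):
    """Resolve an authzId the way a server would (assumed mapping: a "u:" userid is
    searched by `attr` under `base`; a "dn:" value names the entry directly).
    Returns ("dn", dn), ("search", base, filter) or None for the empty authzId."""
    form, value = parse_authzid(authzid)
    if form == "":
        return None
    if form == "dn":
        return ("dn", value)
    return ("search", base, "(%s=%s)" % (attr, escape_filter_value(value)))
```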

