SASL: encoded packet size too big

Eugene Bright eugene at bright.gdn
Thu Aug 15 14:56:23 EEST 2019


That's right.
GSS-API is not used anywhere else.
Would you like to inspect my full configuration?
I can dump the connection session and send the pcap file here.

On August 15, 2019 7:27:20 AM GMT+03:00, Aki Tuomi <aki.tuomi at open-xchange.com> wrote:
>> On 15/08/2019 00:34 Eugene via dovecot <dovecot at dovecot.org> wrote:
>> 
>>  
>> The next combination of parameters makes 100% of LDAP connections
>unsuccessful (the log snippet from the previous mail).
>> sasl_bind = yes
>> sasl_mech = gssapi
>> tls = yes
>> 
>> Looks like this combination is utterly incorrect and should be
>prohibited (tls must not be used when mech is gssapi).
>>
>https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org/message/G7S2TOFDCM62ZUHIBWYVZIEVYXO3KYAI/
>> 
>> With `tls = no` the `encoded packet size too big` errors become
>sporadic, but still hurt auth operation performance.
>> Maybe there are two different problems.
>> 
>
>Does the "encoded packet size too big" coincide with LDAP server
>connection failure?
>
>Aki
>
>> Has someone encountered this problem before?
>> How can I help to facilitate the issue debugging?
>> 
>> [I] net-mail/dovecot
>>      Installed versions:  2.3.7.1(01:58:12 08/14/19)(bzip2 caps ipv6
>kerberos ldap libressl lua lz4 lzma pam postgres sieve sqlite tcpd zlib
>-argon2 -doc -lucene -managesieve -mysql -selinux -solr -static-libs
>-suid -textcat -vpopmail)
>> 
>> On 8/15/19 12:01 AM, Eugene wrote:
>> > Hello!
>> > 
>> > Dovecot uses its own SASL implementation, doesn't it?
>> > 
>> > 	Aug 14 23:45:23 example.com auth[10428]: GSSAPI client step 1
>> > 	Aug 14 23:45:23 example.com auth[10428]: encoded packet size too
>big (813804546 > 65536)
>> > 	Aug 14 23:45:23 example.com dovecot[10085]: auth-worker(10428):
>Error: LDAP: Can't connect to server: ldap://ipa2.example.com
>> > 	Aug 14 23:45:23 example.com dovecot[10085]: auth: Error: auth
>worker: Aborted USER request for eugene: Lookup timed out
>> > 	Aug 14 23:45:23 example.com dovecot[10085]: imap: Error:
>auth-master: login: request [3847225345]: Login auth request failed:
>Internal auth failure (auth connected 60000 msecs ago, request took
>60000 msecs, client-pid=10362 client-id=1)
>> > 
>> > Looks like cyrus-sasl encountered same problem earlier.
>> >
>https://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2017-March/003001.html
>> > 
>> > I never have such an issue with ldapsearch. So, I assume there is a
>similar problem in Dovecot SASL implementation.
>> > 
>> 
>> -- 
>> Eugene Bright
>> IT engineer
>> Tel: + 79257289622

---
Eugene Bright
IT-engineer
Tel.: +7 925 728 96 22
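An added diagnostic example, written for this page and not code from the thread, from Dovecot or from Cyrus SASL: it takes the number in the logged error, 813804546, and decodes it under the assumption that it is the 4-octet big-endian length prefix a SASL security layer expects in front of every packet (RFC 4422, section 3.7). Those four bytes are 30 81 AC 02: a BER SEQUENCE with long-form length 172 followed by an INTEGER tag, which is the shape of the start of an LDAPMessage (SEQUENCE { messageID INTEGER, ... }) rather than a length prefix. That is consistent with the thread's finding that the security layer is being handed an unwrapped LDAP stream when `tls = yes` is combined with `sasl_mech = gssapi`; the decoder only shows what the bytes look like, the attribution to that setting is the thread's. The second input (64) is a constructed, sane length prefix for contrast.

```python
import struct

# Values copied from the log line in the thread:
# "encoded packet size too big (813804546 > 65536)"
LOGGED_LENGTH = 813804546
SASL_MAX_BUF = 65536

BER_SEQUENCE = 0x30  # universal, constructed SEQUENCE
BER_INTEGER = 0x02   # universal INTEGER (LDAPMessage.messageID)


def length_prefix_bytes(value: int) -> bytes:
    """The 4-octet network-order length a SASL security layer reads first
    (assumption: this is how the logged number was obtained)."""
    return struct.pack(">I", value)


def decode_ber_header(data: bytes) -> dict:
    """Decode one BER tag/length pair from the start of data.
    Handles short-form and definite long-form lengths (up to 4 length octets)."""
    if len(data) < 2:
        raise ValueError("need at least tag and length octets")
    tag = data[0]
    first = data[1]
    if first & 0x80 == 0:            # short form: length in the low 7 bits
        length, consumed = first, 2
    else:                            # long form: low 7 bits = number of length octets
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized BER length")
        if len(data) < 2 + n:
            raise ValueError("truncated BER length")
        length = int.from_bytes(data[2:2 + n], "big")
        consumed = 2 + n
    next_tag = data[consumed] if consumed < len(data) else None
    return {"tag": tag, "length": length, "header_len": consumed, "next_tag": next_tag}


def explain_logged_length(value: int) -> dict:
    """Reinterpret a rejected SASL length prefix as the first bytes of a BER PDU."""
    raw = length_prefix_bytes(value)
    hdr = decode_ber_header(raw)
    return {
        "hex": raw.hex(),
        "exceeds_sasl_max": value > SASL_MAX_BUF,
        "is_ber_sequence": hdr["tag"] == BER_SEQUENCE,
        "ber_length": hdr["length"],
        "next_tag_is_integer": hdr["next_tag"] == BER_INTEGER,
    }


def looks_like_ldap_message(value: int) -> bool:
    """True when the 4 bytes have the SEQUENCE { INTEGER ... } shape of an LDAPMessage."""
    info = explain_logged_length(value)
    return info["is_ber_sequence"] and info["next_tag_is_integer"]


if __name__ == "__main__":
    for v in (LOGGED_LENGTH, 64):  # 64 is a constructed, ordinary length prefix
        print(v, explain_logged_length(v), "ldap-shaped:", looks_like_ldap_message(v))
```

Reading the output for 813804546 alongside the log: a genuine security-layer packet would start with a length well under 65536, whereas here the first byte is the SEQUENCE tag and the "length" is the rest of the LDAP header, so the value exceeds the limit by construction. The same decode works on any other rejected size from this error message, which is a quick way to tell a framing mismatch from a real oversized packet.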