
I have a Perl script to read from an OpenLDAP instance using Net::LDAP with a GSSAPI bind. The script works fine on Debian stretch but fails on Debian buster.

Note that on both servers the line at the bottom of the Perl code that runs ldapsearch produces the same correct results, so I am sure that the Kerberos ticket cache is correct on both servers.

Looking at the OpenLDAP logs I see that the ldapsearch run shows up with the strength factors sasl_ssf=256 ssf=256 while the Net::LDAP bind shows up with the strength factors sasl_ssf=1 ssf=256. Since the Net::LDAP bind is using Kerberos, the sasl_ssf should be 56, not 1.

Any suggestions as to why the Net::LDAP bind is connecting with the wrong sasl_ssf?

use strict;
use warnings;
use Authen::SASL;
use Net::LDAP;
use Data::Dumper;

my $server_name = 'ldap.example.com';
$ENV{'KRB5CCNAME'} = '/tmp/krb.tkt';

# Net::LDAP->new returns undef on failure (the reason is in $@), so test the
# result before calling any method on it.
my $ld = Net::LDAP->new($server_name, version => '3')
    or die "Could not connect to directory server $server_name: $@";

my $status = $ld->start_tls(verify => 'require');
if ($status->code) {
    die 'StartTLS error: (' . $status->error_name . ') ' . $status->error_text;
}

my $SASL = Authen::SASL->new('GSSAPI');
$status = $ld->bind(sasl => $SASL);

if ($status->code) {
    die 'Bind error: (' . $status->error_name . ') ' . $status->error_text;
}

my $base   = 'dc=example,dc=com';
my $filter = '(uid=johndoe)';
my @attrs  = ('uid', 'sn');
$status = $ld->search(
    base    => $base,
    filter  => $filter,
    attrs   => \@attrs,
);
if ($status->code) {
    die 'Search error: (' . $status->error_name . ') ' . $status->error_text;
}

my @entries = $status->all_entries;
# This results in nothing (but should result in the same data as the ldapsearch below):
warn Dumper @entries;

my $attrs = join(' ', @attrs);
my $cmd = "ldapsearch -LLL -h $server_name -b $base '$filter' $attrs";
# This gives the correct result:
warn `$cmd`;
rlandster

0 Answers
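A diagnostic variant of the script in the question, added here as an example (it is not code from the question or from Net::LDAP's own documentation). It checks the return value of every step and prints which Authen::SASL backend the GSSAPI bind will actually run through, which is the first thing to compare between the stretch and buster hosts when the server logs a different sasl_ssf for the same ticket cache. The host name, base DN, filter and ticket cache path are the placeholders from the question.

```perl
#!/usr/bin/perl
use strict;
use warnings;
# Authen::SASL picks the first backend that loads (XS, Cyrus, then pure Perl).
# To pin one for a comparison run, change this import to
#   use Authen::SASL qw(Perl);   # Authen::SASL::Perl::GSSAPI
#   use Authen::SASL qw(XS);     # Authen::SASL::XS (Cyrus SASL)
use Authen::SASL;
use Net::LDAP;

my $server_name = 'ldap.example.com';   # placeholder host from the question
my $base        = 'dc=example,dc=com';  # placeholder base DN from the question
my $filter      = '(uid=johndoe)';      # placeholder filter from the question
$ENV{KRB5CCNAME} = '/tmp/krb.tkt';      # ticket cache path from the question

# Ask the SASL object for a client; the class of that client tells you which
# implementation Net::LDAP will use when it negotiates GSSAPI for the bind.
my $sasl  = Authen::SASL->new(mechanism => 'GSSAPI');
my $probe = $sasl->client_new('ldap', $server_name);
printf "SASL backend: %s (mechanism %s)\n", ref $probe, $sasl->mechanism;

# new() returns undef on failure and leaves the reason in $@.
my $ld = Net::LDAP->new($server_name, version => 3)
    or die "connect to $server_name failed: $@\n";

my $mesg = $ld->start_tls(verify => 'require');
die 'StartTLS failed: ' . $mesg->error . "\n" if $mesg->code;
printf "TLS cipher: %s\n", $ld->cipher // 'none';

# The server-side log line for this bind is the one whose sasl_ssf value
# should be compared with the ldapsearch run.
$mesg = $ld->bind(sasl => $sasl);
die 'GSSAPI bind failed: ' . $mesg->error . "\n" if $mesg->code;

$mesg = $ld->search(base => $base, filter => $filter, attrs => ['uid', 'sn']);
die 'search failed: ' . $mesg->error . "\n" if $mesg->code;

printf "%d entries\n", $mesg->count;
for my $entry ($mesg->entries) {
    printf "%s: uid=%s sn=%s\n", $entry->dn,
        $entry->get_value('uid') // '', $entry->get_value('sn') // '';
}
$ld->unbind;
```

Run it once on each host with the same ticket cache; if the printed backend class differs, or one host resolves to the pure-Perl GSSAPI module and the other to the XS module, that is the first divergence to chase before looking at slapd's SASL configuration.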