external-software/github_OpenIdentityPlatform_OpenDJ.git

parent: c3791130 | patch | commit | show whitespace

dugan

23.54.2009 841933daec4f92d73f999337422fab52c1030b1f

Fixes for these issues:

https://opends.dev.java.net/issues/show_bug.cgi?id=3884
https://opends.dev.java.net/issues/show_bug.cgi?id=3867

3 files modified

	opends/src/messages/messages/extension.properties	5 ●●●●● patch \| view \| raw \| blame \| history
	opends/src/server/org/opends/server/extensions/GSSAPISASLMechanismHandler.java	206 ●●●●● patch \| view \| raw \| blame \| history
	opends/src/server/org/opends/server/extensions/SASLContext.java	33 ●●●●● patch \| view \| raw \| blame \| history

 opends/src/messages/messages/extension.properties

@@ -1417,3 +1417,8 @@
 revision %s)
 SEVERE_ERR_SASL_CREATE_SASL_SERVER_FAILED_572=Failed to create a SASL server \
 for SASL mechanism %s using a server FQDN of %s
SEVERE_ERR_SASL_GSSAPI_KEYTAB_INVALID_573=GSSAPI SASL mechanism handler initalization \
failed because the keytab file %s does not exist
INFO_GSSAPI_STARTED_574=The GSSAPI SASL mechanism handler initialization \
was successful
INFO_GSSAPI_STOPPED_575=The GSSAPI SASL mechanism handler has been stopped

 opends/src/server/org/opends/server/extensions/GSSAPISASLMechanismHandler.java

@@ -22,7 +22,7 @@
 * CDDL HEADER END
 *
 *
 *      Copyright 2006-2008 Sun Microsystems, Inc.
 *      Copyright 2006-2009 Sun Microsystems, Inc.
 */
package org.opends.server.extensions;

@@ -52,7 +52,9 @@
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslException;

import org.ietf.jgss.GSSException;
import org.opends.messages.Message;
import org.opends.messages.MessageBuilder;
import org.opends.server.admin.server.ConfigurationChangeListener;
import org.opends.server.admin.std.meta.
  GSSAPISASLMechanismHandlerCfgDefn.QualityOfProtection;
@@ -129,27 +131,14 @@
  @Override()
  public void initializeSASLMechanismHandler(
      GSSAPISASLMechanismHandlerCfg configuration) throws ConfigException,
      InitializationException
  {
      InitializationException {
    try {
      initialize(configuration);
      DirectoryServer.registerSASLMechanismHandler(SASL_MECHANISM_GSSAPI, this);
    configuration.addGSSAPIChangeListener(this);
    this.configuration = configuration;
    configEntryDN = configuration.dn();
    try
    {
      DN identityMapperDN = configuration.getIdentityMapperDN();
      identityMapper = DirectoryServer.getIdentityMapper(identityMapperDN);
      serverFQDN = getFQDN(configuration);
      Message msg = INFO_GSSAPI_SERVER_FQDN.get(serverFQDN);
      Message msg = INFO_GSSAPI_STARTED.get();
      logError(msg);
      saslProps = new HashMap<String, String>();
      saslProps.put(Sasl.QOP, getQOP(configuration));
      saslProps.put(Sasl.REUSE, "false");
      String configFileName = configureLoginConfFile(configuration);
      System.setProperty(JAAS_PROPERTY_CONFIG_FILE, configFileName);
      System.setProperty(JAAS_PROPERTY_SUBJECT_CREDS_ONLY, "false");
      getKdcRealm(configuration);
      DirectoryServer.registerSASLMechanismHandler(SASL_MECHANISM_GSSAPI, this);
      login();
    }
    catch (UnknownHostException unhe)
    {
@@ -305,8 +294,8 @@
   *           If the configuration file cannot be created.
   */
  private String configureLoginConfFile(
      GSSAPISASLMechanismHandlerCfg configuration) throws IOException
  {
      GSSAPISASLMechanismHandlerCfg configuration)
  throws IOException, InitializationException {
    String configFileName;
    File tempFile = File.createTempFile("login", "conf");
    configFileName = tempFile.getAbsolutePath();
@@ -315,27 +304,28 @@
    w.write(getClass().getName() + " {");
    w.newLine();
    w.write("  com.sun.security.auth.module.Krb5LoginModule required "
        + "storeKey=true useKeyTab=true ");
    String keyTabFile = configuration.getKeytab();
    if (keyTabFile != null)
    {
      w.write("keyTab=\"" + keyTabFile + "\" ");
        + "storeKey=true useKeyTab=true doNotPrompt=true ");
    String keyTabFilePath = configuration.getKeytab();
    if(keyTabFilePath == null) {
      String home = System.getProperty("user.home");
      String sep = System.getProperty("file.separator");
      keyTabFilePath = home+sep+"krb5.keytab";
    }
    File keyTabFile = new File(keyTabFilePath);
    if(!keyTabFile.exists()) {
      Message msg = ERR_SASL_GSSAPI_KEYTAB_INVALID.get(keyTabFilePath);
      throw new InitializationException(msg);
    }
    w.write("keyTab=\"" + keyTabFile + "\" ");
    StringBuilder principal = new StringBuilder();
    String principalName = configuration.getPrincipalName();
    String realm = configuration.getRealm();
    if (principalName != null)
    {
      principal.append("principal=\"" + principalName);
    }
    else
    {
      principal.append("principal=\"ldap/" + serverFQDN);
    }
    if (realm != null)
    {
      principal.append("@" + realm);
    }
    w.write(principal.toString());
    Message msg = INFO_GSSAPI_PRINCIPAL_NAME.get(principal.toString());
    logError(msg);
@@ -354,14 +344,23 @@
   * {@inheritDoc}
   */
  @Override()
  public void finalizeSASLMechanismHandler()
  {
  public void finalizeSASLMechanismHandler() {
    logout();
    if(configuration != null)
    configuration.removeGSSAPIChangeListener(this);
    DirectoryServer.deregisterSASLMechanismHandler(SASL_MECHANISM_GSSAPI);
    clearProperties();
    Message msg = INFO_GSSAPI_STOPPED.get();
    logError(msg);
  }


private void clearProperties() {
  System.clearProperty(KRBV_PROPERTY_KDC);
  System.clearProperty(KRBV_PROPERTY_REALM);
  System.clearProperty(JAAS_PROPERTY_CONFIG_FILE);
  System.clearProperty(JAAS_PROPERTY_SUBJECT_CREDS_ONLY);
}

  /**
   * {@inheritDoc}
@@ -379,10 +378,8 @@
    }
    ClientConnection clientConn = bindOp.getClientConnection();
    SASLContext saslContext = (SASLContext) clientConn.getSASLAuthStateInfo();
    if (saslContext == null)
    {
      try
      {
    if (saslContext == null) {
      try {
        //If the connection is secure already (i.e., TLS), then make the
        //receive buffers sizes match.
        if(clientConn.isSecure()) {
@@ -396,15 +393,18 @@
          saslContext = SASLContext.createSASLContext(saslProps, serverFQDN,
                                  SASL_MECHANISM_GSSAPI, identityMapper);
        }
      }
      catch (SaslException ex)
      {
      } catch (SaslException ex) {
        if (debugEnabled())
        {
          TRACER.debugCaught(DebugLogLevel.ERROR, ex);
        }
        Message msg = ERR_SASL_CONTEXT_CREATE_ERROR.get(SASL_MECHANISM_GSSAPI,
        Message msg;
        GSSException gex = (GSSException) ex.getCause();
        if(gex != null) {
          msg = ERR_SASL_CONTEXT_CREATE_ERROR.get(SASL_MECHANISM_GSSAPI,
              getGSSExceptionMessage(gex));
        } else {
          msg = ERR_SASL_CONTEXT_CREATE_ERROR.get(SASL_MECHANISM_GSSAPI,
            getExceptionMessage(ex));
        }
        clientConn.setSASLAuthStateInfo(null);
        bindOp.setAuthFailureReason(msg);
        bindOp.setResultCode(ResultCode.INVALID_CREDENTIALS);
@@ -415,6 +415,26 @@
  }


  /**
   * Get the underlying GSSException messages that really tell what the
   * problem is. The major code is the GSS-API status and the minor is the
   * mechanism specific error.
   *
   * @param gex The GSSExcption thrown.
   *
   * @return The message containing the major and (optional) minor codes and
   *         strings.
   */
  public static Message getGSSExceptionMessage(GSSException gex) {
    MessageBuilder message = new MessageBuilder();
    message.append("major code (" + Integer.valueOf(gex.getMajor()).toString()
                  + ") " +  gex.getMajorString());
    if(gex.getMinor() != 0)
      message.append(", minor code (" +
                      Integer.valueOf(gex.getMinor()).toString()
                       +  ") "  + gex.getMinorString());
    return message.toMessage();
  }

  /**
   * Retrieves the user account for the user associated with the
@@ -472,9 +492,9 @@
  public boolean isConfigurationAcceptable(
      SASLMechanismHandlerCfg configuration, List<Message> unacceptableReasons)
  {
    GSSAPISASLMechanismHandlerCfg config =
    GSSAPISASLMechanismHandlerCfg newConfig =
      (GSSAPISASLMechanismHandlerCfg) configuration;
    return isConfigurationChangeAcceptable(config, unacceptableReasons);
    return isConfigurationChangeAcceptable(newConfig, unacceptableReasons);
  }


@@ -483,10 +503,56 @@
   * {@inheritDoc}
   */
  public boolean isConfigurationChangeAcceptable(
      GSSAPISASLMechanismHandlerCfg configuration,
      List<Message> unacceptableReasons)
  {
    return true;
      GSSAPISASLMechanismHandlerCfg newConfiguration,
      List<Message> unacceptableReasons) {
    boolean returnCode = true;
    boolean newStateEnabled = newConfiguration.isEnabled();
    boolean oldStateEnabled = false;
    if(this.configuration != null)
      oldStateEnabled = configuration.isEnabled();
    if(newStateEnabled) {
      try {
       if(oldStateEnabled)
         finalizeSASLMechanismHandler();
       initialize(newConfiguration);
       finalizeSASLMechanismHandler();
      } catch (InitializationException ex) {
        if (debugEnabled())
          TRACER.debugCaught(DebugLogLevel.ERROR, ex);
        Message message = ex.getMessageObject();
        unacceptableReasons.add(message);
        clearProperties();
        returnCode = false;
      } catch (UnknownHostException ex) {
        if (debugEnabled())
          TRACER.debugCaught(DebugLogLevel.ERROR, ex);
        Message message = ERR_SASL_CANNOT_GET_SERVER_FQDN.get(String
            .valueOf(configEntryDN), getExceptionMessage(ex));
        unacceptableReasons.add(message);
        clearProperties();
        returnCode = false;
      } catch (IOException ex) {
        if (debugEnabled())
          TRACER.debugCaught(DebugLogLevel.ERROR, ex);
        Message message = ERR_SASLGSSAPI_CANNOT_CREATE_JAAS_CONFIG
            .get(getExceptionMessage(ex));
        unacceptableReasons.add(message);
        clearProperties();
        returnCode = false;
      } catch (LoginException ex) {
        if (debugEnabled())
          TRACER.debugCaught(DebugLogLevel.ERROR, ex);
        Message message = ERR_SASLGSSAPI_CANNOT_CREATE_LOGIN_CONTEXT
            .get(getExceptionMessage(ex));
        unacceptableReasons.add(message);
        clearProperties();
        returnCode = false;
      }
    } else {
      if(oldStateEnabled)
       this.finalizeSASLMechanismHandler();
    }
    return returnCode;
  }


@@ -495,23 +561,41 @@
   * {@inheritDoc}
   */
  public ConfigChangeResult applyConfigurationChange(
      GSSAPISASLMechanismHandlerCfg configuration)
  {
      GSSAPISASLMechanismHandlerCfg configuration) {
    ResultCode resultCode = ResultCode.SUCCESS;
    boolean adminActionRequired = false;
    ArrayList<Message> messages = new ArrayList<Message>();
    DN identityMapperDN = configuration.getIdentityMapperDN();
    IdentityMapper<?> newIdentityMapper = DirectoryServer
        .getIdentityMapper(identityMapperDN);
    identityMapper = newIdentityMapper;
    saslProps = new HashMap<String, String>();
    saslProps.put(Sasl.QOP, getQOP(configuration));
    saslProps.put(Sasl.REUSE, "false");
    this.configuration = configuration;
    return new ConfigChangeResult(resultCode, adminActionRequired, messages);
  }


/**
 * Try to initialize the GSSAPI mechanism handler with the specified config.
 *
 * @param config The configuration to use.
 *
 * @throws UnknownHostException If a host name does not resolve.
 * @throws IOException If there was a problem creating the login file.
 * @throws LoginException If the context could not login.
 * @throws InitializationException If the keytab file does not exist.
 */
private void initialize(GSSAPISASLMechanismHandlerCfg config)
throws UnknownHostException, IOException,
       LoginException, InitializationException {
    configEntryDN = config.dn();
    DN identityMapperDN = config.getIdentityMapperDN();
    identityMapper = DirectoryServer.getIdentityMapper(identityMapperDN);
    serverFQDN = getFQDN(config);
    Message msg = INFO_GSSAPI_SERVER_FQDN.get(serverFQDN);
    logError(msg);
    saslProps = new HashMap<String, String>();
    saslProps.put(Sasl.QOP, getQOP(config));
    saslProps.put(Sasl.REUSE, "false");
    String configFileName = configureLoginConfFile(config);
    System.setProperty(JAAS_PROPERTY_CONFIG_FILE, configFileName);
    System.setProperty(JAAS_PROPERTY_SUBJECT_CREDS_ONLY, "false");
    getKdcRealm(config);
    login();
}

  /**
   * Retrieves the QOP (quality-of-protection) from the specified

 opends/src/server/org/opends/server/extensions/SASLContext.java

@@ -22,7 +22,7 @@
 * CDDL HEADER END
 *
 *
 *      Copyright 2008 Sun Microsystems, Inc.
 *      Copyright 2008-2009 Sun Microsystems, Inc.
 */

package org.opends.server.extensions;
@@ -44,6 +44,8 @@
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;

import org.ietf.jgss.GSSException;
import org.opends.server.loggers.debug.DebugTracer;
import org.opends.messages.Message;
import org.opends.server.api.ClientConnection;
@@ -297,14 +299,13 @@
     * @throws SaslException If the SASL server cannot evaluate the byte array.
     */
    private ByteString evaluateResponse(ByteString response)
      throws SaslException
    {
      throws SaslException  {
      if (response == null)
      {
        response = ByteString.empty();
      }
      return ByteString.wrap(saslServer.evaluateResponse(
          response.toByteArray()));
      byte[] evalResponse = saslServer.evaluateResponse(response.toByteArray());
      if(evalResponse == null)
        return ByteString.empty();
      else return ByteString.wrap(evalResponse);
    }


@@ -750,13 +751,17 @@
       if(saslServer == null) {
           try {
               initSASLServer();
           } catch (SaslException e) {
               if (debugEnabled()) {
                   TRACER.debugCaught(DebugLogLevel.ERROR, e);
               }
               Message msg =
                   ERR_SASL_CONTEXT_CREATE_ERROR.get(SASL_MECHANISM_DIGEST_MD5,
                                                     getExceptionMessage(e));
           } catch (SaslException ex) {
               if (debugEnabled())
                   TRACER.debugCaught(DebugLogLevel.ERROR, ex);
               Message msg;
               GSSException gex = (GSSException) ex.getCause();
               if(gex != null)
                 msg = ERR_SASL_CONTEXT_CREATE_ERROR.get(SASL_MECHANISM_GSSAPI,
                     GSSAPISASLMechanismHandler.getGSSExceptionMessage(gex));
               else
                  msg = ERR_SASL_CONTEXT_CREATE_ERROR.get(SASL_MECHANISM_GSSAPI,
                                                     getExceptionMessage(ex));
               clientConn.setSASLAuthStateInfo(null);
               bindOp.setAuthFailureReason(msg);
               bindOp.setResultCode(ResultCode.INVALID_CREDENTIALS);

			@@ -1417,3 +1417,8 @@
			revision %s)
			SEVERE_ERR_SASL_CREATE_SASL_SERVER_FAILED_572=Failed to create a SASL server \
			for SASL mechanism %s using a server FQDN of %s
			SEVERE_ERR_SASL_GSSAPI_KEYTAB_INVALID_573=GSSAPI SASL mechanism handler initalization \
			failed because the keytab file %s does not exist
			INFO_GSSAPI_STARTED_574=The GSSAPI SASL mechanism handler initialization \
			was successful
			INFO_GSSAPI_STOPPED_575=The GSSAPI SASL mechanism handler has been stopped

			@@ -22,7 +22,7 @@
			* CDDL HEADER END
			*
			*
			* Copyright 2006-2008 Sun Microsystems, Inc.
			* Copyright 2006-2009 Sun Microsystems, Inc.
			*/
			package org.opends.server.extensions;

			@@ -52,7 +52,9 @@
			import javax.security.sasl.Sasl;
			import javax.security.sasl.SaslException;

			import org.ietf.jgss.GSSException;
			import org.opends.messages.Message;
			import org.opends.messages.MessageBuilder;
			import org.opends.server.admin.server.ConfigurationChangeListener;
			import org.opends.server.admin.std.meta.
			GSSAPISASLMechanismHandlerCfgDefn.QualityOfProtection;
			@@ -129,27 +131,14 @@
			@Override()
			public void initializeSASLMechanismHandler(
			GSSAPISASLMechanismHandlerCfg configuration) throws ConfigException,
			InitializationException
			{
			InitializationException {
			try {
			initialize(configuration);
			DirectoryServer.registerSASLMechanismHandler(SASL_MECHANISM_GSSAPI, this);
			configuration.addGSSAPIChangeListener(this);
			this.configuration = configuration;
			configEntryDN = configuration.dn();
			try
			{
			DN identityMapperDN = configuration.getIdentityMapperDN();
			identityMapper = DirectoryServer.getIdentityMapper(identityMapperDN);
			serverFQDN = getFQDN(configuration);
			Message msg = INFO_GSSAPI_SERVER_FQDN.get(serverFQDN);
			Message msg = INFO_GSSAPI_STARTED.get();
			logError(msg);
			saslProps = new HashMap<String, String>();
			saslProps.put(Sasl.QOP, getQOP(configuration));
			saslProps.put(Sasl.REUSE, "false");
			String configFileName = configureLoginConfFile(configuration);
			System.setProperty(JAAS_PROPERTY_CONFIG_FILE, configFileName);
			System.setProperty(JAAS_PROPERTY_SUBJECT_CREDS_ONLY, "false");
			getKdcRealm(configuration);
			DirectoryServer.registerSASLMechanismHandler(SASL_MECHANISM_GSSAPI, this);
			login();
			}
			catch (UnknownHostException unhe)
			{
			@@ -305,8 +294,8 @@
			* If the configuration file cannot be created.
			*/
			private String configureLoginConfFile(
			GSSAPISASLMechanismHandlerCfg configuration) throws IOException
			{
			GSSAPISASLMechanismHandlerCfg configuration)
			throws IOException, InitializationException {
			String configFileName;
			File tempFile = File.createTempFile("login", "conf");
			configFileName = tempFile.getAbsolutePath();
			@@ -315,27 +304,28 @@
			w.write(getClass().getName() + " {");
			w.newLine();
			w.write(" com.sun.security.auth.module.Krb5LoginModule required "
			+ "storeKey=true useKeyTab=true ");
			String keyTabFile = configuration.getKeytab();
			if (keyTabFile != null)
			{
			w.write("keyTab=\"" + keyTabFile + "\" ");
			+ "storeKey=true useKeyTab=true doNotPrompt=true ");
			String keyTabFilePath = configuration.getKeytab();
			if(keyTabFilePath == null) {
			String home = System.getProperty("user.home");
			String sep = System.getProperty("file.separator");
			keyTabFilePath = home+sep+"krb5.keytab";
			}
			File keyTabFile = new File(keyTabFilePath);
			if(!keyTabFile.exists()) {
			Message msg = ERR_SASL_GSSAPI_KEYTAB_INVALID.get(keyTabFilePath);
			throw new InitializationException(msg);
			}
			w.write("keyTab=\"" + keyTabFile + "\" ");
			StringBuilder principal = new StringBuilder();
			String principalName = configuration.getPrincipalName();
			String realm = configuration.getRealm();
			if (principalName != null)
			{
			principal.append("principal=\"" + principalName);
			}
			else
			{
			principal.append("principal=\"ldap/" + serverFQDN);
			}
			if (realm != null)
			{
			principal.append("@" + realm);
			}
			w.write(principal.toString());
			Message msg = INFO_GSSAPI_PRINCIPAL_NAME.get(principal.toString());
			logError(msg);
			@@ -354,14 +344,23 @@
			* {@inheritDoc}
			*/
			@Override()
			public void finalizeSASLMechanismHandler()
			{
			public void finalizeSASLMechanismHandler() {
			logout();
			if(configuration != null)
			configuration.removeGSSAPIChangeListener(this);
			DirectoryServer.deregisterSASLMechanismHandler(SASL_MECHANISM_GSSAPI);
			clearProperties();
			Message msg = INFO_GSSAPI_STOPPED.get();
			logError(msg);
			}


			private void clearProperties() {
			System.clearProperty(KRBV_PROPERTY_KDC);
			System.clearProperty(KRBV_PROPERTY_REALM);
			System.clearProperty(JAAS_PROPERTY_CONFIG_FILE);
			System.clearProperty(JAAS_PROPERTY_SUBJECT_CREDS_ONLY);
			}

			/**
			* {@inheritDoc}
			@@ -379,10 +378,8 @@
			}
			ClientConnection clientConn = bindOp.getClientConnection();
			SASLContext saslContext = (SASLContext) clientConn.getSASLAuthStateInfo();
			if (saslContext == null)
			{
			try
			{
			if (saslContext == null) {
			try {
			//If the connection is secure already (i.e., TLS), then make the
			//receive buffers sizes match.
			if(clientConn.isSecure()) {
			@@ -396,15 +393,18 @@
			saslContext = SASLContext.createSASLContext(saslProps, serverFQDN,
			SASL_MECHANISM_GSSAPI, identityMapper);
			}
			}
			catch (SaslException ex)
			{
			} catch (SaslException ex) {
			if (debugEnabled())
			{
			TRACER.debugCaught(DebugLogLevel.ERROR, ex);
			}
			Message msg = ERR_SASL_CONTEXT_CREATE_ERROR.get(SASL_MECHANISM_GSSAPI,
			Message msg;
			GSSException gex = (GSSException) ex.getCause();
			if(gex != null) {
			msg = ERR_SASL_CONTEXT_CREATE_ERROR.get(SASL_MECHANISM_GSSAPI,
			getGSSExceptionMessage(gex));
			} else {
			msg = ERR_SASL_CONTEXT_CREATE_ERROR.get(SASL_MECHANISM_GSSAPI,
			getExceptionMessage(ex));
			}
			clientConn.setSASLAuthStateInfo(null);
			bindOp.setAuthFailureReason(msg);
			bindOp.setResultCode(ResultCode.INVALID_CREDENTIALS);
			@@ -415,6 +415,26 @@
			}


			/**
			* Get the underlying GSSException messages that really tell what the
			* problem is. The major code is the GSS-API status and the minor is the
			* mechanism specific error.
			*
			* @param gex The GSSExcption thrown.
			*
			* @return The message containing the major and (optional) minor codes and
			* strings.
			*/
			public static Message getGSSExceptionMessage(GSSException gex) {
			MessageBuilder message = new MessageBuilder();
			message.append("major code (" + Integer.valueOf(gex.getMajor()).toString()
			+ ") " + gex.getMajorString());
			if(gex.getMinor() != 0)
			message.append(", minor code (" +
			Integer.valueOf(gex.getMinor()).toString()
			+ ") " + gex.getMinorString());
			return message.toMessage();
			}

			/**
			* Retrieves the user account for the user associated with the
			@@ -472,9 +492,9 @@
			public boolean isConfigurationAcceptable(
			SASLMechanismHandlerCfg configuration, List<Message> unacceptableReasons)
			{
			GSSAPISASLMechanismHandlerCfg config =
			GSSAPISASLMechanismHandlerCfg newConfig =
			(GSSAPISASLMechanismHandlerCfg) configuration;
			return isConfigurationChangeAcceptable(config, unacceptableReasons);
			return isConfigurationChangeAcceptable(newConfig, unacceptableReasons);
			}


			@@ -483,10 +503,56 @@
			* {@inheritDoc}
			*/
			public boolean isConfigurationChangeAcceptable(
			GSSAPISASLMechanismHandlerCfg configuration,
			List<Message> unacceptableReasons)
			{
			return true;
			GSSAPISASLMechanismHandlerCfg newConfiguration,
			List<Message> unacceptableReasons) {
			boolean returnCode = true;
			boolean newStateEnabled = newConfiguration.isEnabled();
			boolean oldStateEnabled = false;
			if(this.configuration != null)
			oldStateEnabled = configuration.isEnabled();
			if(newStateEnabled) {
			try {
			if(oldStateEnabled)
			finalizeSASLMechanismHandler();
			initialize(newConfiguration);
			finalizeSASLMechanismHandler();
			} catch (InitializationException ex) {
			if (debugEnabled())
			TRACER.debugCaught(DebugLogLevel.ERROR, ex);
			Message message = ex.getMessageObject();
			unacceptableReasons.add(message);
			clearProperties();
			returnCode = false;
			} catch (UnknownHostException ex) {
			if (debugEnabled())
			TRACER.debugCaught(DebugLogLevel.ERROR, ex);
			Message message = ERR_SASL_CANNOT_GET_SERVER_FQDN.get(String
			.valueOf(configEntryDN), getExceptionMessage(ex));
			unacceptableReasons.add(message);
			clearProperties();
			returnCode = false;
			} catch (IOException ex) {
			if (debugEnabled())
			TRACER.debugCaught(DebugLogLevel.ERROR, ex);
			Message message = ERR_SASLGSSAPI_CANNOT_CREATE_JAAS_CONFIG
			.get(getExceptionMessage(ex));
			unacceptableReasons.add(message);
			clearProperties();
			returnCode = false;
			} catch (LoginException ex) {
			if (debugEnabled())
			TRACER.debugCaught(DebugLogLevel.ERROR, ex);
			Message message = ERR_SASLGSSAPI_CANNOT_CREATE_LOGIN_CONTEXT
			.get(getExceptionMessage(ex));
			unacceptableReasons.add(message);
			clearProperties();
			returnCode = false;
			}
			} else {
			if(oldStateEnabled)
			this.finalizeSASLMechanismHandler();
			}
			return returnCode;
			}


			@@ -495,23 +561,41 @@
			* {@inheritDoc}
			*/
			public ConfigChangeResult applyConfigurationChange(
			GSSAPISASLMechanismHandlerCfg configuration)
			{
			GSSAPISASLMechanismHandlerCfg configuration) {
			ResultCode resultCode = ResultCode.SUCCESS;
			boolean adminActionRequired = false;
			ArrayList<Message> messages = new ArrayList<Message>();
			DN identityMapperDN = configuration.getIdentityMapperDN();
			IdentityMapper<?> newIdentityMapper = DirectoryServer
			.getIdentityMapper(identityMapperDN);
			identityMapper = newIdentityMapper;
			saslProps = new HashMap<String, String>();
			saslProps.put(Sasl.QOP, getQOP(configuration));
			saslProps.put(Sasl.REUSE, "false");
			this.configuration = configuration;
			return new ConfigChangeResult(resultCode, adminActionRequired, messages);
			}


			/**
			* Try to initialize the GSSAPI mechanism handler with the specified config.
			*
			* @param config The configuration to use.
			*
			* @throws UnknownHostException If a host name does not resolve.
			* @throws IOException If there was a problem creating the login file.
			* @throws LoginException If the context could not login.
			* @throws InitializationException If the keytab file does not exist.
			*/
			private void initialize(GSSAPISASLMechanismHandlerCfg config)
			throws UnknownHostException, IOException,
			LoginException, InitializationException {
			configEntryDN = config.dn();
			DN identityMapperDN = config.getIdentityMapperDN();
			identityMapper = DirectoryServer.getIdentityMapper(identityMapperDN);
			serverFQDN = getFQDN(config);
			Message msg = INFO_GSSAPI_SERVER_FQDN.get(serverFQDN);
			logError(msg);
			saslProps = new HashMap<String, String>();
			saslProps.put(Sasl.QOP, getQOP(config));
			saslProps.put(Sasl.REUSE, "false");
			String configFileName = configureLoginConfFile(config);
			System.setProperty(JAAS_PROPERTY_CONFIG_FILE, configFileName);
			System.setProperty(JAAS_PROPERTY_SUBJECT_CREDS_ONLY, "false");
			getKdcRealm(config);
			login();
			}

			/**
			* Retrieves the QOP (quality-of-protection) from the specified

			@@ -22,7 +22,7 @@
			* CDDL HEADER END
			*
			*
			* Copyright 2008 Sun Microsystems, Inc.
			* Copyright 2008-2009 Sun Microsystems, Inc.
			*/

			package org.opends.server.extensions;
			@@ -44,6 +44,8 @@
			import javax.security.sasl.Sasl;
			import javax.security.sasl.SaslException;
			import javax.security.sasl.SaslServer;

			import org.ietf.jgss.GSSException;
			import org.opends.server.loggers.debug.DebugTracer;
			import org.opends.messages.Message;
			import org.opends.server.api.ClientConnection;
			@@ -297,14 +299,13 @@
			* @throws SaslException If the SASL server cannot evaluate the byte array.
			*/
			private ByteString evaluateResponse(ByteString response)
			throws SaslException
			{
			throws SaslException {
			if (response == null)
			{
			response = ByteString.empty();
			}
			return ByteString.wrap(saslServer.evaluateResponse(
			response.toByteArray()));
			byte[] evalResponse = saslServer.evaluateResponse(response.toByteArray());
			if(evalResponse == null)
			return ByteString.empty();
			else return ByteString.wrap(evalResponse);
			}


			@@ -750,13 +751,17 @@
			if(saslServer == null) {
			try {
			initSASLServer();
			} catch (SaslException e) {
			if (debugEnabled()) {
			TRACER.debugCaught(DebugLogLevel.ERROR, e);
			}
			Message msg =
			ERR_SASL_CONTEXT_CREATE_ERROR.get(SASL_MECHANISM_DIGEST_MD5,
			getExceptionMessage(e));
			} catch (SaslException ex) {
			if (debugEnabled())
			TRACER.debugCaught(DebugLogLevel.ERROR, ex);
			Message msg;
			GSSException gex = (GSSException) ex.getCause();
			if(gex != null)
			msg = ERR_SASL_CONTEXT_CREATE_ERROR.get(SASL_MECHANISM_GSSAPI,
			GSSAPISASLMechanismHandler.getGSSExceptionMessage(gex));
			else
			msg = ERR_SASL_CONTEXT_CREATE_ERROR.get(SASL_MECHANISM_GSSAPI,
			getExceptionMessage(ex));
			clientConn.setSASLAuthStateInfo(null);
			bindOp.setAuthFailureReason(msg);
			bindOp.setResultCode(ResultCode.INVALID_CREDENTIALS);