authorRich Megginson <rmeggins@redhat.com>2009-01-13 22:24:15 +0000
committerRich Megginson <rmeggins@redhat.com>2009-01-13 22:24:15 +0000
commitd7d5d7f0ed55f5edbfa10a5911e8cbf44084e7ae (patch)
tree8274c35a7dc3b42932fe3822708a87aedb853fbd
parent2969601f66e79313c1d4a424c759352f75e35181 (diff)
Resolves: bug 479313
Bug Description: Server to Server SASL - DIGEST/MD5 - Can not Stop server Reviewed by: nhosoi (Thanks!) Fix Description: Using ldap_set_option with LDAP_OPT_X_SASL_SECPROPS is not thread safe. ldap_set_option acquires the OPTION lock, but using LDAP_OPT_X_SASL_SECPROPS just calls return rather than calling break to exit the switch and unlock the lock. A mozilla bug has been filed https://bugzilla.mozilla.org/show_bug.cgi?id=473438. The fix is to use LDAP_OPT_X_SASL_SSF_MAX. Platforms tested: RHEL5 Flag Day: no Doc impact: no
-rw-r--r--ldap/servers/slapd/util.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/ldap/servers/slapd/util.c b/ldap/servers/slapd/util.c
index 8e4876e9..79df75be 100644
--- a/ldap/servers/slapd/util.c
+++ b/ldap/servers/slapd/util.c
@@ -1105,6 +1105,7 @@ slapi_ldap_init( char *ldaphost, int ldapport, int secure, int shared )
return slapi_ldap_init_ext(NULL, ldaphost, ldapport, secure, shared, NULL);
}
+#include <sasl.h>
/*
* Does the correct bind operation simple/sasl/cert depending
* on the arguments passed in. If the user specified to use
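Review bot: The added `#include <sasl.h>` sits between two function definitions rather than with the includes at the top of util.c, so `sasl_ssf_t` is only visible to code that happens to follow this line. Moving it into the top-of-file include block would remove that ordering dependency, which is what forced this commit to relocate the include in the first place. If it has to stay here, a short comment such as `/* for sasl_ssf_t, used by slapi_ldap_bind below */` would explain why. The top of the file is outside this hunk, so check that no earlier include already provides the header.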
@@ -1258,7 +1259,8 @@ slapi_ldap_bind(
} else {
/* a SASL mech - set the sasl ssf to 0 if using TLS/SSL */
if (secure) {
- ldap_set_option(ld, LDAP_OPT_X_SASL_SECPROPS, "maxssf=0");
+ sasl_ssf_t max_ssf = 0;
+ ldap_set_option(ld, LDAP_OPT_X_SASL_SSF_MAX, &max_ssf);
}
rc = slapd_ldap_sasl_interactive_bind(ld, bindid, creds, mech,
serverctrls, returnedctrls,
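Review bot: The result of `ldap_set_option(ld, LDAP_OPT_X_SASL_SSF_MAX, &max_ssf)` in the `if (secure)` branch is discarded, so if the option cannot be set the SASL bind below still runs and may negotiate its own security layer on top of TLS/SSL, which is the case the comment says this branch exists to prevent. Checking it, for example `if (ldap_set_option(ld, LDAP_OPT_X_SASL_SSF_MAX, &max_ssf) != 0) { rc = LDAP_LOCAL_ERROR; goto done; }`, turns a silent misconfiguration into a failed bind; the `done:` label is visible only in the next hunk header, so confirm what cleanup it performs before jumping to it. With the maximum SSF at 0, all integrity and confidentiality for the bind rests on the TLS session, so a one-line comment stating that `secure` must mean TLS is already established on `ld` would help the next reader. `slapi_ldap_bind` begins and ends outside this hunk.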
@@ -1282,7 +1284,6 @@ done:
/* the following implements the client side of sasl bind, for LDAP server
-> LDAP server SASL */
-#include <sasl.h>
typedef struct {
char *mech;