Discussion:
(ITS#5266) "authorization failure: invalid authcid" during SASL
Howard Chu
2007-12-23 02:16:32 UTC
Full_Name: Dan White
Version: 2.3.39
OS: Linux
URL: http://support.olp.net/ldap/log2.txt
Submission from: (NULL) (65.161.252.42)
If I enable SASL auto_transition, I receive the following error during
SASL(-14): authorization failure: invalid authcid
I'm using openldap version 2.3.39 for both slapd and my ldap utils
(ldapsearch).
I'm using the bdb backend.
Cyrus SASL 2.1.22(.dfsg1-8)
libdb 4.2.52(+dfsg-2)
libc6 2.3.6(.ds1-13etch2)
PAM 0.79(-4)
pam_ldap 184(-2)
I'm using saslauthd's PAM backend, and in turn using pam_ldap for
authentication, although I don't believe the problem is related to the
saslauthd/pam configuration.
SASL/PLAIN authentication started
ldap_sasl_interactive_bind_s: Insufficient access (50)
additional info: SASL(-14): authorization failure: invalid authcid
SASL/PLAIN authentication started
SASL SSF: 0
hiro:~#
hiro:~# cat /usr/lib/sasl2/slapd.conf
keytab: /etc/krb5.keytab-ldap
pwcheck_method: saslauthd
auxprop_plugin: slapd
auto_transition: yes
log_level: 7
http://support.olp.net/ldap/log2.txt
The error appears to be occurring while transitioning the password to the
    /* Skip SLAP_SASL_PROP_CONN */
    prop_getnames( props, slap_propnames+1, auxvals );
    /* Should not happen */
    if ( !auxvals[0].values ) {
        sasl_seterror( sconn, 0, "invalid authcid" );
        return SASL_NOAUTHZ;
    }
What I'm expecting to happen during the bind is to have SASL overwrite my
userPassword and cmusaslsecretOTP attributes, via the slapd auxprop plugin.
I have a lot of passwords in crypted form (which PAM authenticates), and I'm
aiming towards a clear-text password store by using this functionality.
This is a bug in Cyrus SASL; the setpass function is zeroing out the
connection state when it should be leaving it intact. The attached patch will
fix the problem. (Verified using saslauthd and most of the above components.)
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/

[Attachment: dif.txt]

Index: server.c
===================================================================
RCS file: /cvs/src/sasl/lib/server.c,v
retrieving revision 1.147
diff -u -r1.147 server.c
--- server.c 3 Jul 2006 14:43:16 -0000 1.147
+++ server.c 23 Dec 2007 01:52:25 -0000
@@ -129,6 +129,7 @@
int result = SASL_OK, tmpresult;
sasl_server_conn_t *s_conn = (sasl_server_conn_t *) conn;
const char *password_request[] = { SASL_AUX_PASSWORD_PROP, NULL };
+ struct propctx *propctx = NULL;
sasl_server_userdb_setpass_t *setpass_cb = NULL;
void *context = NULL;
int tried_setpass = 0;
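Review bot: the new `propctx` local is correctly initialised to NULL, but nothing at the declaration says why a second property context is being introduced alongside `s_conn->sparams->propctx`; a one-line comment here (a private context for the setpass store, so the connection's own context is left untouched, which is the point of the fix the cover mail describes) would save the next reader a trip to the ITS.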
@@ -172,14 +173,18 @@
pass = NULL;
passlen = 0;
}
-
- result = prop_request(s_conn->sparams->propctx, password_request);
+
+ propctx = prop_new(0);
+ if ( !propctx ) {
+ RETURN(conn, SASL_NOMEM);
+ }
+ result = prop_request(propctx, password_request);
if (result == SASL_OK) {
- result = prop_set(s_conn->sparams->propctx, SASL_AUX_PASSWORD_PROP,
+ result = prop_set(propctx, SASL_AUX_PASSWORD_PROP,
pass, passlen);
}
if (result == SASL_OK) {
- result = sasl_auxprop_store(conn, s_conn->sparams->propctx, user);
+ result = sasl_auxprop_store(conn, propctx, user);
}
if (result != SASL_OK) {
_sasl_log(conn, SASL_LOG_ERR,
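Review bot: the allocation-failure path is handled before anything else is touched (`RETURN(conn, SASL_NOMEM)` directly after `prop_new(0)`), and switching `prop_request`, `prop_set` and `sasl_auxprop_store` from `s_conn->sparams->propctx` to the private `propctx` is the substance of the fix, since those three calls are what previously wrote into the connection's own context. One nit: the `-`/`+` pair on the blank line before `propctx = prop_new(0);` is whitespace-only churn and could be dropped from the patch. Note also that `prop_set` copies the plaintext `pass` into this context, so its lifetime should stay as short as the block that allocates it.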
@@ -189,6 +194,7 @@
_sasl_log(conn, SASL_LOG_NOTE,
"setpass succeeded for %s", user);
}
+ prop_dispose(&propctx);
}

/* We want to preserve the current value of result, so we use tmpresult below */
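Review bot: `prop_dispose(&propctx)` sits at the end of the block, after both the error and the success `_sasl_log` calls, so the context holding the copied password is released on both logging paths and is passed by address in the usual dispose-and-clear style; that is the right place. The only early exit in the visible lines (`RETURN(conn, SASL_NOMEM)`) happens before `prop_new` has succeeded, so there is no leak today, but any future early return inside this block would have to dispose `propctx` first; a comment noting that the block owns the context would make that explicit.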


Dan White
2007-12-23 20:59:01 UTC
Post by Howard Chu
This is a bug in Cyrus SASL; the setpass function is zeroing out the
connection state when it should be leaving it intact. The attached patch
will fix the problem. (Verified using saslauthd and most of the above
components.)
Thanks Howard. This patch works for me.

- Dan
