Digging into a problem

Alexey Melnikov alexey.melnikov at isode.com
Tue Jul 3 13:56:54 EDT 2012


On 03/07/2012 00:11, Matthias Wimmer wrote:
> Hi Alexey,
>
>
> Alexey Melnikov schrieb am 2012-07-02 11:33:20:
>>> I am currently digging into a problem I have with cyrus sasl since I
>>> upgraded from Ubuntu 11.10 to 12.04.
>> Which version of SASL is used by Ubuntu 12.04?
> Ubuntu 12.04 has Cyrus SASL 2.1.25 - and it seems the same packages are
> used as currently in Debian testing.
Ok, this is fairly recent.

I should have also asked for the Cyrus SASL version used by Ubuntu 11.10.

I need to check what has changed between these 2 versions of Cyrus SASL 
in order to have any meaningful theory.
>> What does your program do (or more specifically, how does it use
>> libsasl)? In general, SASL plugins like DIGEST-MD5 can request both
>> cleartext attribute (userPassword) and a non cleartext one, but
>> should work if either one of them is present. Hopefully the same
>> applies to your program.
> At the start:
>
> sasl_server_init(<list of callbacks>, "jadc2s")
> =>  I get SASL_OK
>
> my list of callbacks has three elements:
> - SASL_CB_CANON_USER
> - SASL_CB_PROXY_POLICY
> - SASL_CB_LIST_END
>
>
> /usr/lib/sasl2/jadc2s.conf contains:
>
> log_level: 7
> mech_list: DIGEST-MD5
>
> sql_engine: pgsql
> sql_hostnames: breg.amessage.eu
> sql_user: sasl
> sql_passwd: XXXXXXXX
> sql_database: sasl
> sql_select: SELECT password FROM system_users WHERE username='%u' AND realm='%r'
>
> the last line had been:
>
> sql_select: SELECT password FROM system_users WHERE '%p'='userPassword' AND username='%u' AND realm='%r'
>
>
> For any connection, I set:
>
> sasl_server_new("xmpp",<default domain of server>,<default domain of server>,<ip>,<ip>, NULL, 0,&sasl_conn);
> sasl_setprop(..., SASL_SEC_PROPS, ...);
> 	min_ssf:	0
> 	max_ssf:	-1
> 	maxbufsize:	1024
> 	property_names:	NULL
> 	property_values:NULL
> 	security_flags:	SASL_SEC_NOANONYMOUS
> sasl_setprop(..., SASL_DEFUSERREALM,<domain of the client>);
> sasl_setprop(..., SASL_SSF_EXTERNAL,<value from GnuTLS>);
>
> I request:
>
> sasl_listmech(...)
>
> Authentication is done using (client can send initial data):
>
> sasl_server_start(...)
> sasl_server_step(...)
>
> After authentication I would do:
>
> sasl_getprop(..., SASL_MAXOUTBUF, ...);
> sasl_getprop(..., SASL_USERNAME, ...);
>
>
>>> Instead
>>> it tries to read /etc/sasldb2 (which is not used in my setup).
>> You have SASLDB auxprop plugin installed and enabled. If you don't
>> want to use it, you should disable it.
> that's "auxprop_plugin: sql", right?
Yes.
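
The fix agreed on above, shown as a config check. This is an added example, not part of the original message or of Cyrus SASL. It flags an application config that sets sql_* options without `auxprop_plugin`, and a `sql_select` without the sql plugin's `%p` (property name) macro. The sample config is constructed, modelled on the quoted jadc2s.conf with a placeholder hostname; `parse_conf` and `lint` are hypothetical helper names.

```python
# Added example (not from the thread): lint a Cyrus SASL application config.
# SAMPLE_CONF is constructed, modelled on the quoted jadc2s.conf;
# the hostname is a placeholder.
SAMPLE_CONF = """\
log_level: 7
mech_list: DIGEST-MD5
sql_engine: pgsql
sql_hostnames: db.example.invalid
sql_user: sasl
sql_passwd: XXXXXXXX
sql_database: sasl
sql_select: SELECT password FROM system_users WHERE username='%u' AND realm='%r'
"""


def parse_conf(text):
    """Parse 'key: value' lines, skipping blanks and # comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            opts[key.strip()] = value.strip()
    return opts


def lint(opts):
    """Return findings about which auxprop backends the config leaves reachable."""
    findings = []
    plugins = opts.get("auxprop_plugin", "").split()
    uses_sql = any(k.startswith("sql_") for k in opts)
    if uses_sql and not plugins:
        findings.append("auxprop_plugin unset: an installed sasldb plugin may "
                        "still be consulted (/etc/sasldb2); set 'auxprop_plugin: sql'")
    elif uses_sql and "sql" not in plugins:
        findings.append("sql_* options present but 'sql' is not in auxprop_plugin")
    if uses_sql and "sasldb" in plugins:
        findings.append("sasldb listed in auxprop_plugin alongside sql_* options")
    select = opts.get("sql_select", "")
    if select and "%p" not in select:
        findings.append("sql_select has no %p term: the same column is returned "
                        "for every property a mechanism requests")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_conf(SAMPLE_CONF)):
        print("WARN:", finding)
```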



More information about the Cyrus-sasl mailing list