SASL 2.1.27 rc8

Quanah Gibson-Mount quanah at symas.com
Mon Aug 20 15:35:19 EDT 2018


--On Thursday, May 10, 2018 9:28 PM -0400 Ken Murchison 
<murch at fastmail.com> wrote:

> All,
>
> I have built an eighth (and hopefully last) release candidate of SASL
> 2.1.27 which can be downloaded from here:

Hi Ken,

I've done some testing of the 2.1.27 RC8 and found some issues:

1) While there is the configure option --enable-sample (which defaults to 
yes), the corresponding --disable-sample option doesn't work.  I've opened 
<https://github.com/cyrusimap/cyrus-sasl/issues/524> to track this issue, 
and <https://github.com/cyrusimap/cyrus-sasl/pull/530> to fix it.

2) The sample/server.c code hasn't been updated to match the changes to the 
Heimdal API that were made in 2011.  I opened 
<https://github.com/cyrusimap/cyrus-sasl/issues/525> to track this issue 
and <https://github.com/cyrusimap/cyrus-sasl/pull/527> to fix it.

3) The value supplied to --plugindir is not honored due to the value being 
hard coded in the Makefile.  I opened 
<https://github.com/cyrusimap/cyrus-sasl/issues/528> to track this issue 
and <https://github.com/cyrusimap/cyrus-sasl/pull/529> to fix it.

4) There is no corresponding tag in the git repository for 2.1.27-RC8, so 
it's difficult to know exactly what it was generated from (although I 
assumed master).  2.1.27-RC7 was tagged in the git repo, so that's why I 
made a note of this.

5) One of the major features of Cyrus-SASL 2.1.27 for applications using it 
was that it was supposed to provide the underlying SSF information back out 
instead of hard coding it to the value of "56" for Kerberos based 
mechanisms.  Unfortunately, I'm seeing it still report "56" (Carson also 
reported this):

Aug 20 11:16:15 anvil1 slapd[19854]: conn=1005 op=3 BIND 
dn="krb5PrincipalName=bob at symas.net,ou=kerberosprincipals,dc=example,dc=com" 
mech=GSSAPI sasl_ssf=56 ssf=256

Various other bits work as desired although in this case forcing me to deal 
with the limitation of the SASL SSF being hard coded:

GSSAPI only:
root at anvil1:/opt/symas/etc/openldap# ldapsearch -Q -LLL -Y GSSAPI -H 
ldap:/// -s base -b dc=example,dc=com
dn: dc=example,dc=com

GSSAPI+TLS:
root at anvil1:/opt/symas/etc/openldap# ldapsearch -ZZ -Q -LLL -Y GSSAPI -H 
ldap:/// -s base -b dc=example,dc=com
dn: dc=example,dc=com

GSSAPI+TLS+MAXSSF=0:
root at anvil1:/opt/symas/etc/openldap# ldapsearch -ZZ -Q -LLL -Y GSSAPI -H 
ldap:/// -s base -b dc=example,dc=com -O maxssf=0
dn: dc=example,dc=com

GSSAPI+TLS+MAXSSF=512:
root at anvil1:/opt/symas/etc/openldap# ldapsearch -ZZ -Q -LLL -Y GSSAPI -H 
ldap:/// -s base -b dc=example,dc=com -O maxssf=512
dn: dc=example,dc=com

GSSAPI+TLS+MINSSF=56:
root at anvil1:/opt/symas/etc/openldap# ldapsearch -ZZ -Q -LLL -Y GSSAPI -H 
ldap:/// -s base -b dc=example,dc=com -O minssf=56
dn: dc=example,dc=com

GSSAPI+TLS+MINSSF=256 (The TLS SSF):
root at anvil1:/opt/symas/etc/openldap# ldapsearch -ZZ -Q -LLL -Y GSSAPI -H 
ldap:/// -s base -b dc=example,dc=com -O minssf=256
dn: dc=example,dc=com

GSSAPI+TLS+MINSSF=512 (Should fail and does):
root at anvil1:/opt/symas/etc/openldap# ldapsearch -ZZ -Q -LLL -Y GSSAPI -H 
ldap:/// -s base -b dc=example,dc=com -O minssf=512
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
        additional info: SASL(-15): mechanism too weak for this user: 
Unable to find a callback: 32775

GSSAPI+MINSSF=56:
root at anvil1:/opt/symas/etc/openldap# ldapsearch -Q -LLL -Y GSSAPI -H 
ldap:/// -s base -b dc=example,dc=com -O minssf=56
dn: dc=example,dc=com

GSSAPI+MINSSF=57 (fails, technically it shouldn't but does due to the hard 
coded value):
root at anvil1:/opt/symas/etc/openldap# ldapsearch -Q -LLL -Y GSSAPI -H 
ldap:/// -s base -b dc=example,dc=com -O minssf=57
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
        additional info: SASL(-15): mechanism too weak for this user: 
Unable to find a callback: 32775


So it seems like issue#5 is a major one that needs fixing for the release. 
It *might* work with MIT Kerberos (via 
4b0306dcd76031460246b2dabcb7db766d6b04d8) but it definitely does *not* work 
with Heimdal.  I'll see if I can dig into this further.

Warm regards,
Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
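A small model of the SSF arithmetic behind the ldapsearch matrix above, plus a check over slapd BIND log lines of the kind quoted in the message. This is an added example, not Cyrus SASL or OpenLDAP code. It assumes two things that the message itself does not state: that libsasl subtracts the external (TLS) SSF from the caller's minssf/maxssf before judging whether a mechanism is strong enough, and that slapd logs ssf= as the larger of the TLS and SASL values. The first log line is the one from the message; the second (conn=1006, no TLS) is constructed.

```python
"""Model of SASL SSF negotiation with an external (TLS) layer, and a slapd
log check.  Added example; assumptions are noted inline."""
import re

# The value the message reports GSSAPI still hard-codes in 2.1.27 RC8.
MECH_GSSAPI_SSF_HARDCODED = 56

# Assumption of this example: a very large maxssf behaves as "no limit".
UNLIMITED = 2**31 - 1


def required_mech_ssf(minssf, external_ssf):
    """SSF the mechanism itself must still provide once TLS is counted."""
    return max(minssf - external_ssf, 0)


def allowed_mech_ssf(maxssf, external_ssf):
    """Largest security layer the mechanism may negotiate on top of TLS."""
    return max(maxssf - external_ssf, 0)


def negotiate(mech_max_ssf, external_ssf, minssf=0, maxssf=UNLIMITED):
    """Return (accepted, mech_layer_ssf, overall_ssf) for one bind attempt.

    'accepted' is False in the situation the message shows as
    "SASL(-15): mechanism too weak for this user".
    """
    need = required_mech_ssf(minssf, external_ssf)
    if mech_max_ssf < need:
        return (False, 0, external_ssf)
    layer = min(mech_max_ssf, allowed_mech_ssf(maxssf, external_ssf))
    # Assumption: slapd reports the overall ssf as max(tls ssf, sasl ssf).
    return (True, layer, max(layer, external_ssf))


def replay_message_matrix(tls_ssf=256):
    """Map each ldapsearch scenario from the message to accepted/rejected."""
    cases = {
        "GSSAPI only":            (0,       {}),
        "GSSAPI+TLS":             (tls_ssf, {}),
        "GSSAPI+TLS+MAXSSF=0":    (tls_ssf, {"maxssf": 0}),
        "GSSAPI+TLS+MAXSSF=512":  (tls_ssf, {"maxssf": 512}),
        "GSSAPI+TLS+MINSSF=56":   (tls_ssf, {"minssf": 56}),
        "GSSAPI+TLS+MINSSF=256":  (tls_ssf, {"minssf": 256}),
        "GSSAPI+TLS+MINSSF=512":  (tls_ssf, {"minssf": 512}),
        "GSSAPI+MINSSF=56":       (0,       {"minssf": 56}),
        "GSSAPI+MINSSF=57":       (0,       {"minssf": 57}),
    }
    return {name: negotiate(MECH_GSSAPI_SSF_HARDCODED, ext, **kw)[0]
            for name, (ext, kw) in cases.items()}


# slapd BIND lines: the first is the one quoted in the message (re-joined on
# one line); the second is constructed to show the same bind without TLS.
SAMPLE_LOG = [
    'Aug 20 11:16:15 anvil1 slapd[19854]: conn=1005 op=3 BIND '
    'dn="krb5PrincipalName=bob at symas.net,ou=kerberosprincipals,'
    'dc=example,dc=com" mech=GSSAPI sasl_ssf=56 ssf=256',
    'Aug 20 11:20:02 anvil1 slapd[19854]: conn=1006 op=3 BIND '
    'dn="krb5PrincipalName=bob at symas.net,ou=kerberosprincipals,'
    'dc=example,dc=com" mech=GSSAPI sasl_ssf=56 ssf=56',
]

BIND_RE = re.compile(r'conn=(?P<conn>\d+) op=\d+ BIND .*?mech=(?P<mech>\S+) '
                     r'sasl_ssf=(?P<sasl_ssf>\d+) ssf=(?P<ssf>\d+)')


def parse_bind(line):
    """Extract conn id, mechanism and both SSF values from a slapd BIND line."""
    m = BIND_RE.search(line)
    if m is None:
        return None
    return {"conn": int(m["conn"]), "mech": m["mech"],
            "sasl_ssf": int(m["sasl_ssf"]), "ssf": int(m["ssf"])}


def weak_binds(lines, min_overall_ssf):
    """Connection ids whose overall protection is below the site policy."""
    hits = []
    for line in lines:
        b = parse_bind(line)
        if b is not None and b["ssf"] < min_overall_ssf:
            hits.append(b["conn"])
    return hits


if __name__ == "__main__":
    for name, ok in replay_message_matrix().items():
        print(f"{name:28s} {'ok' if ok else 'mechanism too weak'}")
    print("binds below policy:", weak_binds(SAMPLE_LOG, 128))
```

The point of the log check is that the hard-coded 56 is invisible while TLS is in use (ssf=256 in the quoted line) and only shows up as a weak overall SSF on binds without TLS, which is exactly the case a minssf policy above 56 is meant to catch.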
