POSSIBLE BUG: Cyrus SASL 2.1.22: ldapdb

Patrick Ben Koetter p at state-of-mind.de
Sun Aug 19 15:12:47 EDT 2007


* Howard Chu <hyc at highlandsun.com>:
> Patrick Ben Koetter wrote:
> >This mail expands on a mail I had sent to cyrus-sasl at lists.andrew.cmu.edu a
> >few days ago. I spent the last days testing this and I believe I have found a
> >bug.
> 
> The likelihood that a bug is in the ldapdb code is about zero.

Agreed. That's why I wrote "possible".


> >Version:    Cyrus SASL 2.1.22
> >OS:         CentOS (also tested and verified on Ubuntu and OpenSuse)
> >Description: Entries that successfully can be authenticated using the
> >            ldapwhoami command can only partially be authenticated using the
> >            Cyrus SASL ldapdb-plugin.
> 
> >Steps to reproduce:
> >(All files are available for download at
> ><http://www.state-of-mind.de/bugreport_cyrus-sasl-2.1.22.tgz>)
> 
> Since you've gone to the trouble of packaging this up, you should also have 
> included an extract from the slapd debug log taken from running the sample 
> authentication.


Right. My fault. I've created a completely new package and put it at
http://www.state-of-mind.de/bugreport_2_cyrus-sasl-2.1.22.tgz.

It contains the log from "loglevel ACL traces".


> >1. Install configuration as provided by bugreport_cyrus-sasl-2.1.22.tgz.
> >2. Use ldapwhoami to verify authentication:
> >
> >    [root at netinstall ldap]# ldapwhoami -U a -w a
> >    SASL/DIGEST-MD5 authentication started
> >    SASL username: a
> >    SASL SSF: 128
> >    SASL installing layers
> >    dn:uid=a,ou=people,dc=example,dc=com
> >    Result: Success (0)
> >
> >    [root at netinstall ldap]# ldapwhoami -U b -w b
> >    SASL/DIGEST-MD5 authentication started
> >    SASL username: b
> >    SASL SSF: 128
> >    SASL installing layers
> >    dn:uid=b,ou=people,dc=example,dc=com
> >    Result: Success (0)
> 
> Neither of these commands reflects what the ldapdb plugin does. To test 
> that you first need to test e.g.
> 	ldapwhoami -U proxyuser -X a

[root at netinstall ~]# ldapwhoami -U proxyuser -X a
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Insufficient access (50)
        additional info: SASL(-14): authorization failure: unable authorization ID


So it seems that the proxyuser has "Insufficient access". I've followed the
traces of authentication in the log and see that it fails, but I can't tell
why.

If I do interpret the log correctly the authz-regexp mapping works and maps
proxyuser to the correct dn. Permission is given to read the uid and
userPassword, but then it fails. This is where I am lost.

(On a sidenote I wonder: If proxyuser fails, how come the ldapdb plugin would
work for one entry and not the other?)

p at rick

P.S.: Seems this is more an OpenLDAP topic than a Cyrus SASL topic. If you want
me to, I can open a new thread on openldap.

-- 
The Book of Postfix
<http://www.postfix-book.com>
saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
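The proxy-authorization check that Howard's `ldapwhoami -U proxyuser -X a` exercises happens in two stages inside slapd: the SASL identity `uid=<name>,cn=<mech>,cn=auth` is first rewritten by `authz-regexp` into a search that yields an entry DN, and only then does the `authz-policy` (here assumed to be `to`, so the authenticating entry's `authzTo` values decide) say whether that entry may act as the requested authzid. The following is an added Python model of those two stages, written for this thread; it is not slapd or ldapdb code, and the `authz-regexp` line, the `authzTo` value and the directory contents are constructed here because the poster's configuration is only available in the linked tarball. Only the `dn.exact:` and `dn.regex:` forms of `authzTo` are modelled, and a bare authzid is treated as `u:<name>` as a simplification.

```python
import re
from typing import Dict, List, Optional

# Constructed sample configuration (assumed, not the poster's slapd.conf).
# authz-regexp rewrites the SASL identity uid=<name>,cn=<mech>,cn=auth into an
# LDAP URI; the DN of the single entry that search returns is the mapped DN.
AUTHZ_REGEXP = [
    (r"^uid=([^,]+),cn=[^,]+,cn=auth$",
     r"ldap:///ou=people,dc=example,dc=com??sub?(uid=\1)"),
]
AUTHZ_POLICY = "to"  # assumed: the authenticating entry's authzTo decides

# Constructed directory contents: DN -> attributes.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=proxyuser,ou=people,dc=example,dc=com": {
        "uid": ["proxyuser"],
        # proxyuser may only act as entries under ou=people.
        "authzTo": ["dn.regex:^uid=[^,]+,ou=people,dc=example,dc=com$"],
    },
    "uid=a,ou=people,dc=example,dc=com": {"uid": ["a"]},
    "uid=b,ou=people,dc=example,dc=com": {"uid": ["b"]},
    "uid=c,ou=other,dc=example,dc=com": {"uid": ["c"]},
}

# Only the URI shape produced by the authz-regexp above is parsed.
URI_RE = re.compile(
    r"^ldap:///([^?]*)\?[^?]*\?(base|one|sub)\?\(uid=([^)]+)\)$")


def search_uri(uri: str) -> Optional[str]:
    """Resolve the (uid=...) search URI against DIRECTORY.

    Returns the single matching DN, or None when zero or several entries
    match: a mapping only succeeds when the search yields exactly one entry.
    """
    m = URI_RE.match(uri)
    if not m:
        return None
    base, scope, uid = m.groups()
    hits = []
    for dn, attrs in DIRECTORY.items():
        in_base = dn == base if scope == "base" else dn.endswith("," + base)
        if in_base and uid in attrs.get("uid", []):
            hits.append(dn)
    return hits[0] if len(hits) == 1 else None


def map_sasl_identity(sasl_id: str) -> Optional[str]:
    """Apply the first matching authz-regexp and resolve the resulting URI."""
    for pattern, replacement in AUTHZ_REGEXP:
        if re.match(pattern, sasl_id):
            return search_uri(re.sub(pattern, replacement, sasl_id))
    return None


def authz_id_to_dn(authz_id: str, mech: str) -> Optional[str]:
    """Turn an authorization identity ('u:name' or 'dn:<dn>') into a DN.

    A bare name is treated like 'u:name'; that is a simplification of this
    model, not a statement about how slapd parses it.
    """
    if authz_id.startswith("dn:"):
        dn = authz_id[3:]
        return dn if dn in DIRECTORY else None
    name = authz_id[2:] if authz_id.startswith("u:") else authz_id
    return map_sasl_identity(f"uid={name},cn={mech},cn=auth")


def authz_rule_matches(rule: str, target_dn: str) -> bool:
    """Match one authzTo value against the DN the bind wants to act as."""
    if rule.startswith("dn.exact:"):
        return rule[len("dn.exact:"):].lower() == target_dn.lower()
    if rule.startswith("dn.regex:"):
        return re.match(rule[len("dn.regex:"):], target_dn, re.IGNORECASE) is not None
    return False  # other rule forms (URIs, groups) are not modelled


def proxy_authorize(authc_id: str, authz_id: str, mech: str = "digest-md5") -> str:
    """Model the two steps behind 'ldapwhoami -U <authc> -X <authz>'.

    Returns the DN the bind would act as, or an error string describing the
    stage at which it failed.
    """
    authc_dn = map_sasl_identity(f"uid={authc_id},cn={mech},cn=auth")
    if authc_dn is None:
        return "authentication failure: no mapping for authcid"
    authz_dn = authz_id_to_dn(authz_id, mech)
    if authz_dn is None:
        return "authorization failure: unable to resolve authzid"
    if AUTHZ_POLICY == "to":
        rules = DIRECTORY[authc_dn].get("authzTo", [])
        if any(authz_rule_matches(r, authz_dn) for r in rules):
            return authz_dn
    return "Insufficient access (50): authorization failure"


if __name__ == "__main__":
    for authc, authz in [("proxyuser", "u:a"), ("proxyuser", "u:c"),
                         ("proxyuser", "dn:uid=c,ou=other,dc=example,dc=com"),
                         ("a", "u:b")]:
        print(f"-U {authc} -X {authz}: {proxy_authorize(authc, authz)}")
```

Running it shows the three distinct outcomes worth telling apart in a slapd ACL trace: the authcid fails to map, the authzid fails to map, or both map but no `authzTo` rule covers the target. An "Insufficient access (50)" result on the proxy bind means the plugin never reaches the point of reading the target entry's `userPassword`, which is why checking the proxy bind on its own, as Howard suggests, isolates the failing stage.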