POSSIBLE BUG: Cyrus SASL 2.1.22: ldapdb
Patrick Ben Koetter
p at state-of-mind.de
Sun Aug 19 15:12:47 EDT 2007
* Howard Chu <hyc at highlandsun.com>:
> Patrick Ben Koetter wrote:
> >This mail expands on a mail I had sent to cyrus-sasl at lists.andrew.cmu.edu a
> >few days ago. I spent the last days testing this and I believe I have
> >found a bug.
>
> The likelihood that a bug is in the ldapdb code is about zero.
Agreed. That's why I wrote "possible".
> >Version: Cyrus SASL 2.1.22
> >OS: CentOS (also tested and verified on Ubuntu and OpenSuse)
> >Description: Entries that can successfully be authenticated using the
> > ldapwhoami command can only partially be authenticated using the
> > Cyrus SASL ldapdb-plugin.
>
> >Steps to reproduce:
> >(All files are available for download at
> ><http://www.state-of-mind.de/bugreport_cyrus-sasl-2.1.22.tgz>)
>
> Since you've gone to the trouble of packaging this up, you should also have
> included an extract from the slapd debug log taken from running the sample-
> authentication.
Right. My fault. I've created a completely new package and put it at
http://www.state-of-mind.de/bugreport_2_cyrus-sasl-2.1.22.tgz.
It contains a log from "loglevel ACL traces".
> >1. Install configuration as provided by bugreport_cyrus-sasl-2.1.22.tgz.
> >2. Use ldapwhoami to verify authentication:
> >
> > [root at netinstall ldap]# ldapwhoami -U a -w a
> > SASL/DIGEST-MD5 authentication started
> > SASL username: a
> > SASL SSF: 128
> > SASL installing layers
> > dn:uid=a,ou=people,dc=example,dc=com
> > Result: Success (0)
> >
> > [root at netinstall ldap]# ldapwhoami -U b -w b
> > SASL/DIGEST-MD5 authentication started
> > SASL username: b
> > SASL SSF: 128
> > SASL installing layers
> > dn:uid=b,ou=people,dc=example,dc=com
> > Result: Success (0)
>
> Neither of these commands reflects what the ldapdb plugin does. To test
> that you first need to test e.g.
> ldapwhoami -U proxyuser -X a
[root at netinstall ~]# ldapwhoami -U proxyuser -X a
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Insufficient access (50)
additional info: SASL(-14): authorization failure: unable authorization ID
So it seems that the proxyuser has "Insufficient access". I've followed the
traces of authentication in the log and see that it fails, but I can't tell
why.
If I do interpret the log correctly the authz-regexp mapping works and maps
proxyuser to the correct dn. Permission is given to read the uid and
userPassword, but then it fails. This is where I am lost.
(On a sidenote I wonder: If proxyuser fails, how come the ldapdb plugin would
work for one entry and not the other?)
p at rick
P.S.: Seems this is more an OpenLDAP topic than a Cyrus SASL topic. If you want
me to, I can open a new thread on openldap.
--
The Book of Postfix
<http://www.postfix-book.com>
saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
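Added illustration, not part of the thread and not from either poster: the slapd pieces that the proxy-authorization check (`ldapwhoami -U proxyuser -X ...`) depends on in addition to the authz-regexp mapping. Names (proxyuser, ou=people,dc=example,dc=com) follow the DNs shown above; the authz-policy value and the authzTo filter are assumptions for the example.

```conf
# --- slapd.conf (added example; assumed layout) -------------------------
# 1. Map the SASL authentication identity onto a DN. The thread reports
#    that this step already works for "proxyuser".
authz-regexp
    uid=([^,]*),cn=digest-md5,cn=auth
    ldap:///ou=people,dc=example,dc=com??sub?(uid=$1)

# 2. Proxy authorization is disabled by default. Without an authz-policy,
#    every SASL request carrying an authorization ID (-X) is rejected
#    regardless of how permissive the ACLs are. "to" means the proxy entry
#    itself lists, in authzTo, whom it may act on behalf of.
authz-policy to

# --- LDIF, applied with ldapmodify (added example) -----------------------
# 3. Let proxyuser assume the identity of any person entry under ou=people.
#    (objectClass=inetOrgPerson is an assumed filter; narrow it as needed.)
# dn: uid=proxyuser,ou=people,dc=example,dc=com
# changetype: modify
# add: authzTo
# authzTo: ldap:///ou=people,dc=example,dc=com??sub?(objectClass=inetOrgPerson)

# 4. Verify with an explicit authorization ID. slapd expects the "u:" or
#    "dn:" prefix on the authzid; a successful proxy bind reports the
#    target's DN (uid=a,...) rather than proxyuser's:
#    ldapwhoami -U proxyuser -X u:a -w <proxyuser-password>
```

Compare "loglevel ACL traces" output before and after the authz-policy line: with the policy absent, the failure is logged at the authorization step, before any ACL on uid or userPassword is consulted.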