SASL2 plugin problem

Xu, Qiang (FXSGSC) Qiang.Xu at fujixerox.com
Tue Apr 7 04:18:07 EDT 2009


> -----Original Message-----
> From: Howard Chu [mailto:hyc at highlandsun.com] 
> Sent: Friday, April 03, 2009 1:07 PM
> To: Xu, Qiang (FXSGSC)
> Cc: Henry B. Hotz; cyrus-sasl at lists.andrew.cmu.edu
> Subject: Re: SASL2 plugin problem
> 
> Xu, Qiang (FXSGSC) wrote:
> >
> > The caller seems innocent:
> > ========================================
> > <apManager>  (Tue Mar 31 2009 16:39:02.518)<p27931,t3079396256,aba_ldap_interface.c,6666>
> >       INFO>>  Value of hostname sesswin2003:389
> 
> Fix that. MozLDAP isn't parsing it correctly; just use the hostname.
> 
> The C API spec says that this is allowed to be in host:port 
> form, and the LDAP library is supposed to recognize that and 
> parse it appropriately when this form is passed in. MozLDAP 
> doesn't parse it though, it uses it verbatim. When it hands 
> this host:port form to SASL, which expects hostname and 
> portnumber as two separate parameters, things fail.

Good news, Howard. 

The original code is like this: 
========================================
    if ((ldapHandle = prldap_init((ldapServerConfigData.hostnames),
                                  LDAP_PORT, 0)) == NULL)
    {
      LOGERROR("prldap_init failed");
      return(ABA_LDAP_INIT_CALL_FAILED);
    }
    LOGINFO("prldap_init succeeded");
========================================
As you have noticed, the value of the variable "ldapServerConfigData.hostnames" is actually in the format "host:port", which is incorrect. The reason that simple binding can succeed may be due to the high tolerance of the function "ldap_simple_bind_s()", whereas "ldap_sasl_interactive_bind_ext_s()" is more sensitive. It is strange that the function "prldap_init()" doesn't report any error when the hostname comes in the form of "host:port". The log entry "prldap_init succeeded" is always visible, even in the case of SASL binding failure.

According to your advice, I modified the code as follows: 
========================================
  char *pColon = NULL;           /* separator in "host:port" */
  char serverHost[PRIMARY_HOSTNAME+1] = {0};
  int serverPort = 0;
......
    pColon = strchr(ldapServerConfigData.hostnames, ':');
    /* strchr() returns NULL when no ':' is present; copying from it would crash,
       and a host part longer than serverHost would overflow the buffer */
    if (pColon == NULL || (pColon - ldapServerConfigData.hostnames) > PRIMARY_HOSTNAME)
    {
      LOGERROR("hostnames value [%s] is not a host:port pair that fits serverHost", ldapServerConfigData.hostnames);
      return(ABA_LDAP_INIT_CALL_FAILED);
    }
    /* serverHost is zero-filled above, so the copy stays NUL terminated */
    memcpy(serverHost, ldapServerConfigData.hostnames, pColon - ldapServerConfigData.hostnames);
    serverPort = atoi(pColon + 1);
    LOGINFO("serverHost is [%s]", serverHost);
    LOGINFO("serverPort is [%d]", serverPort);

    if ((ldapHandle = prldap_init(serverHost,
                                  serverPort, 0)) == NULL)
    {
      LOGERROR("prldap_init failed");
      return(ABA_LDAP_INIT_CALL_FAILED);
    }
    LOGINFO("prldap_init succeeded");
========================================
Now SASL LDAP binding with "ldap_sasl_interactive_bind_ext_s()" returns LDAP_SUCCESS. I am greatly relieved. Many thanks for it.

Still, I have seen some strange packets: 
========================================
32	17.839052	13.198.98.107	13.198.98.35	LDAP	bindRequest(1) "<ROOT>" sasl 
33	17.917608	13.198.98.35	13.198.98.107	LDAP	bindResponse(1) saslBindInProgress 
35	17.919333	13.198.98.107	13.198.98.35	LDAP	bindRequest(2) "<ROOT>" [Malformed Packet]
36	17.919637	13.198.98.35	13.198.98.107	LDAP	bindResponse(2) saslBindInProgress 
37	17.920316	13.198.98.107	13.198.98.35	LDAP	bindRequest(3) "<ROOT>" sasl 
38	17.920691	13.198.98.35	13.198.98.107	LDAP	bindResponse(3) success 
========================================
I am not sure if packet 35 is normal or not. After all, it says the packet is malformed.

In contrast, a trace captured with the OpenLDAP ldapsearch utility does not have this malformed packet: 
========================================
22	24.805633	13.198.98.35	13.198.98.190	LDAP	bindResponse(1) saslBindInProgress 
28	26.616093	13.198.98.190	13.198.98.35	LDAP	bindRequest(2) "<ROOT>" sasl 
29	26.616459	13.198.98.35	13.198.98.190	LDAP	bindResponse(2) saslBindInProgress 
31	26.616705	13.198.98.190	13.198.98.35	LDAP	bindRequest(3) "<ROOT>" sasl 
32	26.633134	13.198.98.35	13.198.98.190	LDAP	bindResponse(3) success 
========================================
Packet 29 is normal, compared to Packet 35 in the last trace.

Another question: In SASL LDAP binding, I can't see explicit unbinding request and response, while I can see them in simple binding. Is this normal?

Thanks a million,
Xu Qiang
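The host:port split discussed in this thread, as an added example that is not code from the original mail or from MozLDAP: it separates a configured "host[:port]" value into the bare hostname and numeric port that prldap_init() and the SASL layer expect, and goes a little beyond the mail by also handling a missing port (default 389) and bracketed IPv6 literals. The function name split_host_port and the LDAP_DEFAULT_PORT constant are assumptions made here.

```c
/* Added example, not code from the original mail: split "host[:port]" (e.g. the
 * logged "sesswin2003:389") into the separate hostname and port number that
 * prldap_init() and SASL expect. Function name and LDAP_DEFAULT_PORT are assumed. */
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#define LDAP_DEFAULT_PORT 389   /* assumed default, like LDAP_PORT in the mail */

/* Accepts "host", "host:port", "[v6addr]" and "[v6addr]:port". On success the bare
 * host is copied into host (hostlen bytes, NUL terminated), *port is set and 0 is
 * returned; -1 means empty/oversized host, missing ']' or port outside 1..65535. */
int split_host_port(const char *spec, char *host, size_t hostlen, int *port)
{
    const char *hstart = spec, *hend, *pstr = NULL;
    char *end;
    long v;
    size_t hlen;

    if (spec == NULL || host == NULL || port == NULL || hostlen == 0)
        return -1;
    if (*spec == '[') {                       /* bracketed IPv6 literal */
        hstart = spec + 1;
        if ((hend = strchr(hstart, ']')) == NULL)
            return -1;
        if (hend[1] == ':')
            pstr = hend + 2;
        else if (hend[1] != '\0')
            return -1;
    } else if ((hend = strchr(spec, ':')) != NULL) {
        pstr = hend + 1;                      /* text after the colon is the port */
    } else {
        hend = spec + strlen(spec);           /* no port given at all */
    }
    hlen = (size_t)(hend - hstart);
    if (hlen == 0 || hlen >= hostlen)         /* reject empty host and overflow */
        return -1;
    memcpy(host, hstart, hlen);
    host[hlen] = '\0';
    if (pstr == NULL) {
        *port = LDAP_DEFAULT_PORT;
        return 0;
    }
    errno = 0;
    v = strtol(pstr, &end, 10);               /* strict: whole suffix must be digits */
    if (errno != 0 || end == pstr || *end != '\0' || v < 1 || v > 65535)
        return -1;
    *port = (int)v;
    return 0;
}
```

A caller would pass the filled host buffer and port straight to prldap_init() instead of the raw configured string, and treat -1 as a configuration error rather than attempting the bind.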

