Digging into a problem

Matthias Wimmer m at tthias.eu
Sun Jul 1 19:51:26 EDT 2012


Hi,


I am currently digging into a problem I have with Cyrus SASL since I
upgraded from Ubuntu 11.10 to 12.04.

Some of my own programs stopped working since that upgrade. After some
playing with the code, I found out that I could log in again after I
changed the SQL query string I am using.

What I had until now (and did work in the past) was this:

sql_select: SELECT password FROM system_users WHERE '%p'='userPassword' AND username='%u' AND realm='%r'

I have now changed this to:

sql_select: SELECT password FROM system_users WHERE username='%u' AND realm='%r'

This does now work again.



In my user database I only store the plain text passwords. So with the
original query I tried to make sure that only the query for the plain
text password returns results.

With the original query, I can see in my logs that two queries are made
against my PostgreSQL database (some additional logging by me):

Jul  1 22:37:07 eder jadc2s.amessage.eu[24924]: sql plugin create statement from userPassword m tthias.eu
Jul  1 22:37:07 eder jadc2s.amessage.eu[24924]: sql plugin doing query SELECT password FROM system_users WHERE 'userPassword'='userPassword' AND username='m' AND realm='tthias.eu' ;
Jul  1 22:37:07 eder jadc2s.amessage.eu[24924]: PostgreSQL query: SELECT password FROM system_users WHERE 'userPassword'='userPassword' AND username='m' AND realm='tthias.eu';
Jul  1 22:37:07 eder jadc2s.amessage.eu[24924]: PostgreSQL query status: PGRES_TUPLES_OK 
Jul  1 22:37:07 eder jadc2s.amessage.eu[24924]: Row Count: 1
Jul  1 22:37:07 eder jadc2s.amessage.eu[24924]: PostgreSQL result was: XXXXXXXX
Jul  1 22:37:07 eder jadc2s.amessage.eu[24924]: sql plugin create statement from cmusaslsecretDIGEST-MD5 m tthias.eu
Jul  1 22:37:07 eder jadc2s.amessage.eu[24924]: sql plugin doing query SELECT password FROM system_users WHERE 'cmusaslsecretDIGEST-MD5'='userPassword' AND username='m' AND realm='tthias.eu';
Jul  1 22:37:07 eder jadc2s.amessage.eu[24924]: PostgreSQL query: SELECT password FROM system_users WHERE 'cmusaslsecretDIGEST-MD5'='userPassword' AND username='m' AND realm='tthias.eu';
Jul  1 22:37:07 eder jadc2s.amessage.eu[24924]: PostgreSQL query status: PGRES_TUPLES_OK 
Jul  1 22:37:07 eder jadc2s.amessage.eu[24924]: Row Count: 0
Jul  1 22:37:07 eder jadc2s.amessage.eu[24924]: sql plugin: no result found (not row count)
Jul  1 22:37:07 eder jadc2s.amessage.eu[24924]: commit transaction
Jul  1 22:37:07 eder jadc2s.amessage.eu[24924]: PostgreSQL query: COMMIT;
Jul  1 22:37:07 eder jadc2s.amessage.eu[24924]: PostgreSQL query status: PGRES_COMMAND_OK 
Jul  1 22:37:07 eder jadc2s.amessage.eu[24924]: ... so no results
Jul  1 22:37:07 eder jadc2s.amessage.eu[24924]: unable to open Berkeley db /etc/sasldb2: Permission denied
Jul  1 22:37:07 eder jadc2s.amessage.eu[24924]: sql plugin Parse the username m at tthias.eu


So I see Cyrus is first trying to read the plain text password (and gets
it from the database). Then it does the query for the hashed password and
does not get one.
Shouldn't Cyrus SASL use the plain text password in my case now? Instead
it tries to read /etc/sasldb2 (which is not used in my setup).


With the changed setup, Cyrus SASL does get the plain text password for
both queries and feels happy with that. I can authenticate and Cyrus is
not trying to access /etc/sasldb2.



Has something changed in Cyrus that makes my query fail? Did I
misunderstand how the %p variable works? Isn't it a problem if I
return the plain text password in my SQL statement, when Cyrus expects
to get a hashed password for its DIGEST-MD5 query?



Regards,
Matthias

-- 
Matthias Wimmer            USt-IdNr. DE244176643
Contact details:     http://matthias.wimmer.tel/
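The mechanism the mail is about is the sql auxprop plugin expanding %u, %r and %p into the sql_select template once per requested property. The following is an added simulation, not code from Cyrus SASL or from the poster: it runs both templates from the mail against a constructed SQLite table shaped like the system_users table (one row: user "m", realm "tthias.eu", placeholder password "XXXXXXXX") for the two properties the log shows being requested. The placeholder-expansion and quote-escaping logic here is an assumption about the plugin's behaviour, written only to show how the '%p'='userPassword' predicate gates which property lookup returns a row.

```python
import sqlite3

# Constructed sample data standing in for the poster's system_users table
# (plaintext passwords, as the mail describes). The password is a placeholder.
USERS = [("m", "tthias.eu", "XXXXXXXX")]

# The two sql_select templates quoted in the mail.
ORIGINAL_TEMPLATE = ("SELECT password FROM system_users "
                     "WHERE '%p'='userPassword' AND username='%u' AND realm='%r'")
CHANGED_TEMPLATE = ("SELECT password FROM system_users "
                    "WHERE username='%u' AND realm='%r'")

# Properties requested, in the order the log shows them.
PROPS = ["userPassword", "cmusaslsecretDIGEST-MD5"]


def expand(template, user, realm, prop):
    """Expand %u, %r and %p in the template.

    Assumption for this simulation: values are escaped by doubling single
    quotes (SQLite's string-literal escaping) and %% yields a literal %.
    Whether the real plugin does exactly this is not established here.
    """
    def esc(value):
        return value.replace("'", "''")

    subs = {"u": esc(user), "r": esc(realm), "p": esc(prop), "%": "%"}
    out = []
    i = 0
    while i < len(template):
        ch = template[i]
        if ch == "%" and i + 1 < len(template) and template[i + 1] in subs:
            out.append(subs[template[i + 1]])
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def make_db():
    """In-memory table with the constructed sample row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE system_users (username TEXT, realm TEXT, password TEXT)")
    conn.executemany("INSERT INTO system_users VALUES (?, ?, ?)", USERS)
    return conn


def lookup(conn, template, user, realm):
    """Run the template once per property and return {property: [values]}."""
    results = {}
    for prop in PROPS:
        query = expand(template, user, realm, prop)
        rows = conn.execute(query).fetchall()
        results[prop] = [row[0] for row in rows]
    return results


if __name__ == "__main__":
    db = make_db()
    print("original:", lookup(db, ORIGINAL_TEMPLATE, "m", "tthias.eu"))
    print("changed: ", lookup(db, CHANGED_TEMPLATE, "m", "tthias.eu"))
```

With the original template the userPassword lookup returns the one row and the cmusaslsecretDIGEST-MD5 lookup returns none, matching the row counts 1 and 0 in the log; with the changed template both lookups return the plaintext value. The escaping step is the part to watch in any such template scheme: the username is interpolated into the SQL text, so a quote that is not escaped becomes part of the query.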


More information about the Cyrus-sasl mailing list