Digging into a problem

Mon Jul 2 06:33:20 EDT 2012

On 02/07/2012 00:51, Matthias Wimmer wrote:
> Hi,

Hi,

> I am currently digging into a problem I have with cyrus sasl since I
> upgraded from Ubuntu 11.10 to 12.04.

Which version of SASL is used by Ubuntu 12.04?

> Some of my own programs stopped working since that upgrade. After some
> playing with the code, I found out, that I could log in again after I
> changed to SQL query string I am using.
>
> What I had until now (and did work in the past) was this:
>
> sql_select: SELECT password FROM system_users WHERE '%p'='userPassword' AND username='%u' AND realm='%r'
>
> I changed now changed this to:
>
> sql_select: SELECT password FROM system_users WHERE AND username='%u' AND realm='%r'
>
> This does now work again.
>
>
>
> In my user database I only store the plain text passwords. So with the
> original query I tried to make sure, that only the query for the plain
> text password does return results.
>
> With the original query, I can see in my logs, that two queries are made
> against my postgresql database (some additional logging by me):
>
> Jul  1 22:37:07 eder jadc2s.amessage.eu[24924]: sql plugin create statement from userPassword m tthias.eu
> Jul  1 22:37:07 eder jadc2s.amessage.eu[24924]: sql plugin doing query SELECT password FROM system_users WHERE 'userPassword'='userPassword' AND username='m' AND realm='tthias.eu' ;
> Jul  1 22:37:07 eder jadc2s.amessage.eu[24924]: PostgreSQL query: SELECT password FROM system_users WHERE 'userPassword'='userPassword' AND username='m' AND realm='tthias.eu';
> Jul  1 22:37:07 eder jadc2s.amessage.eu[24924]: PostgreSQL query status: PGRES_TUPLES_OK
> Jul  1 22:37:07 eder jadc2s.amessage.eu[24924]: Row Count: 1
> Jul  1 22:37:07 eder jadc2s.amessage.eu[24924]: PostgreSQL result was: XXXXXXXX
> Jul  1 22:37:07 eder jadc2s.amessage.eu[24924]: sql plugin create statement from cmusaslsecretDIGEST-MD5 m tthias.eu
> Jul  1 22:37:07 eder jadc2s.amessage.eu[24924]: sql plugin doing query SELECT password FROM system_users WHERE 'cmusaslsecretDIGEST-MD5'='userPassword' AND username='m' AND realm= 'tthias.eu';
> Jul  1 22:37:07 eder jadc2s.amessage.eu[24924]: PostgreSQL query: SELECT password FROM system_users WHERE 'cmusaslsecretDIGEST-MD5'='userPassword' AND username='m' AND realm='tthi as.eu';
> Jul  1 22:37:07 eder jadc2s.amessage.eu[24924]: PostgreSQL query status: PGRES_TUPLES_OK
> Jul  1 22:37:07 eder jadc2s.amessage.eu[24924]: Row Count: 0
> Jul  1 22:37:07 eder jadc2s.amessage.eu[24924]: sql plugin: no result found (not row count)
> Jul  1 22:37:07 eder jadc2s.amessage.eu[24924]: commit transaction
> Jul  1 22:37:07 eder jadc2s.amessage.eu[24924]: PostgreSQL query: COMMIT;
> Jul  1 22:37:07 eder jadc2s.amessage.eu[24924]: PostgreSQL query status: PGRES_COMMAND_OK
> Jul  1 22:37:07 eder jadc2s.amessage.eu[24924]: ... so no results
> Jul  1 22:37:07 eder jadc2s.amessage.eu[24924]: unable to open Berkeley db /etc/sasldb2: Permission denied
> Jul  1 22:37:07 eder jadc2s.amessage.eu[24924]: sql plugin Parse the username m at tthias.eu
>
>
> So I see cyrus is first trying to read the plain text password (and gets
> it from the database. Then it does the query for the hashed password and
> does not get one.
> Shouldn't Cyrus SASL use the plain text password in my case now?

What does your program do (or more specifically, how does it use 
libsasl)? In general, SASL plugins like DIGEST-MD5 can request both 
cleartext attribute (userPassword) and a non cleartext one, but should 
work if either one of them is present. Hopefully the same applies to 
your program.

> Instead
> it tries to read /etc/sasldb2 (which is not used in my setup).

You have SASLDB auxprop plugin installed and enabled. If you don't want 
to use it, you should disable it.

> With the changed setup, Cyrus SASL does get the plain text password for
> both queries and feels happy with that. I can authenticate and Cyrus is
> not trying to access /etc/sasldb2.
>
>
>
> Has there something changed in cyrus, that makes my query fail? Did I
> understand wrong how the %p variable works? Isn't it a problem if I
> return the plain text password in my SQL statement, when Cyrus expects
> to get a hashed password for its DIGEST-MD5 query?