Incompatibility with older versions of libsasldb.so?

Mike Percy mpercy at gmail.com
Fri Aug 23 04:12:26 EDT 2013


Hi folks,
I've been struggling with this issue for a few days and am hoping I can get
some help troubleshooting a confusing problem I'm hitting with the SASL
library.

It seems like there is some compatibility problem between stock cyrus-sasl
2.1.26 and the libsasldb.so shipped with RHEL 6. When I run
sasl_server_start() with either the anonymous or plain mechanism on RHEL,
the auth mechanism loads and seems to be OK until it tries looking for
auxprop plugins, when it returns SASL_NOMECH and logs the following message:

  could not find auxprop plugin, was searching for '[all]'

I don't have the same problem with the same code on my Ubuntu 13.04 dev
box... there it works as expected (I'm building cyrus-sasl the same way in
both environments).

On the RHEL machine, I am able to see the anonymous and plain mechanisms in
the app (via sasl_global_listmech()), as expected, but it seems like it
can't find libsasldb.so ... even though it is right there next to the other
loaded mechanisms.

$ ls -al /usr/lib64/sasl2
total 160
drwxr-xr-x.  2 root root  4096 Feb 20  2013 .
dr-xr-xr-x. 62 root root 36864 Jul 18 14:53 ..
lrwxrwxrwx.  1 root root    22 Feb 20  2013 libanonymous.so -> libanonymous.so.2.0.23
lrwxrwxrwx.  1 root root    22 Feb 20  2013 libanonymous.so.2 -> libanonymous.so.2.0.23
-rwxr-xr-x.  1 root root 18776 Dec  7  2011 libanonymous.so.2.0.23
...
lrwxrwxrwx.  1 root root    18 Feb 20  2013 libplain.so -> libplain.so.2.0.23
lrwxrwxrwx.  1 root root    18 Feb 20  2013 libplain.so.2 -> libplain.so.2.0.23
-rwxr-xr-x.  1 root root 18808 Dec  7  2011 libplain.so.2.0.23
lrwxrwxrwx.  1 root root    19 Feb 20  2013 libsasldb.so -> libsasldb.so.2.0.23
lrwxrwxrwx.  1 root root    19 Feb 20  2013 libsasldb.so.2 -> libsasldb.so.2.0.23
-rwxr-xr-x.  1 root root 22784 Dec  7  2011 libsasldb.so.2.0.23

(Note: I'm setting the plugin path to include /usr/lib64/sasl2 via a
SASL_CB_GETPATH callback.)

It looks like the library found the plugin modules; they show up in lsof
output:

$ sudo lsof -p 20497 | grep sasl2/
sasl_rpc- 20497 mpercy  mem    REG                8,1    22784    920289 /usr/lib64/sasl2/libsasldb.so.2.0.23
sasl_rpc- 20497 mpercy  mem    REG                8,1    31256    944275 /usr/lib64/sasl2/libgssapiv2.so.2.0.23
sasl_rpc- 20497 mpercy  mem    REG                8,1    18808    925831 /usr/lib64/sasl2/liblogin.so.2.0.23
sasl_rpc- 20497 mpercy  mem    REG                8,1    18808    925834 /usr/lib64/sasl2/libplain.so.2.0.23
sasl_rpc- 20497 mpercy  mem    REG                8,1    18776    920286 /usr/lib64/sasl2/libanonymous.so.2.0.23

In the application, I'm statically linking libsasl2 but not the plugins
(I'm relying on the plugins being there from the system packages). I'm
using stock cyrus-sasl-2.1.26 and building it like this:

  CFLAGS="-DPIC" ./configure --prefix=$PREFIX \
    --disable-digest --disable-sql --disable-cram --disable-ldap --disable-otp \
    --enable-static --enable-staticdlopen --without-des
  make clean
  make
  make install

To make things slightly more complicated, for the plain mech only, this
error goes away if I compile without -DPIC. But anonymous authentication
continues to fail with the above error code and log message, either with or
without -DPIC.

It's worth mentioning that I don't really need sasldb... not using it at
all AFAIK (I'm hooking into SASL_CB_SERVER_USERDB_CHECKPASS for plain auth
on the server). But it seems that _sasl_canon_user_lookup() requires an
auxprop plugin (any plugin) to be present. Here's the backtrace from the
above log message:

#0  _sasl_log (conn=<value optimized out>, level=5, fmt=0x6302f0 "could not find auxprop plugin, was searching for '%s'") at common.c:1988
#1  0x0000000000562118 in _sasl_auxprop_lookup (sparams=0x1164000, flags=0, user=0x1145fa1 "anonymous", ulen=9) at auxprop.c:973
#2  0x0000000000563ab5 in _sasl_auxprop_lookup_user_props (conn=0x1145200, user=<value optimized out>, ulen=<value optimized out>, flags=3, oparams=0x1145a70) at canonusr.c:220
#3  _sasl_canon_user_lookup (conn=0x1145200, user=<value optimized out>, ulen=<value optimized out>, flags=3, oparams=0x1145a70) at canonusr.c:281
#4  0x0000000000561860 in anonymous_server_mech_step (conn_context=<value optimized out>, sparams=0x1164000, clientin=0x10d9b18 "anonymous at localhost", clientinlen=34,
    serverout=<value optimized out>, serveroutlen=<value optimized out>, oparams=0x1145a70) at anonymous.c:135
#5  0x000000000055c1db in sasl_server_step (conn=0x1145200, clientin=<value optimized out>, clientinlen=<value optimized out>, serverout=0x7ffff6d67478, serveroutlen=<value optimized out>)
    at server.c:1618
#6  0x000000000055c6e4 in sasl_server_start (conn=0x1145200, mech=<value optimized out>, clientin=0x10d9b18 "anonymous at localhost", clientinlen=34, serverout=0x7ffff6d67478,
    serveroutlen=<value optimized out>) at server.c:1533

Any ideas about what the problem could be here? Or suggestions for
debugging this further?

Thanks in advance!

Mike


PS:
I've included some more details from the problematic environment below.

$ pluginviewer -a
Installed auxprop mechanisms are:
sasldb
List of auxprop plugins follows
Plugin "sasldb" ,     API version: 4
    supports store: yes

$ pluginviewer -s
Installed SASL (server side) mechanisms are:
ANONYMOUS GSSAPI PLAIN LOGIN EXTERNAL
List of server plugins follows
Plugin "anonymous" [loaded],     API version: 4
    SASL mechanism: ANONYMOUS, best SSF: 0, supports setpass: no
    security flags: NO_PLAINTEXT
    features: WANT_CLIENT_FIRST
Plugin "gssapiv2" [loaded],     API version: 4
    SASL mechanism: GSSAPI, best SSF: 56, supports setpass: no
    security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
    features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
Plugin "plain" [loaded],     API version: 4
    SASL mechanism: PLAIN, best SSF: 0, supports setpass: no
    security flags: NO_ANONYMOUS
    features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
Plugin "login" [loaded],     API version: 4
    SASL mechanism: LOGIN, best SSF: 0, supports setpass: no
    security flags: NO_ANONYMOUS
    features:

$ rpm -qa | grep sasl
cyrus-sasl-plain-2.1.23-13.el6.x86_64
cyrus-sasl-devel-2.1.23-13.el6.x86_64
cyrus-sasl-2.1.23-13.el6.x86_64
cyrus-sasl-gssapi-2.1.23-13.el6.x86_64
cyrus-sasl-lib-2.1.23-13.el6.x86_64

$ lsb_release -a
LSB Version:    :core-4.0-amd64:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-noarch
Distributor ID:    CentOS
Description:    CentOS release 6.2 (Final)
Release:    6.2
Codename:    Final
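
Added example, not part of the original post: a POSIX shell check that resolves each `lib*.so` link in a SASL plugin directory and reports the version suffix of the file it points to, flagging any that differ from the suffix expected for the libsasl2 the application links. It only shows which plugin versions are on disk; it does not by itself explain the auxprop failure. The function names, the expected-suffix parameter and the sample directory are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): inventory a SASL plugin
# directory and flag plugin files whose version suffix is not the expected one.

# sasl_plugin_inventory DIR EXPECTED_SUFFIX
# Prints one line per plugin: "<name> <version> <ok|MISMATCH>"
sasl_plugin_inventory() {
    dir=$1
    expected=$2
    for link in "$dir"/lib*.so; do
        [ -e "$link" ] || continue              # empty glob or dangling link
        real=$(readlink -f "$link") || continue # follow the symlink chain
        base=${real##*/}                        # e.g. libsasldb.so.2.0.23
        name=${base%%.so*}                      # libsasldb
        name=${name#lib}                        # sasldb
        case $base in
            *.so.*) version=${base#*.so.} ;;    # 2.0.23
            *)      version=unversioned ;;
        esac
        if [ "$version" = "$expected" ]; then
            status=ok
        else
            status=MISMATCH
        fi
        printf '%s %s %s\n' "$name" "$version" "$status"
    done
}

# sasl_plugin_mismatches DIR EXPECTED_SUFFIX -> count of flagged plugins
sasl_plugin_mismatches() {
    sasl_plugin_inventory "$1" "$2" |
        awk '$3 == "MISMATCH" { n++ } END { print n + 0 }'
}

# Constructed sample: a temporary directory shaped like the listing in the
# post (empty files plus the two symlinks per plugin). Prints its path.
make_sample_dir() {
    d=$(mktemp -d)
    for p in anonymous plain sasldb; do
        : > "$d/lib$p.so.2.0.23"
        ln -s "lib$p.so.2.0.23" "$d/lib$p.so"
        ln -s "lib$p.so.2.0.23" "$d/lib$p.so.2"
    done
    printf '%s\n' "$d"
}

# Usage on a real host: sasl_plugin_inventory /usr/lib64/sasl2 2.0.23
```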