SASL authentication

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



> Date: Fri, 08 Sep 2006 09:01:41 -0600
> From: Richard Megginson <rmeggins at redhat.com>

> Josh Kelley wrote:
>> > On 9/7/06, Richard Megginson <rmeggins at redhat.com> wrote:
>>> >> I checked RFC 4513  - http://www.ietf.org/rfc/rfc4513.txt - it doesn't
>>> >> say anything about the correct result code to return in this case, other
>>> >> than it is an error if anything other than success or bindinprogress is
>>> >> returned.  You might want to ask on ldap at umich.edu or on
>>> >> IRC.freenode.net #ldap if there is a standard that covers this case.
>> >
>> > Thanks for the suggestion.  I'll ask.
>> >
>> > I skimmed RFC 4513 (sans coffee) and didn't find the section you're
>> > referring to.  I did see that RFC 4422 (last paragraph of section 3.6)
>> > seems to suggest that OS X's and OpenLDAP's behavior is legitimate and
>> > useful.

Before you go any further with this, please tell us which version of 
OpenLDAP you're using. Current releases (since 2.3.6) return 
invalidCredentials for a SASL bind failure:

ldapsearch -H ldap://:9000 -Y DIGEST-MD5
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
         additional info: SASL(-13): user not found: no secret in database

Probably we should also do something about not returning the 
SASL-specific error code in this case too, to adhere more to the intent 
of rfc4422. Logging it on the server side should be sufficient.

I just checked, and releases 2.1 and 2.2 returned error code 80 here. So 
it seems Apple is relying on a broken behavior.

> Yes.  But it seems to differ from the behavior of a simple bind (rfc4513 
> 5.1.3).  In a simple bind, the server resultCode differentiates these cases:
> 1) Invalid bind DN results in a noSuchObject (well, not exactly 
> specified, but this is the usual behavior)
> 2) Valid bind DN but invalid password results in invalidCredentials
> 
> However, the rfc (and also rfc 4511 Appendix A LDAP Result Codes) says 
> that other codes may be substituted for the above "to prevent 
> unauthorized disclosures (such as substitution of noSuchObject for 
> insufficientAccessRights, or invalidCredentials for 
> insufficientAccessRights)."
> 
> The SASL doc (rfc4422) says:
> 
> "It is also important that the server can be configured such that the outcome message will not distinguish between a valid user with invalid credentials and an invalid user."
> 
> 
> So it seems that SASL wants the server not to differentiate these cases, 
> probably for security reasons.  But this makes sasl binds have different 
> semantics than simple binds.
>> >
>> > Even if the standards permit either behavior (and even if it's
>> > slightly more secure to not reveal additional information, as David
>> > Boreham pointed out), wouldn't it be worth having FDS compatible with
>> > OpenLDAP and OS X?
> Yes.  And please file a bug about this at http://bugzilla.redhat.com/

-- 
   -- Howard Chu
   Chief Architect, Symas Corp.  http://www.symas.com
   Director, Highland Sun        http://highlandsun.com/hyc
   OpenLDAP Core Team            http://www.openldap.org/project/




[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux