SASL auth problem on bind with Mac OS X 10.4

Hi Rich...

Thanks for your reply!

> > I rebooted also my mac. My mac no longer issues a CRAM-MD5 SASL bind,
> > that is the good news, but it does not switch over to a simple bind using
> > a binddn. It just does no bind anymore. What a mess.
> So the mac finds that CRAM-MD5 is not available, and does nothing at all?
Mac OS X 10.4 behaves that way. At least as far as I can tell from my
wireshark sniffing and the 389ds access log file. It just does some searches
for user attributes (including userPassword), but no bind for authorization
as user, just an anonymous bind ahead of all this which does not retrieve
the password due to the anonymous aci entry of 389ds. I removed the restriction
to not deliver the userPassword in searches with anonymous bind, but it did
not help either.

I consider this to be a bug in 10.4. With Mac OS X 10.5 and 10.6 this
has changed. There it tries the SASL auth first (if available) and if
it fails (or it is not available) it is doing a simple bind which then
succeeds.

> > Maybe I haven't found it but an option to enable/disable certain SASL
> > methods within 389ds would IMHO be good to have for other situations
> > where you can come into these needs.
> It's on the Roadmap - http://directory.fedoraproject.org/wiki/Roadmap
Nice to read... Thanks.... :-)

But generally speaking - with thinking while typing:
If the password policy is set to something other than cleartext,
SASL MD5 methods do not make sense at all. An auth using these methods
will not succeed. Right?
So they could automatically be disabled by dirsrv if the password policy is set
to something other than cleartext? Or am I wrong?

Hmm... Or would it work (at least if the password is stored in md5, not
s(sha)) if the same salt is used in the sasl md5 challenge supplied to the client?
If the client uses this supplied salt for hashing the password, the sent result
should be comparable with the stored md5 hashed password using that same salt. So
a SASL MD5 auth would be possible then. Maybe I am wrong and it is already much
too late for me to think about these things today ... ;-)

Roland
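The exchange Roland is reasoning about, as an added example that is not part of the original post and not 389ds code: a minimal CRAM-MD5 round trip, the same credential checked by a simple bind against an {SSHA} entry, and the "drop the MD5 mechanisms unless storage is cleartext" rule he suggests, modelled as a small function. The host name, user name, password, salt and the scheme name "CLEAR" are all constructed or assumed values.

```python
# Added example (not code from the 389-users thread or from 389ds itself):
# a minimal CRAM-MD5 exchange, to show why the server side needs the
# cleartext password and why a simple bind still works against an {SSHA} entry.
# All names, hostnames, passwords and salts below are constructed sample values.
import base64
import hashlib
import hmac
import os
import secrets


def make_challenge(hostname="ldap.example.test"):
    """Server side: a fresh CRAM-MD5 challenge in the usual <nonce.time@host> shape."""
    return f"<{secrets.randbelow(10**9)}.{secrets.randbelow(10**9)}@{hostname}>".encode()


def cram_md5_response(username, password, challenge):
    """Client side: 'user hex(HMAC-MD5(key=password, msg=challenge))' (RFC 2195)."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"


def verify_with_cleartext(stored_cleartext, challenge, response):
    """Server side when the entry holds the cleartext password: recompute and compare."""
    _username, _, digest = response.partition(" ")
    expected = hmac.new(stored_cleartext.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def ssha_store(password, salt=None):
    """Salted SHA-1 in the {SSHA} form directory servers store: base64(sha1(pw+salt)+salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_simple_bind_ssha(stored_ssha, password):
    """Simple bind: the server receives the password itself, so it can re-hash and compare."""
    raw = base64.b64decode(stored_ssha[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


def verify_cram_md5_ssha(stored_ssha, challenge, response):
    """CRAM-MD5 against an {SSHA} entry: the server would need HMAC-MD5(password, challenge)
    but only holds sha1(password + salt); the two cannot be related, so verification
    is impossible and the only honest outcome is 'mechanism unusable' (None)."""
    if not stored_ssha.startswith("{SSHA}"):
        raise ValueError("expected an {SSHA} value")
    return None


def advertised_sasl_mechanisms(password_storage_scheme):
    """Roland's suggestion, modelled: advertise the shared-secret mechanisms only when
    the storage scheme is cleartext. 'CLEAR' as the scheme name is an assumption
    about the directory's configuration vocabulary; the mechanism list is illustrative."""
    mechanisms = ["GSSAPI", "DIGEST-MD5", "CRAM-MD5", "PLAIN"]
    need_cleartext = {"DIGEST-MD5", "CRAM-MD5"}
    if password_storage_scheme.upper() != "CLEAR":
        return [m for m in mechanisms if m not in need_cleartext]
    return mechanisms


if __name__ == "__main__":
    challenge = make_challenge()
    response = cram_md5_response("roland", "s3cret-sample", challenge)
    print("cleartext store, CRAM-MD5:", verify_with_cleartext("s3cret-sample", challenge, response))
    stored = ssha_store("s3cret-sample")
    print("SSHA store, CRAM-MD5:", verify_cram_md5_ssha(stored, challenge, response))
    print("SSHA store, simple bind:", verify_simple_bind_ssha(stored, "s3cret-sample"))
    print("mechanisms with SSHA:", advertised_sasl_mechanisms("SSHA"))
```

Two points the run makes visible: the CRAM-MD5 challenge is not a salt that the password is hashed with, it is the message, and the password itself is the HMAC key, so the server needs the password (or a password-equivalent) to check the answer; a simple bind over a protected connection hands the server the password and works fine against hashed storage. A variant in which the client hashed the password with the stored salt before keying the HMAC would make the stored hash itself the secret, which is the property hashed storage exists to avoid.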

