Re: [PATCH 2/2] autofs-5.1.8 - ldap_sasl_interactive_bind() needs credentials for auto-detection

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I'm sorry but I have to revise this patch. SASL mechanism auto-selection is really tricky. automount requires auto-selection of the SASL mechanism also if the user specifies authrequired="yes" but does not specify an SASL mechanism to use. This case is missing in the if clause below and ldap_sasl_interactive_bind() will fail to auto-select the mechanism due to missing user credentials.

I will post a second version (v2) of the patches that fix this issue.

On 11.09.22 16:41, ThomasReim wrote:
From: Thomas Reim <reimth@xxxxxxxxx>

SASL mechanism auto-selection using ldap_sasl_interactive_bind() is tricky.
The behaviour and the required information depend not only on the capablities
of Cyrus SASL on the client machine but also on supportedSASLmechanisms on the
LDAP server. The latter information will be requested by libldap during SASL
mechanism negotiation. Current OpenLDAP libldap implementation is to prefer
user credential based SCRAM-* mechanisms on token based GSSAPI. Only exception
are SASL bind requests to servers, e. g. Active Directory domain controllers,
that have disabled all SASL mechanisms, which rely on user credential transfer
between client and directory server.

Current autofs implementation fetches user credential information from LDAP
authentication configuration file for LDAP simple binds or if users explicitly
specify a user credential based authentication mechanism (authtype).

This patch makes specification of user credentials mandatory for SASL mechanism
auto-detection using ldap_sasl_interactive_bind(). Users can then omit SASL
authtype specification and automount will auto-select the best suited user
credential based SASL mechanism supported by client and LDAP server.
If authtype="GSSAPI" is specified together with authrequired="autodetect"
automount will obtain a Kerberos ticket-granting ticket and bind to all Active
Directory servers or use the specified user credentials to bind to all other
LDAP servers that also support user credential based SASL mechanisms.

The patch is backward compatible to implementations that use autofs function
sasl_choose_mech(). The strategy of this function is to force users to specify
the SASL mechanism (authtype) if user credentials shall be used for SASL binding
and only perform auto-selection for server supported mechanisms, which are not
based on user credentials.

Signed-off-by: Thomas Reim <reimth@xxxxxxxxx>
---
  modules/lookup_ldap.c | 38 +++++++++++++++++++++++++++++---------
  1 file changed, 29 insertions(+), 9 deletions(-)

diff --git a/modules/lookup_ldap.c b/modules/lookup_ldap.c
index e4cc32b..160c7a9 100644
--- a/modules/lookup_ldap.c
+++ b/modules/lookup_ldap.c
@@ -644,14 +644,14 @@ static int do_bind(unsigned logopt, struct ldap_conn *conn,
  			sasl_flags = LDAP_SASL_QUIET;
  		}
- debug(logopt, "Attempting sasl bind with mechanism %s", ctxt->sasl_mech);
-
  		if (ctxt->auth_required & LDAP_AUTH_AUTODETECT) {
  			if (ctxt->sasl_mech) {
  				free(ctxt->sasl_mech);
  				ctxt->sasl_mech = NULL;
  			}
-		}
+			debug(logopt, "Attempting sasl bind with mechanism auto-select");
+		} else
+			debug(logopt, "Attempting sasl bind with mechanism %s", ctxt->sasl_mech);
/*
  		 *  If LDAP_AUTH_AUTODETECT is set, it means that there was no
@@ -1445,20 +1445,40 @@ int parse_ldap_config(unsigned logopt, struct lookup_context *ctxt)
  		goto out;
  	}
+#ifndef WITH_LDAP_CYRUS_SASL
  	if (auth_required == LDAP_AUTH_USESIMPLE ||
  	   (authtype && authtype_requires_creds(authtype))) {
+#else
+	if (auth_required == LDAP_AUTH_USESIMPLE ||
+	   (authtype && authtype_requires_creds(authtype)) ||
+	   (auth_required & LDAP_AUTH_AUTODETECT)) {
+#endif
  		char *s1 = NULL, *s2 = NULL;
  		ret = get_property(logopt, root, "user",  &user);
  		ret |= get_property(logopt, root, "secret", &s1);
  		ret |= get_property(logopt, root, "encoded_secret", &s2);
  		if (ret != 0 || (!user || (!s1 && !s2))) {
  auth_fail:
-			error(logopt,
-			      MODPREFIX
-			      "%s authentication type requires a username "
-			      "and a secret.  Please fix your configuration "
-			      "in %s.", authtype, auth_conf);
-			free(authtype);
+			if (auth_required == LDAP_AUTH_USESIMPLE)
+				error(logopt,
+				      MODPREFIX
+				      "Simple authentication method requires a username "
+				      "and a secret.  Please fix your configuration "
+				      "in %s.", auth_conf);
+			else if (authtype)
+				error(logopt,
+				      MODPREFIX
+				      "%s authentication type requires a username "
+				      "and a secret.  Please fix your configuration "
+				      "in %s.", authtype, auth_conf);
+			else
+				error(logopt,
+				      MODPREFIX
+				      "SASL authentication type auto-selection requires a "
+				      "username and a secret.  Please fix your configuration "
+				      "in %s.", authtype, auth_conf);
+			if (authtype)
+				free(authtype);
  			if (user)
  				free(user);
  			if (s1)



[Index of Archives]     [Linux Filesystem Development]     [Linux Ext4]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux