Re: [PATCH v2 2/2] autofs-5.1.8 - ldap_sasl_interactive_bind() needs credentials for auto-detection

[Thomas Reim <reimth@xxxxxxxxx>]

Dear Paul,

thank you for reviewing the patch. My understanding of your comment is 
to align the notation and use authentication "type" or "method". Is this 
correct?

In general, IANA and IETF define SASL authentication mechanisms. For 
LDAP people talk about different types LDAP authentication calls: simple 
bind, SASL bind, mixed bind type.
In autofs LDAP configuration users can specify the SASL mechanism using 
attribute authtype and the authentication bind call type using parameter 
authrequired.

I'm not sure how to proceed. Maybe we should use:
- "Simple authentication requires ..."
- "%s authentication requires ..." (e. g. SCRAM-SHA-256 authentication 
requires ...)
- "SASL authentication mechanism auto-selection requires ..."

What do you think?

Kind regards

Thomas

On 12.09.22 07:18, Paul Menzel wrote:
> Dear Thomas,
>
>
> Thank you for your patch. Two minor things below.
>
> Am 12.09.22 um 02:58 schrieb ThomasReim:
> > From: Thomas Reim <reimth@xxxxxxxxx>
> >
> > SASL mechanism auto-selection using ldap_sasl_interactive_bind() is 
> > tricky.
> > The behaviour and the required information depend not only on the 
> > capablities
>
> capabilities
>
> > of Cyrus SASL on the client machine but also on 
> > supportedSASLmechanisms on the
> > LDAP server. The latter information will be requested by libldap 
> > during SASL
> > mechanism negotiation. Current OpenLDAP libldap implementation is to 
> > prefer
> > user credential based SCRAM-* mechanisms on token based GSSAPI. Only 
> > exception
> > are SASL bind requests to servers, e. g. Active Directory domain 
> > controllers,
> > that have disabled all SASL mechanisms, which rely on user credential 
> > transfer
> > between client and directory server.
> >
> > Current autofs implementation fetches user credential information 
> > from LDAP
> > authentication configuration file for LDAP simple binds or if users 
> > explicitly
> > specify a user credential based authentication mechanism (authtype).
> >
> > This patch makes specification of user credentials mandatory for SASL 
> > mechanism
> > auto-detection using ldap_sasl_interactive_bind(). Users can then 
> > omit SASL
> > authtype specification and automount will auto-select the best suited 
> > user
> > credential based SASL mechanism supported by client and LDAP server.
> > If authtype="GSSAPI" is specified together with 
> > authrequired="autodetect"
> > automount will obtain a Kerberos ticket-granting ticket and bind to 
> > all Active
> > Directory servers or use the specified user credentials to bind to 
> > all other
> > LDAP servers that also support user credential based SASL mechanisms.
> >
> > The patch is backward compatible to implementations that use autofs 
> > function
> > sasl_choose_mech(). The strategy of this function is to force users 
> > to specify
> > the SASL mechanism (authtype) if user credentials shall be used for 
> > SASL binding
> > and only perform auto-selection for server supported mechanisms, 
> > which are not
> > based on user credentials.
> >
> > Signed-off-by: Thomas Reim <reimth@xxxxxxxxx>
> > ---
> >   modules/lookup_ldap.c | 45 ++++++++++++++++++++++++++++++++++---------
> >   1 file changed, 36 insertions(+), 9 deletions(-)
> >
> > diff --git a/modules/lookup_ldap.c b/modules/lookup_ldap.c
> > index e4cc32b..f2e553a 100644
> > --- a/modules/lookup_ldap.c
> > +++ b/modules/lookup_ldap.c
> > @@ -644,14 +644,14 @@ static int do_bind(unsigned logopt, struct 
> > ldap_conn *conn,
> >               sasl_flags = LDAP_SASL_QUIET;
> >           }
> >   -        debug(logopt, "Attempting sasl bind with mechanism %s", 
> > ctxt->sasl_mech);
> > -
> >           if (ctxt->auth_required & LDAP_AUTH_AUTODETECT) {
> >               if (ctxt->sasl_mech) {
> >                   free(ctxt->sasl_mech);
> >                   ctxt->sasl_mech = NULL;
> >               }
> > -        }
> > +            debug(logopt, "Attempting sasl bind with mechanism 
> > auto-select");
> > +        } else
> > +            debug(logopt, "Attempting sasl bind with mechanism %s", 
> > ctxt->sasl_mech);
> >             /*
> >            *  If LDAP_AUTH_AUTODETECT is set, it means that there was no
> > @@ -1445,20 +1445,47 @@ int parse_ldap_config(unsigned logopt, struct 
> > lookup_context *ctxt)
> >           goto out;
> >       }
> >   +#ifndef WITH_LDAP_CYRUS_SASL
> >       if (auth_required == LDAP_AUTH_USESIMPLE ||
> >          (authtype && authtype_requires_creds(authtype))) {
> > +#else
> > +    /*
> > +     * OpenLDAP with Cyrus SASL needs user credentials for
> > +     * SASL mechanism auto-selection in following cases:
> > +     * (a) LDAP_AUTH_AUTODETECT
> > +     * (b) LDAP_AUTH_REQUIRED but no SASL mechanism specified
> > +     */
> > +    if (auth_required == LDAP_AUTH_USESIMPLE ||
> > +       (authtype && authtype_requires_creds(authtype)) ||
> > +       (!authtype && (auth_required & LDAP_AUTH_REQUIRED)) ||
> > +       (auth_required & LDAP_AUTH_AUTODETECT)) {
> > +#endif
> >           char *s1 = NULL, *s2 = NULL;
> >           ret = get_property(logopt, root, "user",  &user);
> >           ret |= get_property(logopt, root, "secret", &s1);
> >           ret |= get_property(logopt, root, "encoded_secret", &s2);
> >           if (ret != 0 || (!user || (!s1 && !s2))) {
> >   auth_fail:
> > -            error(logopt,
> > -                  MODPREFIX
> > -                  "%s authentication type requires a username "
> > -                  "and a secret.  Please fix your configuration "
> > -                  "in %s.", authtype, auth_conf);
> > -            free(authtype);
> > +            if (auth_required == LDAP_AUTH_USESIMPLE)
> > +                error(logopt,
> > +                      MODPREFIX
> > +                      "Simple authentication method requires a 
> > username "
>
> Above and below *type* instead of *method* is used.
>
> > +                      "and a secret. Please fix your configuration "
> > +                      "in %s.", auth_conf);
> > +            else if (authtype && authtype_requires_creds(authtype))
> > +                error(logopt,
> > +                      MODPREFIX
> > +                      "%s authentication type requires a username "
> > +                      "and a secret.  Please fix your configuration "
> > +                      "in %s.", authtype, auth_conf);
> > +            else
> > +                error(logopt,
> > +                      MODPREFIX
> > +                      "SASL authentication type auto-selection 
> > requires a "
> > +                      "username and a secret.  Please fix your 
> > configuration "
> > +                      "in %s.", auth_conf);
> > +            if (authtype)
> > +                free(authtype);
> >               if (user)
> >                   free(user);
> >               if (s1)
>
>
> Kind regards,
>
> Paul