Hi,

On Sun, Sep 11, 2022 at 9:58 PM ThomasReim <reimth@xxxxxxxxx> wrote:
> This patch enables SCRAM-SHA-1 and other SCRAM-SHA mechanisms
> (if supported by SASL library).
> @@ -1241,6 +1241,7 @@ int authtype_requires_creds(const char *authtype)
>  #ifdef WITH_SASL
>  if (!strncmp(authtype, "PLAIN", strlen("PLAIN")) ||
>  !strncmp(authtype, "DIGEST-MD5", strlen("DIGEST-MD5")) ||
> + !strncmp(authtype, "SCRAM-SHA-", strlen("SCRAM-SHA-")) ||
>  !strncmp(authtype, "LOGIN", strlen("LOGIN")))
>  return 1;
>  #endif

While writing a test for this, I decided to include NTLM and CRAM-MD5, and noticed something interesting.

NTLM in autofs-5.1.8 would "work". automount was able to fetch the map from openldap using NTLM SASL authentication, even though it's not handled by authtype_requires_creds(). When switching to openldap for the sasl authentication, automount would fail if configured to use NTLM.

So initially I thought it was a regression, but it turns out automount 5.1.8 was just ignoring the SASL NTLM error and continuing. openldap allowed that, but treated it as an anonymous bind I suppose, and since the ACLs didn't prevent that, in the end it all worked.

Attempting to mount entry /mnt/storage, notice how sasl fails, but is then declared as having worked:

lookup_mount: lookup(ldap): looking up storage
do_bind: lookup(ldap): auth_required: 2, sasl_mech NTLM
sasl_bind_mech: Attempting sasl bind with mechanism NTLM
getuser_func: called with context (nil), id 16386.
sasl_log_func:128: Parameter Error in ../../common/plugin_common.c near line 364
sasl_bind_mech: sasl bind with mechanism NTLM succeeded
do_bind: lookup(ldap): autofs_sasl_bind returned 0
get_query_dn: lookup(ldap): query succeeded, no matches for (objectclass=nisMap)
get_query_dn: lookup(ldap): found query dn ou=auto.indirect,dc=example,dc=fake
lookup_one: lookup(ldap): searching for "(&(objectclass=automount)(|(cn=storage)(cn=/)(cn=\2A)))" under "ou=auto.indirect,dc=example,dc=fake"
lookup_one: lookup(ldap): getting first entry for cn="storage"
lookup_one: lookup(ldap): examining first entry
lookup_mount: lookup(ldap): storage -> -fstype=nfs4 server.example.fake:/&

corresponding openldap logs:

slapd[5499]: conn=1012 op=0 BIND dn="" method=163
slapd[5499]: NTLM server step 1
slapd[5499]: client flags: 207
slapd[5499]: conn=1012 op=0 RESULT tag=97 err=14 qtime=0.000021 etime=0.000118 text=SASL(0): successful result:
slapd[5499]: conn=1012 op=1 BIND dn="" method=163
slapd[5499]: NTLM server step 2
slapd[5499]: SASL [conn=1012] Failure: client didn't issue valid NTLM response
slapd[5499]: conn=1012 op=1 RESULT tag=97 err=80 qtime=0.000018 etime=0.000070 text=SASL(-5): bad protocol / cancel: client didn't issue valid NTLM response
slapd[5499]: conn=1012 op=2 SRCH base="ou=auto.indirect,dc=example,dc=fake" scope=2 deref=0 filter="(objectClass=nisMap)"
slapd[5499]: conn=1012 op=2 SRCH attr=nisMapName
slapd[5499]: conn=1012 op=2 SEARCH RESULT tag=101 err=0 qtime=0.000016 etime=0.000166 nentries=0 text=
slapd[5499]: conn=1012 op=3 SRCH base="ou=auto.indirect,dc=example,dc=fake" scope=2 deref=0 filter="(objectClass=automountMap)"
slapd[5499]: conn=1012 op=3 SRCH attr=ou
slapd[5499]: conn=1012 op=3 SEARCH RESULT tag=101 err=0 qtime=0.000016 etime=0.000112 nentries=1 text=
slapd[5499]: conn=1012 op=4 SRCH base="ou=auto.indirect,dc=example,dc=fake" scope=2 deref=0 filter="(&(objectClass=automount)(|(cn=storage)(cn=/)(cn=\2A)))"
slapd[5499]: conn=1012 op=4 SRCH attr=cn automountInformation
slapd[5499]: conn=1012 op=4 SEARCH RESULT tag=101 err=0 qtime=0.000018 etime=0.000123 nentries=1 text=

Now, NTLM and CRAM-MD5 are deprecated nowadays (especially CRAM-MD5, see https://datatracker.ietf.org/doc/html/draft-ietf-sasl-crammd5-to-historic-00.html). Is there still interest in supporting those? If yes, the trivial change should be just this:

--- a/modules/lookup_ldap.c
+++ b/modules/lookup_ldap.c
@@ -1208,6 +1208,8 @@
 if (!strncmp(authtype, "PLAIN", strlen("PLAIN")) ||
 !strncmp(authtype, "DIGEST-MD5", strlen("DIGEST-MD5")) ||
 !strncmp(authtype, "SCRAM-SHA-", strlen("SCRAM-SHA-")) ||
+ !strncmp(authtype, "NTLM", strlen("NTLM")) ||
+ !strncmp(authtype, "CRAM-MD5", strlen("CRAM-MD5")) ||
 !strncmp(authtype, "LOGIN", strlen("LOGIN")))
 return 1;
 #endif
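Review bot: on the quoted SCRAM hunk (@@ -1241,6 +1241,7 @@ int authtype_requires_creds), the prefix match !strncmp(authtype, "SCRAM-SHA-", strlen("SCRAM-SHA-")) flags every name beginning with "SCRAM-SHA-" (SCRAM-SHA-1, SCRAM-SHA-256 and their -PLUS forms) as needing credentials, which is the right default for a password-based mechanism and matches the idiom of the neighbouring entries; what is missing from the patch as quoted is the documentation side, so the autofs_ldap_auth.conf(5) man page, which lists the accepted authtype values, should gain the SCRAM-SHA-* family so administrators know the new names are recognised.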
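Review bot: on the NTLM/CRAM-MD5 hunk (@@ -1208,6 +1208,8 @@), adding the two names to authtype_requires_creds() only makes automount insist on a user and secret for those mechanisms; it leaves untouched the failure path shown in the log above, where slapd answered err=80 yet sasl_bind_mech logged "sasl bind with mechanism NTLM succeeded" and autofs_sasl_bind returned 0, so a failed SASL step still falls through to an effectively anonymous search. That error handling deserves its own change, independent of whether these deprecated mechanisms are kept. Two smaller points: the hunk header carries no function context and its line numbers differ from the quoted hunk (@@ -1241 ...), so say which tree it applies on top of, and the commit message should record that NTLM and CRAM-MD5 are deprecated, citing the draft you link, so the choice to support them anyway is documented.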
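The pattern this mail uncovers, a SASL bind that slapd rejects followed by searches on the same connection that slapd still answers, can be picked out of a slapd log mechanically, which is useful for spotting clients that silently fall back to anonymous access. The script below is an added example, not code from this thread, from autofs or from OpenLDAP; the log lines embedded in it are constructed after the slapd output quoted above (the conn=1013 lines are invented as a clean control), the only result-code assumption is that err=14 is saslBindInProgress and err=0 is success, and the function name find_unauthenticated_searches is the example's own.

```python
"""Flag LDAP connections whose SASL bind failed but which still ran searches.

Added example: parses the conn=/op= lines slapd writes at loglevel stats.
"""
import re

# LDAP result code 14 (saslBindInProgress) marks an intermediate SASL step,
# not a failure; anything other than 0 or 14 on a bindResponse is a failed bind.
SASL_IN_PROGRESS = 14

BIND_RESULT = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')
SEARCH_REQ = re.compile(r'conn=(\d+) op=(\d+) SRCH base=')
SEARCH_RESULT = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT tag=101 err=(\d+)')

# Constructed sample log: conn=1012 mirrors the NTLM failure quoted in the mail,
# conn=1013 is an invented connection whose bind succeeds (control case).
SAMPLE_LOG = """\
slapd[5499]: conn=1012 op=0 BIND dn="" method=163
slapd[5499]: conn=1012 op=0 RESULT tag=97 err=14 qtime=0.000021 etime=0.000118 text=SASL(0): successful result:
slapd[5499]: conn=1012 op=1 BIND dn="" method=163
slapd[5499]: SASL [conn=1012] Failure: client didn't issue valid NTLM response
slapd[5499]: conn=1012 op=1 RESULT tag=97 err=80 qtime=0.000018 etime=0.000070 text=SASL(-5): bad protocol / cancel: client didn't issue valid NTLM response
slapd[5499]: conn=1012 op=2 SRCH base="ou=auto.indirect,dc=example,dc=fake" scope=2 deref=0 filter="(objectClass=nisMap)"
slapd[5499]: conn=1012 op=2 SRCH attr=nisMapName
slapd[5499]: conn=1012 op=2 SEARCH RESULT tag=101 err=0 qtime=0.000016 etime=0.000166 nentries=0 text=
slapd[5499]: conn=1013 op=0 BIND dn="" method=163
slapd[5499]: conn=1013 op=0 RESULT tag=97 err=0 qtime=0.000020 etime=0.000100 text=
slapd[5499]: conn=1013 op=1 SRCH base="ou=auto.indirect,dc=example,dc=fake" scope=2 deref=0 filter="(objectClass=automountMap)"
slapd[5499]: conn=1013 op=1 SEARCH RESULT tag=101 err=0 qtime=0.000016 etime=0.000112 nentries=1 text=
"""


def find_unauthenticated_searches(log_text):
    """Return one finding per search issued on a connection after its bind failed.

    A finding records the connection, the search op, the op of the failed bind
    and whether slapd actually served the search (SEARCH RESULT with err=0).
    A later successful bind on the same connection clears the failed state.
    """
    failed_bind = {}   # conn id -> op number of the most recent failed bind
    findings = []
    for line in log_text.splitlines():
        m = BIND_RESULT.search(line)
        if m:
            conn, op, err = m.group(1), int(m.group(2)), int(m.group(3))
            if err == 0:
                failed_bind.pop(conn, None)      # authenticated: clear the flag
            elif err != SASL_IN_PROGRESS:
                failed_bind[conn] = op           # bind rejected by the server
            continue
        m = SEARCH_REQ.search(line)
        if m:
            conn, op = m.group(1), int(m.group(2))
            if conn in failed_bind:
                findings.append({"conn": conn, "op": op,
                                 "failed_bind_op": failed_bind[conn],
                                 "served": False})
            continue
        m = SEARCH_RESULT.search(line)
        if m:
            conn, op, err = m.group(1), int(m.group(2)), int(m.group(3))
            for finding in findings:
                if finding["conn"] == conn and finding["op"] == op and err == 0:
                    finding["served"] = True   # server answered as anonymous
    return findings


if __name__ == "__main__":
    for finding in find_unauthenticated_searches(SAMPLE_LOG):
        print("conn=%(conn)s op=%(op)d searched after failed bind op=%(failed_bind_op)d, served=%(served)s"
              % finding)
```

Point it at a real slapd log written at loglevel stats and any finding with served=True is a search the server answered on a connection whose last bind was rejected, i.e. the server treated the client as anonymous. That is the client-side bug from the mail seen from the server, and it also shows the server-side mitigation that holds regardless of the autofs fix: an ACL that denies anonymous reads of the automount map would turn those served=True entries into err != 0 results.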