This mail expands on a mail I had sent to cyrus-sasl@xxxxxxxxxxxxxxxxxxxx a few days ago. I spent the last days testing this and I believe I have found a bug.

Version: Cyrus SASL 2.1.22
OS: CentOS (also tested and verified on Ubuntu and OpenSuse)

Description:

Entries that can successfully be authenticated using the ldapwhoami command can only partially be authenticated using the Cyrus SASL ldapdb-plugin.

Steps to reproduce:

(All files are available for download at <http://www.state-of-mind.de/bugreport_cyrus-sasl-2.1.22.tgz>)

1. Install configuration as provided by bugreport_cyrus-sasl-2.1.22.tgz.

2. Use ldapwhoami to verify authentication:

    [root@netinstall ldap]# ldapwhoami -U a -w a
    SASL/DIGEST-MD5 authentication started
    SASL username: a
    SASL SSF: 128
    SASL installing layers
    dn:uid=a,ou=people,dc=example,dc=com
    Result: Success (0)

    [root@netinstall ldap]# ldapwhoami -U b -w b
    SASL/DIGEST-MD5 authentication started
    SASL username: b
    SASL SSF: 128
    SASL installing layers
    dn:uid=b,ou=people,dc=example,dc=com
    Result: Success (0)

3. Use sample-server and sample-client to test authentication:

    [root@netinstall ldap]# sasl2-sample-client -s rcmd -p 1234 -m PLAIN localhost
    receiving capability list... recv: {41}
    PLAIN LOGIN CRAM-MD5 ANONYMOUS DIGEST-MD5
    PLAIN LOGIN CRAM-MD5 ANONYMOUS DIGEST-MD5
    please enter an authentication id: b
    please enter an authorization id: b
    Password:
    send: {5}
    PLAIN
    send: {1}
    Y
    send: {5}
    b[0]b[0]b
    successful authentication
    closing connection

    [root@netinstall ldap]# sasl2-sample-client -s rcmd -p 1234 -m PLAIN localhost
    receiving capability list... recv: {41}
    PLAIN LOGIN CRAM-MD5 ANONYMOUS DIGEST-MD5
    PLAIN LOGIN CRAM-MD5 ANONYMOUS DIGEST-MD5
    please enter an authentication id: a
    please enter an authorization id: a
    Password:
    send: {5}
    PLAIN
    send: {1}
    Y
    send: {5}
    a[0]a[0]a
    authentication failed
    closing connection

We want to use ldapdb in production in two weeks from now. We can switch, but we'd rather not.

Thanks,

p@rick

--
state of mind
Agentur für Kommunikation, Design und Softwareentwicklung

Patrick Koetter            Tel: 089 45227227
Echinger Strasse 3         Fax: 089 45227226
85386 Eching               Web: http://www.state-of-mind.de

Amtsgericht München        Partnerschaftsregister PR 563