(Resending, used wrong From address before, cc'd to openldap-its@xxxxxxxxxxxx) dwhite@xxxxxxx wrote:
Full_Name: Dan White
Version: 2.3.39
OS: Linux
URL: http://support.olp.net/ldap/log2.txt
Submission from: (NULL) (65.161.252.42)

If I enable SASL auto_transition, I receive the following error during authentication:

SASL(-14): authorization failure: invalid authcid

I'm using openldap version 2.3.39 for both slapd and my ldap utils (ldapsearch). I'm using the bdb backend. I'm also using Debian Etch with the following versions of software:

Cyrus SASL 2.1.22(.dfsg1-8)
libdb 4.2.52(+dfsg-2)
libc6 2.3.6(.ds1-13etch2)
PAM 0.79(-4)
pam_ldap 184(-2)

I'm using saslauthd's PAM backend, and in turn using pam_ldap for authentication, although I don't believe the problem is related to the saslauthd/pam configuration.

Here's the client side output from the attempted bind:

hiro:~# ldapsearch -LLL -Y PLAIN -U abrown@xxxxxxx uid=n/a
SASL/PLAIN authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Insufficient access (50)
        additional info: SASL(-14): authorization failure: invalid authcid

If I turn off auto_transition, it works:

hiro:~# ldapsearch -LLL -Y PLAIN -U abrown@xxxxxxx uid=n/a
SASL/PLAIN authentication started
Please enter your password:
SASL username: abrown@xxxxxxx
SASL SSF: 0
hiro:~#

My slapd.conf SASL service file looks like:

hiro:~# cat /usr/lib/sasl2/slapd.conf
keytab: /etc/krb5.keytab-ldap
pwcheck_method: saslauthd
auxprop_plugin: slapd
auto_transition: yes
log_level: 7

And the server log (loglevel -1) is located at:

http://support.olp.net/ldap/log2.txt

The error appears to be occurring while transitioning the password to the auxprop store, in the slap_sasl_authorize function:

        /* Skip SLAP_SASL_PROP_CONN */
        prop_getnames( props, slap_propnames+1, auxvals );

        /* Should not happen */
        if ( !auxvals[0].values ) {
                sasl_seterror( sconn, 0, "invalid authcid" );
                return SASL_NOAUTHZ;
        }

What I'm expecting to happen during the bind, is to have SASL overwrite my userPassword and cmusaslsecretOTP attributes, via the slapd auxprop plugin.
I have a lot of passwords in crypted form (which PAM authenticates), and I'm aiming towards a clear-text password store by using this functionality.
This is a bug in Cyrus SASL; the setpass function is zeroing out the connection state when it should be leaving it intact. The attached patch will fix the problem. (Verified using saslauthd and most of the above components.)
-- 
Howard Chu
Chief Architect, Symas Corp.        http://www.symas.com
Director, Highland Sun              http://highlandsun.com/hyc/
Chief Architect, OpenLDAP           http://www.openldap.org/project/
Index: server.c =================================================================== RCS file: /cvs/src/sasl/lib/server.c,v retrieving revision 1.147 diff -u -r1.147 server.c --- server.c 3 Jul 2006 14:43:16 -0000 1.147 +++ server.c 23 Dec 2007 01:52:25 -0000 @@ -129,6 +129,7 @@ int result = SASL_OK, tmpresult; sasl_server_conn_t *s_conn = (sasl_server_conn_t *) conn; const char *password_request[] = { SASL_AUX_PASSWORD_PROP, NULL }; + struct propctx *propctx = NULL; sasl_server_userdb_setpass_t *setpass_cb = NULL; void *context = NULL; int tried_setpass = 0; @@ -172,14 +173,18 @@ pass = NULL; passlen = 0; } - - result = prop_request(s_conn->sparams->propctx, password_request); + + propctx = prop_new(0); + if ( !propctx ) { + RETURN(conn, SASL_NOMEM); + } + result = prop_request(propctx, password_request); if (result == SASL_OK) { - result = prop_set(s_conn->sparams->propctx, SASL_AUX_PASSWORD_PROP, + result = prop_set(propctx, SASL_AUX_PASSWORD_PROP, pass, passlen); } if (result == SASL_OK) { - result = sasl_auxprop_store(conn, s_conn->sparams->propctx, user); + result = sasl_auxprop_store(conn, propctx, user); } if (result != SASL_OK) { _sasl_log(conn, SASL_LOG_ERR, @@ -189,6 +194,7 @@ _sasl_log(conn, SASL_LOG_NOTE, "setpass succeeded for %s", user); } + prop_dispose(&propctx); } /* We want to preserve the current value of result, so we use tmpresult below */
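Review bot: in the second hunk (@@ -172,14 +173,18 @@) the allocation-failure exit `RETURN(conn, SASL_NOMEM);` is the only path that leaves the block before the `prop_dispose(&propctx);` added further down, which is fine here because nothing has been allocated yet; a failure from `prop_request` or `prop_set` falls through the `result != SASL_OK` branch and still reaches the dispose, so the private context is not leaked on the error path. Two style points: `if ( !propctx )` uses a different brace/spacing style from the neighbouring `if (result == SASL_OK)`, and the removed/added blank line before `propctx = prop_new(0);` is a whitespace-only change that adds noise to the diff.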
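Review bot: the third hunk (@@ -189,6 +194,7 @@) releases the context on both the success and the failure path by placing `prop_dispose(&propctx);` after the if/else that logs the outcome, which is the right spot; what is missing is a short comment, either here or at the `prop_new(0)` call, recording why a private context is used instead of `s_conn->sparams->propctx`. The reason given in the reply, that storing the password through the connection's own context wipes the connection state the later authorize step (`prop_getnames` followed by the `invalid authcid` check) depends on, is not visible from the code and is exactly the kind of knowledge a future cleanup would lose by switching back to the shared context.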