Re: Digging into a problem

On 02/07/2012 00:51, Matthias Wimmer wrote:
Hi,

Hi,

I am currently digging into a problem I have with Cyrus SASL since I
upgraded from Ubuntu 11.10 to 12.04.

Which version of SASL is used by Ubuntu 12.04?

Some of my own programs stopped working since that upgrade. After some
playing with the code, I found out that I could log in again after I
changed the SQL query string I am using.

What I had until now (and did work in the past) was this:

sql_select: SELECT password FROM system_users WHERE '%p'='userPassword' AND username='%u' AND realm='%r'

I have now changed this to:

sql_select: SELECT password FROM system_users WHERE username='%u' AND realm='%r'

This does now work again.



In my user database I only store the plain text passwords. So with the
original query I tried to make sure that only the query for the plain
text password returns results.

With the original query, I can see in my logs that two queries are made
against my PostgreSQL database (some additional logging by me):

Jul  1 22:37:07 eder jadc2s.amessage.eu[24924]: sql plugin create statement from userPassword m tthias.eu
Jul  1 22:37:07 eder jadc2s.amessage.eu[24924]: sql plugin doing query SELECT password FROM system_users WHERE 'userPassword'='userPassword' AND username='m' AND realm='tthias.eu' ;
Jul  1 22:37:07 eder jadc2s.amessage.eu[24924]: PostgreSQL query: SELECT password FROM system_users WHERE 'userPassword'='userPassword' AND username='m' AND realm='tthias.eu';
Jul  1 22:37:07 eder jadc2s.amessage.eu[24924]: PostgreSQL query status: PGRES_TUPLES_OK
Jul  1 22:37:07 eder jadc2s.amessage.eu[24924]: Row Count: 1
Jul  1 22:37:07 eder jadc2s.amessage.eu[24924]: PostgreSQL result was: XXXXXXXX
Jul  1 22:37:07 eder jadc2s.amessage.eu[24924]: sql plugin create statement from cmusaslsecretDIGEST-MD5 m tthias.eu
Jul  1 22:37:07 eder jadc2s.amessage.eu[24924]: sql plugin doing query SELECT password FROM system_users WHERE 'cmusaslsecretDIGEST-MD5'='userPassword' AND username='m' AND realm= 'tthias.eu';
Jul  1 22:37:07 eder jadc2s.amessage.eu[24924]: PostgreSQL query: SELECT password FROM system_users WHERE 'cmusaslsecretDIGEST-MD5'='userPassword' AND username='m' AND realm='tthi as.eu';
Jul  1 22:37:07 eder jadc2s.amessage.eu[24924]: PostgreSQL query status: PGRES_TUPLES_OK
Jul  1 22:37:07 eder jadc2s.amessage.eu[24924]: Row Count: 0
Jul  1 22:37:07 eder jadc2s.amessage.eu[24924]: sql plugin: no result found (not row count)
Jul  1 22:37:07 eder jadc2s.amessage.eu[24924]: commit transaction
Jul  1 22:37:07 eder jadc2s.amessage.eu[24924]: PostgreSQL query: COMMIT;
Jul  1 22:37:07 eder jadc2s.amessage.eu[24924]: PostgreSQL query status: PGRES_COMMAND_OK
Jul  1 22:37:07 eder jadc2s.amessage.eu[24924]: ... so no results
Jul  1 22:37:07 eder jadc2s.amessage.eu[24924]: unable to open Berkeley db /etc/sasldb2: Permission denied
Jul  1 22:37:07 eder jadc2s.amessage.eu[24924]: sql plugin Parse the username m@xxxxxxxxx


So I see Cyrus is first trying to read the plain text password (and gets
it from the database). Then it does the query for the hashed password and
does not get one.
Shouldn't Cyrus SASL use the plain text password in my case now?

What does your program do (or more specifically, how does it use libsasl)? In general, SASL plugins like DIGEST-MD5 can request both a cleartext attribute (userPassword) and a non-cleartext one, but should work if either one of them is present. Hopefully the same applies to your program.

Instead
it tries to read /etc/sasldb2 (which is not used in my setup).

You have the SASLDB auxprop plugin installed and enabled. If you don't want to use it, you should disable it.

With the changed setup, Cyrus SASL does get the plain text password for
both queries and feels happy with that. I can authenticate and Cyrus is
not trying to access /etc/sasldb2.



Has something changed in Cyrus that makes my query fail? Did I
misunderstand how the %p variable works? Isn't it a problem if I
return the plain text password in my SQL statement, when Cyrus expects
to get a hashed password for its DIGEST-MD5 query?
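
Added example, not part of the original mail and not Cyrus SASL code: a Python/sqlite3 simulation of the two lookups seen in the log, run once with the '%p' filter and once with the query that has no '%p' condition. The sample row, the helper names and the quote-doubling escape are assumptions of this sketch.

```python
import re
import sqlite3

# Property names taken from the two "create statement" lines in the log.
REQUESTED_PROPS = ["userPassword", "cmusaslsecretDIGEST-MD5"]

ORIGINAL = ("SELECT password FROM system_users WHERE '%p'='userPassword' "
            "AND username='%u' AND realm='%r'")
UNFILTERED = "SELECT password FROM system_users WHERE username='%u' AND realm='%r'"


def expand(template, prop, user, realm):
    """Substitute %p, %u and %r in one pass, as the logged queries show."""
    values = {"p": prop, "u": user, "r": realm}

    def quote(match):
        # Assumption of this sketch: escape by doubling single quotes.
        return values[match.group(1)].replace("'", "''")

    return re.sub(r"%([pur])", quote, template)


def make_db():
    """Constructed sample data: one user with a cleartext password only."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE system_users (username TEXT, realm TEXT, password TEXT)")
    db.execute("INSERT INTO system_users VALUES ('alice', 'example.org', 'cleartext-pw')")
    return db


def lookup(db, template, user, realm):
    """Run one query per requested property; None means 'no row found'."""
    result = {}
    for prop in REQUESTED_PROPS:
        row = db.execute(expand(template, prop, user, realm)).fetchone()
        result[prop] = row[0] if row else None
    return result


if __name__ == "__main__":
    db = make_db()
    for name, template in (("original", ORIGINAL), ("unfiltered", UNFILTERED)):
        print(name, lookup(db, template, "alice", "example.org"))
```

With the filter, only the userPassword lookup yields a value; without it, the same cleartext string is also returned under the cmusaslsecretDIGEST-MD5 name, which is the situation the last question above asks about.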


