Re: fixes for SASL KERBEROS_V4 mechanism (ITS#829)
Karsten,
We had a bit of prior discussion regarding this issue. In
particular, please review:
http://www.openldap.org/lists/openldap-devel/200007/msg00031.html
http://www.openldap.org/lists/openldap-devel/200007/msg00039.html
Basically, we suggest compiling Cyrus SASL with
KRB4_IGNORE_IP_ADDRESS. This works fine unless you desire
to use security layers.
If you want to use security layers, then, yes, both -lldap
and slapd need patching. However, as OpenLDAP supports
multiple protocol families and Cyrus SASL only supports
AF_INET, special care must be taken.
Kurt
At 10:52 PM 10/11/00 +0000, karsten.kuenne@desy.de wrote:
>Full_Name: Karsten Kuenne
>Version: 2.0.6
>OS: Solaris 7
>URL: ftp://ftp.openldap.org/incoming/
>Submission from: (NULL) (131.169.137.215)
>
>
>The KERBEROS_V4 SASL mechanism needs the local and remote IP address to be set
>with sasl_setprop in order to work. The following patch fixes it:
>
>*** ./libraries/libldap/cyrus.c.orig Wed Oct 11 19:58:00 2000
>--- ./libraries/libldap/cyrus.c Thu Oct 12 00:07:29 2000
>***************
>*** 386,391 ****
>--- 386,394 ----
> {
> int rc;
> sasl_conn_t *ctx;
>+ ber_socket_t sd;
>+ struct sockaddr_in sinloc, sinrem;
>+ socklen_t socklen;
>
> sasl_callback_t *session_callbacks =
> ber_memcalloc( 2, sizeof( sasl_callback_t ) );
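Review bot: the new locals `struct sockaddr_in sinloc, sinrem;` hard-wire the address family to AF_INET, which is the concern raised above about OpenLDAP supporting multiple protocol families. Declaring them as `struct sockaddr_storage` (and sizing `socklen` from that) would let the later getsockname()/getpeername() calls return a complete address for any family, so the code can check the family before deciding whether to hand the address to Cyrus SASL.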
>***************
>*** 420,425 ****
>--- 423,452 ----
>
> lc->lconn_sasl_ctx = ctx;
>
>+ ber_sockbuf_ctrl( ld->ld_sb, LBER_SB_OPT_GET_FD, &sd );
>+ socklen = sizeof(sinloc);
>+ rc = getsockname(sd, (struct sockaddr *)&sinloc, &socklen);
>+ if (rc == -1) {
>+ ld->ld_errno = errno;
>+ return rc;
>+ }
>+ rc = sasl_setprop(ctx, SASL_IP_LOCAL, &sinloc);
>+ if ( rc != SASL_OK ) {
>+ ld->ld_errno = sasl_err2ldap( rc );
>+ return ld->ld_errno;
>+ }
>+ socklen = sizeof(sinrem);
>+ rc = getpeername(sd, (struct sockaddr *)&sinrem, &socklen);
>+ if (rc == -1) {
>+ ld->ld_errno = errno;
>+ return rc;
>+ }
>+ rc = sasl_setprop(ctx, SASL_IP_REMOTE, &sinrem);
>+ if ( rc != SASL_OK ) {
>+ ld->ld_errno = sasl_err2ldap( rc );
>+ return ld->ld_errno;
>+ }
>+
> if( ssf ) {
> sasl_external_properties_t extprops;
> memset(&extprops, 0L, sizeof(extprops));
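Review bot: the return value of `ber_sockbuf_ctrl( ld->ld_sb, LBER_SB_OPT_GET_FD, &sd )` is not checked, so if the sockbuf has no descriptor attached `sd` is used uninitialised in getsockname(). The error paths also mix two vocabularies: on a getsockname()/getpeername() failure the code stores the raw system errno in `ld->ld_errno` and returns -1, while the sasl_setprop() failures store an LDAP result code via sasl_err2ldap() and return that; callers of this function cannot interpret both the same way. Suggest storing a proper LDAP code (e.g. `ld->ld_errno = LDAP_LOCAL_ERROR;`) and returning it in both cases, and, because Cyrus SASL only understands AF_INET here, skipping the two sasl_setprop() calls rather than failing the whole SASL setup when the socket is of another family.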
>*** ./servers/slapd/sasl.c.orig Wed Oct 11 18:51:14 2000
>--- ./servers/slapd/sasl.c Thu Oct 12 00:08:01 2000
>***************
>*** 221,226 ****
>--- 221,229 ----
> #ifdef HAVE_CYRUS_SASL
> sasl_conn_t *ctx = NULL;
> sasl_callback_t *session_callbacks;
>+ ber_socket_t sd;
>+ struct sockaddr_in sinloc, sinrem;
>+ socklen_t socklen;
>
> assert( conn->c_sasl_context == NULL );
> assert( conn->c_sasl_extra == NULL );
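Review bot: same comment as for the libldap hunk: `struct sockaddr_in sinloc, sinrem;` only fits AF_INET, and slapd listeners may be of other families, so a `struct sockaddr_storage` with a family check before the SASL calls would be safer.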
>***************
>*** 259,264 ****
>--- 262,290 ----
>
> conn->c_sasl_context = ctx;
>
>+ ber_sockbuf_ctrl( conn->c_sb, LBER_SB_OPT_GET_FD, &sd );
>+ socklen = sizeof(sinloc);
>+ sc = getsockname(sd, (struct sockaddr *)&sinloc, &socklen);
>+ if (sc == -1) {
>+ return sc;
>+ }
>+ sc = sasl_setprop(ctx, SASL_IP_LOCAL, &sinloc);
>+ if ( sc != SASL_OK ) {
>+ sc = slap_sasl_err2ldap( sc );
>+ return sc;
>+ }
>+
>+ socklen = sizeof(sinrem);
>+ sc = getpeername(sd, (struct sockaddr *)&sinrem, &socklen);
>+ if (sc == -1) {
>+ return sc;
>+ }
>+ sc = sasl_setprop(ctx, SASL_IP_REMOTE, &sinrem);
>+ if ( sc != SASL_OK ) {
>+ sc = slap_sasl_err2ldap( sc );
>+ return sc;
>+ }
>+
> if( sc == SASL_OK ) {
> sc = sasl_setprop( ctx,
> SASL_SEC_PROPS, &sasl_secprops );
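Review bot: when getsockname() or getpeername() fail, `sc` is returned as -1, whereas every other error return in this block is an LDAP result code from slap_sasl_err2ldap(); the caller cannot distinguish the two, and the failure is silent (no Debug()/log line before `return sc;`). The `ber_sockbuf_ctrl( conn->c_sb, LBER_SB_OPT_GET_FD, &sd )` result is likewise unchecked. Suggest logging the failure and returning a consistent LDAP code, and, as for libldap, skipping the SASL_IP_LOCAL/SASL_IP_REMOTE setprop calls for non-AF_INET connections instead of aborting the SASL context setup. Note the existing `if( sc == SASL_OK )` test that follows is now always true, since every non-SASL_OK path above returns early.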
>
>
>I tested that GSSAPI is still working with these changes applied but I didn't
>test whether it affects other mechanisms (it shouldn't).
>
>Karsten.