[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
SASL EXTERNAL fails with current slapd (ITS#2200)
Full_Name: Luke Howard
Version: HEAD
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (165.228.130.12)
The following change was recently made to slapd:
@@ -1515,7 +1510,7 @@
if ( !conn->c_sasl_bind_in_progress ) {
sc = START( ctx,
conn->c_sasl_bind_mech.bv_val,
- cred->bv_len ? cred->bv_val : "",
+ cred->bv_len ? cred->bv_val : NULL,
cred->bv_len,
(SASL_CONST char **)&response.bv_val, &reslen, &errstr
);
This broke SASL EXTERNAL (testing with internal patch to support ldapi:// and
SO_PEERCRED), because the Cyrus SASL library's EXTERNAL implementation expects
to receive a non-NULL pointer for the input buffer, even if the length is zero.
If it receives a NULL pointer, then it will return SASL_CONTINUE which
ultimately results in SASL_BIND_IN_PROGRESS being returned to the client.
The client, obviously, is not binding with an authorization identity (otherwise
cred->bv_len would be non-zero). Our application is attempting to acquire
Administrator authorization through binding as root over a domain socket.
Presumably there was some reason that this change was introduced (I haven't
checked the commit logs), so it might be difficult to workaround if there is a
good reason for it being there. For our purposes, though, I 've changed it back.
:-)