SASL/CRAM-MD5 broken in 2.1.12 (ITS#2267)



Full_Name: Karsten Kuenne
Version: 2.1.12
OS: Solaris 8
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (65.213.85.53)


I tried 2.1.12 today and apparently SASL/CRAM-MD5 is broken. This is what I get
on the client side:

ldapsearch -h myldap -Y CRAM-MD5 uid=someone
SASL/CRAM-MD5 authentication started
ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
        additional info: SASL(-5): bad protocol / cancel: Remote sent first but
mech does not allow it.

The server is also 2.1.12. The client from 2.1.8 works fine with the same
server. I tracked the issue down to the following change in sasl.c:

--- libraries/libldap/sasl.c	2002/07/11 18:33:26	1.44
+++ libraries/libldap/sasl.c	2002/11/28 15:15:27	1.45
@@ -105,7 +105,7 @@
 			ld->ld_version, dn, LDAP_AUTH_SIMPLE,
 			cred );

-	} else if ( cred == NULL || !cred->bv_len ) {
+	} else if ( cred == NULL ) {
 		/* SASL bind w/o creditials */
 		rc = ber_printf( ber, "{it{ist{sN}N}" /*}*/,
 			++ld->ld_msgid, LDAP_REQ_BIND,

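Review bot: the new condition `} else if ( cred == NULL ) {` treats every non-NULL cred as credentials to send, so a zero-length initial response (which ITS#2200 needs for EXTERNAL) and "no initial response at all" are no longer distinguishable; a mechanism that requires the server to speak first, such as CRAM-MD5, then receives an empty credentials element, which matches the "Remote sent first but mech does not allow it" error quoted above. Consider keying the test on whether `bv_val` is NULL rather than on `bv_len`, so an empty-but-present value is sent and an absent value is omitted. Also, `creditials` in the context comment is misspelled (credentials).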
The annotation reads:
Fix ITS#2200, must send non-NULL cred even if it's zero-length.

If I change it back, it apparently breaks SASL/EXTERNAL, so that is not a good
idea. After I changed sasl.c in the following way, both SASL/CRAM-MD5 and
SASL/EXTERNAL seem to work (and SASL/DIGEST-MD5 and SASL/GSSAPI also still work
fine):

--- libraries/libldap/sasl.c.orig       Tue Jan 14 15:14:44 2003
+++ libraries/libldap/sasl.c    Tue Jan 14 16:10:07 2003
@@ -105,7 +105,7 @@
                        ld->ld_version, dn, LDAP_AUTH_SIMPLE,
                        cred );

-       } else if ( cred == NULL ) {
+       } else if ( cred == NULL || cred->bv_val == NULL ) {
                /* SASL bind w/o creditials */
                rc = ber_printf( ber, "{it{ist{sN}N}" /*}*/,
                        ++ld->ld_msgid, LDAP_REQ_BIND,

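Review bot: `cred->bv_val == NULL` makes the NULL-pointer versus zero-length distinction part of the caller contract, but nothing in this hunk records it; the comment `/* SASL bind w/o creditials */` should state that a NULL `bv_val` means "no initial response, omit the credentials element" while a non-NULL `bv_val` with `bv_len` 0 is sent as an empty OCTET STRING (and fix the spelling to "credentials"). It would also be worth checking that every caller that builds the cred for a mechanism with no initial client response leaves `bv_val` NULL rather than pointing it at an empty buffer, since the latter would regress to the 1.45 behaviour.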
I'm not sure if this is the correct fix, but it seems to work fine for me.
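As an added illustration (not code from the report or from libldap), the C sketch below puts the three versions of the "bind without credentials" test side by side and DER-encodes the SaslCredentials element each one produces; the `struct berval` stand-in, the encoder and the two constructed credential values (NULL `bv_val` for a server-first mechanism like CRAM-MD5, empty non-NULL `bv_val` for EXTERNAL) are assumptions for the example.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for libldap's struct berval; not libldap's own code. */
struct berval { size_t bv_len; char *bv_val; };

/* The three "SASL bind w/o credentials" tests from sasl.c, side by side:
 * 0 = revision 1.44, 1 = revision 1.45 (ITS#2200 fix), 2 = the reporter's change. */
int sasl_cred_absent(int variant, const struct berval *cred)
{
    if (variant == 0) return cred == NULL || !cred->bv_len;
    if (variant == 1) return cred == NULL;
    return cred == NULL || cred->bv_val == NULL;
}

/* DER-encode SaslCredentials ::= SEQUENCE { mechanism OCTET STRING,
 * credentials OCTET STRING OPTIONAL } under its [3] tag, omitting the
 * credentials element when the chosen variant says it is absent. Short-form
 * lengths only (total under 128 bytes). Returns the number of bytes written. */
size_t encode_sasl_credentials(int variant, const char *mech,
                               const struct berval *cred, unsigned char *out)
{
    int absent = sasl_cred_absent(variant, cred);
    size_t mlen = strlen(mech), clen = absent ? 0 : cred->bv_len, n = 0;

    out[n++] = 0xA3;                       /* [3] SaslCredentials (LDAP_AUTH_SASL) */
    out[n++] = (unsigned char)(2 + mlen + (absent ? 0 : 2 + clen));
    out[n++] = 0x04; out[n++] = (unsigned char)mlen;   /* mechanism */
    memcpy(out + n, mech, mlen); n += mlen;
    if (!absent) {                         /* credentials, possibly zero-length */
        out[n++] = 0x04; out[n++] = (unsigned char)clen;
        if (clen) memcpy(out + n, cred->bv_val, clen);
        n += clen;
    }
    return n;
}

/* 1 if the variant omits credentials for a server-first mechanism (CRAM-MD5,
 * no initial response: bv_val NULL) AND still sends the zero-length initial
 * response EXTERNAL needs (bv_val non-NULL, bv_len 0); otherwise 0. */
int variant_correct(int variant)
{
    char empty_buf[1] = "";
    struct berval none  = { 0, NULL };       /* constructed: no initial response */
    struct berval empty = { 0, empty_buf };  /* constructed: empty initial response */
    return sasl_cred_absent(variant, &none) && !sasl_cred_absent(variant, &empty);
}
```

Only variant 2 passes `variant_correct`: 1.44 drops the empty EXTERNAL response and 1.45 sends an empty credentials element for CRAM-MD5, which is what the server rejects.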