SASL/CRAM-MD5 broken in 2.1.12 (ITS#2267)
Full_Name: Karsten Kuenne
Version: 2.1.12
OS: Solaris 8
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (65.213.85.53)
I tried 2.1.12 today and apparently SASL/CRAM-MD5 is broken. This is what I get
on the client side:
ldapsearch -h myldap -Y CRAM-MD5 uid=someone
SASL/CRAM-MD5 authentication started
ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
additional info: SASL(-5): bad protocol / cancel: Remote sent first but
mech does not allow it.
The server is also 2.1.12. The client from 2.1.8 works fine with the same
server. I tracked the issue down to the following change in sasl.c:
--- libraries/libldap/sasl.c 2002/07/11 18:33:26 1.44
+++ libraries/libldap/sasl.c 2002/11/28 15:15:27 1.45
@@ -105,7 +105,7 @@
ld->ld_version, dn, LDAP_AUTH_SIMPLE,
cred );
- } else if ( cred == NULL || !cred->bv_len ) {
+ } else if ( cred == NULL ) {
/* SASL bind w/o creditials */
rc = ber_printf( ber, "{it{ist{sN}N}" /*}*/,
++ld->ld_msgid, LDAP_REQ_BIND,
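Review bot: dropping the `!cred->bv_len` test from the `else if` at line 105 sends every non-NULL berval down the with-credentials path, including one whose bv_val is NULL and bv_len is 0, so a client that has no initial response still puts an (empty) credentials field on the wire; the server's "Remote sent first but mech does not allow it" reply quoted above is consistent with exactly that. The ITS#2200 annotation asks for a non-NULL zero-length credential to be sent, which calls for a test on bv_val rather than on bv_len alone, e.g. `} else if ( cred == NULL || cred->bv_val == NULL ) {`, together with a comment stating the berval convention this branch relies on (bv_val NULL means no credential; non-NULL bv_val with bv_len 0 means an empty one).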
The annotation reads:
Fix ITS#2200, must send non-NULL cred even if it's zero-length.
If I change it back, it apparently breaks SASL/EXTERNAL, so that is not a good
idea. After I changed sasl.c in the following way, both SASL/CRAM-MD5 and
SASL/EXTERNAL seem to work (and SASL/DIGEST-MD5 and SASL/GSSAPI also still work
fine):
--- libraries/libldap/sasl.c.orig Tue Jan 14 15:14:44 2003
+++ libraries/libldap/sasl.c Tue Jan 14 16:10:07 2003
@@ -105,7 +105,7 @@
ld->ld_version, dn, LDAP_AUTH_SIMPLE,
cred );
- } else if ( cred == NULL ) {
+ } else if ( cred == NULL || cred->bv_val == NULL ) {
/* SASL bind w/o creditials */
rc = ber_printf( ber, "{it{ist{sN}N}" /*}*/,
++ld->ld_msgid, LDAP_REQ_BIND,
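Review bot: the new condition separates an absent credential (bv_val == NULL) from an explicitly empty one (non-NULL bv_val, bv_len 0), which is what the ITS#2200 annotation requires, but it makes the caller contract load-bearing: a caller that expresses "no initial response" as a non-NULL bv_val with bv_len 0 will now send an empty credentials octet string instead of omitting the field. That convention should be documented at this branch so the two cases are not conflated again. While touching the line, fix the "creditials" typo in the comment that follows it.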
I'm not sure if this is the correct fix but it seems to work fine for me.
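The distinction this report turns on, a credential that is absent versus one that is present but zero-length, is easiest to see on the wire. The following is an added example, not OpenLDAP code: a minimal hand-rolled DER writer for the LDAP SASL BindRequest (RFC 2251 layout; it is not liblber's ber_printf), a struct berval that mirrors liblber's layout, and the three versions of the check from the two diffs above applied to constructed sample credentials. The enum names, sample values and message ID are assumptions made here.

```c
/* Added example (not OpenLDAP code): a hand-rolled DER writer for the SASL
 * BindRequest, used to show what the three versions of the "w/o credentials"
 * check from the ITS report put on the wire.  struct berval mirrors the
 * liblber layout; the check names and sample values are constructed here. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct berval {
    size_t bv_len;
    char  *bv_val;
};

enum cred_check { CHECK_REV_1_44, CHECK_REV_1_45, CHECK_PROPOSED };

/* 1 if the given check takes the "SASL bind w/o credentials" branch, 0 if it
 * sends whatever cred holds (possibly a zero-length credential). */
int omits_credentials(enum cred_check which, const struct berval *cred)
{
    switch (which) {
    case CHECK_REV_1_44: return cred == NULL || !cred->bv_len;        /* rev 1.44 */
    case CHECK_REV_1_45: return cred == NULL;                         /* rev 1.45 */
    default:             return cred == NULL || cred->bv_val == NULL; /* reporter's patch */
    }
}

/* Append one tag-length-value with a short-form length; returns 0 on overflow. */
static size_t put_tlv(uint8_t *out, size_t cap, size_t pos,
                      uint8_t tag, const uint8_t *val, size_t len)
{
    if (len > 127 || pos + 2 + len > cap)
        return 0;
    out[pos++] = tag;
    out[pos++] = (uint8_t)len;
    if (len)
        memcpy(out + pos, val, len);
    return pos + len;
}

/* LDAPMessage { messageID, BindRequest { version 3, name "", [3] SaslCredentials
 * { mechanism, credentials OPTIONAL } } }.  cred == NULL omits the OPTIONAL
 * field; any other cred is sent as an OCTET STRING of bv_len bytes.  Returns
 * the encoded length, 0 on error. */
size_t encode_sasl_bind(uint8_t *out, size_t cap, int msgid,
                        const char *mech, const struct berval *cred)
{
    uint8_t sasl[128], bind[128], msg[128];
    uint8_t ver = 3, id = (uint8_t)msgid;
    size_t n, m;

    n = put_tlv(sasl, sizeof sasl, 0, 0x04, (const uint8_t *)mech, strlen(mech));
    if (n && cred != NULL)
        n = put_tlv(sasl, sizeof sasl, n, 0x04,
                    (const uint8_t *)cred->bv_val, cred->bv_len);
    if (!n) return 0;

    m = put_tlv(bind, sizeof bind, 0, 0x02, &ver, 1);          /* version */
    if (m) m = put_tlv(bind, sizeof bind, m, 0x04, NULL, 0);    /* empty DN */
    if (m) m = put_tlv(bind, sizeof bind, m, 0xA3, sasl, n);    /* [3] sasl */
    if (!m) return 0;

    n = put_tlv(msg, sizeof msg, 0, 0x02, &id, 1);              /* messageID */
    if (n) n = put_tlv(msg, sizeof msg, n, 0x60, bind, m);      /* [APPLICATION 0] */
    if (!n) return 0;

    return put_tlv(out, cap, 0, 0x30, msg, n);                  /* SEQUENCE */
}

/* Encoded size of a CRAM-MD5 bind under a given check: 24 bytes when the
 * credentials field is omitted, 26 when a zero-length one is sent. */
size_t bind_request_len(enum cred_check which, const struct berval *cred)
{
    uint8_t buf[128];
    return encode_sasl_bind(buf, sizeof buf, 1, "CRAM-MD5",
                            omits_credentials(which, cred) ? NULL : cred);
}

/* Constructed samples: "no initial response" (bv_val NULL) versus an
 * explicitly empty credential (non-NULL bv_val, bv_len 0). */
const struct berval SAMPLE_NO_RESPONSE = { 0, NULL };
const struct berval SAMPLE_EMPTY       = { 0, "" };

int main(void)
{
    uint8_t buf[128];
    size_t i, n;
    n = encode_sasl_bind(buf, sizeof buf, 1, "CRAM-MD5", NULL);
    for (i = 0; i < n; i++) printf("%02x ", buf[i]);
    printf(" (credentials omitted, %zu bytes)\n", n);
    n = encode_sasl_bind(buf, sizeof buf, 1, "CRAM-MD5", &SAMPLE_EMPTY);
    for (i = 0; i < n; i++) printf("%02x ", buf[i]);
    printf(" (zero-length credentials, %zu bytes)\n", n);
    return 0;
}
```

The two encodings differ only by the presence of an empty OCTET STRING (`04 00`) inside the [3] SaslCredentials sequence. Under the rev 1.44 check both sample bervals are treated as absent, which is the behaviour the ITS#2200 annotation says must go; under the rev 1.45 check both are treated as present, which matches the report's CRAM-MD5 failure; the reporter's check is the only one of the three that sends the field for SAMPLE_EMPTY and omits it for SAMPLE_NO_RESPONSE.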