Re: SASL/CRAM-MD5 broken in 2.1.12 (ITS#2267)
The suggested fix has been applied to HEAD. Thanks, Kurt
At 04:30 AM 1/14/2003, kuenne@rentec.com wrote:
>Full_Name: Karsten Kuenne
>Version: 2.1.12
>OS: Solaris 8
>URL: ftp://ftp.openldap.org/incoming/
>Submission from: (NULL) (65.213.85.53)
>
>
>I tried 2.1.12 today and apparently SASL/CRAM-MD5 is broken. This is what I get
>on the client side:
>
>ldapsearch -h myldap -Y CRAM-MD5 uid=someone
>SASL/CRAM-MD5 authentication started
>ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
> additional info: SASL(-5): bad protocol / cancel: Remote sent first but
>mech does not allow it.
>
>The server is also 2.1.12. The client from 2.1.8 works fine with the same
>server. I tracked the issue down to the following change in sasl.c:
>
>--- libraries/libldap/sasl.c 2002/07/11 18:33:26 1.44
>+++ libraries/libldap/sasl.c 2002/11/28 15:15:27 1.45
>@@ -105,7 +105,7 @@
> ld->ld_version, dn, LDAP_AUTH_SIMPLE,
> cred );
>
>- } else if ( cred == NULL || !cred->bv_len ) {
>+ } else if ( cred == NULL ) {
> /* SASL bind w/o creditials */
> rc = ber_printf( ber, "{it{ist{sN}N}" /*}*/,
> ++ld->ld_msgid, LDAP_REQ_BIND,
>
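Review bot: the new condition in this hunk, `} else if ( cred == NULL ) {`, collapses two different cases into "credentials present": a caller that passes a berval whose `bv_val` is NULL (meaning no initial client response at all) is now handled the same way as a caller passing a genuine zero-length credential, so the empty credentials field is encoded and sent. That is exactly what the error on the client side reports, "Remote sent first but mech does not allow it", since CRAM-MD5 is a mechanism without an initial client response. The ITS#2200 requirement quoted in the annotation, "must send non-NULL cred even if it's zero-length", only needs the zero-length case to be sent when `bv_val` is non-NULL; it does not require a berval with a NULL `bv_val` to be sent. Suggest testing on `bv_val` rather than on `bv_len`, i.e. `} else if ( cred == NULL || cred->bv_val == NULL ) {`, so that "absent" and "present but empty" stay distinguishable.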
>The annotation reads:
>Fix ITS#2200, must send non-NULL cred even if it's zero-length.
>
>If I change it back it apparently breaks SASL/EXTERNAL so that is not a good
>idea. After I changed sasl.c in the following way both SASL/CRAM-MD5 and
>SASL/EXTERNAL seem to work (and also SASL/DIGEST-MD5 and SASL/GSSAPI still work
>fine):
>
>--- libraries/libldap/sasl.c.orig Tue Jan 14 15:14:44 2003
>+++ libraries/libldap/sasl.c Tue Jan 14 16:10:07 2003
>@@ -105,7 +105,7 @@
> ld->ld_version, dn, LDAP_AUTH_SIMPLE,
> cred );
>
>- } else if ( cred == NULL ) {
>+ } else if ( cred == NULL || cred->bv_val == NULL ) {
> /* SASL bind w/o creditials */
> rc = ber_printf( ber, "{it{ist{sN}N}" /*}*/,
> ++ld->ld_msgid, LDAP_REQ_BIND,
>
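Review bot: the condition `} else if ( cred == NULL || cred->bv_val == NULL ) {` gives the bind encoder the distinction it needs (NULL pointer or NULL `bv_val` means no credentials field, a non-NULL `bv_val` with `bv_len == 0` means an empty credentials field is sent), which covers both the ITS#2200 zero-length case and the CRAM-MD5 no-initial-response case described above. The one thing missing is documentation: the unchanged comment `/* SASL bind w/o creditials */` (also misspelled) no longer says that a zero-length but non-NULL credential deliberately takes the other branch; a short comment stating that `bv_val == NULL` is the "absent" encoding would keep the next editor from reintroducing the `!cred->bv_len` test. It would also be worth recording in the ITS that CRAM-MD5, EXTERNAL, DIGEST-MD5 and GSSAPI were all exercised with this change, since those four mechanisms cover both the with- and without-initial-response paths.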
>I'm not sure if this is the correct fix but it seems to work fine for me.