
sasl authorization problem && sasl auxprop plugin always used



Hi!

1./ It seems that SASL authorization is broken with the DIGEST-MD5,
NTLM and LOGIN SASL mechs. PLAIN and GSSAPI seem to work;
CRAM-MD5 and KERBEROS_V4 were not tested.

# ldapwhoami -U sasl -X u:balsa -Y DIGEST-MD5 -ZZ
SASL/DIGEST-MD5 authentication started
Please enter your password: 
SASL username: u:balsa
SASL SSF: 128
SASL installing layers
dn:uid=sasl,ou=people,dc=mydomain
Result: Success (0)

# ldapwhoami -U sasl -X u:balsa -Y PLAIN -ZZ
SASL/PLAIN authentication started
Please enter your password: 
SASL username: u:balsa
SASL SSF: 0
dn:uid=balsa,ou=people,dc=mydomain
Result: Success (0)

# ldapsearch -U sasl -Y PLAIN -ZZ -LLL uid=sasl saslAuthzTo
SASL/PLAIN authentication started
Please enter your password: 
SASL username: sasl
SASL SSF: 0
dn: uid=sasl,ou=People,dc=mydomain
saslAuthzTo: uid=.*,ou=people,dc=mydomain


sasl-regexp
    uid=(.*),cn=.*,cn=.*,cn=auth
    uid=$1,ou=people,dc=mydomain


Tested with openldap 2.1.12 and sasl 2.1.10.
The log is at http://www.rit.bme.hu/~balsa/sasl/sasl_authz.log.


2./ The problem is that all SASL auxprop plugins
(and because of that the slapd external SASL plugin too)
seem to be used by slapd if the auxprop_plugin SASL option is not set.
(This seems to be a SASL misbehaviour.)

Because of this, if you have a valid sasl-regexp which maps a SASL id to
a valid DN (e.g. an admin DN which has read rights to the userPassword
attribute), then if you use an auxprop-based mech, you can authenticate to
that DN with the DN's userPassword attribute as the password, as it is.

e.g: ldapsearch -U sasl -Y DIGEST-MD5 -ZZ userPassword

and you can use password hashes as the password:
{SSHA}sVBSuRsZ+Iq2GrJcXFon0pCseOG7SA7J
or, much worse:
{SASL}uid@YOUR.DOMAIN

I think it would be nice if, without the auxprop_plugin option,
only the sasldb plugin or none of them were used by slapd.

Thanks

balsa

p.s.: a modified ldapdb auxprop plugin that works with cyrus-imapd is at
http://www.rit.bme.hu/~balsa/sasl/ldapdb.patch
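Added example, not from the post above and not OpenLDAP's own code: a small model of the mapping and authorization steps the report exercises, using the sasl-regexp rule and the saslAuthzTo value shown there. It assumes a SASL realm of "MYDOMAIN" (the post does not give one) and a constructed two-entry directory. For the DIGEST-MD5 case it returns the authzid's DN (uid=balsa), which is what the post expected instead of the uid=sasl DN slapd returned, and it returns None when proxy authorization is not permitted, since the bind must then fail rather than silently fall back to the authcid's DN.

```python
import re

# Constructed sample directory holding only the attributes the check needs.
# DN keys are lower-cased because DN comparison is case-insensitive.
DIRECTORY = {
    "uid=sasl,ou=people,dc=mydomain": {"saslAuthzTo": ["uid=.*,ou=people,dc=mydomain"]},
    "uid=balsa,ou=people,dc=mydomain": {},
}

# The sasl-regexp rule from the report, in slapd.conf notation ($1 = group 1).
SASL_REGEXP = [("uid=(.*),cn=.*,cn=.*,cn=auth", "uid=$1,ou=people,dc=mydomain")]


def sasl_to_authdn(user, mech, realm):
    """Synthetic cn=auth DN slapd builds for a SASL identity before mapping."""
    return f"uid={user},cn={realm},cn={mech},cn=auth"


def map_identity(ident, mech, realm):
    """Turn an authcid, or a u:/dn: authzid, into the DN slapd will use."""
    if ident.startswith("dn:"):
        auth_dn = ident[3:]
    else:
        user = ident[2:] if ident.startswith("u:") else ident
        auth_dn = sasl_to_authdn(user, mech, realm)
    for pattern, repl in SASL_REGEXP:
        m = re.fullmatch(pattern, auth_dn, re.IGNORECASE)
        if m:
            return m.expand(repl.replace("$", "\\"))  # $1 -> \1 for Python
    return auth_dn  # no rule matched: the cn=auth DN is used as-is


def effective_dn(authcid, authzid, mech, realm="MYDOMAIN"):
    """DN the bind should end up as, or None if proxy authorization is denied.

    Proxy authorization is allowed only when the authenticating entry's
    saslAuthzTo matches the requested DN. If it does not, the bind must be
    refused; falling back to the authcid's own DN (the DIGEST-MD5 result in
    the report) hides the failure from the client."""
    authc_dn = map_identity(authcid, mech, realm)
    if authzid is None:
        return authc_dn
    authz_dn = map_identity(authzid, mech, realm)
    allowed = DIRECTORY.get(authc_dn.lower(), {}).get("saslAuthzTo", [])
    if any(re.fullmatch(rule, authz_dn, re.IGNORECASE) for rule in allowed):
        return authz_dn
    return None
```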