SASL/PLAIN binds do not work #27

Closed
389-ds-bot opened this issue Sep 12, 2020 · 8 comments
@389-ds-bot

Cloned from Pagure issue: https://pagure.io/389-ds-base/issue/27


https://bugzilla.redhat.com/show_bug.cgi?id=741999

I have tried to use a SASL/PLAIN bind in order to do binds with a user id that
is not a DN.
Because SASL mappings can resolve an arbitrary uid into a DN I was hoping to
use that to bind to a directory where anonymous searches are disabled
(therefore the client can't use an anonymous bind to search the DN itself).

Unfortunately it appears the current DS code is not able to perform SASL/PLAIN
authentication. SASL mapping is incorrectly performed. It happens twice: the
first time it properly maps the provided user name to a DN; the second time it
tries to map the found DN again as if it were a user name.

Rich says DS may not be able to properly provide SASL with a callback to handle
checking the password.
@389-ds-bot 389-ds-bot added the closed: fixed Migration flag - Issue label Sep 12, 2020
@389-ds-bot 389-ds-bot added this to the 1.2.11.a1 milestone Sep 12, 2020
@389-ds-bot

Comment from rmeggins (@richm) at 2012-01-07 05:56:23

Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=742054

@389-ds-bot

Comment from nhosoi (@nhosoi) at 2012-02-08 07:19:19

Bug description: ids_sasl_canon_user failed to set "dn: " in front
of the dn string in the output argument out_user. The dn string
is used in the next session and the corresponding entry was not
found due to the bad dn format (missing "dn: ").

Fix description: This patch adds the proper prefix.

@389-ds-bot

Comment from rmeggins (@richm) at 2012-02-08 21:49:12

PR_snprintf guarantees the buffer is properly NULL terminated, so you don't have to set the '\0' in the string. Also, PR_snprintf will return the number of characters written to the string (i.e. the string length) so you can use the return value rather than doing another strlen().
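
An added example, not part of the original thread or the 389-ds code: a minimal C model of the two canonicalization passes from the report, showing why the second pass fails without the "dn: " prefix and how the formatting call's return value doubles as the length and the truncation check. All function names, the mapping rule and the DN suffix are hypothetical, and ISO C `snprintf` stands in for `PR_snprintf`.

```c
#include <stdio.h>
#include <string.h>

#define DN_PREFIX "dn: "

/* Hypothetical stand-in for a SASL mapping: resolves a bare user name to a DN.
 * Returns 0 on success, -1 if the name cannot be mapped or does not fit. */
static int map_user_to_dn(const char *user, char *dn, size_t dn_max)
{
    /* A DN is not a user name; mapping it again is the failure in the report. */
    if (strchr(user, '=') != NULL || strchr(user, ',') != NULL)
        return -1;
    int n = snprintf(dn, dn_max, "uid=%s,ou=people,dc=example,dc=com", user);
    return (n < 0 || (size_t)n >= dn_max) ? -1 : 0;
}

/* Canonicalize an identity into out_user. Input already carrying "dn: " is
 * taken as a DN; anything else is mapped as a user name.
 * with_prefix=0 reproduces the pre-fix output format. Returns 0 or -1. */
int canon_user(const char *in, int with_prefix,
               char *out_user, size_t out_umax, size_t *out_ulen)
{
    char dn[256];
    const char *resolved;
    if (strncmp(in, DN_PREFIX, strlen(DN_PREFIX)) == 0) {
        resolved = in + strlen(DN_PREFIX);
    } else {
        if (map_user_to_dn(in, dn, sizeof dn) != 0)
            return -1;
        resolved = dn;
    }
    /* snprintf NUL-terminates and returns the untruncated length, so no
     * strlen() is needed; n >= out_umax means the DN was cut: reject it. */
    int n = snprintf(out_user, out_umax, "%s%s", with_prefix ? DN_PREFIX : "", resolved);
    if (n < 0 || (size_t)n >= out_umax)
        return -1;
    *out_ulen = (size_t)n;
    return 0;
}

/* Run the two passes described in the issue; returns the second pass result. */
int two_pass(const char *user, int with_prefix, char *out, size_t out_max)
{
    char first[256];
    size_t len = 0;
    if (canon_user(user, with_prefix, first, sizeof first, &len) != 0)
        return -1;
    return canon_user(first, with_prefix, out, out_max, &len);
}
```

Rejecting a truncated result matters here because the output is an identity: a shortened DN could name a different entry than the one the mapping resolved.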

@389-ds-bot

Comment from nhosoi (@nhosoi) at 2012-02-09 00:42:15

revised git patch file (master)
0001-Trac-Ticket-27-SASL-PLAIN-binds-do-not-work.patch

@389-ds-bot

Comment from nhosoi (@nhosoi) at 2012-02-09 01:58:09

Reviewed by Rich (Thanks!!!)

Pushed to master.

$ git merge trac27
Updating 3e60f7f..d962cea
Fast-forward
ldap/servers/slapd/saslbind.c | 14 +++++++-------
1 files changed, 7 insertions(+), 7 deletions(-)

$ git push
Counting objects: 11, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (6/6), done.
Writing objects: 100% (6/6), 865 bytes, done.
Total 6 (delta 4), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
3e60f7f..d962cea master -> master

@389-ds-bot

Comment from nhosoi (@nhosoi) at 2012-02-09 02:04:31

Bug verification info is in bz741999.

@389-ds-bot

Comment from nkinder (@nkinder) at 2012-08-28 04:14:25

Added initial screened field value.

@389-ds-bot

Comment from nhosoi (@nhosoi) at 2017-02-11 23:11:15

Metadata Update from @nhosoi:

  • Issue assigned to nhosoi
  • Issue set to the milestone: 1.2.11.a1
