Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Authentication problem against MariaDB 10.4 with PAM #703

Closed
wollud1969 opened this issue Sep 23, 2019 · 12 comments
Closed

Authentication problem against MariaDB 10.4 with PAM #703

wollud1969 opened this issue Sep 23, 2019 · 12 comments

Comments

@wollud1969
Copy link

wollud1969 commented Sep 23, 2019

Authentication fails against MariaDB 10.4 with PAM. LDAP trace reveals that last character of password is swallowed.
Tests with HeidiSQL 10.1.0.5464 and MariaDB 10.3.13 CLI client (Windows) using the same credentials and against the same server work.

@bgrainger
Copy link
Member

bgrainger commented Sep 23, 2019

If this is a "non-standard" MariaDB configuration (the tests routinely pass against vanilla MariaDB 10.4, e.g., https://travis-ci.org/mysql-net/MySqlConnector/jobs/587524438), are you able to provide a Dockerfile (or similar) that reproduces the problem?

@wollud1969
Copy link
Author

wollud1969 commented Sep 23, 2019

I've prepare something to reproduce the scenario. You find it here: https://gitlab.com/wolutator/mariadb-with-ldap-pam. Use the branch forTestPurposes. In the directory test you find a script startEnv.sh to start an LDAP server with one user record and the MariaDB server configured to authenticate against that LDAP server. There are sleep statements in the script to give both the LDAP and the database server time to start before loading bootstrap data into it. On my laptop these sleep times are fine, on a really small Azure VM, which I just used to double check the script and the test they are still too short.
In the directory test/dotnet you find a small snippet of code which uses MySqlConnector to access the database. Just run dotnet build && dotnet run. Username, password and all the stuff is hardcoded.

I've attached a pcap file with the LDAP requests during the run of the dotnet test tool.

Here is also a screenshot with the interesting part from that trace:
image

Note in the authentication section the simple: test12, here the last character from the password is stripped.

The second pcap file in the archive is from a working database connection using the mariadb/mysql CLI.

The interesting part from the LDAP traffic is here:
image
Here, the password is complete.

Attached file with LDAP-traces:
ldap.zip

Thank you very much!

@wollud1969
Copy link
Author

wollud1969 commented Sep 25, 2019

I'm trying to track this down on my own. For this purpose I installed the most recent version of dotnet core (3.0.100) and tried to run the tests according to your contribution guide before trying to change anything: start the MySQL server using the docker command, copied the config.json.example, changed nothing within since I'm using your docker command to start the server and issue dotnet test -c Release from tests/SideBySide.
However, everything I'm seeing is:

C:\Users\dehottgw\workspaces\workspace-main\MySqlConnector-cloned\tests\SideBySide [master ≡]> dotnet test -c Release
C:\Program Files\dotnet\sdk\3.0.100\Microsoft.Common.CurrentVersion.targets(1175,5): error MSB3644: Die Verweisassemblys für ".NETFramework,Version=v4.5.2" wurden nicht gefunden. Installieren Sie zum Beheben dieses Problems das Developer Pack (SDK/Paket zur Festlegung von Zielversionen) für diese Frameworkversion, oder richten Sie Ihre Anwendung neu aus. Sie können .NET Framework Developer Packs unter https://aka.ms/msbuild/developerpacks herunterladen. [C:\Users\dehottgw\workspaces\workspace-main\MySqlConnector-cloned\tests\SideBySide\SideBySide.csproj]
C:\Program Files\dotnet\sdk\3.0.100\Microsoft.Common.CurrentVersion.targets(1175,5): error MSB3644: Die Verweisassemblys für ".NETFramework,Version=v4.6.1" wurden nicht gefunden. Installieren Sie zum Beheben dieses Problems das Developer Pack (SDK/Paket zur Festlegung von Zielversionen) für diese Frameworkversion, oder richten Sie Ihre Anwendung neu aus. Sie können .NET Framework Developer Packs unter https://aka.ms/msbuild/developerpacks herunterladen. [C:\Users\dehottgw\workspaces\workspace-main\MySqlConnector-cloned\tests\SideBySide\SideBySide.csproj]
C:\Program Files\dotnet\sdk\3.0.100\Microsoft.Common.CurrentVersion.targets(1175,5): error MSB3644: Die Verweisassemblys für ".NETFramework,Version=v4.7.2" wurden nicht gefunden. Installieren Sie zum Beheben dieses Problems das Developer Pack (SDK/Paket zur Festlegung von Zielversionen) für diese Frameworkversion, oder richten Sie Ihre Anwendung neu aus. Sie können .NET Framework Developer Packs unter https://aka.ms/msbuild/developerpacks herunterladen. [C:\Users\dehottgw\workspaces\workspace-main\MySqlConnector-cloned\tests\SideBySide\SideBySide.csproj]
C:\Users\dehottgw\workspaces\workspace-main\MySqlConnector-cloned\tests\SideBySide [master ≡]>

Is there anything else besides dotnet core I need to install?

@wollud1969
Copy link
Author

wollud1969 commented Sep 25, 2019

Is this related to #268?

@bgrainger
Copy link
Member

bgrainger commented Sep 25, 2019

It sounds like there are problems compiling for net452, etc. This block in the CSPROJ is supposed to address that (and it does, on Linux, where the tests pass):

https://github.com/mysql-net/MySqlConnector/blob/master/tests/SideBySide/SideBySide.csproj#L52-L57

Are you on Linux or macOS?

One workaround would be to change

<TargetFrameworks>net452;net461;net472;netcoreapp1.1.2;netcoreapp2.0;netcoreapp2.1;netcoreapp3.0</TargetFrameworks>
to just <TargetFramework>netcoreapp3.0</TargetFramework> so you're not compiling for the full .NET Framework.

@bgrainger
Copy link
Member

bgrainger commented Sep 25, 2019

Is this related to #268?

I suppose it could be. I haven't set up your test environment yet, but since (I assume) MariaDB is sending the password in clear text to the LDAP server, it must also have received it in clear text from MySqlConnector. The only way for that to happen is mysql_clear_password.

At a first glance, it looks like the client is sending the entire password, which must mean that MariaDB is truncating the last character. Is there supposed to be a NULL padding byte?

@bgrainger
Copy link
Member

bgrainger commented Sep 25, 2019

@bgrainger
Copy link
Member

bgrainger commented Sep 25, 2019

The mysql-connector-j client writes a trailing NULL: https://github.com/mysql/mysql-connector-j/blob/66459e9d39c8fd09767992bc592acd2053279be6/src/main/protocol-impl/java/com/mysql/cj/protocol/a/authentication/MysqlClearPasswordPlugin.java#L77-L80

Adding a NULL byte in MySqlConnector should be a simple fix (and would be compatible with any server that's performing a simple strcmp on the submitted password).

@bgrainger
Copy link
Member

bgrainger commented Sep 25, 2019

@wollud1969
Copy link
Author

wollud1969 commented Sep 25, 2019

I'm alternatively on Windows or on Linux. I suppose the failing tests concerning UnixDomainSockets on Windows are okay, aren't they.

That was a fast fix, thank you very much indeed. Will there be a new package on nuget shortly?

@bgrainger
Copy link
Member

bgrainger commented Sep 25, 2019

Yes, 0.59.0 should be shipping later today.

@bgrainger
Copy link
Member

bgrainger commented Sep 25, 2019

Fixed in 0.59.0.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

No branches or pull requests

2 participants