sasl-regexp problems in 2.1.22 (bug found in servers/slapd/saslauthz.c:slap_parseURI())

I'm running 2.1.22 on my test system at home, but it
seems like I'm having trouble with the sasl-regexp.

----- s n i p -----
sasl-regexp             uid=(.*),cn=(.*),cn=gssapi,cn=auth
                        ldap://127.0.0.1:389/c=SE??sub?(krb5PrincipalName=$1@BAYOUR.COM)
[...]
access to attrs=uid,cn,accountStatus,uidNumber,gidNumber,gecos,homeDirectory,loginShell,krb5PrincipalName,dc,o,ou,objectClass,entry
        by aci write
        by domain=.*\.bayour\.com read
        by peername="IP=127\.0\.0\.1:.*" read
[...]
access to *
        by dn="cn=Turbo Fredriksson,ou=People,o=Fredriksson,c=SE" write
        by aci write
        by * none
----- s n i p -----

To make this work, I think I have to make the krb5PrincipalName
readable to anonymous (?).

----- s n i p -----
[tuzjfi.tty2]$ ldapsearch -x -LLL -h localhost -b c=SE krb5PrincipalName=turbo@BAYOUR.COM krb5PrincipalName
dn: cn=Turbo Fredriksson,ou=People,o=Fredriksson,c=SE
krb5PrincipalName: turbo@BAYOUR.COM
----- s n i p -----

Doing the same search non-anonymously, the LDAP server with '-d -1'
shows:
----- s n i p -----
do_sasl_bind: dn () mech GSSAPI
conn=0 op=3 BIND dn="" method=163
==> sasl_bind: dn="" mech=<continuing> datalen=65
SASL Canonicalize [conn=0]: authcid="turbo"
slap_sasl_getdn: id=turbo [len=5]
getdn: u:id converted to uid=turbo,cn=BAYOUR.COM,cn=GSSAPI,cn=auth
>>> dnNormalize: <uid=turbo,cn=BAYOUR.COM,cn=GSSAPI,cn=auth>
=> ldap_bv2dn(uid=turbo,cn=BAYOUR.COM,cn=GSSAPI,cn=auth,0)
<= ldap_bv2dn(uid=turbo,cn=BAYOUR.COM,cn=GSSAPI,cn=auth,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=turbo,cn=bayour.com,cn=gssapi,cn=auth,272)=0
<<< dnNormalize: <uid=turbo,cn=bayour.com,cn=gssapi,cn=auth>
==>slap_sasl2dn: converting SASL name uid=turbo,cn=bayour.com,cn=gssapi,cn=auth to a DN
slap_sasl_regexp: converting SASL name uid=turbo,cn=bayour.com,cn=gssapi,cn=auth
slap_sasl_regexp: converted SASL name to ldap://127.0.0.1:389/c=SE??sub?(krb5PrincipalName=turbo@BAYOUR.COM)
slap_parseURI: parsing ldap://127.0.0.1:389/c=SE??sub?(krb5PrincipalName=turbo@BAYOUR.COM)
ldap_url_parse_ext(ldap://127.0.0.1:389/c=SE??sub?(krb5PrincipalName=turbo@BAYOUR.COM))
slap_sasl2dn: slap_parseURI returned 2 (base=(null), scope=-1).
<==slap_sasl2dn: Converted SASL name to <nothing>
SASL Canonicalize [conn=0]: authcDN="uid=turbo,cn=bayour.com,cn=gssapi,cn=auth"
----- s n i p -----

The third line from the end is my extra debugging in the code,
just to try to find the problem.

When looking through the code (code is better than manuals :),
I saw that I _should_ have gotten the log message
'slap_sasl2dn: performing internal search', but the extra debugging
code I added shows that slap_parseURI() returns 2 (LDAP_PROTOCOL_ERROR).



With more debugging added, I found that the following code snippet was
'used'...
----- s n i p -----
        if (( ludp->lud_host && *ludp->lud_host )
                || ludp->lud_attrs || ludp->lud_exts )
        {
                /* host part should be empty */
                /* attrs and extensions parts should be empty */
                /* Extra debugging by Turbo. lud_attrs and lud_exts are
                 * NULL-terminated char ** arrays, so print their first
                 * element (or "(null)") instead of the array pointer. */
#ifdef NEW_LOGGING
                LDAP_LOG( TRANSPORT, ENTRY,
                        "slap_parseURI: Returning LDAP_PROTOCOL_ERROR. (host=%s, attrs=%s, exts=%s).\n",
                        ludp->lud_host ? ludp->lud_host : "(null)",
                        ludp->lud_attrs ? ludp->lud_attrs[0] : "(null)",
                        ludp->lud_exts ? ludp->lud_exts[0] : "(null)" );
#else
                Debug( LDAP_DEBUG_TRACE,
                        "slap_parseURI: Returning LDAP_PROTOCOL_ERROR. (host=%s, attrs=%s, exts=%s).\n",
                        ludp->lud_host ? ludp->lud_host : "(null)",
                        ludp->lud_attrs ? ludp->lud_attrs[0] : "(null)",
                        ludp->lud_exts ? ludp->lud_exts[0] : "(null)" );
#endif
                return LDAP_PROTOCOL_ERROR;
        }
----- s n i p -----

This is/was proved by the following log message (third line from the end):
----- s n i p -----
==>slap_sasl2dn: converting SASL name uid=turbo,cn=bayour.com,cn=gssapi,cn=auth to a DN
slap_sasl_regexp: converting SASL name uid=turbo,cn=bayour.com,cn=gssapi,cn=auth
slap_sasl_regexp: converted SASL name to ldap://127.0.0.1:389/c=SE??sub?(krb5PrincipalName=turbo@BAYOUR.COM)
slap_parseURI: parsing ldap://127.0.0.1:389/c=SE??sub?(krb5PrincipalName=turbo@BAYOUR.COM)
ldap_url_parse_ext(ldap://127.0.0.1:389/c=SE??sub?(krb5PrincipalName=turbo@BAYOUR.COM))
ldap_url_parse: ldap_url_parse_ext returned: 0 (0).
slap_parseURI: ldap_url_parse returned: 0 (host=127.0.0.1, filter=(krb5PrincipalName=turbo@BAYOUR.COM)).
slap_parseURI: Returning LDAP_PROTOCOL_ERROR. (host=127.0.0.1, attrs=(null), exts=(null)).
slap_sasl2dn: slap_parseURI returned 2 (base=(null), scope=-1).
<==slap_sasl2dn: Converted SASL name to <nothing>
----- s n i p -----


With this in mind, I changed the sasl-regexp to the following,
and then it worked. Why!?
----- s n i p -----
# URI format: ldap://<host>/<base>[?[<attrs>][?[<scope>][?[<filter>]]]]
sasl-regexp             uid=(.*),cn=(.*),cn=gssapi,cn=auth
                        ldap:///c=SE??sub?(krb5PrincipalName=$1@BAYOUR.COM)
----- s n i p -----

So it seems that I can't use the host part!
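As an added example (not part of this post and not OpenLDAP's own code), the script below replays the two steps visible in the debug log: it applies a sasl-regexp rule to the normalized SASL DN, expanding $1..$9 into the replacement URI, and then checks the resulting URI with the same rule the quoted slap_parseURI() code applies, that is, a non-empty host, an attrs part or an extensions part yields LDAP_PROTOCOL_ERROR. The URI is resolved by an internal search on the local server, so the host part has no meaning there; that is why the host-less form works. The function names, the rule tuples and the sample SASL DN are constructed for the example; the return codes 0 and 2 are the values seen in the log.

```python
import re
from urllib.parse import urlsplit, unquote

LDAP_SUCCESS = 0
LDAP_PROTOCOL_ERROR = 2  # the code slap_parseURI returned in the log

# Constructed rules, modelled on the two sasl-regexp lines in the post.
# slapd matches the pattern against the *normalized* SASL DN, which is
# why "cn=BAYOUR.COM,cn=GSSAPI" appears lower-cased in the log.
REGEXP_WITH_HOST = (
    r"uid=(.*),cn=(.*),cn=gssapi,cn=auth",
    "ldap://127.0.0.1:389/c=SE??sub?(krb5PrincipalName=$1@BAYOUR.COM)",
)
REGEXP_NO_HOST = (
    r"uid=(.*),cn=(.*),cn=gssapi,cn=auth",
    "ldap:///c=SE??sub?(krb5PrincipalName=$1@BAYOUR.COM)",
)


def sasl_regexp_rewrite(sasl_dn, pattern, replacement):
    """Apply one sasl-regexp rule: match the normalized SASL DN and
    expand $1..$9 in the replacement.  Returns None when the rule does
    not match, so the caller can move on to the next rule."""
    m = re.fullmatch(pattern, sasl_dn)
    if m is None:
        return None

    def expand(ref):
        return m.group(int(ref.group(1)))

    return re.sub(r"\$(\d)", expand, replacement)


def parse_sasl_uri(uri):
    """Mimic the slap_parseURI check quoted in the post.  The URI layout
    is ldap://host/base?attrs?scope?filter?extensions (RFC 2255); for a
    sasl-regexp replacement the host must be empty and attrs/extensions
    must be absent, because slapd runs the search internally.
    Returns (rc, base, scope, filter)."""
    parts = urlsplit(uri)
    if parts.scheme != "ldap":
        return LDAP_PROTOCOL_ERROR, None, None, None
    base = unquote(parts.path.lstrip("/"))
    fields = parts.query.split("?") if parts.query else []
    attrs, scope, filt, exts = (fields + ["", "", "", ""])[:4]
    # Same condition as the C code: host non-empty, or attrs, or exts.
    if parts.netloc or attrs or exts:
        return LDAP_PROTOCOL_ERROR, None, None, None
    return LDAP_SUCCESS, base, scope or "base", filt


def resolve_sasl_dn(sasl_dn, rules):
    """Walk the sasl-regexp rules in order and return the parse result
    of the first replacement that matches, or None if none matches."""
    for pattern, replacement in rules:
        uri = sasl_regexp_rewrite(sasl_dn, pattern, replacement)
        if uri is not None:
            return parse_sasl_uri(uri)
    return None


if __name__ == "__main__":
    # Constructed SASL DN, the normalized form shown in the debug log.
    dn = "uid=turbo,cn=bayour.com,cn=gssapi,cn=auth"
    for label, rule in (("with host", REGEXP_WITH_HOST),
                        ("no host", REGEXP_NO_HOST)):
        uri = sasl_regexp_rewrite(dn, *rule)
        print(label, "->", uri)
        print("   slap_parseURI:", parse_sasl_uri(uri))
```

Run as-is, the "with host" rule reproduces the `slap_parseURI returned 2 (base=(null), scope=-1)` outcome from the log, and the host-less rule yields base `c=SE`, scope `sub` and the expected filter. The check is deliberately a plain string test on the netloc and the attrs/extensions fields, which is all the quoted C condition looks at.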