Issue 7419 - sasl with auxprop-hashed always authenticated no matter what the username and password is provided
Status: VERIFIED SUSPENDED
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: slapd
Version: 2.4.33
Hardware: All, OS: All
Importance: --- normal
Target Milestone: ---
Assignee: OpenLDAP project
Reported: 2012-10-19 12:43 UTC by ptomulik@meil.pw.edu.pl
Modified: 2021-08-03 17:59 UTC
Description ptomulik@meil.pw.edu.pl 2012-10-19 12:43:40 UTC
Full_Name: Pawel Tomulik
Version: 2.4.33
OS: debian
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (46.227.109.205)


Hi,

this bug was also reported to cyrus-sasl bugzilla, see

https://bugzilla.cyrusimap.org/show_bug.cgi?id=3743

where configs, ldif files and some logs are provided.

If I set:

auxprop_plugin: slapd
pwcheck_method: auxprop-hashed

in my /usr/lib/sasl2/slapd.conf, then ldapwhoami always gives a positive
response, no matter what username (-U) and password (-w) is provided. The bug may be
reproduced easily on debian wheezy/sid by following the instructions provided in

https://bugzilla.cyrusimap.org/attachment.cgi?id=1503

These instructions reproduce the bug on slapd 2.4.31 from the debian package;
however, I reproduced it also on slapd from openldap 2.4.33 compiled from sources.

It was said by Alexey Melnikov (Cyrus) that the bug may be in libsasl code (part
of Cyrus SASL), slapd (OpenLDAP) or both, so I report it also here.
Comment 1 Howard Chu 2012-10-19 14:46:28 UTC
changed notes
changed state Open to Suspended
Comment 2 Howard Chu 2012-10-19 14:50:58 UTC
As discussed in private email with Pawel and Alexey, this is no bug. 
"auxprop-hashed" is an undocumented feature first added in Cyrus SASL 2.1.24 
and not yet completely implemented in any published code. It appears to only 
be supported internally by ISODE at this point. There is no action for us to 
take until Cyrus completes the public implementation and documentation.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
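The two checks an administrator would want after reading the report and the reply above: a lint of the SASL config for the undocumented `pwcheck_method: auxprop-hashed`, and a negative bind test that confirms a wrong password is really refused. This is an added example, not code from the issue, OpenLDAP or Cyrus SASL; it assumes `ldapwhoami` is installed for the live test, takes the server URI and a SASL user name from the caller, and the config it lints in the demo is constructed to mirror the one in the report.

```shell
#!/bin/sh
# Added example (not from the issue or either project): lint a SASL config
# for the undocumented "auxprop-hashed" pwcheck_method and, optionally,
# confirm that a bind with a wrong password is actually refused.

# Returns 0 if pwcheck_method is absent or any other value, 1 if it is
# auxprop-hashed (the setting under which every bind succeeded in the
# report), 2 if the file cannot be read.
check_pwcheck_method() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    # Take the last uncommented "pwcheck_method: value" line (spacing around
    # the colon is tolerated; lines starting with # never match).
    method=$(sed -n 's/^[[:space:]]*pwcheck_method[[:space:]]*:[[:space:]]*\([^[:space:]]*\).*/\1/p' "$conf" | tail -n 1)
    case "$method" in
        auxprop-hashed)
            echo "$conf: pwcheck_method auxprop-hashed is undocumented and not fully implemented; use auxprop" >&2
            return 1 ;;
        *)
            return 0 ;;
    esac
}

# Negative test: a bind with a deliberately wrong password must fail.
# Returns 0 only if ldapwhoami exits non-zero. Assumes ldapwhoami is on
# PATH, a server listens at $1, and $2 is an existing SASL user name.
bind_rejects_wrong_password() {
    uri="$1"; user="$2"
    if ldapwhoami -H "$uri" -U "$user" -w "wrong-password-$$" >/dev/null 2>&1; then
        echo "WARNING: bind as $user at $uri succeeded with a bogus password" >&2
        return 1
    fi
    return 0
}

# Demo on a constructed config mirroring the one in the report.
sample=$(mktemp)
printf 'auxprop_plugin: slapd\npwcheck_method: auxprop-hashed\n' > "$sample"
check_pwcheck_method "$sample" || echo "config check failed with status $?"
rm -f "$sample"
# Live test against a running server (user1 is a placeholder):
#   bind_rejects_wrong_password ldap://localhost user1
```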

Comment 3 Howard Chu 2012-11-01 14:02:21 UTC
changed notes
Comment 4 Howard Chu 2012-11-01 14:02:22 UTC
published 7419
marked public
Comment 5 OpenLDAP project 2014-08-01 21:03:56 UTC
no bug, auxprop-hashed is an undocumented SASL feature introduced in 2.1.24
No action from us until Cyrus properly documents it.