
Re: fixes for SASL KERBEROS_V4 mechanism (ITS#829)



Karsten,

We had a bit of prior discussion regarding this issue.  In
particular, please review:
  http://www.openldap.org/lists/openldap-devel/200007/msg00031.html
  http://www.openldap.org/lists/openldap-devel/200007/msg00039.html

Basically, we suggest compiling Cyrus SASL with
KRB4_IGNORE_IP_ADDRESS.  This works fine unless you desire
to use security layers.

If you want to use security layers, then, yes, both -lldap
and slapd need patching.  However, as OpenLDAP supports
multiple protocol families and Cyrus SASL only supports
AF_INET, special care must be taken.

Kurt

At 10:52 PM 10/11/00 +0000, karsten.kuenne@desy.de wrote:
>Full_Name: Karsten Kuenne
>Version: 2.0.6
>OS: Solaris 7
>URL: ftp://ftp.openldap.org/incoming/
>Submission from: (NULL) (131.169.137.215)
>
>
>The KERBEROS_V4 SASL mechanism needs the local and remote IP address to be set
>with sasl_setprop in order to work. The following patch fixes it:
>
>*** ./libraries/libldap/cyrus.c.orig    Wed Oct 11 19:58:00 2000
>--- ./libraries/libldap/cyrus.c Thu Oct 12 00:07:29 2000
>***************
>*** 386,391 ****
>--- 386,394 ----
>  {
>        int rc;
>        sasl_conn_t *ctx;
>+       ber_socket_t            sd;
>+       struct sockaddr_in sinloc, sinrem;
>+       socklen_t socklen;
>  
>        sasl_callback_t *session_callbacks =
>                ber_memcalloc( 2, sizeof( sasl_callback_t ) );
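Review bot: `struct sockaddr_in sinloc, sinrem;` in this hunk pins the address family to AF_INET, but ld->ld_sb may carry an AF_INET6 or AF_LOCAL (ldapi://) socket, and getsockname()/getpeername() will then truncate a larger sockaddr into these buffers. Declare them as `struct sockaddr_storage` and only hand SASL a `struct sockaddr_in` after checking the family is AF_INET. `socklen_t` is also not present on every platform OpenLDAP builds on; it should come from the project's portability headers rather than be assumed.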
>***************
>*** 420,425 ****
>--- 423,452 ----
>  
>        lc->lconn_sasl_ctx = ctx;
>  
>+       ber_sockbuf_ctrl( ld->ld_sb, LBER_SB_OPT_GET_FD, &sd );
>+       socklen = sizeof(sinloc);
>+       rc = getsockname(sd, (struct sockaddr *)&sinloc, &socklen);
>+       if (rc == -1) {
>+               ld->ld_errno = errno;
>+               return rc;
>+       }
>+       rc = sasl_setprop(ctx, SASL_IP_LOCAL, &sinloc);
>+       if ( rc != SASL_OK ) {
>+               ld->ld_errno = sasl_err2ldap( rc );
>+               return ld->ld_errno;
>+       }
>+       socklen = sizeof(sinrem);
>+       rc = getpeername(sd, (struct sockaddr *)&sinrem, &socklen);
>+       if (rc == -1) {
>+               ld->ld_errno = errno;
>+               return rc;
>+       }
>+       rc = sasl_setprop(ctx, SASL_IP_REMOTE, &sinrem);
>+       if ( rc != SASL_OK ) {
>+               ld->ld_errno = sasl_err2ldap( rc );
>+               return ld->ld_errno;
>+       }
>+ 
>        if( ssf ) {
>                sasl_external_properties_t extprops;
>                memset(&extprops, 0L, sizeof(extprops));
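Review bot: the two syscall failure branches store a raw errno in ld->ld_errno and `return rc;` with rc == -1, which is neither an LDAP result code nor consistent with the sasl_err2ldap()-mapped values the other error paths in this function return; set ld->ld_errno to an LDAP code (LDAP_LOCAL_ERROR fits a local socket failure) and return that. The return value of `ber_sockbuf_ctrl( ld->ld_sb, LBER_SB_OPT_GET_FD, &sd )` is also unchecked, so a sockbuf without a descriptor only surfaces indirectly as a getsockname() failure. Finally the property setting is unconditional, so every mechanism now requires an AF_INET socket even though only KERBEROS_V4 needs the addresses.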
>*** ./servers/slapd/sasl.c.orig Wed Oct 11 18:51:14 2000
>--- ./servers/slapd/sasl.c      Thu Oct 12 00:08:01 2000
>***************
>*** 221,226 ****
>--- 221,229 ----
>  #ifdef HAVE_CYRUS_SASL
>        sasl_conn_t *ctx = NULL;
>        sasl_callback_t *session_callbacks;
>+       ber_socket_t sd;
>+       struct sockaddr_in sinloc, sinrem;
>+       socklen_t socklen;
>  
>        assert( conn->c_sasl_context == NULL );
>        assert( conn->c_sasl_extra == NULL );
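Review bot: the same AF_INET-only declaration as in the libldap hunk; slapd accepts connections on ldapi:// and IPv6 listeners, so `struct sockaddr_in sinloc, sinrem;` should be a `struct sockaddr_storage`, with SASL_IP_LOCAL/SASL_IP_REMOTE set only when conn->c_sb is an AF_INET connection and left unset otherwise.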
>***************
>*** 259,264 ****
>--- 262,290 ----
>  
>        conn->c_sasl_context = ctx;
>  
>+       ber_sockbuf_ctrl( conn->c_sb, LBER_SB_OPT_GET_FD, &sd );
>+         socklen = sizeof(sinloc);
>+         sc = getsockname(sd, (struct sockaddr *)&sinloc, &socklen);
>+         if (sc == -1) {
>+                 return sc;
>+         }
>+         sc = sasl_setprop(ctx, SASL_IP_LOCAL, &sinloc);
>+         if ( sc != SASL_OK ) {
>+                 sc = slap_sasl_err2ldap( sc );
>+                 return sc;
>+         }
>+ 
>+         socklen = sizeof(sinrem);
>+         sc = getpeername(sd, (struct sockaddr *)&sinrem, &socklen);
>+         if (sc == -1) {
>+                 return sc;
>+         }
>+         sc = sasl_setprop(ctx, SASL_IP_REMOTE, &sinrem);
>+         if ( sc != SASL_OK ) {
>+                 sc = slap_sasl_err2ldap( sc );
>+                 return sc;
>+         }
>+ 
>        if( sc == SASL_OK ) {
>                sc = sasl_setprop( ctx,
>                        SASL_SEC_PROPS, &sasl_secprops );
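Review bot: on getsockname()/getpeername() failure this hunk does `return sc;` with the raw -1 from the syscall, whereas every other failure path here goes through slap_sasl_err2ldap() and returns an LDAP result code; map it to an LDAP code (LDAP_OTHER, for example) before returning. Because all four failure paths now return early, the `if( sc == SASL_OK )` test that follows the hunk is always true and the structure should be folded into the existing error chain. The new lines are also indented with spaces while the surrounding code uses tabs.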
>
>
>I tested that GSSAPI is still working with these changes applied but I didn't
>test whether it affects other mechanisms (it shouldn't).
>
>Karsten.
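Kurt's point about protocol families, as an added example that is not OpenLDAP or Cyrus SASL code: fetch the socket's local and peer addresses into a `struct sockaddr_storage`, and only produce the `struct sockaddr_in` values that the patch passes to sasl_setprop() for SASL_IP_LOCAL/SASL_IP_REMOTE when the socket really is AF_INET. The sasl_setprop() call itself is left to the caller; the function names, the return codes and the AF_UNIX/loopback fixtures in main() are assumptions constructed for this example.

```c
/* Added example, not OpenLDAP or Cyrus SASL code.  Reads both ends of a
 * connected socket into struct sockaddr_storage (large enough for any
 * family) and copies them out as struct sockaddr_in only if both are
 * AF_INET.  ldapi:// (AF_UNIX) and AF_INET6 sockets are reported as
 * "skip" so the caller leaves SASL_IP_* unset instead of handing SASL a
 * truncated sockaddr of the wrong family. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

enum { SASL_IP_ERROR = -1, SASL_IP_SKIP = 0, SASL_IP_SET = 1 };

/* SASL_IP_SET: *local/*remote filled, safe to pass to sasl_setprop().
 * SASL_IP_SKIP: not an AF_INET socket.  SASL_IP_ERROR: syscall failed. */
int sasl_ip_props_from_fd(int fd, struct sockaddr_in *local,
                          struct sockaddr_in *remote)
{
    struct sockaddr_storage ssloc, ssrem;
    socklen_t len;

    memset(&ssloc, 0, sizeof(ssloc));
    len = sizeof(ssloc);
    if (getsockname(fd, (struct sockaddr *)&ssloc, &len) == -1)
        return SASL_IP_ERROR;
    if (ssloc.ss_family != AF_INET)
        return SASL_IP_SKIP;

    memset(&ssrem, 0, sizeof(ssrem));
    len = sizeof(ssrem);
    if (getpeername(fd, (struct sockaddr *)&ssrem, &len) == -1)
        return SASL_IP_ERROR;
    if (ssrem.ss_family != AF_INET)
        return SASL_IP_SKIP;

    memcpy(local, &ssloc, sizeof(*local));
    memcpy(remote, &ssrem, sizeof(*remote));
    return SASL_IP_SET;
}

/* Constructed fixture: a connected TCP pair over 127.0.0.1 on a kernel-
 * chosen port.  Returns 0 and fills *client/*server, or -1 on failure. */
int make_loopback_pair(int *client, int *server)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof(sin);
    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd == -1)
        return -1;
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin.sin_port = 0;
    if (bind(lfd, (struct sockaddr *)&sin, sizeof(sin)) == -1 ||
        listen(lfd, 1) == -1 ||
        getsockname(lfd, (struct sockaddr *)&sin, &len) == -1) {
        close(lfd);
        return -1;
    }
    *client = socket(AF_INET, SOCK_STREAM, 0);
    if (*client == -1 ||
        connect(*client, (struct sockaddr *)&sin, sizeof(sin)) == -1) {
        if (*client != -1) close(*client);
        close(lfd);
        return -1;
    }
    *server = accept(lfd, NULL, NULL);
    close(lfd);
    if (*server == -1) {
        close(*client);
        return -1;
    }
    return 0;
}

int main(void)
{
    struct sockaddr_in loc, rem;
    int pair[2], c, s, r;
    char lbuf[INET_ADDRSTRLEN], rbuf[INET_ADDRSTRLEN];

    /* AF_UNIX pair: what an ldapi:// connection looks like to the library */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, pair) == 0) {
        printf("AF_UNIX socket -> %d (0 = leave SASL_IP_* unset)\n",
               sasl_ip_props_from_fd(pair[0], &loc, &rem));
        close(pair[0]);
        close(pair[1]);
    }
    /* Loopback TCP pair: the AF_INET case the patch was written for */
    if (make_loopback_pair(&c, &s) == 0) {
        r = sasl_ip_props_from_fd(s, &loc, &rem);
        if (r == SASL_IP_SET) {
            inet_ntop(AF_INET, &loc.sin_addr, lbuf, sizeof(lbuf));
            inet_ntop(AF_INET, &rem.sin_addr, rbuf, sizeof(rbuf));
            printf("AF_INET socket -> %d, local %s:%u remote %s:%u\n", r,
                   lbuf, ntohs(loc.sin_port), rbuf, ntohs(rem.sin_port));
        }
        close(c);
        close(s);
    }
    return 0;
}
```

In the libldap and slapd code the SASL_IP_LOCAL/SASL_IP_REMOTE sasl_setprop() calls would then be made only on SASL_IP_SET; on SASL_IP_SKIP the mechanism that needs the addresses (KERBEROS_V4) fails cleanly at negotiation time while the other mechanisms are unaffected, and SASL_IP_ERROR is mapped to an LDAP result code rather than returned raw.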