[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP clients dump core in SSL mode (ITS#889)



At 08:32 PM 11/15/00 +0000, klasen@zdv.uni-tuebingen.de wrote:
>del@babel.com.au wrote:
>> Version: 2.0.7
>> ldapsearch -H ldaps://<servername>/ -x
>> also, Julio Sanchez Fernandez wrote:
>> 
>> > It seems to fail in ldap_int_sasl_external in cyrus.c, possibly
>> > because ld_defconn is garbage.
>> >
>> > But I don't quite understand why it is trying to do an external
>> > sasl bind, if that is what it is doing...
>
>I think that ldap_int_sasl_external is to set the sasl external ssf
>value and auth_id to those of the external mechanism. 
>
>It tries to access ld->ld_defconn->lconn_sasl_ctx which is not there
>yet. 
>
>ldap_pvt_tls_start (which calls ldap_int_sasl_external) is also called
>when establishing TLS. In this context, ld->ld_defconn is already valid.
>
>But in a SSL connect, ld->ld_defconn is set to the return value of
>ldap_new_connection in ldap_open_defconn. ldap_new_connection first
>allocates lc to which ld->defconn is set. But ldap_new_connection calls
>ldap_int_open_connection -> ldap_pvt_tls_start ->
>ldap_int_sasl_external, which then tries to access the non existent
>ld->ld_defconn.
>
>I suggest adding another parameter to ldap_pvt_tls_start which
>explicitly holds ldap_conn and then calling ldap_int_sasl_external with
>"LDAPConn *conn" instead of "LDAP *ld":

A simple and quick solution is just to have ldap_int_sasl_external do
nothing if there is no SASL context.  ldaps:// is really pre-LDAP SASL
and deprecated.  LDAP SASL (RFC 2829) is designed to be used with
Start TLS (RFC 2830).  

However, I have no objection to fixing this such that SASL/EXTERNAL
can be used with ldaps://.  Likely here the fix is to establish
the SASL context prior to starting TLS.

Kurt