
SASL EXTERNAL fails with current slapd (ITS#2200)

Full_Name: Luke Howard
Version: HEAD
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (

The following change was recently made to slapd:

@@ -1515,7 +1510,7 @@
        if ( !conn->c_sasl_bind_in_progress ) {
                sc = START( ctx,
-                       cred->bv_len ? cred->bv_val : "",
+                       cred->bv_len ? cred->bv_val : NULL,
                        (SASL_CONST char **)&response.bv_val, &reslen, &errstr
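Review bot: the `+` line passes NULL whenever cred->bv_len is zero, which conflates a credentials field that is absent from the BindRequest with one that is present but empty; as the report below describes, the Cyrus EXTERNAL mechanism treats a NULL input as "no initial response yet" and answers SASL_CONTINUE, so an EXTERNAL bind with empty credentials never completes. If the intent was to hand the mechanism NULL only when the client sent no credentials element at all, key the choice on whether a value was decoded rather than on its length, for instance `cred->bv_val ? cred->bv_val : NULL` (assuming the decoder leaves bv_val NULL for an absent element), and record the motivation in the commit message, since the hunk shown carries none.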

This broke SASL EXTERNAL (testing with internal patch to support ldapi:// and
SO_PEERCRED), because the Cyrus SASL library's EXTERNAL implementation expects
to receive a non-NULL pointer for the input buffer, even if the length is zero.

If it receives a NULL pointer, then it will return SASL_CONTINUE which
ultimately results in SASL_BIND_IN_PROGRESS being returned to the client.

The client, obviously, is not binding with an authorization identity (otherwise
cred->bv_len would be non-zero). Our application is attempting to acquire
Administrator authorization through binding as root over a domain socket.

Presumably there was some reason that this change was introduced (I haven't
checked the commit logs), so it might be difficult to work around if there is a
good reason for it being there. For our purposes, though, I've changed it back.
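The following is an added example illustrating the failure described in this report; it is not code from slapd or from Cyrus SASL. The berval struct, the ext_* result codes, the variant names and external_step() are stand-ins written to the behaviour the report describes (NULL input to EXTERNAL yields SASL_CONTINUE, empty input authorizes as the authenticated identity, any other input is the requested authorization identity); the identity "root" and the credential "u:admin" are constructed sample input, and the "by presence" variant is a suggested alternative, not an OpenLDAP commit.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the ITS#2200 failure. Added example, not slapd or
 * Cyrus SASL code: struct berval, the ext_* codes and external_step() are
 * stand-ins for the real libsasl2 types and the EXTERNAL server mechanism,
 * written to the behaviour the report describes. */

struct berval {
    size_t bv_len;
    char  *bv_val;
};

enum ext_result { EXT_OK = 0, EXT_CONTINUE = 1, EXT_TOOLONG = 2 };

enum variant { VARIANT_OLD, VARIANT_NEW, VARIANT_BY_PRESENCE };

/* The pointer slapd hands to sasl_server_start() as the client's initial
 * response, under each variant of the line changed in the diff. */
static const char *initial_response(enum variant v, const struct berval *cred)
{
    switch (v) {
    case VARIANT_OLD:   /* before the change: empty credentials -> "" */
        return cred->bv_len ? cred->bv_val : "";
    case VARIANT_NEW:   /* after the change: empty credentials -> NULL */
        return cred->bv_len ? cred->bv_val : NULL;
    case VARIANT_BY_PRESENCE:
        /* Suggested alternative (an assumption, not an OpenLDAP commit):
         * decide on whether a credentials value was decoded at all
         * (bv_val != NULL), not on its length, so a present but empty
         * credential still reaches the mechanism as "". */
        return cred->bv_val ? cred->bv_val : NULL;
    }
    return NULL;
}

/* Model of the EXTERNAL server step. NULL input means the client has not
 * sent an initial response, so the server asks for one (CONTINUE, which
 * slapd surfaces as SASL_BIND_IN_PROGRESS). Empty input means "authorize
 * me as the identity the transport already authenticated"; anything else
 * is the requested authorization identity. */
static enum ext_result external_step(const char *auth_id,
                                     const char *clientin, size_t clientinlen,
                                     char *authzid, size_t authzid_size)
{
    if (clientin == NULL)
        return EXT_CONTINUE;
    if (clientinlen == 0) {
        clientin = auth_id;
        clientinlen = strlen(auth_id);
    }
    if (clientinlen >= authzid_size)
        return EXT_TOOLONG;
    memcpy(authzid, clientin, clientinlen);
    authzid[clientinlen] = '\0';
    return EXT_OK;
}

/* One EXTERNAL bind. cred_val == NULL models an absent credentials field,
 * cred_val == "" a present but empty one. */
static enum ext_result model_bind(enum variant v, const char *auth_id,
                                  const char *cred_val,
                                  char *authzid, size_t authzid_size)
{
    struct berval cred;
    const char *in;

    cred.bv_val = (char *)cred_val;
    cred.bv_len = cred_val ? strlen(cred_val) : 0;
    in = initial_response(v, &cred);
    return external_step(auth_id, in, in ? cred.bv_len : 0,
                         authzid, authzid_size);
}

/* 1 when the bind completes with the expected authorization identity. */
int bind_yields(enum variant v, const char *auth_id, const char *cred_val,
                const char *expected_authzid)
{
    char authzid[256];
    if (model_bind(v, auth_id, cred_val, authzid, sizeof authzid) != EXT_OK)
        return 0;
    return strcmp(authzid, expected_authzid) == 0;
}

/* 1 when the mechanism answers CONTINUE, i.e. the bind stays in progress. */
int bind_continues(enum variant v, const char *auth_id, const char *cred_val)
{
    char authzid[256];
    return model_bind(v, auth_id, cred_val, authzid, sizeof authzid) == EXT_CONTINUE;
}

int main(void)
{
    const char *peer = "root";  /* constructed: identity taken from the socket peer */
    printf("old code, empty cred:      %s\n",
           bind_yields(VARIANT_OLD, peer, "", peer) ? "authorized as peer" : "not authorized");
    printf("new code, empty cred:      %s\n",
           bind_continues(VARIANT_NEW, peer, "") ? "CONTINUE (bind in progress)" : "done");
    printf("by presence, empty cred:   %s\n",
           bind_yields(VARIANT_BY_PRESENCE, peer, "", peer) ? "authorized as peer" : "not authorized");
    printf("by presence, absent cred:  %s\n",
           bind_continues(VARIANT_BY_PRESENCE, peer, NULL) ? "CONTINUE (bind in progress)" : "done");
    return 0;
}
```

The three variants differ only for the empty-credentials case: the old line completes the bind as the transport-authenticated identity, the changed line leaves it in progress, and deciding on presence rather than length keeps the empty case working while still passing NULL when no credentials element was decoded. A client that does send an authorization identity (non-zero bv_len) behaves identically under all three.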