[Date Prev][Date Next] [Chronological] [Thread] [Top]

slapd gets into a spin when using {SASL} password scheme (ITS#3048)

Full_Name: Paul Kranenburg
Version: 2.2.6
OS: Solaris 9
Submission from: (NULL) (

* Set an entry's userPassword attribute to {SASL}userid
* Configure slapd with a `sasl-regexp' that evaluates the SASL Auth DN to this
  entry's DN.
* Perform a simple bind on this DN.

slapd gets into a recursive loop while trying to authenticate the password:

  1) slap_passwd_check calls lutil_passwd() with `{SASL}userid'
  2) lutil_passwd() calls sasl_passcheck() for `userid'
  3) sasl_checkpass() calls back to slap_sasl_checkpass() passing (the
     canonicalized) `userid'
  4) slap_sasl_getdn() return the DN corresponding to `userid' through
     the `sasl-regexp' evalution.
  5) slap_sasl_passcheck() does a search for the DN and has it call back
     to sasl_cb_checkpass() for password verification.
  6) sasl_cb_checkpass() retrieves the userPassword attribute and calls

  Now the process repeats at step 2.

Possible resolution:  don't do the Auth DN dance for simple binds by applying
this patch to slapd/sasl.c:slap_sasl_checkpass:

*** sasl.c.orig	Wed Mar 31 16:39:51 2004
--- sasl.c	Wed Mar 31 16:40:13 2004
*** 665,670 ****
--- 665,680 ----
  	int rc;
  	checkpass_info ci;
+ 	/* This is a Simple Bind using SPASSWD. There's no point in
+ 	* evaluating the Auth DN.  If we did, we risk getting into a
+ 	* spin, since the search for a user DN will call back to
+ 	* lutil_passwd() for the same SASL user ID again through
+ 	* sasl_cb_checkpass() above.
+ 	*/
+ 	if (conn->c_sasl_bindop == NULL ||
+ 	    conn->c_sasl_bindop->orb_method != LDAP_AUTH_SASL)
+ 		return SASL_NOUSER;
  	ci.rc = SASL_NOUSER;
  	/* SASL will fallback to its own mechanisms if we don't