slapd gets into a spin when using {SASL} password scheme (ITS#3048)
Full_Name: Paul Kranenburg
Version: 2.2.6
OS: Solaris 9
URL:
Submission from: (NULL) (130.115.112.236)
* Set an entry's userPassword attribute to {SASL}userid
* Configure slapd with a `sasl-regexp' that evaluates the SASL Auth DN to this
entry's DN.
* Perform a simple bind on this DN.
slapd gets into a recursive loop while trying to authenticate the password:
1) slap_passwd_check calls lutil_passwd() with `{SASL}userid'
2) lutil_passwd() calls sasl_checkpass() for `userid'
3) sasl_checkpass() calls back to slap_sasl_checkpass() passing (the
canonicalized) `userid'
4) slap_sasl_getdn() returns the DN corresponding to `userid' through
the `sasl-regexp' evaluation.
5) slap_sasl_checkpass() does a search for the DN and has it call back
to sasl_cb_checkpass() for password verification.
6) sasl_cb_checkpass() retrieves the userPassword attribute and calls
lutil_passwd().
Now the process repeats at step 2.
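The cycle above, modelled as an added example (this is not slapd code, and none of the functions below are OpenLDAP or Cyrus SASL APIs; the names, the one-entry directory, the `sasl-regexp` mapping and the "sasldb-secret" fallback credential are all constructed for illustration). Each function stands in for one step of the chain; a depth counter detects the spin instead of letting the stack overflow, and the `patched` flag applies the same early return as the proposed fix so the two behaviours can be compared side by side:

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the ITS#3048 call chain. Not slapd code. */
enum { AUTH_SIMPLE = 0, AUTH_SASL = 1 };
enum { PW_OK = 0, PW_NOUSER = -1, PW_LOOP = -2 };
#define MAX_DEPTH 8   /* re-entry limit used only to detect the spin */

static int g_method;  /* stands in for conn->c_sasl_bindop->orb_method */
static int g_depth;   /* nesting level of lutil_passwd_model() */
static int g_guard;   /* 1 = apply the patch's early return */

/* Toy directory (constructed): one entry whose userPassword is {SASL}userid. */
static const char *lookup_userpassword(const char *dn)
{
    if (strcmp(dn, "uid=userid,dc=example,dc=com") == 0)
        return "{SASL}userid";
    return NULL;
}

static int lutil_passwd_model(const char *stored, const char *cred);

/* Step 6: sasl_cb_checkpass() fetches userPassword and hands it back to lutil_passwd(). */
static int cb_checkpass_model(const char *dn, const char *cred)
{
    const char *stored = lookup_userpassword(dn);
    if (stored == NULL)
        return PW_NOUSER;
    return lutil_passwd_model(stored, cred);
}

/* Steps 3-5: slap_sasl_checkpass() maps the SASL user to a DN (the sasl-regexp)
 * and searches for it, which ends in the password callback above. */
static int slap_sasl_checkpass_model(const char *userid, const char *cred)
{
    char dn[128];

    /* The proposed fix: a simple bind never evaluates the Auth DN. */
    if (g_guard && g_method != AUTH_SASL)
        return PW_NOUSER;

    snprintf(dn, sizeof dn, "uid=%s,dc=example,dc=com", userid);
    return cb_checkpass_model(dn, cred);
}

/* Step 2: sasl_checkpass() asks slapd first and falls back to its own
 * store when slapd answers NOUSER. The fallback credential is constructed. */
static int sasl_checkpass_model(const char *userid, const char *cred)
{
    int rc = slap_sasl_checkpass_model(userid, cred);
    if (rc == PW_NOUSER)
        return strcmp(cred, "sasldb-secret") == 0 ? PW_OK : PW_NOUSER;
    return rc;
}

/* Step 1: lutil_passwd() dispatches on the password scheme. The depth
 * counter turns an unbounded recursion into a PW_LOOP result. */
static int lutil_passwd_model(const char *stored, const char *cred)
{
    int rc;

    if (++g_depth > MAX_DEPTH) {
        g_depth--;
        return PW_LOOP;
    }
    if (strncmp(stored, "{SASL}", 6) == 0)
        rc = sasl_checkpass_model(stored + 6, cred);
    else
        rc = strcmp(stored, cred) == 0 ? PW_OK : PW_NOUSER;
    g_depth--;
    return rc;
}

/* Simple bind entry point: patched=0 reproduces the spin, patched=1 applies the fix. */
int simple_bind(const char *dn, const char *cred, int patched)
{
    const char *stored;

    g_guard = patched;
    g_method = AUTH_SIMPLE;
    g_depth = 0;
    stored = lookup_userpassword(dn);
    if (stored == NULL)
        return PW_NOUSER;
    return lutil_passwd_model(stored, cred);
}

int main(void)
{
    const char *dn = "uid=userid,dc=example,dc=com";
    printf("unpatched: %d (PW_LOOP is %d)\n", simple_bind(dn, "sasldb-secret", 0), PW_LOOP);
    printf("patched:   %d (PW_OK is %d)\n", simple_bind(dn, "sasldb-secret", 1), PW_OK);
    return 0;
}
```

Without the guard every pass through lutil_passwd_model() re-enters itself via the callback, so the depth limit trips and PW_LOOP is returned; with the guard the first re-entry answers NOUSER, SASL's own store decides, and the recursion never starts. The depth counter is the kind of diagnostic a real implementation could log before the stack is exhausted.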
Possible resolution: don't do the Auth DN dance for simple binds by applying
this patch to slapd/sasl.c:slap_sasl_checkpass:
*** sasl.c.orig Wed Mar 31 16:39:51 2004
--- sasl.c Wed Mar 31 16:40:13 2004
***************
*** 665,670 ****
--- 665,680 ----
int rc;
checkpass_info ci;
+ /* This is a Simple Bind using SPASSWD. There's no point in
+ * evaluating the Auth DN. If we did, we risk getting into a
+ * spin, since the search for a user DN will call back to
+ * lutil_passwd() for the same SASL user ID again through
+ * sasl_cb_checkpass() above.
+ */
+ if (conn->c_sasl_bindop == NULL ||
+ conn->c_sasl_bindop->orb_method != LDAP_AUTH_SASL)
+ return SASL_NOUSER;
+
ci.rc = SASL_NOUSER;
/* SASL will fallback to its own mechanisms if we don't
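Review bot: the guard is keyed on the bind method rather than on re-entrancy, so it breaks this particular loop but will not catch any other path that re-enters slap_sasl_checkpass() while a SASL bind op is current; a re-entrancy flag on the connection would stop the spin regardless of how it was entered. The early `return SASL_NOUSER;` is also silent, and since the following context line says SASL falls back to its own mechanisms on NOUSER, a simple bind against a `{SASL}` userPassword will now be decided by Cyrus's own store with no trace in the slapd log; add a Debug() line before the return, and state in the comment that deferring `{SASL}` credentials to SASL's own mechanisms for simple binds is the intended behaviour, not just a loop breaker.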