RE: slapd gets into a spin when using {SASL} password scheme (ITS#3048)
Thanks for the bug report, this was already fixed in 2.2.7. The current
release is 2.2.8; you should upgrade.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
> -----Original Message-----
> From: owner-openldap-bugs@OpenLDAP.org
> [mailto:owner-openldap-bugs@OpenLDAP.org]On Behalf Of pk@cs.few.eur.nl
> Sent: Wednesday, March 31, 2004 7:04 AM
> To: openldap-its@OpenLDAP.org
> Subject: slapd gets into a spin when using {SASL} password scheme
> (ITS#3048)
>
>
> Full_Name: Paul Kranenburg
> Version: 2.2.6
> OS: Solaris 9
> URL:
> Submission from: (NULL) (130.115.112.236)
>
>
> * Set an entry's userPassword attribute to {SASL}userid
> * Configure slapd with a `sasl-regexp' that evaluates the SASL Auth DN to
>   this entry's DN.
> * Perform a simple bind on this DN.
>
> slapd gets into a recursive loop while trying to authenticate the
> password:
>
> 1) slap_passwd_check calls lutil_passwd() with `{SASL}userid'
> 2) lutil_passwd() calls sasl_passcheck() for `userid'
> 3) sasl_checkpass() calls back to slap_sasl_checkpass() passing (the
>    canonicalized) `userid'
> 4) slap_sasl_getdn() returns the DN corresponding to `userid' through
>    the `sasl-regexp' evaluation.
> 5) slap_sasl_passcheck() does a search for the DN and has it call back
>    to sasl_cb_checkpass() for password verification.
> 6) sasl_cb_checkpass() retrieves the userPassword attribute and calls
>    lutil_passwd().
>
> Now the process repeats at step 2.
>
>
> Possible resolution: don't do the Auth DN dance for simple binds by
> applying this patch to slapd/sasl.c:slap_sasl_checkpass:
>
>
> *** sasl.c.orig Wed Mar 31 16:39:51 2004
> --- sasl.c Wed Mar 31 16:40:13 2004
> ***************
> *** 665,670 ****
> --- 665,680 ----
> int rc;
> checkpass_info ci;
>
> + /* This is a Simple Bind using SPASSWD. There's no point in
> + * evaluating the Auth DN. If we did, we risk getting into a
> + * spin, since the search for a user DN will call back to
> + * lutil_passwd() for the same SASL user ID again through
> + * sasl_cb_checkpass() above.
> + */
> + if (conn->c_sasl_bindop == NULL ||
> + conn->c_sasl_bindop->orb_method != LDAP_AUTH_SASL)
> + return SASL_NOUSER;
> +
> ci.rc = SASL_NOUSER;
>
> /* SASL will fallback to its own mechanisms if we don't
>
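Review bot: the trailing context of the hunk is cut off mid-comment after `/* SASL will fallback to its own mechanisms if we don't`, so the patch cannot be applied as quoted; please repost the complete hunk (the header `--- 665,680 ----` promises ten added lines plus three trailing context lines). On the logic, the early `return SASL_NOUSER;` for any bind whose `orb_method != LDAP_AUTH_SASL` (or with no bind op at all) sits before `ci.rc = SASL_NOUSER;`, so for a simple bind the callback now declines without a directory search and verification falls through to SASL's own mechanisms, which is what the following comment describes; that behaviour change for `{SASL}` passwords on simple binds should be stated in the ITS and in the comment, which currently only names the spin it avoids.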
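The callback cycle the report above describes, modelled as an added C example that is not OpenLDAP code: `scheme_check` stands in for lutil_passwd() handling the {SASL} scheme, `directory_verify` for the slap_sasl_checkpass()/sasl_cb_checkpass() path that resolves the SASL user ID back to an entry and re-reads its userPassword, and the `guard` flag reproduces the early return in the proposed patch. The function and constant names, the recursion bound and the `{SASL}userid` value are assumptions for illustration; the real slapd has no such bound and simply spins.

```c
#include <stdio.h>
#include <string.h>

/* Constructed constants (assumption): slapd's own are LDAP_AUTH_SIMPLE,
 * LDAP_AUTH_SASL and SASL_NOUSER; nothing here links against OpenLDAP. */
enum bind_method { BIND_SIMPLE = 0, BIND_SASL = 1 };
enum rc { RC_OK = 0, RC_NOUSER = 1, RC_LOOP = 2 };

struct bind_ctx {
    enum bind_method method;  /* method of the bind being processed */
    int guard;                /* 1: apply the patch's early return */
    int depth;                /* how many times the scheme check ran */
    int max_depth;            /* bound so the unguarded run terminates */
    const char *stored;       /* userPassword of the entry being bound */
};

static int scheme_check(struct bind_ctx *c);

/* Stand-in for slap_sasl_checkpass()/sasl_cb_checkpass(): the external
 * verifier asks the directory to verify the SASL user ID; the directory
 * maps it to a DN, fetches userPassword and re-enters the scheme check. */
static int directory_verify(struct bind_ctx *c, const char *userid)
{
    (void)userid;
    if (c->guard && c->method != BIND_SASL)
        return RC_NOUSER;      /* simple bind: decline, no Auth DN search */
    return scheme_check(c);    /* search, fetch userPassword, check again */
}

/* Stand-in for lutil_passwd() with the {SASL} scheme: the stored value
 * names a SASL user ID, which is handed to the external verifier. */
static int scheme_check(struct bind_ctx *c)
{
    static const char prefix[] = "{SASL}";
    if (++c->depth > c->max_depth)
        return RC_LOOP;        /* re-entrancy bound hit (hypothetical) */
    if (strncmp(c->stored, prefix, sizeof prefix - 1) != 0)
        return RC_OK;          /* other schemes verify locally; not modelled */
    return directory_verify(c, c->stored + (sizeof prefix - 1));
}

/* Runs a simple bind against an entry whose userPassword is {SASL}userid
 * and reports the result and the re-entrancy depth that was reached. */
int simple_bind(int guard, int *depth_out)
{
    struct bind_ctx c = { BIND_SIMPLE, guard, 0, 8, "{SASL}userid" };
    int rc = scheme_check(&c);
    if (depth_out)
        *depth_out = c.depth;
    return rc;
}

int main(void)
{
    int depth;
    int rc = simple_bind(0, &depth);
    printf("unguarded: rc=%d depth=%d\n", rc, depth);
    rc = simple_bind(1, &depth);
    printf("guarded:   rc=%d depth=%d\n", rc, depth);
    return 0;
}
```

Without the guard the scheme check re-enters itself once per round trip through the verifier until the bound stops it; with the guard a simple bind returns RC_NOUSER on the first callback, at depth 1, and the verifier is left to its own backend.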