
RE: slapd gets into a spin when using {SASL} password scheme (ITS#3048)



Thanks for the bug report, this was already fixed in 2.2.7. The current
release is 2.2.8, you should upgrade.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

> -----Original Message-----
> From: owner-openldap-bugs@OpenLDAP.org
> [mailto:owner-openldap-bugs@OpenLDAP.org]On Behalf Of pk@cs.few.eur.nl
> Sent: Wednesday, March 31, 2004 7:04 AM
> To: openldap-its@OpenLDAP.org
> Subject: slapd gets into a spin when using {SASL} password scheme
> (ITS#3048)
>
>
> Full_Name: Paul Kranenburg
> Version: 2.2.6
> OS: Solaris 9
> URL:
> Submission from: (NULL) (130.115.112.236)
>
>
> * Set an entry's userPassword attribute to {SASL}userid
> * Configure slapd with a `sasl-regexp' that evaluates the SASL Auth DN to this
>   entry's DN.
> * Perform a simple bind on this DN.
>
> slapd gets into a recursive loop while trying to authenticate the password:
>
>   1) slap_passwd_check calls lutil_passwd() with `{SASL}userid'
>   2) lutil_passwd() calls sasl_passcheck() for `userid'
>   3) sasl_checkpass() calls back to slap_sasl_checkpass() passing (the
>      canonicalized) `userid'
>   4) slap_sasl_getdn() returns the DN corresponding to `userid' through
>      the `sasl-regexp' evaluation.
>   5) slap_sasl_passcheck() does a search for the DN and has it call back
>      to sasl_cb_checkpass() for password verification.
>   6) sasl_cb_checkpass() retrieves the userPassword attribute and calls
>      lutil_passwd().
>
>   Now the process repeats at step 2.
>
>
> Possible resolution: don't do the Auth DN dance for simple binds by applying
> this patch to slapd/sasl.c:slap_sasl_checkpass:
>
>
> *** sasl.c.orig	Wed Mar 31 16:39:51 2004
> --- sasl.c	Wed Mar 31 16:40:13 2004
> ***************
> *** 665,670 ****
> --- 665,680 ----
>   	int rc;
>   	checkpass_info ci;
>
> + 	/* This is a Simple Bind using SPASSWD. There's no point in
> + 	* evaluating the Auth DN.  If we did, we risk getting into a
> + 	* spin, since the search for a user DN will call back to
> + 	* lutil_passwd() for the same SASL user ID again through
> + 	* sasl_cb_checkpass() above.
> + 	*/
> + 	if (conn->c_sasl_bindop == NULL ||
> + 	    conn->c_sasl_bindop->orb_method != LDAP_AUTH_SASL)
> + 		return SASL_NOUSER;
> +
>   	ci.rc = SASL_NOUSER;
>
>   	/* SASL will fallback to its own mechanisms if we don't
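Review bot: The early return is placed before `ci.rc = SASL_NOUSER;`, so it short-circuits the whole Auth DN evaluation and leaves the existing fallback path (the "SASL will fallback to its own mechanisms" branch in the trailing context) to handle the credential, which is what breaks the cycle described in the report. Two things to tighten: the comment says "SPASSWD" while the report and the scheme in question are `{SASL}`, so the comment should name the `{SASL}` scheme to match; and the guard `conn->c_sasl_bindop == NULL || conn->c_sasl_bindop->orb_method != LDAP_AUTH_SASL` disables Auth DN evaluation for every non-SASL bind, not only the re-entrant case, so it should be confirmed that no other caller of slap_sasl_checkpass relies on that evaluation during a simple bind. The maintainer's reply states the issue was already fixed in 2.2.7, so this patch should be compared against the 2.2.7 change rather than applied on its own.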
>
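The six-step cycle in the report is a mutual recursion between the password checker and the SASL callback: a `{SASL}` credential hands verification to SASL, SASL maps the user id back to a DN, and that DN's userPassword is again `{SASL}`. The following is an added, constructed C model of that loop and of the patch's remedy (declining the Auth DN lookup on a simple bind); it is not OpenLDAP code. All names (`lutil_passwd_model`, `simple_bind`, the `directory` table, the regexp stand-in) are assumptions made for the illustration, and a depth counter is added only so the unguarded path terminates with a distinct result instead of exhausting the stack.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the ITS#3048 recursion; not OpenLDAP code. */

#define RESULT_OK     0
#define RESULT_NOUSER 1   /* stands in for SASL_NOUSER */
#define RESULT_BAD    2
#define RESULT_LOOP   3   /* model-only: recursion limit reached */

struct entry { const char *dn; const char *userpassword; };

/* Constructed directory: alice delegates to SASL, bob has a plain credential. */
static const struct entry directory[] = {
    { "uid=alice,dc=example,dc=com", "{SASL}alice" },
    { "uid=bob,dc=example,dc=com",   "{CLEARTEXT}secret" },
};

/* Stand-in for the sasl-regexp mapping of a SASL user id to a DN. */
static const char *regexp_map_userid_to_dn(const char *userid) {
    static char buf[128];
    snprintf(buf, sizeof buf, "uid=%s,dc=example,dc=com", userid);
    return buf;
}

static const struct entry *lookup(const char *dn) {
    size_t i;
    for (i = 0; i < sizeof directory / sizeof directory[0]; i++)
        if (strcmp(directory[i].dn, dn) == 0) return &directory[i];
    return NULL;
}

/* Model-only recursion limit so the unguarded run returns instead of crashing. */
static int check_depth;
#define MAX_DEPTH 8

static int lutil_passwd_model(const char *stored, const char *cred, int simple_guard);

/* Steps 4-6: map user id to DN, search it, and call back into password checking.
 * With simple_guard set, behave like the patched slap_sasl_checkpass: return
 * NOUSER at once so the SASL layer falls back to its own mechanisms. */
static int slap_sasl_checkpass_model(const char *userid, const char *cred, int simple_guard) {
    const struct entry *e;
    if (simple_guard) return RESULT_NOUSER;
    e = lookup(regexp_map_userid_to_dn(userid));
    if (e == NULL) return RESULT_NOUSER;
    return lutil_passwd_model(e->userpassword, cred, simple_guard);
}

/* Steps 2-3: the SASL library checking a password calls back into the server. */
static int sasl_checkpass_model(const char *userid, const char *cred, int simple_guard) {
    return slap_sasl_checkpass_model(userid, cred, simple_guard);
}

/* Step 1: verify a credential against a stored userPassword value. */
static int lutil_passwd_model(const char *stored, const char *cred, int simple_guard) {
    int rc;
    if (++check_depth > MAX_DEPTH) { check_depth--; return RESULT_LOOP; }
    if (strncmp(stored, "{SASL}", 6) == 0)
        rc = sasl_checkpass_model(stored + 6, cred, simple_guard);
    else if (strncmp(stored, "{CLEARTEXT}", 11) == 0)
        rc = strcmp(stored + 11, cred) == 0 ? RESULT_OK : RESULT_BAD;
    else
        rc = RESULT_BAD;   /* toy model: no other schemes supported */
    check_depth--;
    return rc;
}

/* A simple bind: look the DN up and check the supplied credential. */
int simple_bind(const char *dn, const char *cred, int simple_guard) {
    const struct entry *e = lookup(dn);
    if (e == NULL) return RESULT_NOUSER;
    check_depth = 0;
    return lutil_passwd_model(e->userpassword, cred, simple_guard);
}

int main(void) {
    printf("unguarded {SASL} bind: %d (3 = loop)\n",
           simple_bind("uid=alice,dc=example,dc=com", "x", 0));
    printf("guarded {SASL} bind:   %d (1 = NOUSER, SASL falls back)\n",
           simple_bind("uid=alice,dc=example,dc=com", "x", 1));
    printf("plain bind, good pw:   %d (0 = OK)\n",
           simple_bind("uid=bob,dc=example,dc=com", "secret", 1));
    return 0;
}
```

Run with the guard cleared, the `{SASL}` entry's bind re-enters the checker until the model's depth limit trips, which is the spin the report describes; with the guard set, the first SASL callback returns NOUSER and the cycle never starts, while a non-SASL credential is unaffected.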