[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#5266) "authorization failure: invalid authcid" during SASL auto_transition

To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#5266) "authorization failure: invalid authcid" during SASL auto_transition
From: hyc@symas.com
Date: Sun, 23 Dec 2007 01:53:33 GMT

This is a multi-part message in MIME format.
--------------040002000303080307090101
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

dwhite@olp.net wrote:
> Full_Name: Dan White
> Version: 2.3.39
> OS: Linux
> URL: http://support.olp.net/ldap/log2.txt
> Submission from: (NULL) (65.161.252.42)
> 
> 
> If I enable SASL auto_transition, I receive the following error during
> authentication:
> 
> SASL(-14): authorization failure: invalid authcid
> 
> I'm using openldap version 2.3.39 for both slapd and my ldap utils
> (ldapsearch).
> I'm using the bdb backend.
> 
> I'm also using Debian Etch with the following versions of software:
> 
> Cyrus SASL 2.1.22(.dfsg1-8)
> libdb 4.2.52(+dfsg-2)
> libc6 2.3.6(.ds1-13etch2)
> PAM 0.79(-4)
> pam_ldap 184(-2)
> 
> I'm using saslauthd's PAM backend, and in turn using pam_ldap for
> authentication, although I don't believe the problem is related to the
> saslauthd/pam configuration.
> 
> Here's the client side output from the attempted bind:
> 
> hiro:~# ldapsearch -LLL -Y PLAIN -U abrown@olp.net uid=n/a
> SASL/PLAIN authentication started
> Please enter your password:
> ldap_sasl_interactive_bind_s: Insufficient access (50)
>         additional info: SASL(-14): authorization failure: invalid authcid
> 
> If I turn off auto_transition, it works:
> 
> hiro:~# ldapsearch -LLL -Y PLAIN -U abrown@olp.net uid=n/a
> SASL/PLAIN authentication started
> Please enter your password:
> SASL username: abrown@olp.net
> SASL SSF: 0
> hiro:~#
> 
> My slapd.conf SASL service file looks like:
> 
> hiro:~# cat /usr/lib/sasl2/slapd.conf
> keytab: /etc/krb5.keytab-ldap
> pwcheck_method: saslauthd
> auxprop_plugin: slapd
> auto_transition: yes
> log_level: 7
> 
> And the server log (loglevel -1) is located at:
> 
> http://support.olp.net/ldap/log2.txt
> 
> The error appears to be occurring while transitioning the password to the
> auxprop store, in the slap_sasl_authorize function:
> 
>         /* Skip SLAP_SASL_PROP_CONN */
>         prop_getnames( props, slap_propnames+1, auxvals );
> 
>         /* Should not happen */
>         if ( !auxvals[0].values ) {
>                 sasl_seterror( sconn, 0, "invalid authcid" );
>                 return SASL_NOAUTHZ;
>         }
> 
> What I'm expecting to happen during the bind, is to have SASL overwrite my
> userPassword and cmusaslsecretOTP attributes, via the slapd auxprop plugin.
> 
> I have a lot of passwords in crypted form (which PAM authenticates), and I'm
> aiming towards a clear-text password store by using this functionality.

This is a bug in Cyrus SASL; the setpass function is zeroing out the 
connection state when it should be leaving it intact. The attached patch will 
fix the problem. (Verified using saslauthd and most of the above components.)
-- 
   -- Howard Chu
   Chief Architect, Symas Corp.  http://www.symas.com
   Director, Highland Sun        http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP     http://www.openldap.org/project/

--------------040002000303080307090101
Content-Type: text/plain;
 name="dif.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="dif.txt"

Index: server.c
===================================================================
RCS file: /cvs/src/sasl/lib/server.c,v
retrieving revision 1.147
diff -u -r1.147 server.c
--- server.c	3 Jul 2006 14:43:16 -0000	1.147
+++ server.c	23 Dec 2007 01:52:25 -0000
@@ -129,6 +129,7 @@
     int result = SASL_OK, tmpresult;
     sasl_server_conn_t *s_conn = (sasl_server_conn_t *) conn;
     const char *password_request[] = { SASL_AUX_PASSWORD_PROP, NULL };
+    struct propctx *propctx = NULL;
     sasl_server_userdb_setpass_t *setpass_cb = NULL;
     void *context = NULL;
     int tried_setpass = 0;
@@ -172,14 +173,18 @@
 	    pass = NULL;
 	    passlen = 0;
 	}
-
-	result = prop_request(s_conn->sparams->propctx, password_request);
+ 
+	propctx = prop_new(0);
+	if ( !propctx ) {
+		RETURN(conn, SASL_NOMEM);
+	}
+	result = prop_request(propctx, password_request);
 	if (result == SASL_OK) {
-	    result = prop_set(s_conn->sparams->propctx, SASL_AUX_PASSWORD_PROP,
+	    result = prop_set(propctx, SASL_AUX_PASSWORD_PROP,
 			      pass, passlen);
 	}
 	if (result == SASL_OK) {
-	    result = sasl_auxprop_store(conn, s_conn->sparams->propctx, user);
+	    result = sasl_auxprop_store(conn, propctx, user);
 	}
 	if (result != SASL_OK) {
 	    _sasl_log(conn, SASL_LOG_ERR,
@@ -189,6 +194,7 @@
 	    _sasl_log(conn, SASL_LOG_NOTE,
 		      "setpass succeeded for %s", user);
 	}
+	prop_dispose(&propctx);
     }
 
     /* We want to preserve the current value of result, so we use tmpresult below */

--------------040002000303080307090101--

Prev by Date: (ITS#5298) multi-step SASL binds are unsafe
Next by Date: Re: (ITS#5266) "authorization failure: invalid authcid" during SASL auto_transition
Index(es):
- Chronological
- Thread