
RE: cram-md5 as mech returns sasl error



There was a bug in how SASL parameters were passed to the auth mechanisms.
This bug was fixed in OpenLDAP 2.1.13. The current release is 2.1.14; you
need to upgrade.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com
  http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support 

-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Chapman, Kyle
Sent: Wednesday, March 05, 2003 3:28 PM
To: openldap-software@OpenLDAP.org
Subject: cram-md5 as mech returns sasl error


env:
solaris 8
openldap 2.1.12
sasl 2.1.12
openssl 0.9.6i
 

NOTE:
I know cram-md5 is deprecated in favor of digest-md5; I have a use for it for
some mail applications.
 
PROBLEM:
CRAM-MD5 is listed as a sasl mech but fails quite fast when used during a
sasl bind.  I thank you for any help in advance.
 
 
When I try to use cram-md5 as a sasl mech in ldapsearch, I receive this
error:
ldapsearch -Y CRAM-MD5 -U test5678@g1.com -ZZ -H ldap://suntest3.g1.com -s base -b "" "+"
SASL/CRAM-MD5 authentication started
ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
        additional info: SASL(-5): bad protocol / cancel: Remote sent first
but mech does not allow it.
 
the sample client/server for sasl2 allows me to auth:
./client -p 4444 -m CRAM-MD5 suntest3
receiving capability list... recv: {46}
OTP CRAM-MD5 ANONYMOUS PLAIN GSSAPI DIGEST-MD5
OTP CRAM-MD5 ANONYMOUS PLAIN GSSAPI DIGEST-MD5
send: {8}
CRAM-MD5
send: {1}
N
recv: {29}
<1652518915.6724388@suntest3>
please enter an authentication id: test5678@g1.com
Password:
send: {48}
test5678@g1.com 613ee9eebff7fd2d0102a41c025d6dd0
successful authentication
closing connection
 
the following sasl mechs work without problem using openldap client tools:
OTP, DIGEST-MD5, GSSAPI, EXTERNAL
here is the supported sasl mech list for the server:
ldapsearch -Y GSSAPI -ZZ -H ldap://suntest3.g1.com -s base -b "" supportedSASLMechanisms
SASL/GSSAPI authentication started
SASL username: sand4444@G1.COM
SASL SSF: 56
SASL installing layers
# extended LDIF
#
# LDAPv3
# base <> with scope base
# filter: (objectclass=*)
# requesting: supportedSASLMechanisms
#
 
#
dn:
supportedSASLMechanisms: OTP
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: EXTERNAL
 
debug output from ldapsearch as posted above (-d 1, cut a bit short):
ldap_interactive_sasl_bind_s: user selected: CRAM-MD5
ldap_int_sasl_bind: CRAM-MD5
SASL/CRAM-MD5 authentication started
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_flush: 26 bytes to sd 4
ldap_result msgid 2
ldap_chkResponseList for msgid=2, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 2
wait4msg continue, msgid 2, all 1
** Connections:
* host: suntest3.g1.com  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Wed Mar  5 20:09:09 2003
 
** Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=2, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 2, all 1
ber_get_next
ber_get_next: tag 0x30 len 90 contents:
ldap_read: message type bind msgid 2, original id 2
ber_scanf fmt ({iaa) ber:
read1msg:  0 new referrals
read1msg:  mark request completed, id = 2
request 2 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_sasl_bind_result
ber_scanf fmt ({iaa) ber:
ldap_msgfree
ldap_perror
ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
        additional info: SASL(-5): bad protocol / cancel: Remote sent first
but mech does not allow it.
 
the error seems to be thrown in server.c (sasl_server_start)
 
KSC
Network/Systems Engineer
www.g1.com
 
 
Here is a really great OS
www.freebsd.org
 
NOTICE: This E-mail may contain confidential information. If you are not the
addressee or the intended recipient please do not read this E-mail and please
immediately delete this e-mail message and any attachments from your
workstation or network mail system. If you are the addressee or the intended
recipient and you save or print a copy of this E-mail, please place it in an
appropriate file, depending on whether confidential information is contained
in the message.

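The sample-client transcript above is a complete CRAM-MD5 (RFC 2195) exchange: the server speaks first with a challenge, and the client answers with its authentication id, a space, and the hex HMAC-MD5 of the challenge keyed with the password. The error the ldapsearch bind reports, "Remote sent first but mech does not allow it", is exactly the complaint a SASL server raises when a client puts data into the first message of a server-first mechanism. The following is an added example, not code from the thread or from OpenLDAP or Cyrus SASL: it implements both sides of the CRAM-MD5 exchange and a minimal model of the server-first turn check. The secret "example-secret" and the DEMO_SECRETS directory are constructed for the demo; the challenge string is the one from the transcript, and the server_start check is this example's simplification, not Cyrus SASL's implementation.

```python
import hmac
import hashlib

# Mechanisms in which the server must speak first (CRAM-MD5 issues a challenge
# before the client may send anything). Illustrative set for this example; a
# real SASL library carries this property per mechanism plugin.
SERVER_FIRST_MECHS = {"CRAM-MD5", "DIGEST-MD5"}


class SaslProtocolError(Exception):
    """Raised when a peer breaks the mechanism's turn order."""


def cram_md5_response(username, password, challenge):
    """Client side of CRAM-MD5: 'username SP hex(HMAC-MD5(password, challenge))'.

    The challenge is used verbatim, angle brackets included, exactly as the
    server sent it."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return f"{username} {digest}"


def cram_md5_verify(response, challenge, lookup_password):
    """Server side: recompute the HMAC from the stored secret and compare it in
    constant time. Returns the authenticated username, or None on failure."""
    parts = response.rsplit(" ", 1)
    if len(parts) != 2:
        return None
    username, digest = parts
    password = lookup_password(username)
    if password is None:
        return None
    expected = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return username if hmac.compare_digest(expected.encode(), digest.encode()) else None


def server_start(mech, client_initial, challenge):
    """Model of the server's first step. A server-first mechanism that receives
    data in the client's opening message is a protocol violation; the message
    text mirrors the one Cyrus SASL reports, but the check is this example's."""
    if mech in SERVER_FIRST_MECHS and client_initial is not None:
        raise SaslProtocolError(
            "bad protocol / cancel: Remote sent first but mech does not allow it")
    return challenge


def run_cram_md5_exchange(username, password, lookup_password, challenge,
                          client_initial=None):
    """Drive both sides of one CRAM-MD5 bind and return the authenticated
    username (None on a bad secret). Passing client_initial reproduces the
    failing bind from the post: the client speaks before the challenge."""
    chal = server_start("CRAM-MD5", client_initial, challenge)
    resp = cram_md5_response(username, password, chal)
    return cram_md5_verify(resp, chal, lookup_password)


# Constructed secret directory for the demo (not a real credential); the
# challenge is the one the sample client received in the transcript above.
DEMO_SECRETS = {"test5678@g1.com": "example-secret"}
DEMO_CHALLENGE = "<1652518915.6724388@suntest3>"

if __name__ == "__main__":
    print(run_cram_md5_exchange("test5678@g1.com", "example-secret",
                                DEMO_SECRETS.get, DEMO_CHALLENGE))
    try:
        run_cram_md5_exchange("test5678@g1.com", "example-secret",
                              DEMO_SECRETS.get, DEMO_CHALLENGE, client_initial=b"")
    except SaslProtocolError as e:
        print("SASL(-5):", e)
```

The response format can be checked against the published RFC 2195 example (user "tim", secret "tanstaaftanstaaf", challenge "<1896.697170952@postoffice.reston.mci.net>"), which yields "tim b913a602c7eda7a495b4e6e7334d3890". Note that the server needs the plaintext (or equivalently usable) secret to verify, which is why CRAM-MD5 and DIGEST-MD5 require a secrets store such as sasldb rather than a hashed userPassword.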