Issue #47614: Possible to specify invalid SASL mechanism in nsslapd-allowed-sasl-mechanisms - 389-ds-base

389-ds-base

#47614 Possible to specify invalid SASL mechanism in nsslapd-allowed-sasl-mechanisms

Closed: wontfix None Opened 10 years ago by nkinder.

Currently it is possible to add invalid SASL mechanism to
nsslapd-allowed-sasl-mechanisms.

Steps to Reproduce:

[jrusnack@localhost slapd-dstet]$ ldapmodify -h $HOST -p $PORT -D "cn=directory
manager" -w Secret123 <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-allowed-sasl-mechanisms
nsslapd-allowed-sasl-mechanisms: GSSAPI ??????
EOF

modifying entry "cn=config"

[jrusnack@localhost slapd-dstet]$ ldapsearch -h $HOST -p $PORT -D "cn=directory
manager" -w Secret123 -b "cn=config" -s base -LLL
nsslapd-allowed-sasl-mechanisms
dn: cn=config
nsslapd-allowed-sasl-mechanisms:: xaHDocS+w73EjcW+

As per RFC 4422:
SASL mechanisms are named by character strings, from 1 to 20
characters in length, consisting of ASCII [ASCII] uppercase letters,
digits, hyphens, and/or underscores.

http://tools.ietf.org/html/rfc4422#page-8

Additional info:
Note that in this scenario GSSAPI actually works as allowed mechanism.

mreynolds commented 10 years ago

attachment
0001-Ticket-47614-Possible-to-specify-invalid-SASL-mechan.patch

mreynolds commented 10 years ago

git merge ticket47614
Updating 0cb6de1..7e8a5fc
Fast-forward
ldap/servers/slapd/libglobs.c | 60 +++++++++++++++++++++++++++++++++++++++++
1 files changed, 60 insertions(+), 0 deletions(-)

git push origin master
Counting objects: 11, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (6/6), done.
Writing objects: 100% (6/6), 1.56 KiB, done.
Total 6 (delta 4), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
0cb6de1..7e8a5fc master -> master

commit 7e8a5fc
Author: Mark Reynolds mreynolds@redhat.com
Date: Mon Dec 2 17:13:55 2013 -0500

0dd81fc..158795a 389-ds-base-1.3.2 -> 389-ds-base-1.3.2

f146131..f00321f 389-ds-base-1.3.1 -> 389-ds-base-1.3.1

Metadata Update from @mreynolds:
- Issue assigned to mreynolds
- Issue set to the milestone: 1.3.1.17

7 years ago

spichugi commented 3 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/951

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Fixed)

3 years ago

Metadata

Assignee

mreynolds

Tags

None

Blocking

None

Depending on

None

Priority

major

Milestone

1.3.1.17

reviewstatus

ack

rhbz

https://bugzilla.redhat.com/show_bug.cgi?id=1034451

origin

389-ds-base

Source Code

#47614 Possible to specify invalid SASL mechanism in nsslapd-allowed-sasl-mechanisms Closed: wontfix None Opened 10 years ago by nkinder.

Metadata

#47614 Possible to specify invalid SASL mechanism in nsslapd-allowed-sasl-mechanisms

Closed: wontfix None Opened 10 years ago by nkinder.