In order to support https://fedorahosted.org/389/ticket/48707 we need to be able to handle the SASL callback for userdb auth (SASL_CB_SERVER_USERDB_CHECKPASS).
If we are handling this call back we have an issue: PLAIN/LOGIN uses this too. We would be giving out broken PLAIN/LOGIN support if we used this!
To prevent that happening, this implements PLAIN/LOGIN support into saslbind.c. To do so, we extract part of the user bind code from bind.c to pw_verify.c. This allows us to reuse the same code for checking if a password attempt was a success. This properly does the mapping, referrals and other handling required.
Some of the complexity here is the way that ldbm_bind is so deeply ingrained in the login process, it does make the verification harder. In a sense, this is also an extension of #48876, as we are starting to allow us to share code between bind and saslbind.
There is a good reason to support this change: minssf. Minssf for binds when set to 1 or greater, the issue is that the first packet to ldap is always a bind request. So when you do:
Open Connection Send BindRequest --> ssf < minssf <-- Return UNWILLING_TO_PERFORM minssf not met Close
The issue is that the BindRequest already has the password in it, so even though the minsff requirement wasn't met, we still cleartext the password on the wireanyway!
SASL LOGIN will not allow the bind to proceed if the SSF is 0, so for high security environments, this prevents the leak.
attachment 0001-Ticket-49051-Enable-SASL-LOGIN-PLAIN-support-as-a-pr.patch
This passed the dirsrvtest/tests/suites/ without issue.
Looks good to me (I'm assuming the java style comments will be removed as discussed in email exchange).
Yes they will, I'll fix those up before I merge. Thanks for the review!
commit eb358a5 Writing objects: 100% (11/11), 5.01 KiB | 0 bytes/s, done. Total 11 (delta 7), reused 0 (delta 0) To ssh://git.fedorahosted.org/git/389/ds.git 16c2bb2..eb358a5 master -> master
Metadata Update from @mreynolds: - Issue assigned to firstyear - Issue set to the milestone: 0.0 NEEDS_TRIAGE
Metadata Update from @mreynolds: - Issue close_status updated to: None (was: Fixed)
Metadata Update from @vashirov: - Issue set to the milestone: None (was: 0.0 NEEDS_TRIAGE)
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/2110
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
subscribe
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix
Login to comment on this ticket.