389-ds-base

Clone
Source Code
GIT

#49051 Add SASL Plain support
Closed: wontfix None Opened 7 years ago by firstyear.

Closed: wontfix
Reopen Issue

In order to support https://fedorahosted.org/389/ticket/48707 we need to be able to handle the SASL callback for userdb auth (SASL_CB_SERVER_USERDB_CHECKPASS).

If we are handling this call back we have an issue: PLAIN/LOGIN uses this too. We would be giving out broken PLAIN/LOGIN support if we used this!

To prevent that happening, this implements PLAIN/LOGIN support into saslbind.c. To do so, we extract part of the user bind code from bind.c to pw_verify.c. This allows us to reuse the same code for checking if a password attempt was a success. This properly does the mapping, referrals and other handling required.

Some of the complexity here is the way that ldbm_bind is so deeply ingrained in the login process, it does make the verification harder. In a sense, this is also an extension of #48876, as we are starting to allow us to share code between bind and saslbind.

There is a good reason to support this change: minssf. Minssf for binds when set to 1 or greater, the issue is that the first packet to ldap is always a bind request. So when you do:

Open Connection
Send BindRequest --> 
                     ssf < minssf
                 <-- Return UNWILLING_TO_PERFORM minssf not met
Close

The issue is that the BindRequest already has the password in it, so even though the minsff requirement wasn't met, we still cleartext the password on the wireanyway!

SASL LOGIN will not allow the bind to proceed if the SSF is 0, so for high security environments, this prevents the leak.

This passed the dirsrvtest/tests/suites/ without issue.

Looks good to me (I'm assuming the java style comments will be removed as discussed in email exchange).

Yes they will, I'll fix those up before I merge. Thanks for the review!

commit eb358a5
Writing objects: 100% (11/11), 5.01 KiB | 0 bytes/s, done.
Total 11 (delta 7), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
16c2bb2..eb358a5 master -> master

Metadata Update from @mreynolds:
- Issue assigned to firstyear
- Issue set to the milestone: 0.0 NEEDS_TRIAGE
7 years ago

Metadata Update from @mreynolds:
- Issue close_status updated to: None (was: Fixed)
6 years ago

Metadata Update from @vashirov:
- Issue set to the milestone: None (was: 0.0 NEEDS_TRIAGE)
4 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/2110

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix
3 years ago

Login to comment on this ticket.

Metadata
None
None
None
major
None
ack
None
Community
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.