Debian Bug report logs - #604122
libldap-2.4-2: libldap opens the TCP connection before validating the SASL mechanism

Package: libldap-2.4-2; Maintainer for libldap-2.4-2 is Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>; Source for libldap-2.4-2 is src:openldap.

Reported by: Daniel Dehennin <daniel.dehennin@baby-gnu.org>

Date: Sat, 20 Nov 2010 13:39:03 UTC

Severity: minor

Found in version openldap/2.4.23-6

Message #5 received at maintonly@bugs.debian.org:

From: Daniel Dehennin <daniel.dehennin@baby-gnu.org>
To: Debian Bug Tracking System <maintonly@bugs.debian.org>
Subject: libldap-2.4-2: libldap opens the TCP connection before validating the SASL mechanism
Date: Sat, 20 Nov 2010 13:49:49 +0100
[Message part 1 (text/plain, inline)]
Package: libldap-2.4-2
Version: 2.4.23-6
Severity: minor

Hello,

During some tests for nslcd[1], I found that if the SASL_SECPROPS in
/etc/ldap/ldap.conf is incompatible with the SASL_MECH, then the
library:

- opens a useless TCP connection to the server
- checks the mechanism and fails
- closes the TCP connection

===== /etc/ldap/ldap.conf
BASE    dc=baby-gnu,dc=org
URI     ldap://192.168.122.4

SASL_MECH DIGEST-MD5
SASL_SECPROPS noactive
===== /etc/ldap/ldap.conf

===== Wireshark capture
No. Time      Source         Destination    Protocol Info
3   2.728967  192.168.122.3  192.168.122.4  TCP      51521 > ldap [SYN] Seq=0 [...]
4   2.729699  192.168.122.4  192.168.122.3  TCP      ldap > 51521 [SYN, ACK] Seq=0 [...]
5   2.729714  192.168.122.3  192.168.122.4  TCP      51521 > ldap [ACK] Seq=1 [...]
6   2.739576  192.168.122.3  192.168.122.4  TCP      51521 > ldap [FIN, ACK] Seq=1 [...]
7   2.740686  192.168.122.4  192.168.122.3  TCP      ldap > 51521 [FIN, ACK] Seq=1 [...]
8   2.740702  192.168.122.3  192.168.122.4  TCP      51521 > ldap [ACK] Seq=2 [...]
===== Wireshark capture

===== ldapsearch
ldapsearch -U dad -s base -LLL supportedSASLMechanisms
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
        additional info: SASL(-4): no mechanism available: No worthy
        mechs found
===== ldapsearch

As the problem is found in software using libldap, I conclude the
problem is in the library and not in ldapsearch.

Regards.

-- System Information:
Debian Release: squeeze/sid
  APT prefers sid
  APT policy: (500, 'sid'), (500, 'unstable'), (500, 'testing'), (90, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.35+hati.2 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libldap-2.4-2 depends on:
ii  libc6                     2.11.2-7       Embedded GNU C Library: Shared lib
ii  libgnutls26               2.8.6-1        the GNU TLS library - runtime libr
ii  libsasl2-2                2.1.23.dfsg1-6 Cyrus SASL - authentication abstra

libldap-2.4-2 recommends no packages.

libldap-2.4-2 suggests no packages.

-- no debconf information


Footnotes: 
[1]  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=586532#112

-- 
Daniel Dehennin
Retrieve my GPG key:
gpg --keyserver pgp.mit.edu --recv-keys 0x6A2540D1
[Message part 2 (application/pgp-signature, inline)]

Message #10 received at 604122-maintonly@bugs.debian.org:

From: Quanah Gibson-Mount <quanah@zimbra.com>
To: Daniel Dehennin <daniel.dehennin@baby-gnu.org>, 604122-maintonly@bugs.debian.org, Debian Bug Tracking System <maintonly@bugs.debian.org>
Subject: Re: [Pkg-openldap-devel] Bug#604122: libldap-2.4-2: libldap opens the TCP connection before validating the SASL mechanism
Date: Sat, 20 Nov 2010 15:22:44 -0800
--On Saturday, November 20, 2010 1:49 PM +0100 Daniel Dehennin 
<daniel.dehennin@baby-gnu.org> wrote:

> Package: libldap-2.4-2
> Version: 2.4.23-6
> Severity: minor
>
> Hello,
>
> During some tests for nslcd[1], I found that if the SASL_SECPROPS in
> /etc/ldap/ldap.conf is incompatible with the SASL_MECH, then the
> library:

I suggest you file this as a bug with the OpenLDAP foundation:

http://www.openldap.org/its/

--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration
Message #15 received at 604122-maintonly@bugs.debian.org:

From: Quanah Gibson-Mount <quanah@zimbra.com>
To: 604122-maintonly@bugs.debian.org, Daniel Dehennin <daniel.dehennin@baby-gnu.org>
Subject: Re: [Pkg-openldap-devel] Bug#604122: Bug#604122: libldap-2.4-2: libldap opens the TCP connection before validating the SASL mechanism
Date: Mon, 29 Nov 2010 09:00:47 -0800
--On Saturday, November 20, 2010 3:22 PM -0800 Quanah Gibson-Mount 
<quanah@zimbra.com> wrote:

> --On Saturday, November 20, 2010 1:49 PM +0100 Daniel Dehennin
> <daniel.dehennin@baby-gnu.org> wrote:
>
>> Package: libldap-2.4-2
>> Version: 2.4.23-6
>> Severity: minor
>>
>> Hello,
>>
>> During some tests for nslcd[1], I found that if the SASL_SECPROPS in
>> /etc/ldap/ldap.conf is incompatible with the SASL_MECH, then the
>> library:
>
> I suggest you file this as a bug with the OpenLDAP foundation:
>
> http://www.openldap.org/its/

I went ahead and filed <http://www.openldap.org/its/index.cgi/?findid=6728> 
for you.

--Quanah


--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration
Message #20 received at 604122-maintonly@bugs.debian.org:

From: Dan White <dwhite@olp.net>
To: Quanah Gibson-Mount <quanah@zimbra.com>, 604122-maintonly@bugs.debian.org
Cc: Daniel Dehennin <daniel.dehennin@baby-gnu.org>
Subject: Re: Bug#604122: Bug#604122: Bug#604122: libldap-2.4-2: libldap opens the TCP connection before validating the SASL mechanism
Date: Mon, 29 Nov 2010 11:16:30 -0600
On 29/11/10 09:00 -0800, Quanah Gibson-Mount wrote:
>--On Saturday, November 20, 2010 3:22 PM -0800 Quanah Gibson-Mount 
><quanah@zimbra.com> wrote:
>
>>--On Saturday, November 20, 2010 1:49 PM +0100 Daniel Dehennin
>><daniel.dehennin@baby-gnu.org> wrote:
>>
>>>Package: libldap-2.4-2
>>>Version: 2.4.23-6
>>>Severity: minor
>>>
>>>Hello,
>>>
>>>During some tests for nslcd[1], I found that if the SASL_SECPROPS in
>>>/etc/ldap/ldap.conf is incompatible with the SASL_MECH, then the
>>>library:
>>
>>I suggest you file this as a bug with the OpenLDAP foundation:
>>
>>http://www.openldap.org/its/
>
>I went ahead and filed 
><http://www.openldap.org/its/index.cgi/?findid=6728> for you.

Isn't that to be expected?

Typically, you wouldn't 'know' that there are no worthy mechs until Cyrus
attempts to negotiate, at runtime, a common mechanism which meets both the
server and the client's SASL criteria.

The 'no worthy mechs' error is most likely coming from libsasl.

For instance, specifying a mechanism that the server does not offer (e.g.
EXTERNAL) should produce a similar error, and there's no way for
(libsasl on) the client to magically know that it should use another
mechanism, because it was told to be too picky about the SASL negotiation
by the local administrator.

The same would go for SASL_SECPROPS, e.g. setting your min_ssf to something
too high would probably produce the same error even if you didn't specify a
mechanism.

-- 
Dan White
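
The following is an added example, not code from libldap, Cyrus SASL or the Debian package. It models the local half of the check discussed in the report and in Dan White's reply: it parses an ldap.conf, applies the SASL_SECPROPS keywords documented in ldap.conf(5) to a table of mechanism properties, and decides whether any mechanism configured in SASL_MECH could satisfy the client's own policy before a socket is opened. The mechanism table and its SSF values are an assumption modelled on the security flags Cyrus SASL plugins advertise, not something read from libsasl. It cannot know which mechanisms the server offers (Dan White's point); it only catches the local contradiction the report shows, DIGEST-MD5 requested together with noactive.

```python
"""Pre-connect check of SASL_MECH against SASL_SECPROPS (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class MechProps:
    flags: frozenset   # security properties the mechanism provides
    max_ssf: int       # strongest security layer it can negotiate (0 = none)


# ASSUMPTION: illustrative table modelled on the flags Cyrus SASL plugins
# advertise. Not read from libsasl; check the plugins installed on your system.
MECH_TABLE = {
    "PLAIN":      MechProps(frozenset({"noanonymous"}), 0),
    "EXTERNAL":   MechProps(frozenset({"noplain", "noanonymous", "nodict"}), 0),
    "DIGEST-MD5": MechProps(frozenset({"noplain", "noanonymous"}), 128),
    "GSSAPI":     MechProps(frozenset({"noplain", "noactive", "noanonymous",
                                       "passcred"}), 256),
}

# Flag keywords accepted by SASL_SECPROPS in ldap.conf(5).
FLAG_KEYWORDS = {"noplain", "noactive", "nodict", "noanonymous",
                 "forwardsec", "passcred"}


def parse_ldap_conf(text):
    """Return ldap.conf options as {KEY: value}; blank lines and # comments are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def parse_secprops(spec):
    """Parse a SASL_SECPROPS value into (required flags, minimum SSF)."""
    required, minssf = set(), 0
    for item in filter(None, (s.strip() for s in spec.split(","))):
        if item == "none":
            required, minssf = set(), 0          # 'none' clears everything before it
        elif item in FLAG_KEYWORDS:
            required.add(item)
        elif item.startswith("minssf="):
            minssf = int(item.split("=", 1)[1])
        elif item.startswith(("maxssf=", "maxbufsize=")):
            continue                             # upper bounds never make a mech unworthy
        else:
            raise ValueError("unknown SASL_SECPROPS keyword: %s" % item)
    return required, minssf


def worthy_mechs(conf, table=MECH_TABLE):
    """Mechanisms from SASL_MECH (or every known one) that satisfy SASL_SECPROPS."""
    requested = conf["SASL_MECH"].split() if conf.get("SASL_MECH") else list(table)
    required, minssf = parse_secprops(conf.get("SASL_SECPROPS", "none"))
    return [m for m in requested
            if m in table
            and required <= table[m].flags
            and table[m].max_ssf >= minssf]


def should_connect(conf):
    """True only if some locally available mechanism can meet the client's own policy."""
    return bool(worthy_mechs(conf))


# Constructed copy of the /etc/ldap/ldap.conf shown in the report.
REPORTED_LDAP_CONF = """\
BASE    dc=baby-gnu,dc=org
URI     ldap://192.168.122.4

SASL_MECH DIGEST-MD5
SASL_SECPROPS noactive
"""

if __name__ == "__main__":
    conf = parse_ldap_conf(REPORTED_LDAP_CONF)
    mechs = worthy_mechs(conf)
    if mechs:
        print("would connect to %s with %s" % (conf["URI"], mechs))
    else:
        print("no worthy mechs for SASL_MECH=%s SASL_SECPROPS=%s; not connecting"
              % (conf.get("SASL_MECH"), conf.get("SASL_SECPROPS")))
```

Run against the report's configuration it refuses to connect; swap SASL_MECH to GSSAPI (which, in the assumed table, carries noactive) and it passes. A minssf that exceeds the mechanism's maximum SSF is rejected the same way, matching Dan White's remark that an over-high min_ssf fails like an unworthy mechanism. To confirm how the real library behaves, capture the client as the report does and look for a SYN that is followed only by a FIN.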
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 18:59:12 2014; Machine Name: beach.debian.org