Bug 1034451

Summary: Possible to specify invalid SASL mechanism in nsslapd-allowed-sasl-mechanisms
Product: Red Hat Enterprise Linux 7 Reporter: Ján Rusnačko <jrusnack>
Component: 389-ds-baseAssignee: Rich Megginson <rmeggins>
Status: CLOSED CURRENTRELEASE QA Contact: Sankar Ramalingam <sramling>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.0CC: mkubik, mreynolds, nhosoi, nkinder
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: 389-ds-base-1.3.1.6-12.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-06-13 09:41:29 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Ján Rusnačko 2013-11-25 21:07:01 UTC 
Description of problem:
Currently it is possible to add invalid SASL mechanism to nsslapd-allowed-sasl-mechanisms. 

Version-Release number of selected component (if applicable):
389-ds-base-1.3.1.6-8.el7.x86_64

How reproducible:
always

Steps to Reproduce:

[jrusnack@localhost slapd-dstet]$ ldapmodify -h $HOST -p $PORT -D "cn=directory
manager" -w Secret123 <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-allowed-sasl-mechanisms
nsslapd-allowed-sasl-mechanisms: GSSAPI šáľýčž
EOF

modifying entry "cn=config"

[jrusnack@localhost slapd-dstet]$ ldapsearch -h $HOST -p $PORT -D "cn=directory
manager" -w Secret123 -b "cn=config" -s base -LLL nsslapd-allowed-sasl-mechanisms
dn: cn=config
nsslapd-allowed-sasl-mechanisms:: xaHDocS+w73EjcW+

As per RFC 4422:
SASL mechanisms are named by character strings, from 1 to 20
characters in length, consisting of ASCII [ASCII] uppercase letters,
digits, hyphens, and/or underscores.

http://tools.ietf.org/html/rfc4422#page-8

Additional info:
Note that in this scenario GSSAPI actually works as allowed mechanism.
Comment 2 Nathan Kinder 2013-12-02 15:45:20 UTC 
Upstream ticket:
https://fedorahosted.org/389/ticket/47614
Comment 3 mreynolds 2013-12-03 20:56:03 UTC 
Fixed upstream
Comment 5 Milan Kubík 2014-01-29 13:09:30 UTC 
$ cat invalid_sasl_mech_name.sh 
#!/bin/bash

LDAPhost=localhost
LDAPport=2222
ROOTDN="cn=directory manager"
ROOTDNPW=Secret123

ldapmodify -x -h $LDAPhost -p $LDAPport -D "$ROOTDN" -w "$ROOTDNPW" <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-allowed-sasl-mechanisms
nsslapd-allowed-sasl-mechanisms: GSSAPI +ľščť DIGEST-MD5
EOF

ldapmodify -x -h $LDAPhost -p $LDAPport -D "$ROOTDN" -w "$ROOTDNPW" <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-allowed-sasl-mechanisms
nsslapd-allowed-sasl-mechanisms: GSSAPI, +ľščť, DIGEST-MD5
EOF

ldapmodify -x -h $LDAPhost -p $LDAPport -D "$ROOTDN" -w "$ROOTDNPW" <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-allowed-sasl-mechanisms
nsslapd-allowed-sasl-mechanisms: lowercase
EOF

ldapmodify -x -h $LDAPhost -p $LDAPport -D "$ROOTDN" -w "$ROOTDNPW" <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-allowed-sasl-mechanisms
nsslapd-allowed-sasl-mechanisms: MECHANISM-WITH-TOO-LONG-NAME
EOF

$ ./invalid_sasl_mech_name.sh 
modifying entry "cn=config"
ldap_modify: Server is unwilling to perform (53)

modifying entry "cn=config"
ldap_modify: Server is unwilling to perform (53)

modifying entry "cn=config"
ldap_modify: Server is unwilling to perform (53)

modifying entry "cn=config"
ldap_modify: Server is unwilling to perform (53)

Bug verified on 389-ds-base-1.3.1.6-15.

Tests in sasl suite sasl_allowed_mapping_[1..13]
Comment 6 Ludek Smid 2014-06-13 09:41:29 UTC 
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.