Bug 184585

Summary: Re-binding when using SASL is not handled correctly
Product: [Retired] 389
Reporter: Nathan Kinder <nkinder>
Component: Security - SASL
Assignee: Nathan Kinder <nkinder>
Status: CLOSED NEXTRELEASE
QA Contact: Orla Hegarty <ohegarty>
Severity: medium
Priority: medium
Version: 1.0
CC: jmoyer, ohegarty
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2006-05-26 20:14:29 UTC
Bug Blocks: 152373, 159328, 182367, 205654, 240316
Attachments:
CVS Diffs (flags: none)
Revised Diffs (flags: none)
Revised Diffs (flags: none)
Additional Diff (flags: none)

Description Nathan Kinder 2006-03-10 00:06:45 UTC
The server does not allow you to re-bind using SASL on the same connection.  For
example, if I bind and authenticate to the server using DIGEST-MD5, then do
another SASL bind using DIGEST-MD5, the server will return an error 49.  It
should allow me to do this.

Comment 2 Nathan Kinder 2006-03-10 00:15:14 UTC
Created attachment 125910
CVS Diffs

These changes dispose of and create a new server-side SASL context when you
re-bind using SASL.

Comment 3 Nathan Kinder 2006-03-13 23:41:26 UTC
Created attachment 126078
Revised Diffs

Revised the fix to deal with the case where the SASL mechanism is changed in
the middle of an uncompleted SASL bind operation.

Comment 4 Nathan Kinder 2006-03-14 18:28:43 UTC
Created attachment 126115
Revised Diffs

An additional change was needed to reset the IO function pointers of the
connection before disposing of the sasl context.  This requires us to lock
pb->pb_conn.
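
The ordering described in comments 2 through 4, as an added example that is not part of the original bug report or the 389 Directory Server source: a toy C model in which a new SASL bind on a connection that already holds a context (completed, or started with a different mechanism) resets the IO function pointer, frees the old context and creates a fresh one, all under the connection lock. Every type and function name here is hypothetical.

```c
/* Toy model (added example): every name is hypothetical, not 389 DS code. */
#include <pthread.h>
#include <stdlib.h>
#include <string.h>

enum { BIND_SUCCESS = 0, BIND_ERROR = 1, BIND_IN_PROGRESS = 14 }; /* LDAP result codes */

typedef struct conn conn;
typedef struct { char mech[32]; int complete; } sasl_ctx;
struct conn {
    pthread_mutex_t lock;
    sasl_ctx *ctx;         /* server-side SASL context, NULL before first bind */
    int (*recv)(conn *);   /* connection IO function: plain or SASL layer */
    int ctx_created;       /* number of contexts created so far */
};

static int plain_recv(conn *c) { (void)c; return 0; }
static int sasl_recv(conn *c) { return c->ctx->complete; } /* reads through ctx */

void conn_init(conn *c) {
    pthread_mutex_init(&c->lock, NULL);
    c->ctx = NULL; c->recv = plain_recv; c->ctx_created = 0;
}

/* One SASL bind request; final != 0 marks the step that completes the exchange. */
int sasl_bind(conn *c, const char *mech, int final) {
    int rc = BIND_ERROR;
    pthread_mutex_lock(&c->lock);
    /* Re-bind after a completed bind, or mechanism changed mid-bind: start over. */
    if (c->ctx && (c->ctx->complete || strcmp(c->ctx->mech, mech) != 0)) {
        c->recv = plain_recv;  /* reset IO pointers first ... */
        free(c->ctx);          /* ... then dispose of the old context */
        c->ctx = NULL;
    }
    if (!c->ctx && (c->ctx = calloc(1, sizeof *c->ctx)) != NULL) {
        strncpy(c->ctx->mech, mech, sizeof c->ctx->mech - 1);
        c->ctx_created++;
    }
    if (c->ctx) {
        if (final) { c->ctx->complete = 1; c->recv = sasl_recv; }
        rc = final ? BIND_SUCCESS : BIND_IN_PROGRESS;
    }
    pthread_mutex_unlock(&c->lock);
    return rc;
}

int main(void) {
    conn c;
    conn_init(&c);
    sasl_bind(&c, "DIGEST-MD5", 0);
    sasl_bind(&c, "DIGEST-MD5", 1);           /* authenticated */
    return sasl_bind(&c, "DIGEST-MD5", 0) == BIND_IN_PROGRESS ? 0 : 1; /* re-bind accepted */
}
```

If the two lines in the reset branch were swapped, `recv` would still point at `sasl_recv` while the context it dereferences had already been freed, which is the window the lock and the reset-first ordering close.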

Comment 5 Nathan Kinder 2006-03-14 19:13:47 UTC
Checked into HEAD.  Reviewed by Rich, Pete, and Noriko.

Checking in saslbind.c;
/cvs/dirsec/ldapserver/ldap/servers/slapd/saslbind.c,v  <--  saslbind.c
new revision: 1.15; previous revision: 1.14
done
Checking in slap.h;
/cvs/dirsec/ldapserver/ldap/servers/slapd/slap.h,v  <--  slap.h
new revision: 1.12; previous revision: 1.11
done

Comment 6 Nathan Kinder 2006-03-14 19:29:33 UTC
Created attachment 126117
Additional Diff

Rich suggested a modification to the location where we acquire the connection
lock.  This diff has that additional change.  The change has been checked into
HEAD.

Checking in saslbind.c;
/cvs/dirsec/ldapserver/ldap/servers/slapd/saslbind.c,v	<--  saslbind.c
new revision: 1.16; previous revision: 1.15
done

Comment 12 Orla Hegarty 2006-05-26 17:49:19 UTC
Somehow the errata system did not automatically close these bugs even though DS
SP 2 is shipped and available live on RHN.

Comment 13 Orla Hegarty 2006-05-26 17:53:13 UTC
trying to manually close

Comment 14 Orla Hegarty 2006-05-26 20:14:29 UTC
trying again

Comment 16 Rich Megginson 2006-06-29 12:14:45 UTC
*** Bug 195331 has been marked as a duplicate of this bug. ***