Bug 202872

Summary: Allow the password modify extended op when using SASL privacy layer
Product: [Retired] 389
Reporter: Nathan Kinder <nkinder>
Component: Security - SASL
Assignee: Nathan Kinder <nkinder>
Status: CLOSED CURRENTRELEASE
QA Contact: Viktor Ashirov <vashirov>
Severity: medium
Priority: medium
Version: 1.0.2
CC: nhosoi, rmeggins
Target Milestone: ---
Keywords: Reopened
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2015-12-07 16:54:55 UTC
Bug Blocks: 152373, 208654, 240316

Attachments:
- CVS Diffs (flags: none)
- Revised Diffs (flags: none)
- CVS Commit (flags: none)

Description Nathan Kinder 2006-08-16 20:56:59 UTC
The current behavior of the Directory Server is to only allow the password
modify extended operation when the connection is using SSL or TLS.  If you
attempt to use a connection that is not using SSL or TLS, the server returns
LDAP_CONFIDENTIALITY_REQUIRED.

We should allow the password modify extended operation if the connection is
using  a SASL security layer that has privacy.

Comment 1 Nathan Kinder 2006-08-16 21:02:50 UTC
Created attachment 134347 [details]
CVS Diffs

I added a new internal function "int ids_sasl_privacy_enabled(Connection
*conn)" that will check if a SASL security layer supporting privacy has been
negotiated for a particular connection.  This function uses the sasl_getprop()
function to check the SSF (security strength factor) to see if privacy has been
negotiated.

This function allows us to have the password modify extop code check if privacy
is enabled so it can allow the operation to be processed.  The new server
behavior is to allow the password modify extended operation if using SSL, TLS,
or a SASL privacy layer.  All other attempts will return
LDAP_CONFIDENTIALITY_REQUIRED.

Comment 2 Rich Megginson 2006-08-16 21:13:02 UTC
I think knowing if the user authenticated via sasl and if there was a privacy
layer negotiated is a generally useful thing to know i.e. we can use it in the
aci code, other preop plugin code, etc.  I think it should be slapi-plugin.h
function, or perhaps a pblock item - we already have SLAPI_CONN_IS_SSL_SESSION
in the pblock, maybe a SLAPI_CONN_HAS_SASL_PRIVACY or something like that.

Comment 3 Nathan Kinder 2006-08-16 23:29:23 UTC
Created attachment 134355 [details]
Revised Diffs

I like the idea of being able to expose if a SASL privacy layer is in use to
plugins, etc.  I think it would be most useful if we just exposed the SASL SSF
itself.  This would allow us to do things such as enhance the aci's to be able 
to specify a minimum SSF.

The attached diffs implement a new Connection parameter for the SASL SSF.  This
is exposed via the pblock as the SLAPI_CONN_SASL_SSF parameter.  We initialize
this to 0, and we update the SSF right after we install the SASL IO layer.  We
reset the SSF to 0 in the sasl_io_cleanup() function.

Comment 4 Rich Megginson 2006-08-16 23:40:27 UTC
Ok.

Comment 5 Nathan Kinder 2006-08-17 15:30:58 UTC
Created attachment 134393 [details]
CVS Commit

Checked into ldapserver (HEAD).

Comment 6 Nathan Kinder 2006-08-17 16:26:32 UTC
I have created a documentation bug to add this new pblock parameter to the
"Plug-In Programmers Guide".  The doc bug is bug 202976.

Comment 7 Nathan Kinder 2006-08-17 16:32:31 UTC
To verify the fix for this bug, perform the following tests:

- Use the ldappasswd tool to attempt to modify a user's password using simple
auth with no SSL.  The server should return a message stating "Confidentiality
required".

- Use the ldappasswd tool to attempt to modify a user's password using simple
auth with SSL.  The password change should succeed.

- Use the ldappasswd tool to attempt to modify a user's password using simple
auth with startTLS.  The password change should succeed.

- Use the ldappasswd tool to attempt to modify a user's password using SASL auth
with the CRAM-MD5 mechanism (this mechanism does not provide privacy).  The
server should return a message stating "Confidentiality required".

- Use the ldappasswd tool to attempt to modify a user's password using SASL auth
with the CRAM-MD5 mechanism over SSL.  The password change should succeed.

- Use the ldappasswd tool to attempt to modify a user's password using SASL auth
with the CRAM-MD5 mechanism with startTLS.  The password change should succeed.

- Use the ldappasswd tool to attempt to modify a user's password using SASL auth
with the DIGEST-MD5 mechanism.  The password change should succeed.
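
As an added illustration, not code from the 389 Directory Server tree or from the diffs attached to this bug, the C below models the gate that comments 1, 3 and 7 describe: the password modify extop is allowed over SSL/TLS or over a SASL layer with privacy, the per-connection SSF is set when the SASL IO layer is installed and reset to 0 on cleanup, and every other case gets LDAP_CONFIDENTIALITY_REQUIRED (result code 13, which is what ldappasswd reports as "Confidentiality required (13)"). The Connection struct, CONN_FLAG_SSL, c_sasl_ssf, sasl_io_install() and check_case() are assumed names chosen for this example; the real server obtains the SSF through sasl_getprop() and its field and function names may differ. The example also exercises an integrity-only SSF of 1, which the bug does not discuss, to show why the check should compare against the Cyrus SASL privacy threshold rather than merely test for a non-zero SSF.

```c
/* Added example (not 389 Directory Server code): models the confidentiality
 * gate for the password modify extended operation discussed in this bug.
 * Type, field and function names are assumptions for illustration; only
 * the LDAP result code value and the Cyrus SASL SSF convention are real. */
#include <stdio.h>

/* LDAP resultCode confidentialityRequired (value 13). */
#define LDAP_SUCCESS                  0
#define LDAP_CONFIDENTIALITY_REQUIRED 13

/* Assumed connection flag: set when the session runs over SSL or was
 * upgraded with Start TLS. */
#define CONN_FLAG_SSL 0x1

/* Minimal stand-in for the server's per-connection state. */
typedef struct {
    unsigned int c_flags;     /* CONN_FLAG_SSL when SSL/TLS is active */
    unsigned int c_sasl_ssf;  /* SASL security strength factor, 0 when none */
} Connection;

/* Called once the SASL bind completes and the SASL IO layer is installed
 * (comment 3: the SSF is updated right after installing the layer). The
 * real server reads the value with sasl_getprop(); here the caller passes
 * the negotiated SSF directly. */
void sasl_io_install(Connection *conn, unsigned int negotiated_ssf)
{
    conn->c_sasl_ssf = negotiated_ssf;
}

/* Tearing down the SASL layer drops the SSF back to 0 so a later operation
 * on the same connection cannot inherit stale privacy state. */
void sasl_io_cleanup(Connection *conn)
{
    conn->c_sasl_ssf = 0;
}

/* Cyrus SASL SSF convention: 0 = no protection, 1 = integrity only,
 * greater than 1 = privacy (encryption). Only the last counts as a
 * "SASL security layer that has privacy". */
int ids_sasl_privacy_enabled(const Connection *conn)
{
    return conn->c_sasl_ssf > 1;
}

/* The gate the password modify extop applies before doing any work:
 * allow over SSL/TLS or a SASL privacy layer, otherwise refuse. */
int passwd_modify_confidentiality_check(const Connection *conn)
{
    if (conn->c_flags & CONN_FLAG_SSL)
        return LDAP_SUCCESS;
    if (ids_sasl_privacy_enabled(conn))
        return LDAP_SUCCESS;
    return LDAP_CONFIDENTIALITY_REQUIRED;
}

/* Builds a connection in a given state, mirroring one row of the
 * verification matrix in comment 7, and returns the gate's result. */
int check_case(int over_tls, unsigned int sasl_ssf)
{
    Connection conn = { 0, 0 };
    if (over_tls)
        conn.c_flags |= CONN_FLAG_SSL;
    if (sasl_ssf)
        sasl_io_install(&conn, sasl_ssf);
    return passwd_modify_confidentiality_check(&conn);
}

/* Returns 1 when the SSF lifecycle behaves as comment 3 requires:
 * privacy visible after install, gone (SSF 0) after cleanup. */
int ssf_resets_on_cleanup(void)
{
    Connection conn = { 0, 0 };
    sasl_io_install(&conn, 56);            /* constructed SSF value */
    int before = ids_sasl_privacy_enabled(&conn);
    sasl_io_cleanup(&conn);
    int after = ids_sasl_privacy_enabled(&conn);
    return before && !after && conn.c_sasl_ssf == 0;
}

int main(void)
{
    /* Constructed cases following comment 7. A DIGEST-MD5 privacy layer is
     * represented by an SSF of 128; the SSF 1 row is an extra integrity-only
     * case not covered in the bug. */
    struct { const char *name; int tls; unsigned int ssf; } cases[] = {
        { "simple auth, no SSL",               0, 0   },
        { "simple auth over SSL",              1, 0   },
        { "simple auth with startTLS",         1, 0   },
        { "SASL CRAM-MD5, no SSL",             0, 0   },
        { "SASL CRAM-MD5 over SSL",            1, 0   },
        { "SASL CRAM-MD5 with startTLS",       1, 0   },
        { "SASL DIGEST-MD5 privacy layer",     0, 128 },
        { "SASL integrity-only layer (SSF 1)", 0, 1   },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int rc = check_case(cases[i].tls, cases[i].ssf);
        printf("%-36s -> %s\n", cases[i].name,
               rc == LDAP_SUCCESS ? "password change allowed"
                                  : "Confidentiality required (13)");
    }
    return ssf_resets_on_cleanup() ? 0 : 1;
}
```

The point of the threshold in ids_sasl_privacy_enabled() is that a SASL mechanism can negotiate an integrity-only layer, which protects against tampering but still sends the new password in the clear; a gate that only asked "is the SSF non-zero" would let that through.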

Comment 8 Michael Gregg 2008-01-08 00:23:19 UTC
- Use the ldappasswd tool to attempt to modify a user's password using simple
auth with no SSL.  The server should return a message stating "Confidentiality
required".

/usr/bin/ldappasswd -w redhat -D"cn=directory manager" -h localhost -p 1111 -s
9998 -x "uid=mgreggtest,ou=people,o=redhat" 
Result: Confidentiality required (13)
Additional info: Operation requires a secure connection.

- Use the ldappasswd tool to attempt to modify a user's password using simple
auth with SSL.  The password change should succeed.

/usr/lib/mozldap6/ldappasswd -w redhat -D "cn=directory manager" -h
brandywine.dsqa.sjc2.redhat.com -p 1112 -Z -s 9998 -a netscape -P
/etc/dirsrv/slapd-MAIN/cert8.db -K /etc/dirsrv/slapd-MAIN/key3.db
"uid=mgreggtest,ou=people,o=redhat" -a 9998
ldappasswd-bin: password successfully changed

- Use the ldappasswd tool to attempt to modify a user's password using simple
auth with startTLS.  The password change should succeed.

/usr/lib/mozldap6/ldappasswd -w redhat -D"cn=directory manager" -h localhost -p
1111 -ZZZ -s 9998 "uid=mgreggtest,ou=people,o=redhat" 

- Use the ldappasswd tool to attempt to modify a user's password using SASL auth
with the CRAM-MD5 mechanism (this mechanism does not provide privacy).  The
server should return a message stating "Confidentiality required".

/usr/lib/mozldap6/ldappasswd -h brandywine.dsqa.sjc2.redhat.com -p 1111 -s 9998
"uid=mgreggtest,ou=people,o=redhat" -a 1234 -m CRAM-M5 -o "mech=CRAM-MD5" -o
"authid=ttest1" -w 1234

- Use the ldappasswd tool to attempt to modify a user's password using SASL auth
with the CRAM-MD5 mechanism over SSL.  The password change should succeed.

/usr/lib/mozldap6/ldappasswd -h brandywine.dsqa.sjc2.redhat.com -p 1112 -s 9998
-a 9998 -o "mech=CRAM-MD5" -o "authid=ttest1" -w 9998 -Z -P
/etc/dirsrv/slapd-MAIN/cert8.db -K /etc/dirsrv/slapd-MAIN/key3.db
"uid=ttest1,ou=testpeople,o=sasl.com" 
ldappasswd-bin: password successfully changed

- Use the ldappasswd tool to attempt to modify a user's password using SASL auth
with the CRAM-MD5 mechanism with startTLS.  The password change should succeed.

/usr/lib/mozldap6/ldappasswd -h brandywine.dsqa.sjc2.redhat.com -p 1111 -s 9998
"uid=ttest1,ou=testpeople,o=sasl.com" -a 1234 -m CRAM-M5 -o "mech=CRAM-MD5" -o
"authid=ttest1" -w 1234 -ZZ
ldappasswd-bin: password successfully changed

Verified against:
1199305764 idm-console-framework-1.1.0-7.el4idm Wed Jan 02 2008 
1199305765 redhat-ds-console-8.0.0-9.el4dsrv Wed Jan 02 2008 
1199305766 redhat-admin-console-8.0.0-9.el4dsrv Wed Jan 02 2008 
1199305768 redhat-idm-console-1.0.0-21.el4idm Wed Jan 02 2008 
1199390834 net-snmp-libs-5.1.2-11.el4_6.11.1 Thu Jan 03 2008 
1199390890 net-snmp-5.1.2-11.el4_6.11.1 Thu Jan 03 2008 
1199391027 db4-4.2.52-7.3.el4 Thu Jan 03 2008 
1199391030 db4-utils-4.2.52-7.3.el4 Thu Jan 03 2008 
1199391031 db4-tcl-4.2.52-7.3.el4 Thu Jan 03 2008 
1199391034 db4-java-4.2.52-7.3.el4 Thu Jan 03 2008 
1199391044 db4-devel-4.2.52-7.3.el4 Thu Jan 03 2008 
1199391134 cyrus-sasl-2.1.19-14 Thu Jan 03 2008 
1199391137 cyrus-sasl-md5-2.1.19-14 Thu Jan 03 2008 
1199391138 cyrus-sasl-gssapi-2.1.19-14 Thu Jan 03 2008 
1199391138 cyrus-sasl-plain-2.1.19-14 Thu Jan 03 2008 
1199391138 cyrus-sasl-sql-2.1.19-14 Thu Jan 03 2008 
1199391139 cyrus-sasl-ntlm-2.1.19-14 Thu Jan 03 2008 
1199391140 cyrus-sasl-devel-2.1.19-14 Thu Jan 03 2008