Bug 476891
Summary: | Replication: Server to Server Connection Error: SASL(-1): generic failure: All-whitespace username. | |
---|---|---|---
Product: | Red Hat Directory Server | Reporter: | Jenny Severance <jgalipea>
Component: | Security - SASL | Assignee: | Rich Megginson <rmeggins>
Status: | CLOSED CURRENTRELEASE | QA Contact: | Chandrasekar Kannan <ckannan>
Severity: | high | Docs Contact: |
Priority: | low | |
Version: | 8.1 | CC: | benl, nkinder
Target Milestone: | --- | |
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | 8.1 | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2009-04-29 23:08:57 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | | |
Bug Blocks: | 249650, 493682 | |
Attachments: | | |
Description
Jenny Severance
2008-12-17 19:37:26 UTC
Created attachment 327280 [details]
diffs
Created attachment 327284 [details]
cvs commit log
Reviewed by: nkinder (Thanks!)
Fix Description: 1) SASL/DIGEST-MD5 needs both username and authid
2) The username and authid in this context are always a bind DN - they must have the "dn:" prefix in order for the SASL mapping to work
3) gssapi (kerberos) sets both username and authid to NULL
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
NOTE: In order to make this work with SASL/DIGEST-MD5, you have to edit the repl user entry to make the password cleartext. Using userPassword: {CLEAR}foo will not work, you have to use userPassword: foo. I don't know if it is possible to set the password like this using ldapmodify - you might have to shutdown the server, then edit dse.ldif.
SASL/GSSAPI now broken after this fix applied.
Created attachment 327485 [details]
more diffs
Created attachment 327490 [details]
cvs commit log - part deux
Reviewed by: nkinder (Thanks!)
Fix Description: My earlier fix for this bug broke GSSAPI - it would cause the username and authid to only be freed under certain conditions e.g. if the krb creds were still valid, the code would not free the username and authid, so they would be passed via SASL instead of the principal name. This fix just makes sure username and authid are always freed, under all circumstances.
Platforms tested: RHEL5, Fedora 9
Flag Day: no
Doc impact: no
fix verified and being tested by automated acceptance testing
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.
http://rhn.redhat.com/errata/RHEA-2009-0455.html
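The NOTE in the first fix description says the replication user's password has to be stored in cleartext for SASL/DIGEST-MD5. The following added example (not part of the bug report and not Directory Server code) computes the DIGEST-MD5 response as defined in RFC 2831 and shows that a server holding only a one-way salted hash cannot recompute it. The bind DN, realm, nonces and digest-uri are constructed values; the password "foo" mirrors the placeholder in the NOTE.

```python
import base64
import hashlib
import hmac

def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def digest_md5_response(username, realm, password, nonce, cnonce, nc, digest_uri):
    """Response value per RFC 2831 section 2.1.2.1 (qop=auth, no authzid)."""
    # The innermost hash covers the cleartext password itself.
    secret = md5(f"{username}:{realm}:{password}".encode("utf-8"))
    a1 = secret + f":{nonce}:{cnonce}".encode("utf-8")
    a2 = f"AUTHENTICATE:{digest_uri}".encode("utf-8")
    kd = f"{md5(a1).hex()}:{nonce}:{nc}:{cnonce}:auth:{md5(a2).hex()}"
    return md5(kd.encode("utf-8")).hex()

def server_verify(stored_password, msg):
    """Recompute the response from whatever value the server has stored."""
    expected = digest_md5_response(msg["username"], msg["realm"], stored_password,
                                   msg["nonce"], msg["cnonce"], msg["nc"],
                                   msg["digest_uri"])
    return hmac.compare_digest(expected, msg["response"])

def ssha(password, salt):
    """One-way salted SHA-1 storage form, shown only for contrast."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

# Constructed sample values (not taken from the bug report).
PASSWORD = "foo"
CLIENT_MSG = {
    "username": "dn:cn=replication manager,cn=config",
    "realm": "supplier.example.com",
    "nonce": "c2VydmVyLW5vbmNl",
    "cnonce": "Y2xpZW50LW5vbmNl",
    "nc": "00000001",
    "digest_uri": "ldap/consumer.example.com",
}

def demo():
    msg = dict(CLIENT_MSG)
    msg["response"] = digest_md5_response(password=PASSWORD, **CLIENT_MSG)
    return {
        "cleartext_stored": server_verify(PASSWORD, msg),
        "hash_stored": server_verify(ssha(PASSWORD, b"\x01\x02\x03\x04"), msg),
    }

if __name__ == "__main__":
    print(demo())
```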