Bug 476891

Summary: Replication: Server to Server Connection Error: SASL(-1): generic failure: All-whitespace username.
Product: Red Hat Directory Server
Reporter: Jenny Severance <jgalipea>
Component: Security - SASL
Assignee: Rich Megginson <rmeggins>
Status: CLOSED CURRENTRELEASE
QA Contact: Chandrasekar Kannan <ckannan>
Severity: high
Priority: low
Version: 8.1
CC: benl, nkinder
Hardware: All
OS: Linux
Fixed In Version: 8.1
Doc Type: Bug Fix
Last Closed: 2009-04-29 23:08:57 UTC
Bug Blocks: 249650, 493682
Attachments:
- diffs (flags: none)
- cvs commit log (flags: none)
- more diffs (flags: none)
- cvs commit log - part deux (flags: none)

Description Jenny Severance 2008-12-17 19:37:26 UTC
Description of problem:
Setting up a server-to-server SASL/DIGEST-MD5 connection results in the servers being unable to connect, with the following error:

slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [cn=Replication Manager,cn=config] mech [DIGEST-MD5]: error 82 (Local error) (SASL(-1): generic failure: All-whitespace username.)

Appears to be due to a trailing space after the replica binddn:
'cn=replication manager,cn=config '

Version-Release number of selected component (if applicable):
8.1

How reproducible:
Always

Steps to Reproduce:
1. Install at least 2 servers (instances) and enable replication
2. Add SASL mappings
3. Change passwordStorageScheme: CLEAR
4. Add replica bind users (cn=Replication Manager, cn=config)
5. Add replication agreements, defining
   nsds5ReplicaTransportInfo: LDAP
   nsds5ReplicaBindMethod: SASL/DIGEST-MD5
6. Initialize
7. Check server's errors log.
  
Actual results:
Unable to replicate due to bind error:
slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [cn=Replication Manager,cn=config] mech [DIGEST-MD5]: error 82 (Local error) (SASL(-1): generic failure: All-whitespace username.)

Expected results:
Successful connections.

Tested configuration ....

REPLICATION MANAGER:

# replication manager, config
dn:: Y249cmVwbGljYXRpb24gbWFuYWdlcixjbj1jb25maWcg
objectClass: inetorgperson
objectClass: person
objectClass: top
objectClass: organizationalPerson
cn: replication manager
sn: RM
userPassword:: e1NTSEF9WGVBc2JJMmRaOEhrNWtXb0ExTS8xQk9TK0VkaVBJWDZTRVJkMXc9PQ=
 =

passwordStorageScheme: CLEAR

SASL MAPPINGS:

# replica, mapping, sasl, config
dn: cn=replica,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
cn: replica
nsSaslMapRegexString: \(*\)
nsSaslMapBaseDNTemplate: cn=Replication Manager, cn=config
nsSaslMapFilterTemplate: (cn=*)

# rfc 2829 dn syntax, mapping, sasl, config
dn: cn=rfc 2829 dn syntax,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
cn: rfc 2829 dn syntax
nsSaslMapRegexString: ^dn:\(.*\)
nsSaslMapBaseDNTemplate: \1
nsSaslMapFilterTemplate: (objectclass=*)

# rfc 2829 u syntax, mapping, sasl, config
dn: cn=rfc 2829 u syntax,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
cn: rfc 2829 u syntax
nsSaslMapRegexString: ^u:\(.*\)
nsSaslMapBaseDNTemplate: o=sasl.net
nsSaslMapFilterTemplate: (uid=\1)

# uid mapping, mapping, sasl, config
dn: cn=uid mapping,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
cn: uid mapping
nsSaslMapRegexString: ^[^:@]+$
nsSaslMapBaseDNTemplate: o=sasl.net
nsSaslMapFilterTemplate: (uid=&)

# y, mapping, sasl, config
dn: cn=y,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
cn: y
nsSaslMapRegexString: ldap/jennyv1.bos.redhat.com
nsSaslMapBaseDNTemplate: cn=replication manager,cn=config
nsSaslMapFilterTemplate: (objectclass=*)

# z, mapping, sasl, config
dn: cn=z,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
cn: z
nsSaslMapRegexString: ldap/jennyv1.bos.redhat.com
nsSaslMapBaseDNTemplate: cn=replication manager,cn=config
nsSaslMapFilterTemplate: (objectclass=*)


REPLICATION AGREEMENTS:

# S1 to C1, replica, o\3Dsasl.net, mapping tree, config
dn: cn=S1 to C1,cn=replica,cn="o=sasl.net",cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5replicationagreement
cn: S1 to C1
nsDS5ReplicaHost: jennyv1.bos.redhat.com
nsDS5ReplicaPort: 24206
nsDS5ReplicaBindDN: cn=Replication Manager,cn=config
nsDS5ReplicaBindMethod: SASL/DIGEST-MD5
nsDS5ReplicaRoot: o=sasl.net
description: S1 to C1
nsDS5ReplicaUpdateSchedule: 0000-2359 0123456
nsDS5ReplicaTransportInfo: LDAP
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 0
nsds5replicaLastUpdateEnd: 0
nsds5replicaChangesSentSinceStartup:
nsds5replicaLastUpdateStatus: 82  - LDAP error: Local error
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 0
nsds5replicaLastInitEnd: 0

# S1 to S2 MMR, replica, o\3Dsasl.net, mapping tree, config
dn: cn=S1 to S2 MMR,cn=replica,cn="o=sasl.net",cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5replicationagreement
cn: S1 to S2 MMR
nsDS5ReplicaHost: jennyv1.bos.redhat.com
nsDS5ReplicaPort: 24204
nsDS5ReplicaBindDN: cn=Replication Manager,cn=config
nsDS5ReplicaBindMethod: SASL/DIGEST-MD5
nsDS5ReplicaRoot: o=sasl.net
description: S1 to S2 MMR
nsDS5ReplicaUpdateSchedule: 0000-2359 0123456
nsDS5ReplicaTransportInfo: LDAP
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 0
nsds5replicaLastUpdateEnd: 0
nsds5replicaChangesSentSinceStartup:
nsds5replicaLastUpdateStatus: 82  - LDAP error: Local error
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 0
nsds5replicaLastInitEnd: 0
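
The report above traces the failure to a trailing space in the replication manager's DN, and the LDIF export base64-encodes that DN (the `dn::` line) precisely because it ends in a space, which hides the defect from a casual read. The following check is an added example, not code from the bug report or from Directory Server: it parses LDIF, decodes base64 values and flags DN-valued attributes with leading or trailing whitespace; the sample LDIF is constructed and reuses the report's own `dn::` line.

```python
import base64
import re

# Constructed LDIF sample. The dn:: line is the base64 value quoted in the
# bug report; it decodes to a DN with a trailing space.
SAMPLE_LDIF = """\
# replication manager, config
dn:: Y249cmVwbGljYXRpb24gbWFuYWdlcixjbj1jb25maWcg
objectClass: top
cn: replication manager

dn: cn=S1 to C1,cn=replica,cn="o=sasl.net",cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
nsDS5ReplicaBindDN: cn=Replication Manager,cn=config
nsDS5ReplicaBindMethod: SASL/DIGEST-MD5
"""

# attributes whose values are DNs and should never carry padding
DN_ATTRS = {"dn", "nsds5replicabinddn"}

def parse_ldif(text):
    """Yield (attribute, decoded value) pairs: folded lines are joined,
    '::' values are base64-decoded, comments and blank lines skipped."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    for line in lines:
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$", line)
        if not m:
            continue
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        yield attr, value

def find_padded_dns(text):
    """Return (attribute, value) for each DN-valued attribute whose value
    has leading or trailing whitespace."""
    return [(attr, val) for attr, val in parse_ldif(text)
            if attr.lower() in DN_ATTRS and val != val.strip()]

if __name__ == "__main__":
    for attr, val in find_padded_dns(SAMPLE_LDIF):
        print(f"{attr}: {val!r}  <- whitespace-padded DN")
```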

Comment 1 Rich Megginson 2008-12-17 20:13:26 UTC
Created attachment 327280 [details]
diffs

Comment 2 Rich Megginson 2008-12-17 20:48:18 UTC
Created attachment 327284 [details]
cvs commit log

Reviewed by: nkinder (Thanks!)
Fix Description: 1) SASL/DIGEST-MD5 needs both username and authid
2) The username and authid in this context are always a bind DN - they must have the "dn:" prefix in order for the SASL mapping to work
3) gssapi (kerberos) sets both username and authid to NULL
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
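
Point 2 of the fix description says the SASL username and authid must carry the "dn:" prefix for the SASL mapping to match. The model below is an added example, not Directory Server code: it replays a subset of the nsSaslMapping entries from the report against a SASL identity, with the assumptions that mappings are tried in the listed order, that `\1` expands to the first captured group and `&` to the whole identity.

```python
import re

# Subset of the nsSaslMapping entries from the bug report:
# (name, nsSaslMapRegexString, nsSaslMapBaseDNTemplate, nsSaslMapFilterTemplate).
# Regexes are POSIX-style, with \( \) grouping, as stored in the server.
MAPPINGS = [
    ("rfc 2829 dn syntax", r"^dn:\(.*\)", r"\1", "(objectclass=*)"),
    ("rfc 2829 u syntax", r"^u:\(.*\)", "o=sasl.net", r"(uid=\1)"),
    ("uid mapping", r"^[^:@]+$", "o=sasl.net", "(uid=&)"),
]

def _expand(template, identity, match):
    """'&' stands for the whole identity, \\N for the Nth captured group."""
    out = template.replace("&", identity)
    return re.sub(r"\\(\d)", lambda g: match.group(int(g.group(1))), out)

def map_sasl_identity(identity):
    """Return (mapping name, search base, filter) for the first mapping whose
    regex matches the SASL identity, or None if no mapping applies."""
    for name, bre, base_tpl, filt_tpl in MAPPINGS:
        pattern = bre.replace(r"\(", "(").replace(r"\)", ")")  # BRE -> Python
        m = re.match(pattern, identity)
        if m:
            return name, _expand(base_tpl, identity, m), _expand(filt_tpl, identity, m)
    return None

if __name__ == "__main__":
    # with the prefix the DN mapping fires; without it the identity falls
    # through to the uid mapping and the lookup under o=sasl.net finds nothing
    print(map_sasl_identity("dn:cn=Replication Manager,cn=config"))
    print(map_sasl_identity("cn=Replication Manager,cn=config"))
```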

Comment 3 Rich Megginson 2008-12-17 20:49:57 UTC
NOTE: In order to make this work with SASL/DIGEST-MD5, you have to edit the repl user entry to make the password cleartext.  Using
userPassword: {CLEAR}foo
will not work, you have to use
userPassword: foo
I don't know if it is possible to set the password like this using ldapmodify - you might have to shutdown the server, then edit dse.ldif.

Comment 4 Jenny Severance 2008-12-19 18:31:39 UTC
SASL/GSSAPI now broken after this fix applied.

Comment 5 Rich Megginson 2008-12-19 18:51:24 UTC
Created attachment 327485 [details]
more diffs

Comment 6 Rich Megginson 2008-12-19 19:26:28 UTC
Created attachment 327490 [details]
cvs commit log - part deux

Reviewed by: nkinder (Thanks!)
Fix Description: My earlier fix for this bug broke GSSAPI - it would cause the username and authid to only be freed under certain conditions e.g. if the krb creds were still valid, the code would not free the username and authid, so they would be passed via SASL instead of the principal name.  This fix just makes sure username and authid are always freed, under all circumstances.
Platforms tested: RHEL5, Fedora 9
Flag Day: no
Doc impact: no

Comment 7 Jenny Severance 2009-02-24 19:59:57 UTC
fix verified and being tested by automated acceptance testing

Comment 8 Chandrasekar Kannan 2009-04-29 23:08:57 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-0455.html