Bug 184585 - Re-binding when using SASL is not handled correctly
Summary: Re-binding when using SASL is not handled correctly
Alias: None
Product: 389
Classification: Retired
Component: Security - SASL
Version: 1.0
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Nathan Kinder
QA Contact: Orla Hegarty
: 195331 (view as bug list)
Depends On:
Blocks: 152373 159328 182367 205654 240316
TreeView+ depends on / blocked
Reported: 2006-03-10 00:06 UTC by Nathan Kinder
Modified: 2007-05-16 13:56 UTC (History)
2 users (show)

Clone Of:
Last Closed: 2006-05-26 20:14:29 UTC

Attachments (Terms of Use)
CVS Diffs (2.34 KB, patch)
2006-03-10 00:15 UTC, Nathan Kinder
no flags Details | Diff
Revised Diffs (2.50 KB, patch)
2006-03-13 23:41 UTC, Nathan Kinder
no flags Details | Diff
Revised Diffs (2.76 KB, patch)
2006-03-14 18:28 UTC, Nathan Kinder
no flags Details | Diff
Additional Diff (1.04 KB, patch)
2006-03-14 19:29 UTC, Nathan Kinder
no flags Details | Diff

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2006:0270 normal SHIPPED_LIVE Moderate: Red Hat Directory Server 7.1 security update 2006-05-17 04:00:00 UTC

Description Nathan Kinder 2006-03-10 00:06:45 UTC
The server does not allow you to re-bind using SASL on the same connection.  For
example, If I bind and authenticate to the server using DIGEST-MD5, then do
another SASL bind using DIGEST-MD5, the server will return an error 49.  It
should allow me to do this.

Comment 2 Nathan Kinder 2006-03-10 00:15:14 UTC
Created attachment 125910 [details]
CVS Diffs

These changes dispose of and create a new server-side SASL context when you
re-bind using SASL.

Comment 3 Nathan Kinder 2006-03-13 23:41:26 UTC
Created attachment 126078 [details]
Revised Diffs

Revised the fix to deal with the case where the SASL mechanism is changed in
the middle of an uncompleted SASL bind operation.

Comment 4 Nathan Kinder 2006-03-14 18:28:43 UTC
Created attachment 126115 [details]
Revised Diffs

An additional change was needed to reset the IO function pointers of the
connection before disposing of the sasl context.  This requires us to lock

Comment 5 Nathan Kinder 2006-03-14 19:13:47 UTC
Checked into HEAD.  Reviewed by Rich, Pete, and Noriko.

Checking in saslbind.c;
/cvs/dirsec/ldapserver/ldap/servers/slapd/saslbind.c,v  <--  saslbind.c
new revision: 1.15; previous revision: 1.14
Checking in slap.h;
/cvs/dirsec/ldapserver/ldap/servers/slapd/slap.h,v  <--  slap.h
new revision: 1.12; previous revision: 1.11

Comment 6 Nathan Kinder 2006-03-14 19:29:33 UTC
Created attachment 126117 [details]
Additional Diff

Rich suggested a modification to the location where we aquire the connection
lock.  This diff has that additional change.  The change has been checked into

Checking in saslbind.c;
/cvs/dirsec/ldapserver/ldap/servers/slapd/saslbind.c,v	<--  saslbind.c
new revision: 1.16; previous revision: 1.15

Comment 12 Orla Hegarty 2006-05-26 17:49:19 UTC
Somehow the errata system did not automatically close these bugs even though DS
SP 2 is shipped and available live on RHN

Comment 13 Orla Hegarty 2006-05-26 17:53:13 UTC
trying to manually close

Comment 14 Orla Hegarty 2006-05-26 20:14:29 UTC
trying again

Comment 16 Rich Megginson 2006-06-29 12:14:45 UTC
*** Bug 195331 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.