Bug 476891 - Replication: Server to Server Connection Error: SASL(-1): generic failure: All-whitespace username.
Replication: Server to Server Connection Error: SASL(-1): generic failure: Al...
Status: CLOSED CURRENTRELEASE
Product: Red Hat Directory Server
Classification: Red Hat
Component: Security - SASL (Show other bugs)
8.1
All Linux
low Severity high
: ---
: ---
Assigned To: Rich Megginson
Chandrasekar Kannan
:
Depends On:
Blocks: 249650 FDS1.2.0
  Show dependency treegraph
 
Reported: 2008-12-17 14:37 EST by Jenny Galipeau
Modified: 2015-01-04 18:35 EST (History)
2 users (show)

See Also:
Fixed In Version: 8.1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-04-29 19:08:57 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
diffs (3.45 KB, patch)
2008-12-17 15:13 EST, Rich Megginson
no flags Details | Diff
cvs commit log (163 bytes, text/plain)
2008-12-17 15:48 EST, Rich Megginson
no flags Details
more diffs (1.05 KB, patch)
2008-12-19 13:51 EST, Rich Megginson
no flags Details | Diff
cvs commit log - part deux (163 bytes, text/plain)
2008-12-19 14:26 EST, Rich Megginson
no flags Details

  None (edit)
Description Jenny Galipeau 2008-12-17 14:37:26 EST
Description of problem:
Setting up Server to Server SASL/DIGEST-MD5 connection, results in the server's unable to connected with the following error:

slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [cn=Replication Manager,cn=config] mech [DIGEST-MD5]: error 82 (Local error) (SASL(-1): generic failure: All-whitespace username.)

Appears to be due to trailing space after after replica binddn:
'cn=replication manager,cn=config '

Version-Release number of selected component (if applicable):
8.1

How reproducible:
Always

Steps to Reproduce:
1. Install at least 2 servers (instances) and enable replication
2. Add SASL mappings
3  change - passwordStorageScheme: CLEAR
4. Add replica bind users (cn=Replication Manager, cn=config)
5  Add replication agreements, defining 
   nsds5ReplicaTransportInfo: LDAP
   nsds5ReplicaBindMethod: SASL/DIGEST-MD5
6. Initialize
7. Check server's errors log.
  
Actual results:
Unable to replica due to bind error:
slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [cn=Replication Manager,cn=config] mech [DIGEST-MD5]: error 82 (Local error) (SASL(-1): generic failure: All-whitespace username.)

Expected results:
Successful connections.

Tested configuration ....

REPLICATION MANAGER:

# replication manager, config
dn:: Y249cmVwbGljYXRpb24gbWFuYWdlcixjbj1jb25maWcg
objectClass: inetorgperson
objectClass: person
objectClass: top
objectClass: organizationalPerson
cn: replication manager
sn: RM
userPassword:: e1NTSEF9WGVBc2JJMmRaOEhrNWtXb0ExTS8xQk9TK0VkaVBJWDZTRVJkMXc9PQ=
 =

passwordStorageScheme: CLEAR

SASL MAPPINGS:

# replica, mapping, sasl, config
dn: cn=replica,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
cn: replica
nsSaslMapRegexString: \(*\)
nsSaslMapBaseDNTemplate: cn=Replication Manager, cn=config
nsSaslMapFilterTemplate: (cn=*)

# rfc 2829 dn syntax, mapping, sasl, config
dn: cn=rfc 2829 dn syntax,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
cn: rfc 2829 dn syntax
nsSaslMapRegexString: ^dn:\(.*\)
nsSaslMapBaseDNTemplate: \1
nsSaslMapFilterTemplate: (objectclass=*)

# rfc 2829 u syntax, mapping, sasl, config
dn: cn=rfc 2829 u syntax,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
cn: rfc 2829 u syntax
nsSaslMapRegexString: ^u:\(.*\)
nsSaslMapBaseDNTemplate: o=sasl.net
nsSaslMapFilterTemplate: (uid=\1)

# uid mapping, mapping, sasl, config
dn: cn=uid mapping,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
cn: uid mapping
nsSaslMapRegexString: ^[^:@]+$
nsSaslMapBaseDNTemplate: o=sasl.net
nsSaslMapFilterTemplate: (uid=&)

# y, mapping, sasl, config
dn: cn=y,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
cn: y
nsSaslMapRegexString: ldap/jennyv1.bos.redhat.com
nsSaslMapBaseDNTemplate: cn=replication manager,cn=config
nsSaslMapFilterTemplate: (objectclass=*)

# z, mapping, sasl, config
dn: cn=z,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
cn: z
nsSaslMapRegexString: ldap/jennyv1.bos.redhat.com@EXAMPLE.COM
nsSaslMapBaseDNTemplate: cn=replication manager,cn=config
nsSaslMapFilterTemplate: (objectclass=*)


REPLICATION AGREEMENTS:

# S1 to C1, replica, o\3Dsasl.net, mapping tree, config
dn: cn=S1 to C1,cn=replica,cn="o=sasl.net",cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5replicationagreement
cn: S1 to C1
nsDS5ReplicaHost: jennyv1.bos.redhat.com
nsDS5ReplicaPort: 24206
nsDS5ReplicaBindDN: cn=Replication Manager,cn=config
nsDS5ReplicaBindMethod: SASL/DIGEST-MD5
nsDS5ReplicaRoot: o=sasl.net
description: S1 to C1
nsDS5ReplicaUpdateSchedule: 0000-2359 0123456
nsDS5ReplicaTransportInfo: LDAP
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 0
nsds5replicaLastUpdateEnd: 0
nsds5replicaChangesSentSinceStartup:
nsds5replicaLastUpdateStatus: 82  - LDAP error: Local error
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 0
nsds5replicaLastInitEnd: 0

# S1 to S2 MMR, replica, o\3Dsasl.net, mapping tree, config
dn: cn=S1 to S2 MMR,cn=replica,cn="o=sasl.net",cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5replicationagreement
cn: S1 to S2 MMR
nsDS5ReplicaHost: jennyv1.bos.redhat.com
nsDS5ReplicaPort: 24204
nsDS5ReplicaBindDN: cn=Replication Manager,cn=config
nsDS5ReplicaBindMethod: SASL/DIGEST-MD5
nsDS5ReplicaRoot: o=sasl.net
description: S1 to S2 MMR
nsDS5ReplicaUpdateSchedule: 0000-2359 0123456
nsDS5ReplicaTransportInfo: LDAP
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 0
nsds5replicaLastUpdateEnd: 0
nsds5replicaChangesSentSinceStartup:
nsds5replicaLastUpdateStatus: 82  - LDAP error: Local error
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 0
nsds5replicaLastInitEnd: 0
Comment 1 Rich Megginson 2008-12-17 15:13:26 EST
Created attachment 327280 [details]
diffs
Comment 2 Rich Megginson 2008-12-17 15:48:18 EST
Created attachment 327284 [details]
cvs commit log

Reviewed by: nkinder (Thanks!)
Fix Description: 1) SASL/DIGEST-MD5 needs both username and authid
2) The username and authid in this context are always a bind DN - they must have the "dn:" prefix in order for the SASL mapping to work
3) gssapi (kerberos) sets both username and authid to NULL
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
Comment 3 Rich Megginson 2008-12-17 15:49:57 EST
NOTE: In order to make this work with SASL/DIGEST-MD5, you have to edit the repl user entry to make the password cleartext.  Using
userPassword: {CLEAR}foo
will not work, you have to use
userPassword: foo
I don't know if it is possible to set the password like this using ldapmodify - you might have to shutdown the server, then edit dse.ldif.
Comment 4 Jenny Galipeau 2008-12-19 13:31:39 EST
SASL/GSSAPI now broken after this fix applied.
Comment 5 Rich Megginson 2008-12-19 13:51:24 EST
Created attachment 327485 [details]
more diffs
Comment 6 Rich Megginson 2008-12-19 14:26:28 EST
Created attachment 327490 [details]
cvs commit log - part deux

Reviewed by: nkinder (Thanks!)
Fix Description: My earlier fix for this bug broke GSSAPI - it would cause the username and authid to only be freed under certain conditions e.g. if the krb creds were still valid, the code would not free the username and authid, so they would be passed via SASL instead of the principal name.  This fix just makes sure username and authid are always freed, under all circumstances.
Platforms tested: RHEL5, Fedora 9
Flag Day: no
Doc impact: no
Comment 7 Jenny Galipeau 2009-02-24 14:59:57 EST
fix verified and being tested by automated acceptance testing
Comment 8 Chandrasekar Kannan 2009-04-29 19:08:57 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-0455.html

Note You need to log in before you can comment on or make changes to this bug.