Description of problem:
Setting up a server-to-server SASL/DIGEST-MD5 connection results in the servers being unable to connect, with the following error:

slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [cn=Replication Manager,cn=config] mech [DIGEST-MD5]: error 82 (Local error) (SASL(-1): generic failure: All-whitespace username.)

Appears to be due to a trailing space after the replica binddn: 'cn=replication manager,cn=config '

Version-Release number of selected component (if applicable):
8.1

How reproducible:
Always

Steps to Reproduce:
1. Install at least 2 servers (instances) and enable replication
2. Add SASL mappings
3. Change passwordStorageScheme: CLEAR
4. Add replica bind users (cn=Replication Manager, cn=config)
5. Add replication agreements, defining nsds5ReplicaTransportInfo: LDAP and nsds5ReplicaBindMethod: SASL/DIGEST-MD5
6. Initialize
7. Check the server's errors log.

Actual results:
Unable to replicate due to bind error:

slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [cn=Replication Manager,cn=config] mech [DIGEST-MD5]: error 82 (Local error) (SASL(-1): generic failure: All-whitespace username.)

Expected results:
Successful connections.

Tested configuration ....
REPLICATION MANAGER:

# replication manager, config
dn:: Y249cmVwbGljYXRpb24gbWFuYWdlcixjbj1jb25maWcg
objectClass: inetorgperson
objectClass: person
objectClass: top
objectClass: organizationalPerson
cn: replication manager
sn: RM
userPassword:: e1NTSEF9WGVBc2JJMmRaOEhrNWtXb0ExTS8xQk9TK0VkaVBJWDZTRVJkMXc9PQ==
passwordStorageScheme: CLEAR

SASL MAPPINGS:

# replica, mapping, sasl, config
dn: cn=replica,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
cn: replica
nsSaslMapRegexString: \(*\)
nsSaslMapBaseDNTemplate: cn=Replication Manager, cn=config
nsSaslMapFilterTemplate: (cn=*)

# rfc 2829 dn syntax, mapping, sasl, config
dn: cn=rfc 2829 dn syntax,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
cn: rfc 2829 dn syntax
nsSaslMapRegexString: ^dn:\(.*\)
nsSaslMapBaseDNTemplate: \1
nsSaslMapFilterTemplate: (objectclass=*)

# rfc 2829 u syntax, mapping, sasl, config
dn: cn=rfc 2829 u syntax,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
cn: rfc 2829 u syntax
nsSaslMapRegexString: ^u:\(.*\)
nsSaslMapBaseDNTemplate: o=sasl.net
nsSaslMapFilterTemplate: (uid=\1)

# uid mapping, mapping, sasl, config
dn: cn=uid mapping,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
cn: uid mapping
nsSaslMapRegexString: ^[^:@]+$
nsSaslMapBaseDNTemplate: o=sasl.net
nsSaslMapFilterTemplate: (uid=&)

# y, mapping, sasl, config
dn: cn=y,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
cn: y
nsSaslMapRegexString: ldap/jennyv1.bos.redhat.com
nsSaslMapBaseDNTemplate: cn=replication manager,cn=config
nsSaslMapFilterTemplate: (objectclass=*)

# z, mapping, sasl, config
dn: cn=z,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
cn: z
nsSaslMapRegexString: ldap/jennyv1.bos.redhat.com
nsSaslMapBaseDNTemplate: cn=replication manager,cn=config
nsSaslMapFilterTemplate: (objectclass=*)

REPLICATION AGREEMENTS:

# S1 to C1, replica, o\3Dsasl.net, mapping tree, config
dn: cn=S1 to C1,cn=replica,cn="o=sasl.net",cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5replicationagreement
cn: S1 to C1
nsDS5ReplicaHost: jennyv1.bos.redhat.com
nsDS5ReplicaPort: 24206
nsDS5ReplicaBindDN: cn=Replication Manager,cn=config
nsDS5ReplicaBindMethod: SASL/DIGEST-MD5
nsDS5ReplicaRoot: o=sasl.net
description: S1 to C1
nsDS5ReplicaUpdateSchedule: 0000-2359 0123456
nsDS5ReplicaTransportInfo: LDAP
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 0
nsds5replicaLastUpdateEnd: 0
nsds5replicaChangesSentSinceStartup:
nsds5replicaLastUpdateStatus: 82 - LDAP error: Local error
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 0
nsds5replicaLastInitEnd: 0

# S1 to S2 MMR, replica, o\3Dsasl.net, mapping tree, config
dn: cn=S1 to S2 MMR,cn=replica,cn="o=sasl.net",cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5replicationagreement
cn: S1 to S2 MMR
nsDS5ReplicaHost: jennyv1.bos.redhat.com
nsDS5ReplicaPort: 24204
nsDS5ReplicaBindDN: cn=Replication Manager,cn=config
nsDS5ReplicaBindMethod: SASL/DIGEST-MD5
nsDS5ReplicaRoot: o=sasl.net
description: S1 to S2 MMR
nsDS5ReplicaUpdateSchedule: 0000-2359 0123456
nsDS5ReplicaTransportInfo: LDAP
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 0
nsds5replicaLastUpdateEnd: 0
nsds5replicaChangesSentSinceStartup:
nsds5replicaLastUpdateStatus: 82 - LDAP error: Local error
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 0
nsds5replicaLastInitEnd: 0
Created attachment 327280: diffs
Created attachment 327284: cvs commit log

Reviewed by: nkinder (Thanks!)
Fix Description:
1) SASL/DIGEST-MD5 needs both username and authid
2) The username and authid in this context are always a bind DN - they must have the "dn:" prefix in order for the SASL mapping to work
3) gssapi (kerberos) sets both username and authid to NULL
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
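The fix above relies on the SASL mappings from the tested configuration: the replication code now presents the bind DN with a "dn:" prefix so that the "rfc 2829 dn syntax" mapping resolves it, and the trailing space in the exported replication manager entry (visible only because the dn is base64-encoded in the LDIF) is what produced the "All-whitespace username" failure. The following is an added example, not code from the bug report or from the directory server; it models the nsSaslMapping lookup in Python using the mappings listed in the tested configuration (the hostname-based "y"/"z" mappings are omitted), decodes the report's base64 dn line to expose the trailing space, and shows which mapping claims a bind DN with and without the "dn:" prefix. Assumptions, labelled in the code: mappings are tried in list order with first match winning, and the \( \) group syntax is translated to Python regex syntax with patterns Python cannot compile treated as non-matching.

```python
import base64
import re

# Added example, not part of the bug report or the directory server's code.
# nsSaslMapping entries copied from the bug's tested configuration:
# (cn, nsSaslMapRegexString, nsSaslMapBaseDNTemplate, nsSaslMapFilterTemplate).
# Assumption: mappings are tried in list order and the first match wins.
SASL_MAPPINGS = [
    ("replica",            r"\(*\)",      "cn=Replication Manager, cn=config", "(cn=*)"),
    ("rfc 2829 dn syntax", r"^dn:\(.*\)", r"\1",                               "(objectclass=*)"),
    ("rfc 2829 u syntax",  r"^u:\(.*\)",  "o=sasl.net",                        r"(uid=\1)"),
    ("uid mapping",        r"^[^:@]+$",   "o=sasl.net",                        "(uid=&)"),
]


def bre_to_python(pattern):
    """Translate the backslash-paren group syntax used in nsSaslMapRegexString
    into Python re syntax. Simplification (assumption): only the group delimiters
    are translated; a pattern Python cannot compile is treated as non-matching."""
    return pattern.replace(r"\(", "(").replace(r"\)", ")")


def expand_template(template, match):
    """Expand backreferences (backslash-digit, a regex group) and '&' (the whole
    matched identity) in a base DN or filter template."""
    def repl(m):
        if m.group(0) == "&":
            return match.group(0)
        return match.group(int(m.group(1)))
    return re.sub(r"\\(\d)|&", repl, template)


def map_sasl_identity(identity, mappings=SASL_MAPPINGS):
    """Return (mapping cn, search base, search filter) for the first mapping whose
    regex matches the SASL identity, or None when no mapping matches."""
    for name, regex, base_tmpl, filter_tmpl in mappings:
        try:
            rx = re.compile(bre_to_python(regex))
        except re.error:
            # The "replica" mapping's "\(*\)" has no direct Python equivalent.
            continue
        m = rx.search(identity)
        if m is not None:
            return name, expand_template(base_tmpl, m), expand_template(filter_tmpl, m)
    return None


def decode_ldif_dn(ldif_line):
    """Decode an LDIF 'dn:' or base64 'dn::' line and report whether the DN carries
    leading or trailing whitespace, the condition behind this bug."""
    key, _, value = ldif_line.partition(" ")
    if key == "dn::":
        dn = base64.b64decode(value).decode("utf-8")
    elif key == "dn:":
        dn = value
    else:
        raise ValueError("not an LDIF dn line: %r" % ldif_line)
    return dn, dn != dn.strip()


def sasl_identity_for_bind_dn(bind_dn):
    """Build the identity the fixed replication code hands to SASL: the bind DN
    with the 'dn:' prefix, so the 'rfc 2829 dn syntax' mapping can claim it."""
    return "dn:" + bind_dn


if __name__ == "__main__":
    # The replication manager entry as exported in the report (base64 because of
    # the trailing space).
    dn, bad_ws = decode_ldif_dn("dn:: Y249cmVwbGljYXRpb24gbWFuYWdlcixjbj1jb25maWcg")
    print("bind DN %r, leading/trailing whitespace: %s" % (dn, bad_ws))
    for ident in (sasl_identity_for_bind_dn("cn=Replication Manager,cn=config"),
                  "cn=Replication Manager,cn=config",
                  sasl_identity_for_bind_dn(dn),
                  "u:rmanager"):
        print("%-45r -> %s" % (ident, map_sasl_identity(ident)))
```

Without the "dn:" prefix the bind DN contains no ':' or '@', so it falls through to the "uid mapping" entry and becomes a search under o=sasl.net for (uid=cn=Replication Manager,cn=config), which finds nothing; with the prefix, the "rfc 2829 dn syntax" mapping hands back the DN itself as the search base. The decoded dn shows the trailing space the report describes, and the same whitespace propagates unchanged into the mapped search base, so checking bind DNs for stray whitespace before enabling SASL/DIGEST-MD5 agreements is worthwhile.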
NOTE: In order to make this work with SASL/DIGEST-MD5, you have to edit the repl user entry to make the password cleartext. Using userPassword: {CLEAR}foo will not work; you have to use userPassword: foo

I don't know if it is possible to set the password like this using ldapmodify - you might have to shut down the server, then edit dse.ldif.
SASL/GSSAPI now broken after this fix applied.
Created attachment 327485: more diffs
Created attachment 327490: cvs commit log - part deux

Reviewed by: nkinder (Thanks!)
Fix Description: My earlier fix for this bug broke GSSAPI - it would cause the username and authid to only be freed under certain conditions, e.g. if the krb creds were still valid, the code would not free the username and authid, so they would be passed via SASL instead of the principal name. This fix just makes sure username and authid are always freed, under all circumstances.
Platforms tested: RHEL5, Fedora 9
Flag Day: no
Doc impact: no
fix verified and being tested by automated acceptance testing
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHEA-2009-0455.html