Bug 476891 - Replication: Server to Server Connection Error: SASL(-1): generic failure: All-whitespace username.
Summary: Replication: Server to Server Connection Error: SASL(-1): generic failure: Al...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Directory Server
Classification: Red Hat
Component: Security - SASL
Version: 8.1
Hardware: All
OS: Linux
Priority: low
Severity: high
Target Milestone: ---
: ---
Assignee: Rich Megginson
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks: 249650 FDS1.2.0
Reported: 2008-12-17 19:37 UTC by Jenny Severance
Modified: 2015-01-04 23:35 UTC (History)

Fixed In Version: 8.1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-04-29 23:08:57 UTC
Target Upstream Version:
Embargoed:


Attachments
diffs (3.45 KB, patch)
2008-12-17 20:13 UTC, Rich Megginson
cvs commit log (163 bytes, text/plain)
2008-12-17 20:48 UTC, Rich Megginson
more diffs (1.05 KB, patch)
2008-12-19 18:51 UTC, Rich Megginson
cvs commit log - part deux (163 bytes, text/plain)
2008-12-19 19:26 UTC, Rich Megginson

Description Jenny Severance 2008-12-17 19:37:26 UTC
Description of problem:
Setting up a server-to-server SASL/DIGEST-MD5 connection results in the servers being unable to connect, with the following error:

slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [cn=Replication Manager,cn=config] mech [DIGEST-MD5]: error 82 (Local error) (SASL(-1): generic failure: All-whitespace username.)

Appears to be due to a trailing space after the replica binddn:
'cn=replication manager,cn=config '

Version-Release number of selected component (if applicable):
8.1

How reproducible:
Always

Steps to Reproduce:
1. Install at least 2 servers (instances) and enable replication
2. Add SASL mappings
3. Change passwordStorageScheme: CLEAR
4. Add replica bind users (cn=Replication Manager, cn=config)
5. Add replication agreements, defining
   nsds5ReplicaTransportInfo: LDAP
   nsds5ReplicaBindMethod: SASL/DIGEST-MD5
6. Initialize
7. Check server's errors log.
  
Actual results:
Unable to replicate due to bind error:
slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [cn=Replication Manager,cn=config] mech [DIGEST-MD5]: error 82 (Local error) (SASL(-1): generic failure: All-whitespace username.)

Expected results:
Successful connections.

Tested configuration ....

REPLICATION MANAGER:

# replication manager, config
dn:: Y249cmVwbGljYXRpb24gbWFuYWdlcixjbj1jb25maWcg
objectClass: inetorgperson
objectClass: person
objectClass: top
objectClass: organizationalPerson
cn: replication manager
sn: RM
userPassword:: e1NTSEF9WGVBc2JJMmRaOEhrNWtXb0ExTS8xQk9TK0VkaVBJWDZTRVJkMXc9PQ=
 =

passwordStorageScheme: CLEAR

SASL MAPPINGS:

# replica, mapping, sasl, config
dn: cn=replica,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
cn: replica
nsSaslMapRegexString: \(*\)
nsSaslMapBaseDNTemplate: cn=Replication Manager, cn=config
nsSaslMapFilterTemplate: (cn=*)

# rfc 2829 dn syntax, mapping, sasl, config
dn: cn=rfc 2829 dn syntax,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
cn: rfc 2829 dn syntax
nsSaslMapRegexString: ^dn:\(.*\)
nsSaslMapBaseDNTemplate: \1
nsSaslMapFilterTemplate: (objectclass=*)

# rfc 2829 u syntax, mapping, sasl, config
dn: cn=rfc 2829 u syntax,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
cn: rfc 2829 u syntax
nsSaslMapRegexString: ^u:\(.*\)
nsSaslMapBaseDNTemplate: o=sasl.net
nsSaslMapFilterTemplate: (uid=\1)

# uid mapping, mapping, sasl, config
dn: cn=uid mapping,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
cn: uid mapping
nsSaslMapRegexString: ^[^:@]+$
nsSaslMapBaseDNTemplate: o=sasl.net
nsSaslMapFilterTemplate: (uid=&)

# y, mapping, sasl, config
dn: cn=y,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
cn: y
nsSaslMapRegexString: ldap/jennyv1.bos.redhat.com
nsSaslMapBaseDNTemplate: cn=replication manager,cn=config
nsSaslMapFilterTemplate: (objectclass=*)

# z, mapping, sasl, config
dn: cn=z,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
cn: z
nsSaslMapRegexString: ldap/jennyv1.bos.redhat.com
nsSaslMapBaseDNTemplate: cn=replication manager,cn=config
nsSaslMapFilterTemplate: (objectclass=*)


REPLICATION AGREEMENTS:

# S1 to C1, replica, o\3Dsasl.net, mapping tree, config
dn: cn=S1 to C1,cn=replica,cn="o=sasl.net",cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5replicationagreement
cn: S1 to C1
nsDS5ReplicaHost: jennyv1.bos.redhat.com
nsDS5ReplicaPort: 24206
nsDS5ReplicaBindDN: cn=Replication Manager,cn=config
nsDS5ReplicaBindMethod: SASL/DIGEST-MD5
nsDS5ReplicaRoot: o=sasl.net
description: S1 to C1
nsDS5ReplicaUpdateSchedule: 0000-2359 0123456
nsDS5ReplicaTransportInfo: LDAP
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 0
nsds5replicaLastUpdateEnd: 0
nsds5replicaChangesSentSinceStartup:
nsds5replicaLastUpdateStatus: 82  - LDAP error: Local error
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 0
nsds5replicaLastInitEnd: 0

# S1 to S2 MMR, replica, o\3Dsasl.net, mapping tree, config
dn: cn=S1 to S2 MMR,cn=replica,cn="o=sasl.net",cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5replicationagreement
cn: S1 to S2 MMR
nsDS5ReplicaHost: jennyv1.bos.redhat.com
nsDS5ReplicaPort: 24204
nsDS5ReplicaBindDN: cn=Replication Manager,cn=config
nsDS5ReplicaBindMethod: SASL/DIGEST-MD5
nsDS5ReplicaRoot: o=sasl.net
description: S1 to S2 MMR
nsDS5ReplicaUpdateSchedule: 0000-2359 0123456
nsDS5ReplicaTransportInfo: LDAP
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 0
nsds5replicaLastUpdateEnd: 0
nsds5replicaChangesSentSinceStartup:
nsds5replicaLastUpdateStatus: 82  - LDAP error: Local error
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 0
nsds5replicaLastInitEnd: 0
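The following Python is an added diagnostic, not part of the bug report: it decodes the base64 `dn::` line from the replication manager entry above (LDIF only base64-encodes a DN when it starts or ends with a blank, so that encoding is itself the clue to the trailing space) and then replays the report's nsSaslMapping entries against a few SASL authids to show which search base and filter each one resolves to, including what happens to a bind DN that lacks the `dn:` prefix the fix description calls for. The regex conversion, the evaluation order of the mappings, and the `&`/`\1` template expansion are assumptions made here, not the server's own code.

```python
import base64
import re

# LDIF line copied from the report. "dn::" means base64: LDIF requires it when a
# value starts or ends with a space, so the encoding itself hints at the trailing blank.
REPL_MANAGER_DN_LINE = "dn:: Y249cmVwbGljYXRpb24gbWFuYWdlcixjbj1jb25maWcg"

# (name, nsSaslMapRegexString, nsSaslMapBaseDNTemplate, nsSaslMapFilterTemplate) as
# listed in the report. The "replica" mapping (\(*\)) is left out because its meaning
# depends on the server's regex dialect; one of the identical y/z entries is kept.
# Assumption: mappings are tried in this order (the unanchored "y" pattern and the
# broad "uid mapping" pattern can both match the same authid, so order matters).
SASL_MAPPINGS = [
    ("rfc 2829 dn syntax", r"^dn:\(.*\)", r"\1", "(objectclass=*)"),
    ("rfc 2829 u syntax", r"^u:\(.*\)", "o=sasl.net", r"(uid=\1)"),
    ("y", "ldap/jennyv1.bos.redhat.com", "cn=replication manager,cn=config", "(objectclass=*)"),
    ("uid mapping", r"^[^:@]+$", "o=sasl.net", "(uid=&)"),
]


def decode_ldif_dn(line):
    r"""Return the DN value of an LDIF 'dn: ' or base64 'dn:: ' line."""
    if line.startswith("dn:: "):
        return base64.b64decode(line[len("dn:: "):]).decode("utf-8")
    return line[len("dn: "):]


def dn_has_edge_whitespace(dn):
    r"""True when the DN has leading or trailing blanks, the defect behind this report."""
    return dn != dn.strip()


def bre_to_python(pattern):
    r"""Convert the \( \) group syntax used by the mappings to Python's ( ) (assumption)."""
    return pattern.replace(r"\(", "(").replace(r"\)", ")")


def apply_sasl_mappings(authid, mappings=SASL_MAPPINGS):
    r"""Resolve a SASL authid to (mapping name, search base, filter), or None if no match.

    Template expansion assumed here: '&' is the whole match, \1..\9 are regex groups.
    """
    for name, regex, base_tmpl, filter_tmpl in mappings:
        m = re.search(bre_to_python(regex), authid)
        if m is None:
            continue

        def expand(tmpl):
            out = tmpl.replace("&", m.group(0))
            for i, grp in enumerate(m.groups(), start=1):
                out = out.replace("\\%d" % i, grp)
            return out

        return name, expand(base_tmpl), expand(filter_tmpl)
    return None
```

Run `apply_sasl_mappings("cn=Replication Manager,cn=config")` to see the bind DN without a `dn:` prefix fall through to the uid mapping under o=sasl.net, which is why the fix insists on the prefix.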

Comment 1 Rich Megginson 2008-12-17 20:13:26 UTC
Created attachment 327280 [details]
diffs

Comment 2 Rich Megginson 2008-12-17 20:48:18 UTC
Created attachment 327284 [details]
cvs commit log

Reviewed by: nkinder (Thanks!)
Fix Description: 1) SASL/DIGEST-MD5 needs both username and authid
2) The username and authid in this context are always a bind DN - they must have the "dn:" prefix in order for the SASL mapping to work
3) gssapi (kerberos) sets both username and authid to NULL
Platforms tested: RHEL5
Flag Day: no
Doc impact: no

Comment 3 Rich Megginson 2008-12-17 20:49:57 UTC
NOTE: In order to make this work with SASL/DIGEST-MD5, you have to edit the repl user entry to make the password cleartext.  Using
userPassword: {CLEAR}foo
will not work, you have to use
userPassword: foo
I don't know if it is possible to set the password like this using ldapmodify - you might have to shutdown the server, then edit dse.ldif.

Comment 4 Jenny Severance 2008-12-19 18:31:39 UTC
SASL/GSSAPI now broken after this fix applied.

Comment 5 Rich Megginson 2008-12-19 18:51:24 UTC
Created attachment 327485 [details]
more diffs

Comment 6 Rich Megginson 2008-12-19 19:26:28 UTC
Created attachment 327490 [details]
cvs commit log - part deux

Reviewed by: nkinder (Thanks!)
Fix Description: My earlier fix for this bug broke GSSAPI - it would cause the username and authid to only be freed under certain conditions e.g. if the krb creds were still valid, the code would not free the username and authid, so they would be passed via SASL instead of the principal name.  This fix just makes sure username and authid are always freed, under all circumstances.
Platforms tested: RHEL5, Fedora 9
Flag Day: no
Doc impact: no

Comment 7 Jenny Severance 2009-02-24 19:59:57 UTC
fix verified and being tested by automated acceptance testing

Comment 8 Chandrasekar Kannan 2009-04-29 23:08:57 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-0455.html
