Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
Bug 595893 - Base DN in SASL mapping is not normalized
Base DN in SASL mapping is not normalized
Status: CLOSED CURRENTRELEASE
Product: 389
Classification: Retired
Component: Security - SASL (Show other bugs)
1.2.6
All Linux
medium Severity medium
: ---
: ---
Assigned To: Rich Megginson
Viktor Ashirov
:
Depends On:
Blocks: 434914 389_1.2.6
  Show dependency treegraph
 
Reported: 2010-05-25 17:00 EDT by Endi Sukma Dewata
Modified: 2015-12-07 11:46 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-12-07 11:46:29 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
test patch (9.0) (1.78 KB, patch)
2010-05-25 17:51 EDT, Noriko Hosoi
rmeggins: review+
Details | Diff
scripts.tar.gz (1.53 KB, application/x-gzip)
2010-07-27 13:27 EDT, Endi Sukma Dewata
no flags Details

  None (edit)
Description Endi Sukma Dewata 2010-05-25 17:00:15 EDT
The base DN in SASL mapping is not normalized properly causing
a problem during SASL bind.

For example, the base DN in the following SASL mapping contains
an extra space after the comma.

dn: cn=y,cn=mapping,cn=sasl,cn=config
objectclass: top
objectclass: nsSaslMapping
cn: y
nsSaslMapRegexString: ldap/.*
nsSaslMapBaseDNTemplate: cn=replication manager, cn=config
nsSaslMapFilterTemplate: (objectclass=*)

The actual user does not have any extra space after the comma:
cn=replication manager,cn=config

SASL bind operation will fail because the server cannot find
the user. If the extra space is removed from the SASL mapping,
the bind operation will work.
Comment 1 Endi Sukma Dewata 2010-05-25 17:01:34 EDT
Error log:

[25/May/2010:12:58:14 -0700] - => ids_sasl_server_new (dsrhel5-64vma.idm.lab.bos.redh
at.com)
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=log_level
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=auto_transition
[25/May/2010:12:58:14 -0700] - <= ids_sasl_server_new
[25/May/2010:12:58:14 -0700] - => slapi_reslimit_get_integer_limit() conn=0xab80ba10,
 handle=3
[25/May/2010:12:58:14 -0700] - <= slapi_reslimit_get_integer_limit() returning NO VAL
UE
[25/May/2010:12:58:14 -0700] - add_pb
[25/May/2010:12:58:14 -0700] - get_pb
[25/May/2010:12:58:14 -0700] - => slapi_reslimit_get_integer_limit() conn=0xab80ba10,
 handle=3
[25/May/2010:12:58:14 -0700] - <= slapi_reslimit_get_integer_limit() returning NO VAL
UE
[25/May/2010:12:58:14 -0700] - do_bind
[25/May/2010:12:58:14 -0700] - BIND dn="cn=replication manager,cn=config" method=163
version=3
[25/May/2010:12:58:14 -0700] - => get_ldapmessage_controls
[25/May/2010:12:58:14 -0700] - <= get_ldapmessage_controls no controls
[25/May/2010:12:58:14 -0700] - => slapi_control_present (looking for 2.16.840.1.11373
0.3.4.16)
[25/May/2010:12:58:14 -0700] - <= slapi_control_present 0 (NO CONTROLS)
[25/May/2010:12:58:14 -0700] - do_bind: version 3 method 0xa3 dn cn=replication manag
er,cn=config
[25/May/2010:12:58:14 -0700] - => ids_sasl_check_bind
[25/May/2010:12:58:14 -0700] - => ids_sasl_mech_supported
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - <= ids_sasl_mech_supported
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - => send_ldap_result 14::
[25/May/2010:12:58:14 -0700] - <= send_ldap_result
[25/May/2010:12:58:14 -0700] - => ids_sasl_check_bind
[25/May/2010:12:58:14 -0700] - Calling plugin 'Multimaster replication postoperation
plugin' #5 type 501
[25/May/2010:12:58:14 -0700] - add_pb
[25/May/2010:12:58:14 -0700] - get_pb
[25/May/2010:12:58:14 -0700] - => slapi_reslimit_get_integer_limit() conn=0xab80ba10,
 handle=3
[25/May/2010:12:58:14 -0700] - <= slapi_reslimit_get_integer_limit() returning NO VAL
UE
[25/May/2010:12:58:14 -0700] - do_bind
[25/May/2010:12:58:14 -0700] - BIND dn="cn=replication manager,cn=config" method=163
version=3
[25/May/2010:12:58:14 -0700] - => get_ldapmessage_controls
[25/May/2010:12:58:14 -0700] - <= get_ldapmessage_controls no controls
[25/May/2010:12:58:14 -0700] - => slapi_control_present (looking for 2.16.840.1.11373
0.3.4.16)
[25/May/2010:12:58:14 -0700] - <= slapi_control_present 0 (NO CONTROLS)
[25/May/2010:12:58:14 -0700] - do_bind: version 3 method 0xa3 dn cn=replication manag
er,cn=config
[25/May/2010:12:58:14 -0700] - => ids_sasl_check_bind
[25/May/2010:12:58:14 -0700] - => ids_sasl_mech_supported
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - <= ids_sasl_mech_supported
[25/May/2010:12:58:14 -0700] - => send_ldap_result 14::
[25/May/2010:12:58:14 -0700] - <= send_ldap_result
[25/May/2010:12:58:14 -0700] - add_pb
[25/May/2010:12:58:14 -0700] - => ids_sasl_check_bind
[25/May/2010:12:58:14 -0700] - Calling plugin 'Multimaster replication postoperation
plugin' #5 type 501
[25/May/2010:12:58:14 -0700] - get_pb
[25/May/2010:12:58:14 -0700] - => slapi_reslimit_get_integer_limit() conn=0xab80ba10,
 handle=3
[25/May/2010:12:58:14 -0700] - <= slapi_reslimit_get_integer_limit() returning NO VAL
UE
[25/May/2010:12:58:14 -0700] - do_bind
[25/May/2010:12:58:14 -0700] - BIND dn="cn=replication manager,cn=config" method=163
version=3
[25/May/2010:12:58:14 -0700] - => get_ldapmessage_controls
[25/May/2010:12:58:14 -0700] - <= get_ldapmessage_controls no controls
[25/May/2010:12:58:14 -0700] - => slapi_control_present (looking for 2.16.840.1.11373
0.3.4.16)
[25/May/2010:12:58:14 -0700] - <= slapi_control_present 0 (NO CONTROLS)
[25/May/2010:12:58:14 -0700] - do_bind: version 3 method 0xa3 dn cn=replication manag
er,cn=config
[25/May/2010:12:58:14 -0700] - => ids_sasl_check_bind
[25/May/2010:12:58:14 -0700] - => ids_sasl_mech_supported
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - <= ids_sasl_mech_supported
[25/May/2010:12:58:14 -0700] - ids_sasl_canon_user(user=ldap/dsrhel5-64vma.idm.lab.bo
s.redhat.com, realm=)
[25/May/2010:12:58:14 -0700] - -> sasl_map_domap
[25/May/2010:12:58:14 -0700] - sasl_map_domap - trying map [z]
[25/May/2010:12:58:14 -0700] - -> sasl_map_check
[25/May/2010:12:58:14 -0700] - regex: ldap/.*@EXAMPLE.COM, id: ldap/dsrhel5-64vma.idm
.lab.bos.redhat.com, didn't match
[25/May/2010:12:58:14 -0700] - <- sasl_map_check
[25/May/2010:12:58:14 -0700] - sasl_map_domap - trying map [y]
[25/May/2010:12:58:14 -0700] - -> sasl_map_check
[25/May/2010:12:58:14 -0700] - regex: ldap/.*, id: ldap/dsrhel5-64vma.idm.lab.bos.red
hat.com, matched
[25/May/2010:12:58:14 -0700] - mapped base dn: cn=replication manager, cn=config, fil
ter: (objectclass=*)
[25/May/2010:12:58:14 -0700] - <- sasl_map_check
[25/May/2010:12:58:14 -0700] - <- sasl_map_domap (mapped)
[25/May/2010:12:58:14 -0700] - sasl user search basedn="cn=replication manager, cn=co
nfig" filter="(objectclass=*)"
[25/May/2010:12:58:14 -0700] - => slapi_reslimit_get_integer_limit() conn=0x0, handle
=2
[25/May/2010:12:58:14 -0700] - <= slapi_reslimit_get_integer_limit() returning NO VAL
UE
[25/May/2010:12:58:14 -0700] - => slapi_reslimit_get_integer_limit() conn=0x0, handle
=1
[25/May/2010:12:58:14 -0700] - <= slapi_reslimit_get_integer_limit() returning NO VAL
UE
[25/May/2010:12:58:14 -0700] - => compute_limits: sizelimit=-1, timelimit=-1
[25/May/2010:12:58:14 -0700] - Calling plugin 'ACL preoperation' #1 type 403
[25/May/2010:12:58:14 -0700] - Calling plugin 'deref' #2 type 403
[25/May/2010:12:58:14 -0700] deref-plugin - --> deref_pre_search
[25/May/2010:12:58:14 -0700] deref-plugin - <-- deref_pre_op
[25/May/2010:12:58:14 -0700] - Calling plugin 'Legacy replication preoperation plugin
' #4 type 403
[25/May/2010:12:58:14 -0700] - Calling plugin 'Multimaster replication preoperation p
lugin' #6 type 403
[25/May/2010:12:58:14 -0700] - defbackend_default
[25/May/2010:12:58:14 -0700] - => send_ldap_result 32::
[25/May/2010:12:58:14 -0700] - <= send_ldap_result
[25/May/2010:12:58:14 -0700] - sasl user search failed basedn="cn=replication manager
, cn=config" filter="(objectclass=*)": No such object
[25/May/2010:12:58:14 -0700] - sasl user search found no entries matching filter=(obj
ectclass=*)
[25/May/2010:12:58:14 -0700] - => send_ldap_result 49::SASL(-14): authorization failu
re:
[25/May/2010:12:58:14 -0700] - <= send_ldap_result
[25/May/2010:12:58:14 -0700] - => ids_sasl_check_bind
[25/May/2010:12:58:14 -0700] - Calling plugin 'Multimaster replication postoperation
plugin' #5 type 501
[25/May/2010:12:58:14 -0700] - add_pb
[25/May/2010:12:58:14 -0700] - get_pb
[25/May/2010:12:58:14 -0700] - do_unbind
[25/May/2010:12:58:14 -0700] - => get_ldapmessage_controls
[25/May/2010:12:58:14 -0700] - <= get_ldapmessage_controls no controls
[25/May/2010:12:58:14 -0700] - defbackend_noop
Comment 2 Noriko Hosoi 2010-05-25 17:51:23 EDT
Created attachment 416568 [details]
test patch (9.0)

Endi, could it be possible to apply this patch and run the test?

Do you need a patch for 8.2?
Comment 3 Noriko Hosoi 2010-05-25 20:04:36 EDT
Reviewed by Rich (Thank you!!)

Pushe to master:

commit 50d1c0aaa081a6e2ead6518e992b18e3a12521b3
Author: Noriko Hosoi <nhosoi@redhat.com>
Date:   Tue May 25 16:54:46 2010 -0700

    595893 - Base DN in SASL mapping is not normalized
    
    https://bugzilla.redhat.com/show_bug.cgi?id=595893
    
    Fix Description: It must be guaranteed that ndn returned
    from slapi_sdn_get_ndn is normalized.  Putting back the
    normalization code in slapi_sdn_get_ndn.

$ git merge work
Updating 08a38d3..50d1c0a
Fast forward
 ldap/servers/slapd/dn.c |   22 +++++++++++++++++++---
 1 files changed, 19 insertions(+), 3 deletions(-)
$ git push
Counting objects: 11, done.
Delta compression using 4 threads.
Compressing objects: 100% (6/6), done.
Writing objects: 100% (6/6), 929 bytes, done.
Total 6 (delta 4), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   08a38d3..50d1c0a  master -> master

Pushed to Directory_Server_8_2_Branch, as well:

$ git push origin ds82-local:Directory_Server_8_2_Branch
Counting objects: 11, done.
Delta compression using 4 threads.
Compressing objects: 100% (6/6), done.
Writing objects: 100% (6/6), 936 bytes, done.
Total 6 (delta 4), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   14fc7fc..1ebcfd4  ds82-local -> Directory_Server_8_2_Branch
Comment 6 Endi Sukma Dewata 2010-07-27 13:27:42 EDT
Created attachment 434761 [details]
scripts.tar.gz

To reproduce the problem, unpack scripts.tar.gz, then execute run.sh. It will execute the following operations:
1. Create slapd.
2. Set password encryption to clear text.
3. Add SASL mapping containing spaces in the nsSaslMapBaseDNTemplate.
4. Restart slapd.
5. Add test user without any space in the DN.
6. Perform SASL bind as test user.

Step #6 will fail with the following message:

SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-14): authorization failure: unable canonify user and get auxprops

If the spaces are removed in step #3 (by editing sasl.ldif) step #6 will succeed. The correct behavior is that SASL bind should succeed regardless of the spaces in the DN.
Comment 8 Michael Gregg 2010-07-28 17:09:48 EDT
Result:
START sasl104
Exporting
KRB5_KTNAME=/tet/tetframework8.2/ds82-branch/tet/../testcases/DS/6.0/sasl/etc/ldap.apoc.dsdev.sjc.redhat.com.keytab
Add a sasl mapping entry
Adding dn: cn=mymap1,cn=mapping,cn=sasl,cn=config
TestCase [sasl104] result-> [PASS] 

Varified

Note You need to log in before you can comment on or make changes to this bug.