The base DN in a SASL mapping is not normalized properly, causing a problem during SASL bind. For example, the base DN in the following SASL mapping contains an extra space after the comma:

dn: cn=y,cn=mapping,cn=sasl,cn=config
objectclass: top
objectclass: nsSaslMapping
cn: y
nsSaslMapRegexString: ldap/.*
nsSaslMapBaseDNTemplate: cn=replication manager, cn=config
nsSaslMapFilterTemplate: (objectclass=*)

The actual user does not have any extra space after the comma:

cn=replication manager,cn=config

The SASL bind operation will fail because the server cannot find the user. If the extra space is removed from the SASL mapping, the bind operation will work.
Error log:

[25/May/2010:12:58:14 -0700] - => ids_sasl_server_new (dsrhel5-64vma.idm.lab.bos.redhat.com)
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=log_level
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=auto_transition
[25/May/2010:12:58:14 -0700] - <= ids_sasl_server_new
[25/May/2010:12:58:14 -0700] - => slapi_reslimit_get_integer_limit() conn=0xab80ba10, handle=3
[25/May/2010:12:58:14 -0700] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[25/May/2010:12:58:14 -0700] - add_pb
[25/May/2010:12:58:14 -0700] - get_pb
[25/May/2010:12:58:14 -0700] - => slapi_reslimit_get_integer_limit() conn=0xab80ba10, handle=3
[25/May/2010:12:58:14 -0700] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[25/May/2010:12:58:14 -0700] - do_bind
[25/May/2010:12:58:14 -0700] - BIND dn="cn=replication manager,cn=config" method=163 version=3
[25/May/2010:12:58:14 -0700] - => get_ldapmessage_controls
[25/May/2010:12:58:14 -0700] - <= get_ldapmessage_controls no controls
[25/May/2010:12:58:14 -0700] - => slapi_control_present (looking for 2.16.840.1.113730.3.4.16)
[25/May/2010:12:58:14 -0700] - <= slapi_control_present 0 (NO CONTROLS)
[25/May/2010:12:58:14 -0700] - do_bind: version 3 method 0xa3 dn cn=replication manager,cn=config
[25/May/2010:12:58:14 -0700] - => ids_sasl_check_bind
[25/May/2010:12:58:14 -0700] - => ids_sasl_mech_supported
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - <= ids_sasl_mech_supported
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - => send_ldap_result 14::
[25/May/2010:12:58:14 -0700] - <= send_ldap_result
[25/May/2010:12:58:14 -0700] - => ids_sasl_check_bind
[25/May/2010:12:58:14 -0700] - Calling plugin 'Multimaster replication postoperation plugin' #5 type 501
[25/May/2010:12:58:14 -0700] - add_pb
[25/May/2010:12:58:14 -0700] - get_pb
[25/May/2010:12:58:14 -0700] - => slapi_reslimit_get_integer_limit() conn=0xab80ba10, handle=3
[25/May/2010:12:58:14 -0700] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[25/May/2010:12:58:14 -0700] - do_bind
[25/May/2010:12:58:14 -0700] - BIND dn="cn=replication manager,cn=config" method=163 version=3
[25/May/2010:12:58:14 -0700] - => get_ldapmessage_controls
[25/May/2010:12:58:14 -0700] - <= get_ldapmessage_controls no controls
[25/May/2010:12:58:14 -0700] - => slapi_control_present (looking for 2.16.840.1.113730.3.4.16)
[25/May/2010:12:58:14 -0700] - <= slapi_control_present 0 (NO CONTROLS)
[25/May/2010:12:58:14 -0700] - do_bind: version 3 method 0xa3 dn cn=replication manager,cn=config
[25/May/2010:12:58:14 -0700] - => ids_sasl_check_bind
[25/May/2010:12:58:14 -0700] - => ids_sasl_mech_supported
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - <= ids_sasl_mech_supported
[25/May/2010:12:58:14 -0700] - => send_ldap_result 14::
[25/May/2010:12:58:14 -0700] - <= send_ldap_result
[25/May/2010:12:58:14 -0700] - add_pb
[25/May/2010:12:58:14 -0700] - => ids_sasl_check_bind
[25/May/2010:12:58:14 -0700] - Calling plugin 'Multimaster replication postoperation plugin' #5 type 501
[25/May/2010:12:58:14 -0700] - get_pb
[25/May/2010:12:58:14 -0700] - => slapi_reslimit_get_integer_limit() conn=0xab80ba10, handle=3
[25/May/2010:12:58:14 -0700] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[25/May/2010:12:58:14 -0700] - do_bind
[25/May/2010:12:58:14 -0700] - BIND dn="cn=replication manager,cn=config" method=163 version=3
[25/May/2010:12:58:14 -0700] - => get_ldapmessage_controls
[25/May/2010:12:58:14 -0700] - <= get_ldapmessage_controls no controls
[25/May/2010:12:58:14 -0700] - => slapi_control_present (looking for 2.16.840.1.113730.3.4.16)
[25/May/2010:12:58:14 -0700] - <= slapi_control_present 0 (NO CONTROLS)
[25/May/2010:12:58:14 -0700] - do_bind: version 3 method 0xa3 dn cn=replication manager,cn=config
[25/May/2010:12:58:14 -0700] - => ids_sasl_check_bind
[25/May/2010:12:58:14 -0700] - => ids_sasl_mech_supported
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - ids_sasl_getopt: plugin= option=mech_list
[25/May/2010:12:58:14 -0700] - <= ids_sasl_mech_supported
[25/May/2010:12:58:14 -0700] - ids_sasl_canon_user(user=ldap/dsrhel5-64vma.idm.lab.bos.redhat.com, realm=)
[25/May/2010:12:58:14 -0700] - -> sasl_map_domap
[25/May/2010:12:58:14 -0700] - sasl_map_domap - trying map [z]
[25/May/2010:12:58:14 -0700] - -> sasl_map_check
[25/May/2010:12:58:14 -0700] - regex: ldap/.*@EXAMPLE.COM, id: ldap/dsrhel5-64vma.idm.lab.bos.redhat.com, didn't match
[25/May/2010:12:58:14 -0700] - <- sasl_map_check
[25/May/2010:12:58:14 -0700] - sasl_map_domap - trying map [y]
[25/May/2010:12:58:14 -0700] - -> sasl_map_check
[25/May/2010:12:58:14 -0700] - regex: ldap/.*, id: ldap/dsrhel5-64vma.idm.lab.bos.redhat.com, matched
[25/May/2010:12:58:14 -0700] - mapped base dn: cn=replication manager, cn=config, filter: (objectclass=*)
[25/May/2010:12:58:14 -0700] - <- sasl_map_check
[25/May/2010:12:58:14 -0700] - <- sasl_map_domap (mapped)
[25/May/2010:12:58:14 -0700] - sasl user search basedn="cn=replication manager, cn=config" filter="(objectclass=*)"
[25/May/2010:12:58:14 -0700] - => slapi_reslimit_get_integer_limit() conn=0x0, handle=2
[25/May/2010:12:58:14 -0700] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[25/May/2010:12:58:14 -0700] - => slapi_reslimit_get_integer_limit() conn=0x0, handle=1
[25/May/2010:12:58:14 -0700] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[25/May/2010:12:58:14 -0700] - => compute_limits: sizelimit=-1, timelimit=-1
[25/May/2010:12:58:14 -0700] - Calling plugin 'ACL preoperation' #1 type 403
[25/May/2010:12:58:14 -0700] - Calling plugin 'deref' #2 type 403
[25/May/2010:12:58:14 -0700] deref-plugin - --> deref_pre_search
[25/May/2010:12:58:14 -0700] deref-plugin - <-- deref_pre_op
[25/May/2010:12:58:14 -0700] - Calling plugin 'Legacy replication preoperation plugin' #4 type 403
[25/May/2010:12:58:14 -0700] - Calling plugin 'Multimaster replication preoperation plugin' #6 type 403
[25/May/2010:12:58:14 -0700] - defbackend_default
[25/May/2010:12:58:14 -0700] - => send_ldap_result 32::
[25/May/2010:12:58:14 -0700] - <= send_ldap_result
[25/May/2010:12:58:14 -0700] - sasl user search failed basedn="cn=replication manager, cn=config" filter="(objectclass=*)": No such object
[25/May/2010:12:58:14 -0700] - sasl user search found no entries matching filter=(objectclass=*)
[25/May/2010:12:58:14 -0700] - => send_ldap_result 49::SASL(-14): authorization failure:
[25/May/2010:12:58:14 -0700] - <= send_ldap_result
[25/May/2010:12:58:14 -0700] - => ids_sasl_check_bind
[25/May/2010:12:58:14 -0700] - Calling plugin 'Multimaster replication postoperation plugin' #5 type 501
[25/May/2010:12:58:14 -0700] - add_pb
[25/May/2010:12:58:14 -0700] - get_pb
[25/May/2010:12:58:14 -0700] - do_unbind
[25/May/2010:12:58:14 -0700] - => get_ldapmessage_controls
[25/May/2010:12:58:14 -0700] - <= get_ldapmessage_controls no controls
[25/May/2010:12:58:14 -0700] - defbackend_noop
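The log above traces the mapping path: sasl_map_domap tries each nsSaslMapping in turn, the first nsSaslMapRegexString that matches wins, the templates are filled in, and the resulting base DN goes straight into the "sasl user search", stray space included, so the backend answers 32 (No such object) and the bind is refused with 49. The following Python is an added model of that flow, written for this page; it is not code from 389-ds or from this bug report. The mappings, the in-memory directory and the identities are constructed (map [x] and the jdoe entry are hypothetical additions showing the \1 capture-group templates), the `normalize` flag stands in for whether the DN handed to the backend was normalized, and the DN normalizer is deliberately simplified: it folds case on every value (correct for the caseIgnore attributes used here, not in general) and does not handle an escaped trailing space.

```python
# Toy model of the SASL identity mapping traced in the error log above.
# Added example for this page, not code from 389-ds or from the bug report.
import re

# Constructed mappings: the [z] and [y] maps from the log plus a hypothetical
# [x] that uses a capture group, which the templates allow (\1).
SASL_MAPPINGS = [
    {"cn": "z", "regex": r"ldap/.*@EXAMPLE.COM",
     "base_dn": "cn=replication manager,cn=config", "filter": "(objectclass=*)"},
    {"cn": "x", "regex": r"^([^@/]+)@EXAMPLE\.COM$",
     "base_dn": "ou=People, dc=example,dc=com", "filter": r"(uid=\1)"},
    {"cn": "y", "regex": r"ldap/.*",                    # the map from the report,
     "base_dn": "cn=replication manager, cn=config",    # stray space included
     "filter": "(objectclass=*)"},
]

# Constructed in-memory directory, keyed by normalized DN like a backend index.
DIRECTORY = {
    "cn=replication manager,cn=config": {"objectclass": ["top", "person"], "cn": ["replication manager"]},
    "ou=people,dc=example,dc=com": {"objectclass": ["top", "organizationalUnit"], "ou": ["people"]},
    "uid=jdoe,ou=people,dc=example,dc=com": {"objectclass": ["top", "inetOrgPerson"], "uid": ["jdoe"]},
}


def split_unescaped(s, sep):
    """Split on sep, but not on a backslash-escaped sep (RFC 4514 escaping)."""
    parts, buf, escaped = [], [], False
    for ch in s:
        if not escaped and ch == sep:
            parts.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
        escaped = (ch == "\\") and not escaped
    parts.append("".join(buf))
    return parts


def normalize_dn(dn):
    """Canonical DN: whitespace around '=', ',' and '+' dropped, attribute types
    and values lowercased (fine for the caseIgnore attributes used here; a real
    server folds case per attribute syntax and keeps an escaped trailing
    space), multi-valued RDN components sorted."""
    rdns = []
    for rdn in split_unescaped(dn, ","):
        avas = []
        for ava in split_unescaped(rdn, "+"):
            if "=" not in ava:
                raise ValueError(f"malformed RDN {ava!r} in {dn!r}")
            attr, value = ava.split("=", 1)
            avas.append((attr.strip().lower(), value.strip().lower()))
        rdns.append("+".join(f"{a}={v}" for a, v in sorted(avas)))
    return ",".join(rdns)


def is_under(entry_dn, base_dn):
    """Subtree test: entry_dn equals base_dn or sits below it."""
    e = split_unescaped(normalize_dn(entry_dn), ",")
    b = split_unescaped(normalize_dn(base_dn), ",")
    return len(e) >= len(b) and e[len(e) - len(b):] == b


def map_sasl_identity(identity, mappings, normalize=True):
    """First matching map wins; returns (base_dn, filter) or None."""
    for m in mappings:
        match = re.match(m["regex"], identity)
        if not match:
            continue
        base_dn = match.expand(m["base_dn"])   # \1, \2 ... substituted
        flt = match.expand(m["filter"])
        if normalize:                          # what the fix guarantees
            base_dn = normalize_dn(base_dn)
        return base_dn, flt
    return None


def _matches_filter(entry, flt):
    """Minimal filter support: (attr=*) presence and (attr=value) equality."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", flt)
    if not m:
        raise ValueError(f"unsupported filter {flt!r}")
    attr, wanted = m.group(1).lower(), m.group(2)
    values = [v for k, vs in entry.items() if k.lower() == attr for v in vs]
    return bool(values) if wanted == "*" else any(v.lower() == wanted.lower() for v in values)


def sasl_user_search(base_dn, flt, directory):
    """Toy subtree search. The backend keys entries by normalized DN, so an
    unnormalized base DN is simply not found: result 32, as in the log."""
    if base_dn not in directory:
        return 32, []
    return 0, [dn for dn, e in directory.items() if is_under(dn, base_dn) and _matches_filter(e, flt)]


def sasl_bind(identity, mappings=SASL_MAPPINGS, directory=DIRECTORY, normalize=True):
    """Returns (ldap_result_code, bound_dn). Exactly one entry must match,
    otherwise the bind fails with 49 (SASL(-14): authorization failure)."""
    mapped = map_sasl_identity(identity, mappings, normalize)
    if mapped is None:
        return 49, None
    rc, hits = sasl_user_search(*mapped, directory)
    return (0, hits[0]) if rc == 0 and len(hits) == 1 else (49, None)
```

Calling `sasl_bind("ldap/dsrhel5-64vma.idm.lab.bos.redhat.com", normalize=False)` reproduces the report (49, no user found); with `normalize=True` the same identity binds as cn=replication manager,cn=config. The `normalize_dn` step is also what lets an operator-typed template like "ou=People, dc=example,dc=com" line up with the backend's canonical keys.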
Created attachment 416568: test patch (9.0)

Endi, would it be possible to apply this patch and run the test? Do you need a patch for 8.2?
Reviewed by Rich (Thank you!!)

Pushed to master:

commit 50d1c0aaa081a6e2ead6518e992b18e3a12521b3
Author: Noriko Hosoi <nhosoi>
Date:   Tue May 25 16:54:46 2010 -0700

    595893 - Base DN in SASL mapping is not normalized
    https://bugzilla.redhat.com/show_bug.cgi?id=595893

    Fix Description: It must be guaranteed that ndn returned from
    slapi_sdn_get_ndn is normalized. Putting back the normalization
    code in slapi_sdn_get_ndn.

$ git merge work
Updating 08a38d3..50d1c0a
Fast forward
 ldap/servers/slapd/dn.c |   22 +++++++++++++++++++---
 1 files changed, 19 insertions(+), 3 deletions(-)
$ git push
Counting objects: 11, done.
Delta compression using 4 threads.
Compressing objects: 100% (6/6), done.
Writing objects: 100% (6/6), 929 bytes, done.
Total 6 (delta 4), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   08a38d3..50d1c0a  master -> master

Pushed to Directory_Server_8_2_Branch, as well:

$ git push origin ds82-local:Directory_Server_8_2_Branch
Counting objects: 11, done.
Delta compression using 4 threads.
Compressing objects: 100% (6/6), done.
Writing objects: 100% (6/6), 936 bytes, done.
Total 6 (delta 4), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   14fc7fc..1ebcfd4  ds82-local -> Directory_Server_8_2_Branch
Created attachment 434761: scripts.tar.gz

To reproduce the problem, unpack scripts.tar.gz, then execute run.sh. It will execute the following operations:

1. Create slapd.
2. Set password encryption to clear text.
3. Add SASL mapping containing spaces in the nsSaslMapBaseDNTemplate.
4. Restart slapd.
5. Add test user without any space in the DN.
6. Perform SASL bind as test user.

Step #6 will fail with the following message:

SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-14): authorization failure: unable canonify user and get auxprops

If the spaces are removed in step #3 (by editing sasl.ldif), step #6 will succeed. The correct behavior is that SASL bind should succeed regardless of the spaces in the DN.
Result:

START sasl104
Exporting KRB5_KTNAME=/tet/tetframework8.2/ds82-branch/tet/../testcases/DS/6.0/sasl/etc/ldap.apoc.dsdev.sjc.redhat.com.keytab
Add a sasl mapping entry
Adding dn: cn=mymap1,cn=mapping,cn=sasl,cn=config
TestCase [sasl104] result-> [PASS]

Verified.