--On Thursday, May 10, 2018 9:28 PM -0400 Ken Murchison
<mu...@fastmail.com> wrote:
All,
I have built an eighth (and hopefully last) release candidate of SASL
2.1.27 which can be downloaded from here:
Hi Ken,
I've done some testing of the 2.1.27 RC8 and found some issues:
1) While there is the configure option --enable-sample (which defaults to
yes), the corresponding --disable-sample option doesn't work. I've opened
<https://github.com/cyrusimap/cyrus-sasl/issues/524> to track this issue,
and <https://github.com/cyrusimap/cyrus-sasl/pull/530> to fix it.
2) The sample/server.c code hasn't been updated to match the changes to the
Heimdal API that were made in 2011. I opened
<https://github.com/cyrusimap/cyrus-sasl/issues/525> to track this issue
and <https://github.com/cyrusimap/cyrus-sasl/pull/527> to fix it.
3) The value supplied to --plugindir is not honored due to the value being
hard coded in the Makefile. I opened
<https://github.com/cyrusimap/cyrus-sasl/issues/528> to track this issue
and <https://github.com/cyrusimap/cyrus-sasl/pull/529> to fix it.
4) There is no corresponding tag in the git repository for 2.1.27-RC8, so
it's difficult to know exactly what it was generated from (although I
assumed master). 2.1.27-RC7 was tagged in the git repo, which is why I
made a note of this.
5) One of the major features of Cyrus-SASL 2.1.27 for applications using it
was that it was supposed to provide the underlying SSF information back out
instead of hard coding it to the value of "56" for Kerberos based
mechanisms. Unfortunately, I'm seeing it still report "56" (Carson also
reported this):
Aug 20 11:16:15 anvil1 slapd[19854]: conn=1005 op=3 BIND
dn="krb5PrincipalName=b...@symas.net,ou=kerberosprincipals,dc=example,dc=com"
mech=GSSAPI sasl_ssf=56 ssf=256
Various other bits work as desired, although in this case I am forced to deal
with the limitation of the SASL SSF being hard coded:
GSSAPI only:
root@anvil1:/opt/symas/etc/openldap# ldapsearch -Q -LLL -Y GSSAPI -H
ldap:/// -s base -b dc=example,dc=com
dn: dc=example,dc=com
GSSAPI+TLS:
root@anvil1:/opt/symas/etc/openldap# ldapsearch -ZZ -Q -LLL -Y GSSAPI -H
ldap:/// -s base -b dc=example,dc=com
dn: dc=example,dc=com
GSSAPI+TLS+MAXSSF=0:
root@anvil1:/opt/symas/etc/openldap# ldapsearch -ZZ -Q -LLL -Y GSSAPI -H
ldap:/// -s base -b dc=example,dc=com -O maxssf=0
dn: dc=example,dc=com
GSSAPI+TLS+MAXSSF=512:
root@anvil1:/opt/symas/etc/openldap# ldapsearch -ZZ -Q -LLL -Y GSSAPI -H
ldap:/// -s base -b dc=example,dc=com -O maxssf=512
dn: dc=example,dc=com
GSSAPI+TLS+MINSSF=56:
root@anvil1:/opt/symas/etc/openldap# ldapsearch -ZZ -Q -LLL -Y GSSAPI -H
ldap:/// -s base -b dc=example,dc=com -O minssf=56
dn: dc=example,dc=com
GSSAPI+TLS+MINSSF=256 (The TLS SSF):
root@anvil1:/opt/symas/etc/openldap# ldapsearch -ZZ -Q -LLL -Y GSSAPI -H
ldap:/// -s base -b dc=example,dc=com -O minssf=256
dn: dc=example,dc=com
GSSAPI+TLS+MINSSF=512 (Should fail and does):
root@anvil1:/opt/symas/etc/openldap# ldapsearch -ZZ -Q -LLL -Y GSSAPI -H
ldap:/// -s base -b dc=example,dc=com -O minssf=512
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-15): mechanism too weak for this user:
Unable to find a callback: 32775
GSSAPI+MINSSF=56:
root@anvil1:/opt/symas/etc/openldap# ldapsearch -Q -LLL -Y GSSAPI -H
ldap:/// -s base -b dc=example,dc=com -O minssf=56
dn: dc=example,dc=com
GSSAPI+MINSSF=57 (fails; technically it shouldn't, but it does due to the hard
coded value):
root@anvil1:/opt/symas/etc/openldap# ldapsearch -Q -LLL -Y GSSAPI -H
ldap:/// -s base -b dc=example,dc=com -O minssf=57
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-15): mechanism too weak for this user:
Unable to find a callback: 32775
So it seems like issue #5 is a major one that needs fixing for the release.
It *might* work with MIT Kerberos (via
4b0306dcd76031460246b2dabcb7db766d6b04d8) but it definitely does *not* work
with Heimdal. I'll see if I can dig into this further.
Warm regards,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
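The test matrix in the message above follows from how the SASL client reduces the requested minssf/maxssf by the SSF the transport already provides before comparing them with what the mechanism advertises. The script below is an added example, not code from this thread, from cyrus-sasl or from OpenLDAP: it models that rule as the editor understands libsasl's client code (requested bounds minus the external SSF, mechanism rejected with SASL_TOOWEAK, -15, when its maximum SSF is below the effective minimum) and slapd's reported overall ssf as the larger of the TLS SSF and the SASL SSF. The TLS SSF of 256 and the GSSAPI value of 56 come from the log line in the message; the mechanism table and the "no cap unless maxssf is given" default are assumptions.

```python
"""Model of the SASL "mechanism too weak" decision seen in the matrix above.

Added example; not code from the thread, from cyrus-sasl or from OpenLDAP.
It models two rules as the editor understands them: libsasl's client-side
selection reduces the caller's min/max SSF by the external (TLS) SSF before
comparing them with the mechanism's advertised maximum SSF, and slapd reports
the overall SSF as the larger of the TLS SSF and the SASL SSF.  The mechanism
table, the TLS SSF of 256 and the GSSAPI value of 56 are taken from the
message; the default max SSF is an assumption.
"""
import sys

SASL_OK = 0
SASL_TOOWEAK = -15             # libsasl's "mechanism too weak for this user"
DEFAULT_MAX_SSF = sys.maxsize  # assumed: no cap unless -O maxssf= is given

# Constructed mechanism table: advertised max SSF per mechanism.  GSSAPI is 56
# here because that is the hard-coded value the message complains about.
MECHS = {"GSSAPI": 56}


def effective_bounds(min_ssf, max_ssf, external_ssf):
    """Subtract the SSF the transport already provides from the requested bounds.

    A bound that the transport alone satisfies collapses to 0, which is why
    minssf=256 succeeds over a TLS session with SSF 256 even though the
    mechanism itself only offers 56.
    """
    eff_min = 0 if min_ssf <= external_ssf else min_ssf - external_ssf
    eff_max = 0 if max_ssf <= external_ssf else max_ssf - external_ssf
    return eff_min, eff_max


def client_start(mech, min_ssf=0, max_ssf=DEFAULT_MAX_SSF, external_ssf=0):
    """Return (result, sasl_ssf, overall_ssf) for one bind attempt."""
    eff_min, eff_max = effective_bounds(min_ssf, max_ssf, external_ssf)
    mech_max = MECHS[mech]
    if mech_max < eff_min:
        return SASL_TOOWEAK, None, None
    # The layer negotiated is the strongest the mechanism offers within the cap.
    sasl_ssf = min(mech_max, eff_max)
    overall_ssf = max(external_ssf, sasl_ssf)
    return SASL_OK, sasl_ssf, overall_ssf


# The ldapsearch invocations from the message, as (label, kwargs) rows.
# -ZZ is modelled as external_ssf=256, the TLS SSF slapd logged.
CASES = [
    ("GSSAPI only", {}),
    ("GSSAPI+TLS", {"external_ssf": 256}),
    ("GSSAPI+TLS+MAXSSF=0", {"external_ssf": 256, "max_ssf": 0}),
    ("GSSAPI+TLS+MAXSSF=512", {"external_ssf": 256, "max_ssf": 512}),
    ("GSSAPI+TLS+MINSSF=56", {"external_ssf": 256, "min_ssf": 56}),
    ("GSSAPI+TLS+MINSSF=256", {"external_ssf": 256, "min_ssf": 256}),
    ("GSSAPI+TLS+MINSSF=512", {"external_ssf": 256, "min_ssf": 512}),
    ("GSSAPI+MINSSF=56", {"min_ssf": 56}),
    ("GSSAPI+MINSSF=57", {"min_ssf": 57}),
]


def run_matrix(gssapi_max_ssf=56):
    """Run every case against a GSSAPI plugin advertising gssapi_max_ssf.

    Returns {label: (result, sasl_ssf, overall_ssf)}.  Passing the real
    per-enctype strength instead of 56 shows which rows a fix would change.
    """
    saved = MECHS["GSSAPI"]
    MECHS["GSSAPI"] = gssapi_max_ssf
    try:
        return {label: client_start("GSSAPI", **kw) for label, kw in CASES}
    finally:
        MECHS["GSSAPI"] = saved


if __name__ == "__main__":
    for label, (rc, sasl_ssf, ssf) in run_matrix().items():
        status = "ok" if rc == SASL_OK else "SASL(%d) too weak" % rc
        print("%-24s %s  sasl_ssf=%s ssf=%s" % (label, status, sasl_ssf, ssf))
```

With the default of 56 the model reproduces every row of the matrix, including the two failures (minssf=512 over TLS, minssf=57 without TLS) and the "sasl_ssf=56 ssf=256" pair in the slapd log. Calling run_matrix(256) shows the only row that changes once the plugin reports the real strength of the negotiated enctype: the minssf=57 bind without TLS succeeds. The "Unable to find a callback: 32775" trailer in the error output is not modelled.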