As a further test, here is a simple Python script that does the same thing as the Perl script. It works fine and the LDAP logs show "sasl_ssf=256 ssf=256" when I run it:

#######
import ldap
import ldap.sasl
import os

ldap_server = 'ldap.example.com'
# Point GSSAPI at the pre-obtained Kerberos credential cache.
os.environ["KRB5CCNAME"] = "/tmp/testing.tkt"

# Plain ldap:// with no StartTLS; GSSAPI is the only layer negotiated here.
conn = ldap.ldapobject.ReconnectLDAPObject('ldap://' + ldap_server, retry_max=5)
auth = ldap.sasl.gssapi("")
conn.sasl_interactive_bind_s("", auth)

basedn          = 'dc=example,dc=com'
searchScope     = ldap.SCOPE_SUBTREE
searchFilter    = '(uid=johndoe)'
searchAttribute = [
    "uid",
    "sn",
]
# Asynchronous search; result(msgid, 0) returns the first available entry.
ldap_result_id = conn.search(basedn, searchScope, searchFilter, searchAttribute)
result_type, result_data = conn.result(ldap_result_id, 0)
print(result_data)
#######

So, ldapsearch and the python script appear to connect with "sasl_ssf=256 ssf=256" but the Perl script connects with "sasl_ssf=1 ssf=256". Why?
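
The two numbers in those log lines are worth telling apart when comparing clients: sasl_ssf is the strength of the SASL (here GSSAPI) security layer that the client negotiated, where 1 means integrity only and larger values mean confidentiality, while ssf is the overall protection slapd credits the connection with, so a connection that did StartTLS can show ssf=256 even when the SASL layer itself is only sasl_ssf=1. The script below is an added example, not part of this bug report or of any of the tools mentioned in it: it pulls the BIND lines out of slapd logging and flags GSSAPI binds whose SASL layer is below a chosen minimum, and separately marks binds whose overall ssf exceeds the SASL value (the assumption being that the difference comes from another layer such as TLS). The log lines embedded in it are constructed in the shape of slapd's BIND logging, not real logs, and the 56 threshold is an illustrative choice.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample lines in the shape of slapd BIND logging (not real logs).
# conn=1001: GSSAPI bind with a confidentiality layer, no TLS.
# conn=1002: StartTLS first, then a GSSAPI bind with an integrity-only layer.
# conn=1003: GSSAPI bind with a 56-bit confidentiality layer, no TLS.
SAMPLE_LOG = """\
Jun 16 08:20:01 ldap slapd[1234]: conn=1001 fd=12 ACCEPT from IP=192.0.2.10:50211 (IP=0.0.0.0:389)
Jun 16 08:20:01 ldap slapd[1234]: conn=1001 op=0 BIND dn="" method=163
Jun 16 08:20:01 ldap slapd[1234]: conn=1001 op=0 BIND authcid="johndoe@EXAMPLE.COM" authzid="johndoe@EXAMPLE.COM"
Jun 16 08:20:01 ldap slapd[1234]: conn=1001 op=0 BIND dn="uid=johndoe,ou=people,dc=example,dc=com" mech=GSSAPI sasl_ssf=256 ssf=256
Jun 16 08:20:05 ldap slapd[1234]: conn=1002 fd=13 ACCEPT from IP=192.0.2.10:50212 (IP=0.0.0.0:389)
Jun 16 08:20:05 ldap slapd[1234]: conn=1002 op=0 STARTTLS
Jun 16 08:20:05 ldap slapd[1234]: conn=1002 op=0 RESULT oid= err=0 text=
Jun 16 08:20:05 ldap slapd[1234]: conn=1002 fd=13 TLS established tls_ssf=256 ssf=256
Jun 16 08:20:05 ldap slapd[1234]: conn=1002 op=2 BIND dn="uid=johndoe,ou=people,dc=example,dc=com" mech=GSSAPI sasl_ssf=1 ssf=256
Jun 16 08:20:09 ldap slapd[1234]: conn=1003 op=0 BIND dn="uid=johndoe,ou=people,dc=example,dc=com" mech=GSSAPI sasl_ssf=56 ssf=56
"""

# Only the final BIND line of a SASL exchange carries mech= and the two SSF values.
BIND_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" '
    r'mech=(?P<mech>\S+) sasl_ssf=(?P<sasl_ssf>\d+) ssf=(?P<ssf>\d+)'
)


@dataclass
class SaslBind:
    conn: int
    op: int
    dn: str
    mech: str
    sasl_ssf: int   # strength of the SASL security layer itself
    ssf: int        # overall strength slapd credits the connection with

    @property
    def layer(self) -> str:
        return layer_name(self.sasl_ssf)

    @property
    def protected_by_other_layer(self) -> bool:
        # Assumption: when ssf exceeds sasl_ssf, the surplus comes from a
        # separate layer (in practice TLS), not from the SASL mechanism.
        return self.ssf > self.sasl_ssf


def layer_name(sasl_ssf: int) -> str:
    """Map a SASL SSF to the kind of security layer it denotes."""
    if sasl_ssf == 0:
        return "none"
    if sasl_ssf == 1:
        return "integrity"
    return "confidentiality"


def parse_binds(log_text: str) -> List[SaslBind]:
    """Extract every completed SASL BIND from slapd log text."""
    binds = []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if not m:
            continue
        binds.append(SaslBind(
            conn=int(m["conn"]), op=int(m["op"]), dn=m["dn"], mech=m["mech"],
            sasl_ssf=int(m["sasl_ssf"]), ssf=int(m["ssf"]),
        ))
    return binds


def weak_binds(binds: List[SaslBind], mech: str = "GSSAPI",
               min_sasl_ssf: int = 56) -> List[SaslBind]:
    """Binds using `mech` whose SASL layer is weaker than `min_sasl_ssf`.

    The check is on sasl_ssf, not ssf, so a bind that is only protected by
    TLS is still reported; the overall ssf can hide a weak SASL layer.
    """
    return [b for b in binds if b.mech == mech and b.sasl_ssf < min_sasl_ssf]


if __name__ == "__main__":
    for b in weak_binds(parse_binds(SAMPLE_LOG)):
        extra = " (overall ssf comes from another layer)" if b.protected_by_other_layer else ""
        print(f"conn={b.conn} op={b.op} {b.mech} sasl_ssf={b.sasl_ssf} "
              f"ssf={b.ssf} layer={b.layer}{extra}")
```

Run against the constructed lines it reports only conn=1002, which is the pattern described in this thread: the SASL layer is integrity-only (sasl_ssf=1) and the ssf=256 is what StartTLS contributed. Feeding it a real slapd log (loglevel stats) gives a quick way to see which clients, or which client library versions, negotiate a weaker GSSAPI layer than ldapsearch does against the same server.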



On Tue, 16 Jun 2020 08:25:51 -0700 Richard Landster <deb...@lewenberg.com> wrote:
Package: libauthen-sasl-perl
Version: 2.1600-1
Severity: important

Dear Maintainer,

I have a Perl script to read from an OpenLDAP instance using Net::LDAP
with a GSSAPI bind. The script works fine on Debian stretch but fails on
Debian buster.

Note that on both servers the line at the bottom of the Perl code that
runs ldapsearch produces the same correct results, so I am sure that the
Kerberos ticket cache is correct on both servers.

Looking at the OpenLDAP logs I see that the ldapsearch run shows up with
the strength factors sasl_ssf=256 ssf=256 while the Net::LDAP bind shows
up with the strength factors sasl_ssf=1 ssf=256. Since the Net::LDAP bind
is using Kerberos, the sasl_ssf should be 56, not 1.

#######

use strict;
use warnings;
use Authen::SASL;
use Net::LDAP;
use Data::Dumper;

my $server_name = 'ldap.example.com';
# Point GSSAPI at the pre-obtained Kerberos credential cache.
$ENV{'KRB5CCNAME'} = '/tmp/krb.tkt';

# Net::LDAP->new returns undef (with $@ set) on failure, so check the
# handle before calling any method on it.
my $ld = Net::LDAP->new($server_name, version => '3')
    or die "Could not connect to directory server $server_name: $@";

my $tls = $ld->start_tls(verify => 'require');
if ($tls->code) {
    die 'StartTLS error: (' . $tls->error_name . ') ' . $tls->error_text;
}

# GSSAPI bind using the ticket cache set above.
my $SASL = Authen::SASL->new('GSSAPI');
my $status = $ld->bind(sasl => $SASL);

if ($status->code) {
    die 'Bind error: (' . $status->error_name . ') ' . $status->error_text;
}

my $base   = 'dc=example,dc=com';
my $filter = '(uid=johndoe)';
my @attrs  = ('uid', 'sn');
$status = $ld->search(
    base    => $base,
    filter  => $filter,
    attrs   => \@attrs,
);
if ($status->code) {
    die 'Search error: (' . $status->error_name . ') ' . $status->error_text;
}

my @entries = $status->all_entries;
# This results in nothing (but should result in the same data as the
# ldapsearch below):
warn Dumper @entries;

# The same query through the command-line client, for comparison.
my $attrs = join(' ', @attrs);
my $cmd = "ldapsearch -LLL -h $server_name -b $base '$filter' $attrs";
# This gives the correct result:
system($cmd);

#######
