This bug was fixed in the package cyrus-sasl2 - 2.1.27+dfsg2-3ubuntu1.1
---
cyrus-sasl2 (2.1.27+dfsg2-3ubuntu1.1) jammy; urgency=medium
* Add SASL channel binding support for GSSAPI and GSS-SPNEGO
(LP: #1912256):
- d/p/0034-channel-binding-gssapi-gss-spnego.patch: add SASL c
The tests are green now.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1912256
Title:
Missing channel binding prevents authentication to ActiveDirectory
Status in cyrus
Thanks for verifying, Robert! Making sure the above tests pass, then the
package should migrate to jammy soon.
** Tags removed: verification-needed verification-needed-jammy
** Tags added: verification-done verification-done-jammy
This package fixes the bug for me, thank you very much :)
Tested version:
libsasl2-modules:amd64 2.1.27+dfsg2-3ubuntu1.1
libsasl2-modules-db:amd64 2.1.27+dfsg2-3ubuntu1.1
libsasl2-2:amd64 2.1.27+dfsg2-3ubuntu1.1
libsasl2-modules-gssapi-mit:amd64 2.1.27+dfsg2-3ub
Hello Robert, or anyone else affected,
Accepted cyrus-sasl2 into jammy-proposed. The package will build now and
be available at
https://launchpad.net/ubuntu/+source/cyrus-sasl2/2.1.27+dfsg2-3ubuntu1.1
in a few hours, and then in the -proposed repository.
Please help us by testing this new packag
** Description changed:
[Impact]
When attempting to authenticate against a Windows Active Directory
server configured to require SASL channel binding over SSL/TLS ldap
connections (ldaps), authentication will fail stating invalid
credentials as the cause.
This is due to cyrus-sas
** Tags removed: server-todo
** Description changed:
[Impact]
- When attempting to bind to a SASL channel using GSSAPI or GSS-SPNEGO for
- Windows Active Directory, authentication will fail stating invalid
+ When attempting to authenticate against a Windows Active Directory
+ server configured to require SASL channel bin
** Merge proposal linked:
https://code.launchpad.net/~lvoytek/ubuntu/+source/cyrus-sasl2/+git/cyrus-sasl2/+merge/430580
** Description changed:
+ [Impact]
+
+ When attempting to bind to a SASL channel using GSSAPI or GSS-SPNEGO for
+ Windows Active Directory, authentication will fail stating invalid
+ credentials as the cause.
+
+ This is due to cyrus-sasl2 missing the feature of GSSAPI/GSS-SPNEGO
+ channel bindi
** Changed in: cyrus-sasl2 (Ubuntu Jammy)
Assignee: (unassigned) => Lena Voytek (lvoytek)
** Changed in: cyrus-sasl2 (Ubuntu Jammy)
Status: Triaged => In Progress
** Changed in: cyrus-sasl2 (Ubuntu Jammy)
Assignee: Andreas Hasenack (ahasenack) => (unassigned)
** Changed in: cyrus-sasl2 (Ubuntu Jammy)
Assignee: (unassigned) => Andreas Hasenack (ahasenack)
** Changed in: cyrus-sasl2 (Ubuntu Jammy)
Status: New => Triaged
This bug was fixed in the package cyrus-sasl2 - 2.1.28+dfsg-6ubuntu2
---
cyrus-sasl2 (2.1.28+dfsg-6ubuntu2) kinetic; urgency=medium
* Add SASL channel binding support for GSSAPI and GSS-SPNEGO
(LP: #1912256):
- d/p/0034-channel-binding-gssapi-gss-spnego.patch: add SASL chann
openldap@jammy also needs no further changes
** Changed in: openldap (Ubuntu Jammy)
Status: New => Fix Released
openldap in kinetic needs no further changes, marking that task as fix
released.
** Changed in: openldap (Ubuntu)
Status: Confirmed => Fix Released
** Also affects: cyrus-sasl2 (Ubuntu Jammy)
Importance: Undecided
Status: New
** Also affects: openldap (Ubuntu Jammy)
Importanc
** Merge proposal linked:
https://code.launchpad.net/~ahasenack/ubuntu/+source/cyrus-sasl2/+git/cyrus-sasl2/+merge/428422
Ok, got it working in jammy, it was a local problem. I had installed the
heimdal sasl gssapi module, instead of MIT. Heimdal is another issue to
fix later at some point, but now I'm concentrating on MIT.
I tried the same set of patches on jammy's cyrus-sasl (2.1.27). They
applied, but I couldn't get gssapi + ldaps to work against AD 2016. It
kept complaining that the channel binding token was not there. Weird. I
then tried Fedora 36, and CentOS 9, which I thought were the "benchmark"
for this, but
I'm concerned about interoperability issues...
https://github.com/cyrusimap/cyrus-imapd/issues/3317
** Bug watch added: github.com/cyrusimap/cyrus-imapd/issues #3317
https://github.com/cyrusimap/cyrus-imapd/issues/3317
Ok, the -o SASL_CBINDING command-line parameter seems to work. Against
that Windows 2016 server the ldapwhoami command only works when I set the
channel binding mode to tls-unique:
ubuntu@k1:~$ ldapwhoami -H ldaps://WIN-KRIET1E5ELO.internal.example.fake -Y GSSAPI -O maxssf=0 -o SASL_CBINDING=none
I have a build for kinetic which has two changes:
- enable channel binding
- allow setting maxssf=0 when using GSS-SPNEGO
The latter might not be needed, as GSSAPI already supports maxssf=0, and
adcli will forcibly select GSSAPI instead of GSS-SPNEGO if ldaps (ssl)
is being used, exactly because no
** Changed in: cyrus-sasl2 (Ubuntu)
Status: Confirmed => In Progress
Thank you, Christian.
As discussed with Andreas, I've added a cyrus-sasl2 task to this bug and
assigned him to it. This bug is probably going to involve modifications
on cyrus-sasl2 only; after channel binding has been implemented there,
we should be able to enable it in openldap by just rebuildi
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: openldap (Ubuntu)
Status: New => Confirmed
** Also affects: cyrus-sasl2 (Ubuntu)
Importance: Undecided
Status: New
** Changed in: cyrus-sasl2 (Ubuntu)
Assignee: (unassigned) => Sergio Durigan Junior (sergiodj)
** Changed in: cyrus-sasl2 (Ubuntu)
Assignee: Sergio Durigan Junior (sergiodj) => Andreas Hasenack (ahasenack)
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: cyrus-sasl2 (Ubuntu)
Status: New => Confirmed
Hi,
I'm revisiting bugs that have been dormant for too long trying to retriage them.
In this case the current situation to me looks like:
- openldap change 3cd50fa having landed in v2.5.8 and later
- cyrus-sasl change 975edbb6 still isn't in any release AFAICS
- that is odd as https://github.com
I should maybe add the following detail:
Channel binding, from all I can tell, is only available via TLS (even
conceptually). That is, the issue mentioned in the bug report only
happens when using ldaps.
In certain cases, it is therefore possible to work around the lack of
channel binding by _not
Thanks for taking the time to file this bug and try to make Ubuntu
better.
I subscribed ubuntu-server and Sergio who has been working on this stack
recently to investigate what you described.
Might have been confusing to write
# kinit
$ export LDAPSASL_CBINDING=tls-endpoint
Both are supposed to be called from the same user. I meant to imply that
an existing, valid ticket in the current user's credential cache is
required for krb5 authentication via SASL in the ldapwhoami step.