Debian Bug report logs - #604122
libldap-2.4-2: libldap opens a TCP connection before validating the SASL mechanism


Package: libsasl2-dev; Maintainer for libsasl2-dev is Debian Cyrus Team <[email protected]>; Source for libsasl2-dev is src:cyrus-sasl2 (PTS, buildd, popcon).

Affects: libldap-2.4-2

Reported by: Daniel Dehennin <[email protected]>

Date: Sat, 20 Nov 2010 13:39:03 UTC

Severity: wishlist

Found in version cyrus-sasl2/2.1.26.dfsg1-13




Report forwarded to [email protected], Debian OpenLDAP Maintainers <[email protected]>:
Bug#604122; Package libldap-2.4-2. (Sat, 20 Nov 2010 13:39:06 GMT) (full text, mbox, link).


Acknowledgement sent to Daniel Dehennin <[email protected]>:
New Bug report received and forwarded. Copy sent to [email protected], Debian OpenLDAP Maintainers <[email protected]>. (Sat, 20 Nov 2010 13:39:06 GMT) (full text, mbox, link).


Message #5 received at [email protected] (full text, mbox, reply):

From: Daniel Dehennin <[email protected]>
To: Debian Bug Tracking System <[email protected]>
Subject: libldap-2.4-2: libldap opens a TCP connection before validating the SASL mechanism
Date: Sat, 20 Nov 2010 13:49:49 +0100
Package: libldap-2.4-2
Version: 2.4.23-6
Severity: minor

Hello,

During some tests for nslcd[1], I found that if the SASL_SECPROPS in
/etc/ldap/ldap.conf is incompatible with the SASL_MECH, then the
library:

- opens a useless TCP connection to the server
- checks the mechanism and fails
- closes the TCP connection

===== /etc/ldap/ldap.conf
BASE    dc=baby-gnu,dc=org
URI     ldap://192.168.122.4

SASL_MECH DIGEST-MD5
SASL_SECPROPS noactive
===== /etc/ldap/ldap.conf

===== Wireshark capture
No. Time      Source         Destination    Protocol Info
3   2.728967  192.168.122.3  192.168.122.4  TCP      51521 > ldap [SYN] Seq=0 [...]
4   2.729699  192.168.122.4  192.168.122.3  TCP      ldap > 51521 [SYN, ACK] Seq=0 [...]
5   2.729714  192.168.122.3  192.168.122.4  TCP      51521 > ldap [ACK] Seq=1 [...]
6   2.739576  192.168.122.3  192.168.122.4  TCP      51521 > ldap [FIN, ACK] Seq=1 [...]
7   2.740686  192.168.122.4  192.168.122.3  TCP      ldap > 51521 [FIN, ACK] Seq=1 [...]
8   2.740702  192.168.122.3  192.168.122.4  TCP      51521 > ldap [ACK] Seq=2 [...]
===== Wireshark capture

===== ldapsearch
ldapsearch -U dad -s base -LLL supportedSASLMechanisms
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
        additional info: SASL(-4): no mechanism available: No worthy
        mechs found
===== ldapsearch

As the problem is found in a software using the libldap, I conclude the
problem is in the lib and not in ldapsearch.

Regards.

-- System Information:
Debian Release: squeeze/sid
  APT prefers sid
  APT policy: (500, 'sid'), (500, 'unstable'), (500, 'testing'), (90, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.35+hati.2 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libldap-2.4-2 depends on:
ii  libc6                     2.11.2-7       Embedded GNU C Library: Shared lib
ii  libgnutls26               2.8.6-1        the GNU TLS library - runtime libr
ii  libsasl2-2                2.1.23.dfsg1-6 Cyrus SASL - authentication abstra

libldap-2.4-2 recommends no packages.

libldap-2.4-2 suggests no packages.

-- no debconf information


Footnotes: 
[1]  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=586532#112

-- 
Daniel Dehennin
Récupérer ma clef GPG:
gpg --keyserver pgp.mit.edu --recv-keys 0x6A2540D1

Information forwarded to Debian OpenLDAP Maintainers <[email protected]>:
Bug#604122; Package libldap-2.4-2. (Sat, 20 Nov 2010 23:36:03 GMT) (full text, mbox, link).


Acknowledgement sent to Quanah Gibson-Mount <[email protected]>:
Extra info received and forwarded to maintainer. Copy sent to Debian OpenLDAP Maintainers <[email protected]>. (Sat, 20 Nov 2010 23:36:03 GMT) (full text, mbox, link).


Message #10 received at [email protected] (full text, mbox, reply):

From: Quanah Gibson-Mount <[email protected]>
To: Daniel Dehennin <[email protected]>, [email protected], Debian Bug Tracking System <[email protected]>
Subject: Re: [Pkg-openldap-devel] Bug#604122: libldap-2.4-2: libldap opens a TCP connection before validating the SASL mechanism
Date: Sat, 20 Nov 2010 15:22:44 -0800
--On Saturday, November 20, 2010 1:49 PM +0100 Daniel Dehennin 
<[email protected]> wrote:

> Package: libldap-2.4-2
> Version: 2.4.23-6
> Severity: minor
>
> Hello,
>
> During some tests for nslcd[1], I found that if the SASL_SECPROPS in
> /etc/ldap/ldap.conf is incompatible with the SASL_MECH, then the
> library:

I suggest you file this as a bug with the OpenLDAP foundation:

http://www.openldap.org/its/

--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration




Information forwarded to Debian OpenLDAP Maintainers <[email protected]>:
Bug#604122; Package libldap-2.4-2. (Mon, 29 Nov 2010 17:03:04 GMT) (full text, mbox, link).


Acknowledgement sent to Quanah Gibson-Mount <[email protected]>:
Extra info received and forwarded to maintainer. Copy sent to Debian OpenLDAP Maintainers <[email protected]>. (Mon, 29 Nov 2010 17:03:04 GMT) (full text, mbox, link).


Message #15 received at [email protected] (full text, mbox, reply):

From: Quanah Gibson-Mount <[email protected]>
To: [email protected], Daniel Dehennin <[email protected]>
Subject: Re: [Pkg-openldap-devel] Bug#604122: Bug#604122: libldap-2.4-2: libldap opens a TCP connection before validating the SASL mechanism
Date: Mon, 29 Nov 2010 09:00:47 -0800
--On Saturday, November 20, 2010 3:22 PM -0800 Quanah Gibson-Mount 
<[email protected]> wrote:

> --On Saturday, November 20, 2010 1:49 PM +0100 Daniel Dehennin
> <[email protected]> wrote:
>
>> Package: libldap-2.4-2
>> Version: 2.4.23-6
>> Severity: minor
>>
>> Hello,
>>
>> During some tests for nslcd[1], I found that if the SASL_SECPROPS in
>> /etc/ldap/ldap.conf is incompatible with the SASL_MECH, then the
>> library:
>
> I suggest you file this as a bug with the OpenLDAP foundation:
>
> http://www.openldap.org/its/

I went ahead and filed <http://www.openldap.org/its/index.cgi/?findid=6728> 
for you.

--Quanah


--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration




Information forwarded to Debian OpenLDAP Maintainers <[email protected]>:
Bug#604122; Package libldap-2.4-2. (Mon, 29 Nov 2010 17:45:14 GMT) (full text, mbox, link).


Acknowledgement sent to Dan White <[email protected]>:
Extra info received and forwarded to maintainer. Copy sent to Debian OpenLDAP Maintainers <[email protected]>. (Mon, 29 Nov 2010 17:45:15 GMT) (full text, mbox, link).


Message #20 received at [email protected] (full text, mbox, reply):

From: Dan White <[email protected]>
To: Quanah Gibson-Mount <[email protected]>, [email protected]
Cc: Daniel Dehennin <[email protected]>
Subject: Re: Bug#604122: Bug#604122: Bug#604122: libldap-2.4-2: libldap opens a TCP connection before validating the SASL mechanism
Date: Mon, 29 Nov 2010 11:16:30 -0600
On 29/11/10 09:00 -0800, Quanah Gibson-Mount wrote:
>--On Saturday, November 20, 2010 3:22 PM -0800 Quanah Gibson-Mount 
><[email protected]> wrote:
>
>>--On Saturday, November 20, 2010 1:49 PM +0100 Daniel Dehennin
>><[email protected]> wrote:
>>
>>>Package: libldap-2.4-2
>>>Version: 2.4.23-6
>>>Severity: minor
>>>
>>>Hello,
>>>
>>>During some tests for nslcd[1], I found that if the SASL_SECPROPS in
>>>/etc/ldap/ldap.conf is incompatible with the SASL_MECH, then the
>>>library:
>>
>>I suggest you file this as a bug with the OpenLDAP foundation:
>>
>>http://www.openldap.org/its/
>
>I went ahead and filed 
><http://www.openldap.org/its/index.cgi/?findid=6728> for you.

Isn't that to be expected?

Typically, you wouldn't 'know' that there are no worthy mechs until Cyrus
attempts to negotiate, at runtime, a common mechanism which meets both the
server and the client's SASL criteria.

The 'no worthy mechs' error is most likely coming from libsasl.

For instance, specifying a mechanism that the server does not offer (e.g.
EXTERNAL) should produce a similar error, and there's no way for
(libsasl on) the client to magically know that it should use another
mechanism, because it was told to be too picky about the SASL negotiation
by the local administrator.

The same would go for SASL_SECPROPS, e.g. setting your min_ssf to something
too high would probably produce the same error even if you didn't specify a
mechanism.

-- 
Dan White




Set Bug forwarded-to-address to 'http://www.openldap.org/its/?findid=6728'. Request was from Ryan Tandy <[email protected]> to [email protected]. (Fri, 29 Aug 2014 05:39:05 GMT) (full text, mbox, link).


Information forwarded to [email protected], Debian OpenLDAP Maintainers <[email protected]>:
Bug#604122; Package libldap-2.4-2. (Wed, 02 Sep 2015 17:57:07 GMT) (full text, mbox, link).


Acknowledgement sent to Ryan Tandy <[email protected]>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <[email protected]>. (Wed, 02 Sep 2015 17:57:07 GMT) (full text, mbox, link).


Message #27 received at [email protected] (full text, mbox, reply):

From: Ryan Tandy <[email protected]>
To: Daniel Dehennin <[email protected]>, [email protected]
Subject: Re: Bug#604122: libldap-2.4-2: libldap opens a TCP connection before validating the SASL mechanism
Date: Wed, 2 Sep 2015 10:54:17 -0700
Control: reassign -1 libsasl2-dev 2.1.26.dfsg1-13
Control: affects -1 libldap-2.4-2
Control: severity -1 wishlist

Hi Daniel, hi cyrus-sasl2 maintainers,

On Sat, Nov 20, 2010 at 01:49:49PM +0100, Daniel Dehennin wrote:
>During some tests for nslcd[1], I found that if the SASL_SECPROPS in
>/etc/ldap/ldap.conf is incompatible with the SASL_MECH, then the
>library:
>
>- opens a useless TCP connection to the server
>- checks the mechanism and fails
>- closes the TCP connection
>
>===== /etc/ldap/ldap.conf
>BASE    dc=baby-gnu,dc=org
>URI     ldap://192.168.122.4
>
>SASL_MECH DIGEST-MD5
>SASL_SECPROPS noactive
>===== /etc/ldap/ldap.conf

Currently the chosen mechanisms are validated inside sasl_client_start, 
after the network connection has been opened and TLS possibly 
established.

https://cgit.cyrus.foundation/cyrus-sasl/tree/lib/client.c#n794

I don't see another place where mechs can be filtered against security 
flags. I'm not sure it even makes sense, since as you can see from that 
code, it can depend on the current situations in some ways, for example 
whether or not there is a TLS layer active. I'm not really familiar with 
cyrus-sasl2, though, so I could easily have missed something.

I'm reassigning this to cyrus-sasl2 as a wishlist item for a way to 
validate the client setup before opening a network connection.

Feel free to reassign back to libldap-2.4-2 if I'm wrong and there is 
already a way to validate the chosen mechs/flags before calling 
sasl_client_start.

thanks,
Ryan
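The two replies above make the same point from different sides: libsasl decides on a mechanism inside sasl_client_start(), after the socket (and possibly TLS) exists, and part of that decision genuinely depends on the connection (the SSF that TLS already provides) while another part (whether a mechanism can ever satisfy the SASL_SECPROPS flags, such as "noactive" against DIGEST-MD5) depends only on local plugin properties. The following added example is not code from the bug report, OpenLDAP or Cyrus SASL; it is a stand-alone Python model of that filtering, split into a pre-connection check and the runtime choice. Flag bit values are those of SASL_SEC_* in sasl.h and the keywords are those accepted by SASL_SECPROPS in ldap.conf(5); the per-mechanism property table is a constructed illustration and is an assumption, not a copy of the Cyrus plugin flags.

```python
from __future__ import annotations
from dataclasses import dataclass

# Security flags as defined in sasl.h (SASL_SEC_*).
SEC_NOPLAINTEXT = 0x0001
SEC_NOACTIVE = 0x0002
SEC_NODICTIONARY = 0x0004
SEC_FORWARD_SECRECY = 0x0008
SEC_NOANONYMOUS = 0x0010
SEC_PASS_CREDENTIALS = 0x0020
SEC_MUTUAL_AUTH = 0x0040

# Constructed illustration of per-plugin properties: the flags a mechanism
# *provides* and the maximum SSF it can supply. Assumed values, not copied
# from the Cyrus SASL plugins.
MECH_PROPS = {
    "ANONYMOUS":  (0, 0),
    "PLAIN":      (SEC_NOANONYMOUS, 0),
    "DIGEST-MD5": (SEC_NOPLAINTEXT | SEC_NOANONYMOUS | SEC_MUTUAL_AUTH, 128),
    "GSSAPI":     (SEC_NOPLAINTEXT | SEC_NOACTIVE | SEC_NOANONYMOUS
                   | SEC_MUTUAL_AUTH, 256),
    "EXTERNAL":   (SEC_NOPLAINTEXT | SEC_NODICTIONARY | SEC_NOANONYMOUS, 0),
}

# SASL_SECPROPS keywords from ldap.conf(5) and the flag each one demands.
SECPROPS_WORDS = {
    "noplain": SEC_NOPLAINTEXT, "noactive": SEC_NOACTIVE,
    "nodict": SEC_NODICTIONARY, "noanonymous": SEC_NOANONYMOUS,
    "forwardsec": SEC_FORWARD_SECRECY, "passcred": SEC_PASS_CREDENTIALS,
}


@dataclass
class SecProps:
    flags: int = 0
    min_ssf: int = 0
    max_ssf: int = 256


def parse_secprops(spec: str) -> SecProps:
    """Parse a SASL_SECPROPS value such as 'noactive,minssf=56'."""
    props = SecProps()
    for tok in spec.split(","):
        tok = tok.strip().lower()
        if not tok or tok == "none":
            continue
        if tok in SECPROPS_WORDS:
            props.flags |= SECPROPS_WORDS[tok]
        elif tok.startswith("minssf="):
            props.min_ssf = int(tok[len("minssf="):])
        elif tok.startswith("maxssf="):
            props.max_ssf = int(tok[len("maxssf="):])
        elif tok.startswith("maxbufsize="):
            pass  # buffer size does not influence mechanism selection
        else:
            raise ValueError(f"unknown SASL_SECPROPS token: {tok!r}")
    return props


def flag_names(bits: int) -> str:
    return ",".join(w for w, b in SECPROPS_WORDS.items() if bits & b) or "none"


def precheck_local(wanted: list[str], props: SecProps) -> dict[str, str]:
    """Checks that need no network at all: is each SASL_MECH entry a known
    client plugin, and does it provide every flag SASL_SECPROPS demands?
    Returns mech -> rejection reason; empty means nothing can be ruled out
    before connecting."""
    rejected: dict[str, str] = {}
    for mech in wanted:
        if mech not in MECH_PROPS:
            rejected[mech] = "no such client plugin"
            continue
        provided, _ = MECH_PROPS[mech]
        missing = props.flags & ~provided
        if missing:
            rejected[mech] = f"mechanism does not satisfy {flag_names(missing)}"
    return rejected


def choose_after_connect(wanted, offered, props, external_ssf=0):
    """The runtime decision made inside sasl_client_start(): the server's
    offered list and the SSF already provided by TLS are only known now."""
    rejected = dict(precheck_local(wanted, props))
    # As in Cyrus client.c, the external (TLS) SSF counts toward min_ssf.
    need_ssf = max(props.min_ssf - external_ssf, 0)
    for mech in wanted:
        if mech in rejected:
            continue
        if mech not in offered:
            rejected[mech] = "not offered by server"
            continue
        _, mech_max_ssf = MECH_PROPS[mech]
        if need_ssf > mech_max_ssf:
            rejected[mech] = (f"cannot reach min_ssf {props.min_ssf} "
                              f"(TLS provides {external_ssf})")
            continue
        return mech, rejected
    return None, rejected


if __name__ == "__main__":
    # The reporter's configuration: SASL_MECH DIGEST-MD5, SASL_SECPROPS noactive.
    print(precheck_local(["DIGEST-MD5"], parse_secprops("noactive")))
    # A minssf requirement can be met by TLS, so it cannot be judged offline.
    tls = parse_secprops("minssf=128")
    print(precheck_local(["PLAIN"], tls))
    print(choose_after_connect(["PLAIN"], ["PLAIN", "DIGEST-MD5"], tls, 0))
    print(choose_after_connect(["PLAIN"], ["PLAIN", "DIGEST-MD5"], tls, 256))
```

With the reporter's ldap.conf, precheck_local() already rejects DIGEST-MD5 for not providing "noactive", which is the case where a library could fail before sending a SYN; with "minssf=128" and PLAIN the pre-check passes and only choose_after_connect(), once the TLS SSF is known, can accept or reject the mechanism, which is the situation Ryan describes.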



Bug reassigned from package 'libldap-2.4-2' to 'libsasl2-dev'. Request was from Ryan Tandy <[email protected]> to [email protected]. (Wed, 02 Sep 2015 17:57:08 GMT) (full text, mbox, link).


No longer marked as found in versions openldap/2.4.23-6. Request was from Ryan Tandy <[email protected]> to [email protected]. (Wed, 02 Sep 2015 17:57:08 GMT) (full text, mbox, link).


Marked as found in versions cyrus-sasl2/2.1.26.dfsg1-13. Request was from Ryan Tandy <[email protected]> to [email protected]. (Wed, 02 Sep 2015 17:57:09 GMT) (full text, mbox, link).


Added indication that 604122 affects libldap-2.4-2 Request was from Ryan Tandy <[email protected]> to [email protected]. (Wed, 02 Sep 2015 17:57:09 GMT) (full text, mbox, link).


Severity set to 'wishlist' from 'minor' Request was from Ryan Tandy <[email protected]> to [email protected]. (Wed, 02 Sep 2015 17:57:10 GMT) (full text, mbox, link).


Unset Bug forwarded-to-address Request was from Ryan Tandy <[email protected]> to [email protected]. (Wed, 02 Sep 2015 18:03:06 GMT) (full text, mbox, link).




Debian bug tracking system administrator <[email protected]>. Last modified: Tue May 13 15:36:31 2025; Machine Name: bembo
