[Pkg-openldap-devel] Bug#604122: libldap-2.4-2: libldap opens a TCP connection before validating the SASL mechanism

Daniel Dehennin daniel.dehennin at baby-gnu.org
Sat Nov 20 12:49:49 UTC 2010


Package: libldap-2.4-2
Version: 2.4.23-6
Severity: minor

Hello,

During some tests for nslcd[1], I found that if the SASL_SECPROPS in
/etc/ldap/ldap.conf is incompatible with the SASL_MECH, then the
library:

- opens a useless TCP connection to the server
- checks the mechanism and fails
- closes the TCP connection

===== /etc/ldap/ldap.conf
BASE    dc=baby-gnu,dc=org
URI     ldap://192.168.122.4

SASL_MECH DIGEST-MD5
SASL_SECPROPS noactive
===== /etc/ldap/ldap.conf

===== Wireshark capture
No. Time      Source         Destination    Protocol Info
3   2.728967  192.168.122.3  192.168.122.4  TCP      51521 > ldap [SYN] Seq=0 [...]
4   2.729699  192.168.122.4  192.168.122.3  TCP      ldap > 51521 [SYN, ACK] Seq=0 [...]
5   2.729714  192.168.122.3  192.168.122.4  TCP      51521 > ldap [ACK] Seq=1 [...]
6   2.739576  192.168.122.3  192.168.122.4  TCP      51521 > ldap [FIN, ACK] Seq=1 [...]
7   2.740686  192.168.122.4  192.168.122.3  TCP      ldap > 51521 [FIN, ACK] Seq=1 [...]
8   2.740702  192.168.122.3  192.168.122.4  TCP      51521 > ldap [ACK] Seq=2 [...]
===== Wireshark capture

===== ldapsearch
ldapsearch -U dad -s base -LLL supportedSASLMechanisms
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
        additional info: SASL(-4): no mechanism available: No worthy
        mechs found
===== ldapsearch

As the problem is found in software using libldap, I conclude the
problem is in the lib and not in ldapsearch.

Regards.

-- System Information:
Debian Release: squeeze/sid
  APT prefers sid
  APT policy: (500, 'sid'), (500, 'unstable'), (500, 'testing'), (90, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.35+hati.2 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libldap-2.4-2 depends on:
ii  libc6                     2.11.2-7       Embedded GNU C Library: Shared lib
ii  libgnutls26               2.8.6-1        the GNU TLS library - runtime libr
ii  libsasl2-2                2.1.23.dfsg1-6 Cyrus SASL - authentication abstra

libldap-2.4-2 recommends no packages.

libldap-2.4-2 suggests no packages.

-- no debconf information


Footnotes: 
[1]  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=586532#112

-- 
Daniel Dehennin
Retrieve my GPG key:
gpg --keyserver pgp.mit.edu --recv-keys 0x6A2540D1
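As an added example (not part of this report or of libldap), a small Python script that detects the pattern the capture above shows: TCP streams that complete the handshake and then close without either side sending a byte of payload. It reads Wireshark summary rows like the ones in the report (the 51521 stream, with the trailing `[...]` trimmed); the second stream on port 51522 is constructed for contrast, and Wireshark's relative sequence numbering is assumed.

```python
import re

# Constructed input: the report's six frames, plus a hypothetical stream
# (client port 51522) that actually carries payload, for contrast.
CAPTURE = """\
3   2.728967  192.168.122.3  192.168.122.4  TCP  51521 > ldap [SYN] Seq=0
4   2.729699  192.168.122.4  192.168.122.3  TCP  ldap > 51521 [SYN, ACK] Seq=0
5   2.729714  192.168.122.3  192.168.122.4  TCP  51521 > ldap [ACK] Seq=1
6   2.739576  192.168.122.3  192.168.122.4  TCP  51521 > ldap [FIN, ACK] Seq=1
7   2.740686  192.168.122.4  192.168.122.3  TCP  ldap > 51521 [FIN, ACK] Seq=1
8   2.740702  192.168.122.3  192.168.122.4  TCP  51521 > ldap [ACK] Seq=2
9   3.100000  192.168.122.3  192.168.122.4  TCP  51522 > ldap [SYN] Seq=0
10  3.100500  192.168.122.4  192.168.122.3  TCP  ldap > 51522 [SYN, ACK] Seq=0
11  3.110000  192.168.122.3  192.168.122.4  TCP  51522 > ldap [PSH, ACK] Seq=1 Len=14
12  3.120000  192.168.122.4  192.168.122.3  TCP  ldap > 51522 [PSH, ACK] Seq=1 Len=22
13  3.130000  192.168.122.3  192.168.122.4  TCP  51522 > ldap [FIN, ACK] Seq=15
14  3.131000  192.168.122.4  192.168.122.3  TCP  ldap > 51522 [FIN, ACK] Seq=23
"""

FRAME_RE = re.compile(
    r"^\d+\s+[\d.]+\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+TCP\s+"
    r"(?P<sport>\S+) > (?P<dport>\S+) \[(?P<flags>[^\]]*)\] Seq=(?P<seq>\d+)"
)

def parse_streams(text):
    """Group TCP rows by stream. Per direction keep the Seq on the FIN (under
    relative numbering that is payload bytes + 1, the SYN consuming one) and
    the highest Seq seen, as a fallback when a side never sent a FIN."""
    streams = {}
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if not m:
            continue  # LDAP-dissected rows or other non-TCP summary lines
        src, dst = (m["src"], m["sport"]), (m["dst"], m["dport"])
        st = streams.setdefault(frozenset((src, dst)),
                                {"client": None, "fin": {}, "max": {}})
        flags = {f.strip() for f in m["flags"].split(",")}
        seq = int(m["seq"])
        if flags == {"SYN"}:          # bare SYN identifies the initiator
            st["client"] = src
        if "FIN" in flags:
            st["fin"][src] = seq
        st["max"][src] = max(st["max"].get(src, 0), seq)
    return streams

def bytes_sent(st, endpoint):
    seq = st["fin"].get(endpoint, st["max"].get(endpoint, 1))
    return max(seq - 1, 0)

def handshake_only_streams(text):
    """Client endpoints of streams that opened and closed with zero payload
    in both directions, i.e. the connection the report calls useless."""
    return sorted(st["client"] for key, st in parse_streams(text).items()
                  if st["client"] and all(bytes_sent(st, e) == 0 for e in key))
```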