[Pkg-openldap-devel] Bug#604122: libldap-2.4-2: libldap opens the TCP connection before validating the SASL mechanism
Ryan Tandy
ryan at nardis.ca
Wed Sep 2 17:54:17 UTC 2015
Control: reassign -1 libsasl2-dev 2.1.26.dfsg1-13
Control: affects -1 libldap-2.4-2
Control: severity -1 wishlist
Hi Daniel, hi cyrus-sasl2 maintainers,
On Sat, Nov 20, 2010 at 01:49:49PM +0100, Daniel Dehennin wrote:
>During some tests for nslcd[1], I found that if the SASL_SECPROPS in
>/etc/ldap/ldap.conf is incompatible with the SASL_MECH, then the
>library:
>
>- open a useless TCP connection to the server
>- check the mechanism and fail
>- close the TCP connection
>
>===== /etc/ldap/ldap.conf
>BASE dc=baby-gnu,dc=org
>URI ldap://192.168.122.4
>
>SASL_MECH DIGEST-MD5
>SASL_SECPROPS noactive
>===== /etc/ldap/ldap.conf
Currently the chosen mechanisms are validated inside sasl_client_start,
after the network connection has been opened and TLS possibly
established.
https://cgit.cyrus.foundation/cyrus-sasl/tree/lib/client.c#n794
I don't see another place where mechs can be filtered against security
flags. I'm not sure it even makes sense, since as you can see from that
code, it can depend on the current situation in some ways, for example
whether or not there is a TLS layer active. I'm not really familiar with
cyrus-sasl2, though, so I could easily have missed something.
I'm reassigning this to cyrus-sasl2 as a wishlist item for a way to
validate the client setup before opening a network connection.
Feel free to reassign back to libldap-2.4-2 if I'm wrong and there is
already a way to validate the chosen mechs/flags before calling
sasl_client_start.
thanks,
Ryan
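The check Ryan is asking for, as an added illustration (this is example code written for this page, not libldap or cyrus-sasl code): read SASL_MECH and SASL_SECPROPS from ldap.conf, decide whether any requested mechanism can satisfy the security properties, and only then call the connect routine. The mechanism property table (which flags DIGEST-MD5, GSSAPI and PLAIN claim, and their maximum SSF), the flag bit values, and the default SSF bounds are assumptions made for the example; the real filtering is the code in sasl_client_start linked above. The external_ssf parameter stands in for the SSF a TLS layer would contribute, which is why a check run before the connection can only be conservative about minssf in this model:

```python
"""Pre-connection check of SASL_MECH against SASL_SECPROPS (illustrative).

Assumptions for this example: the mechanism property table MECH_PROPS, the
local flag bit values, and the default minssf/maxssf are constructed here and
are not read from libsasl2.
"""

# SASL_SECPROPS keywords (as documented for ldap.conf) mapped to local bits.
NOPLAIN, NOACTIVE, NODICT, NOANONYMOUS, FORWARDSEC, PASSCRED = (1 << i for i in range(6))
KEYWORD_FLAGS = {
    "noplain": NOPLAIN, "noactive": NOACTIVE, "nodict": NODICT,
    "noanonymous": NOANONYMOUS, "forwardsec": FORWARDSEC, "passcred": PASSCRED,
}

# Assumed per-mechanism properties: (security flags the plugin claims, max SSF it
# can provide). Illustrative values; check the installed plugins for real ones.
MECH_PROPS = {
    "DIGEST-MD5": (NOPLAIN | NOANONYMOUS, 128),
    "GSSAPI": (NOPLAIN | NOACTIVE | NOANONYMOUS, 256),
    "PLAIN": (0, 0),
}


def parse_ldap_conf(text):
    """Minimal ldap.conf parser: 'KEY value' lines, '#' comments, keys upper-cased."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        cfg[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return cfg


def parse_secprops(spec):
    """Parse 'minssf=N,maxssf=N,noactive,...' into (flags, minssf, maxssf)."""
    flags, minssf, maxssf = 0, 0, 256  # defaults assumed for the example
    for item in filter(None, (s.strip() for s in spec.split(","))):
        name, _, num = item.partition("=")
        name = name.lower()
        if name == "minssf":
            minssf = int(num)
        elif name == "maxssf":
            maxssf = int(num)
        elif name in ("maxbufsize", "none"):
            continue
        elif name in KEYWORD_FLAGS:
            flags |= KEYWORD_FLAGS[name]
        else:
            raise ValueError("unknown SASL_SECPROPS keyword: %s" % item)
    return flags, minssf, maxssf


def usable_mechs(cfg, external_ssf=0):
    """Return ([mechs satisfying the secprops], {mech: reason}) without connecting.

    external_ssf is what a TLS layer would add; before the connection it is 0,
    so a mechanism rejected only for minssf here might still pass after TLS.
    """
    want_flags, minssf, _maxssf = parse_secprops(cfg.get("SASL_SECPROPS", ""))
    ok, rejected = [], {}
    for mech in cfg.get("SASL_MECH", "").split():
        if mech not in MECH_PROPS:
            rejected[mech] = "unknown mechanism"
            continue
        have_flags, max_ssf = MECH_PROPS[mech]
        missing = want_flags & ~have_flags
        if missing:
            names = [k for k, v in KEYWORD_FLAGS.items() if v & missing]
            rejected[mech] = "lacks " + ",".join(sorted(names))
        elif max_ssf + external_ssf < minssf:
            rejected[mech] = "max SSF %d + external %d < minssf %d" % (
                max_ssf, external_ssf, minssf)
        else:
            ok.append(mech)
    return ok, rejected


def connect_checked(conf_text, connect, external_ssf=0):
    """Validate the SASL setup first; call connect(uri) only if something can work."""
    cfg = parse_ldap_conf(conf_text)
    ok, rejected = usable_mechs(cfg, external_ssf)
    if not ok:
        raise ValueError("no usable SASL mechanism: %s" % rejected)
    return connect(cfg.get("URI", ""))


# Constructed input: the ldap.conf from the bug report.
BUG_CONF = """\
BASE dc=baby-gnu,dc=org
URI ldap://192.168.122.4

SASL_MECH DIGEST-MD5
SASL_SECPROPS noactive
"""

if __name__ == "__main__":
    calls = []  # stands in for socket.create_connection; records attempted URIs
    try:
        connect_checked(BUG_CONF, calls.append)
    except ValueError as e:
        print("refused before connecting:", e)
    print("connect() calls made:", calls)
```

With the bug report's configuration the check rejects DIGEST-MD5 for lacking noactive and connect() is never called; a minssf requirement, by contrast, cannot be settled until the TLS SSF is known, which is the situational dependence Ryan points at.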