Bug#962968: libauthen-sasl-perl: Net::LDAP with GSSAPI SASL bind connecting with wrong sasl_ssf on Debian buster

Richard Landster deb251 at lewenberg.com
Tue Jun 16 16:25:51 BST 2020


Package: libauthen-sasl-perl
Version: 2.1600-1
Severity: important

Dear Maintainer,

I have a Perl script to read from an OpenLDAP instance using Net::LDAP
with a GSSAPI bind. The script works fine on Debian stretch but fails on
Debian buster.

Note that on both servers the line at the bottom of the Perl code that
runs ldapsearch produces the same correct results, so I am sure that the
Kerberos ticket cache is correct on both servers.

Looking at the OpenLDAP logs I see that the ldapsearch run shows up with
the strength factors sasl_ssf=256 ssf=256 while the Net::LDAP bind shows
up with the strength factors sasl_ssf=1 ssf=256. Since the Net::LDAP bind
is using Kerberos, the sasl_ssf should be 56, not 1.

#######

use strict;
use warnings;
use Authen::SASL;
use Net::LDAP;
use Data::Dumper;

my $server_name = 'ldap.example.com';
$ENV{'KRB5CCNAME'} = '/tmp/krb.tkt';

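my $ld = Net::LDAP->new($server_name, version => '3');

# Check the connection before calling any method on $ld
# (Net::LDAP->new returns undef on failure).
if (!$ld or $ld == -1) {
    die "Could not connect to directory server $server_name";
}

$ld->start_tls(verify => 'require');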

my $SASL = Authen::SASL->new('GSSAPI');
my $status = $ld->bind(sasl => $SASL);

if ($status->code) {
    die  'Bind error: (' . $status->error_name . ') ' . $status->error_text;
}

my $base   = 'dc=example,dc=com';
my $filter = '(uid=johndoe)';
my @attrs  = ('uid', 'sn');
$status = $ld->search(
    base    => $base,
    filter  => $filter,
    attrs   => \@attrs,
);

my @entries = $status->all_entries;
# This results in nothing (but should result in the same data as the ldapsearch below):
warn Dumper @entries ;

my $attrs = join(' ', @attrs) ;
my $cmd = "ldapsearch -LLL -h $server_name -b $base '$filter' $attrs";
# This gives the correct result:
warn `$cmd`;


-- System Information:
Debian Release: 10.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-8-amd64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages libauthen-sasl-perl depends on:
ii  perl  5.28.1-6

libauthen-sasl-perl recommends no packages.

Versions of packages libauthen-sasl-perl suggests:
ii  libdigest-hmac-perl  1.03+dfsg-2
ii  libgssapi-perl       0.28-3+b1

-- no debconf information
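
Added example, not part of the original report: a Python check that pulls the sasl_ssf and ssf fields out of slapd bind log lines and flags SASL binds whose own security layer falls below a threshold, which is the discrepancy described above. The log lines are constructed, and the line layout beyond the two field names quoted in the report and the min_sasl_ssf default are assumptions.

```python
import re

# slapd log line for a completed SASL bind. The sasl_ssf= and ssf= field
# names are the ones quoted in the report; the rest of the layout is assumed.
BIND_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" '
    r'mech=(?P<mech>\S+) sasl_ssf=(?P<sasl_ssf>\d+) ssf=(?P<ssf>\d+)'
)

# Constructed sample lines (not taken from the reporter's server).
SAMPLE_LOG = """\
Jun 16 16:01:02 ldap slapd[811]: conn=1001 op=2 BIND dn="uid=svc,dc=example,dc=com" mech=GSSAPI sasl_ssf=256 ssf=256
Jun 16 16:01:09 ldap slapd[811]: conn=1002 fd=14 TLS established tls_ssf=256 ssf=256
Jun 16 16:01:09 ldap slapd[811]: conn=1002 op=3 BIND dn="uid=svc,dc=example,dc=com" mech=GSSAPI sasl_ssf=1 ssf=256
Jun 16 16:01:10 ldap slapd[811]: conn=1002 op=4 SRCH base="dc=example,dc=com" scope=2 deref=2 filter="(uid=johndoe)"
"""


def parse_binds(text):
    """Return one dict per SASL BIND line, with numeric fields as integers."""
    binds = []
    for line in text.splitlines():
        m = BIND_RE.search(line)
        if m:
            rec = m.groupdict()
            for key in ("conn", "op", "sasl_ssf", "ssf"):
                rec[key] = int(rec[key])
            binds.append(rec)
    return binds


def weak_sasl_binds(binds, min_sasl_ssf=56):
    """Binds whose SASL layer is weaker than min_sasl_ssf (assumed threshold).

    sasl_ssf=0 means no SASL protection and 1 means integrity only; the
    overall ssf can still be high when TLS supplies the confidentiality,
    so the two fields have to be compared separately.
    """
    return [b for b in binds if b["sasl_ssf"] < min_sasl_ssf]


if __name__ == "__main__":
    for b in weak_sasl_binds(parse_binds(SAMPLE_LOG)):
        print(f'conn={b["conn"]} mech={b["mech"]} dn={b["dn"]} '
              f'sasl_ssf={b["sasl_ssf"]} ssf={b["ssf"]}')
```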


