Bug#962968: libauthen-sasl-perl: Net::LDAP with GSSAPI SASL bind connecting with wrong sasl_ssf on Debian buster
A. Lewenberg
deb251 at lewenberg.com
Thu Jun 18 22:38:39 BST 2020
As a further test, here is a simple python script that does the same
thing as the Perl script. It works fine and the LDAP logs show
"sasl_ssf=256 ssf=256" when I run it:
#######
import os

import ldap
import ldap.sasl

ldap_server = 'ldap.example.com'
# Use the same ticket cache the Perl script uses
os.environ["KRB5CCNAME"] = "/tmp/testing.tkt"

conn = ldap.ldapobject.ReconnectLDAPObject('ldap://' + ldap_server,
                                           retry_max=5)
# Empty authz_id: authorize as the principal in the ticket cache
auth = ldap.sasl.gssapi("")
conn.sasl_interactive_bind_s("", auth)

basedn = 'dc=example,dc=com'
searchScope = ldap.SCOPE_SUBTREE
searchFilter = '(uid=johndoe)'
searchAttribute = [
    "uid",
    "sn",
]
ldap_result_id = conn.search(basedn, searchScope, searchFilter,
                             searchAttribute)
# all=0: return the first result message instead of waiting for all of them
result_type, result_data = conn.result(ldap_result_id, 0)
print(result_data)
#######
So, ldapsearch and the python script appear to connect with
"sasl_ssf=256 ssf=256" but the Perl script connects with "sasl_ssf=1
ssf=256". Why?
On Tue, 16 Jun 2020 08:25:51 -0700 Richard Landster
<deb251 at lewenberg.com> wrote:
> Package: libauthen-sasl-perl
> Version: 2.1600-1
> Severity: important
>
> Dear Maintainer,
>
> I have a Perl script to read from an OpenLDAP instance using Net::LDAP
> with a GSSAPI bind. The script works fine on Debian stretch but fails on
> Debian buster.
>
> Note that on both servers the line at the bottom of the Perl code that
> runs ldapsearch produces the same correct results, so I am sure that the
> Kerberos ticket cache is correct on both servers.
>
> Looking at the OpenLDAP logs I see that the ldapsearch run shows up with
> the strength factors sasl_ssf=256 ssf=256 while the Net::LDAP bind shows
> up with the strength factors sasl_ssf=1 ssf=256. Since the Net::LDAP bind
> is using Kerberos, the sasl_ssf should be 56, not 1.
>
> #######
>
> use strict;
> use warnings;
> use Authen::SASL;
> use Net::LDAP;
> use Data::Dumper;
>
> my $server_name = 'ldap.example.com';
> $ENV{'KRB5CCNAME'} = '/tmp/krb.tkt';
>
> # Net::LDAP->new returns undef on failure (error in $@), so check it
> # before calling any method on it
> my $ld = Net::LDAP->new($server_name, version => 3)
>     or die "Could not connect to directory server $server_name: $@";
>
> my $tls = $ld->start_tls(verify => 'require');
> if ($tls->code) {
>     die 'StartTLS error: (' . $tls->error_name . ') ' . $tls->error_text;
> }
>
> my $SASL = Authen::SASL->new('GSSAPI');
> my $status = $ld->bind(sasl => $SASL);
>
> if ($status->code) {
>     die 'Bind error: (' . $status->error_name . ') ' . $status->error_text;
> }
>
> my $base = 'dc=example,dc=com';
> my $filter = '(uid=johndoe)';
> my @attrs = ('uid', 'sn');
> $status = $ld->search(
>     base => $base,
>     filter => $filter,
>     attrs => \@attrs,
> );
> # Report a search error instead of silently treating it as "no entries"
> warn 'Search error: (' . $status->error_name . ') ' . $status->error_text
>     if $status->code;
>
> my @entries = $status->all_entries;
> # This results in nothing (but should result in the same data as the ldapsearch below):
> warn Dumper @entries;
>
> my $attrs = join(' ', @attrs);
> my $cmd = "ldapsearch -LLL -h $server_name -b $base '$filter' $attrs";
> # This gives the correct result:
> system($cmd);
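As an added example (not part of this bug report, and not code from Net::LDAP, Authen::SASL or OpenLDAP), here is a Python script that reads slapd "stats" BIND log lines of the form seen in this thread (`BIND dn="..." mech=GSSAPI sasl_ssf=N ssf=N`) and flags SASL binds whose negotiated SASL layer is weaker than a policy minimum. It checks sasl_ssf rather than ssf: ssf is the connection's effective strength and a TLS session can supply it on its own, which is exactly why the Net::LDAP bind above shows sasl_ssf=1 (integrity only, in Cyrus SASL terms) next to ssf=256. The log lines, connection numbers and DNs are constructed, and the minimum of 56 is an assumed policy value taken from the quoted message, not something OpenLDAP enforces by default.

```python
"""Flag GSSAPI binds whose negotiated SASL security layer is below policy.

Added example for this thread; the log lines below are constructed to mirror
what the bug report describes and are not real slapd output.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample of slapd 'stats' log lines: conn=1001 mirrors the
# ldapsearch run from the report, conn=1002 the Net::LDAP run (TLS gives
# ssf=256 but the SASL layer is integrity only), conn=1003 a GSSAPI bind
# without TLS, conn=1004 a simple bind that must not match at all.
SAMPLE_LOG = [
    'conn=1001 op=1 BIND dn="uid=johndoe,dc=example,dc=com" mech=GSSAPI sasl_ssf=256 ssf=256',
    'conn=1002 op=1 BIND dn="uid=johndoe,dc=example,dc=com" mech=GSSAPI sasl_ssf=1 ssf=256',
    'conn=1003 op=1 BIND dn="uid=johndoe,dc=example,dc=com" mech=GSSAPI sasl_ssf=56 ssf=56',
    'conn=1004 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128',
]

# Shape of the SASL BIND completion line as it appears in the thread
BIND_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" '
    r'mech=(?P<mech>\S+) sasl_ssf=(?P<sasl_ssf>\d+) ssf=(?P<ssf>\d+)'
)


@dataclass(frozen=True)
class SaslBind:
    conn: int
    op: int
    dn: str
    mech: str
    sasl_ssf: int  # strength of the SASL security layer by itself
    ssf: int       # effective strength of the connection (TLS can supply this alone)


def describe_ssf(ssf: int) -> str:
    """Meaning of a Cyrus SASL security strength factor value."""
    if ssf == 0:
        return "no security layer"
    if ssf == 1:
        return "integrity only"
    return f"confidentiality ({ssf}-bit)"


def parse_sasl_bind(line: str) -> Optional[SaslBind]:
    """Return a SaslBind for a SASL BIND log line, or None for any other line."""
    m = BIND_RE.search(line)
    if m is None:
        return None
    return SaslBind(
        conn=int(m["conn"]), op=int(m["op"]), dn=m["dn"], mech=m["mech"],
        sasl_ssf=int(m["sasl_ssf"]), ssf=int(m["ssf"]),
    )


def weak_sasl_binds(lines: Iterable[str], min_sasl_ssf: int = 56,
                    mechs: tuple = ("GSSAPI",)) -> List[SaslBind]:
    """Binds using one of `mechs` whose SASL layer is below `min_sasl_ssf`.

    Deliberately tests sasl_ssf, not ssf: a bind over TLS reports a high ssf
    even when the SASL layer itself only does integrity protection.
    """
    weak = []
    for line in lines:
        rec = parse_sasl_bind(line)
        if rec is not None and rec.mech in mechs and rec.sasl_ssf < min_sasl_ssf:
            weak.append(rec)
    return weak


def report(lines: Iterable[str], min_sasl_ssf: int = 56) -> List[str]:
    """One human-readable line per weak bind, suitable for an alert."""
    return [
        f"conn={r.conn} op={r.op} dn={r.dn!r} mech={r.mech}: SASL layer is "
        f"{describe_ssf(r.sasl_ssf)}, effective ssf={r.ssf}"
        for r in weak_sasl_binds(lines, min_sasl_ssf)
    ]


if __name__ == "__main__":
    for msg in report(SAMPLE_LOG):
        print(msg)
```

Run against the constructed sample it reports only conn=1002, the bind that looks like the Perl script's: conn=1003 has no TLS at all but its SASL layer meets the assumed minimum, and the simple bind on conn=1004 carries no SASL fields and is ignored. Point it at a real slapd log (loglevel stats) to see whether any client is relying on TLS alone while believing its GSSAPI layer protects the session.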