
List:       openldap-bugs
Subject:    SASL EXTERNAL fails with current slapd (ITS#2200)
From:       lukeh () padl ! com
Date:       2002-11-26 9:31:02

Full_Name: Luke Howard
Version: HEAD
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (165.228.130.12)


The following change was recently made to slapd:

@@ -1515,7 +1510,7 @@
        if ( !conn->c_sasl_bind_in_progress ) {
                sc = START( ctx,
                        conn->c_sasl_bind_mech.bv_val,
-                       cred->bv_len ? cred->bv_val : "",
+                       cred->bv_len ? cred->bv_val : NULL,
                        cred->bv_len,
                        (SASL_CONST char **)&response.bv_val, &reslen, &errstr
);
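Review bot: the `+` line turns a zero-length credential into a NULL input pointer, and the report above shows the consequence for one mechanism: Cyrus SASL's EXTERNAL implementation wants a non-NULL buffer even when the length is zero, answers SASL_CONTINUE when it gets NULL, and the client that sent no authorization identity then sees SASL_BIND_IN_PROGRESS instead of a completed bind. If the intent of the change is to let mechanisms distinguish an absent initial response from an empty one, that should be recorded in the commit log and the EXTERNAL path still needs a non-NULL pointer (the previous `cred->bv_len ? cred->bv_val : "",` did that); otherwise the old line should be restored.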

This broke SASL EXTERNAL (testing with internal patch to support ldapi:// and
SO_PEERCRED), because the Cyrus SASL library's EXTERNAL implementation expects
to receive a non-NULL pointer for the input buffer, even if the length is zero.

If it receives a NULL pointer, then it will return SASL_CONTINUE which
ultimately results in SASL_BIND_IN_PROGRESS being returned to the client.

The client, obviously, is not binding with an authorization identity (otherwise
cred->bv_len would be non-zero). Our application is attempting to acquire
Administrator authorization through binding as root over a domain socket.

Presumably there was some reason that this change was introduced (I haven't
checked the commit logs), so it might be difficult to work around if there is a
good reason for it being there. For our purposes, though, I've changed it back.
:-)
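The behaviour the report describes, modelled as an added C example that is not code from the report, from slapd or from Cyrus SASL. It assumes a hypothetical `external_step` server function standing in for the library's EXTERNAL mechanism, with constructed result codes and a toy authorization policy; the two `bind_with_*` wrappers reproduce the before and after argument expressions from the hunk so the difference between an empty input buffer and a NULL one can be seen directly.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result codes named after the ones in the report. The numeric values are
 * constructed for this example; they are not Cyrus SASL's constants. */
enum { MECH_OK = 0, MECH_CONTINUE = 1, MECH_NOAUTHZ = -1 };

/* Minimal stand-in for slapd's berval: a length plus a data pointer. */
struct bval {
    size_t      bv_len;
    const char *bv_val;
};

/*
 * Toy EXTERNAL server step (hypothetical; not the Cyrus SASL code).
 *
 *   clientin == NULL           -> no initial response was sent: ask for one
 *   clientin != NULL, len == 0 -> empty response: authorize as the identity
 *                                 the transport already proved (e.g. the
 *                                 peer credentials on a domain socket)
 *   clientin != NULL, len >  0 -> explicit authorization identity, which
 *                                 this toy policy accepts only when it
 *                                 matches the transport identity
 */
int external_step(const char *transport_id,
                  const char *clientin, size_t clientinlen,
                  const char **authzid_out)
{
    if (clientin == NULL) {
        return MECH_CONTINUE;
    }
    if (clientinlen == 0) {
        *authzid_out = transport_id;
        return MECH_OK;
    }
    if (strlen(transport_id) == clientinlen &&
        memcmp(transport_id, clientin, clientinlen) == 0) {
        *authzid_out = transport_id;
        return MECH_OK;
    }
    return MECH_NOAUTHZ;
}

/* The pre-change slapd argument: an empty credential is passed as "". */
int bind_with_empty_string(const char *transport_id, const struct bval *cred,
                           const char **authzid_out)
{
    return external_step(transport_id,
                         cred->bv_len ? cred->bv_val : "",
                         cred->bv_len, authzid_out);
}

/* The post-change argument from the hunk: an empty credential becomes NULL. */
int bind_with_null(const char *transport_id, const struct bval *cred,
                   const char **authzid_out)
{
    return external_step(transport_id,
                         cred->bv_len ? cred->bv_val : NULL,
                         cred->bv_len, authzid_out);
}

int main(void)
{
    struct bval empty = { 0, NULL };   /* constructed: client sent no authzid */
    const char *who = NULL;
    int rc;

    rc = bind_with_empty_string("root", &empty, &who);
    printf("\"\"  : rc=%d authzid=%s\n", rc, who ? who : "(none)");
    rc = bind_with_null("root", &empty, &who);
    printf("NULL: rc=%d (continue: client is asked for a response)\n", rc);
    return 0;
}
```

With the empty-string form the bind completes as the transport identity; with the NULL form the same request gets MECH_CONTINUE, which is the SASL_BIND_IN_PROGRESS round trip the report complains about. The length alone cannot tell the two cases apart, so any caller that wants to express "empty" rather than "absent" has to keep the pointer non-NULL.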

