Univention Bugzilla – Bug 43732
new supportedSASLMechanisms default in openldap
Last modified: 2023-11-29 11:15:07 CET
-> ldapsearch -LLLx -b '' -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: CRAM-MD5

So now GSS-SPNEGO seems to be the default (GSS-SPNEGO was not supported in UCS prior to 4.2). This means ldapsearch tries GSS-SPNEGO by default, which fails:

-> klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: Administrator@FOUR.TWO

  Issued                Expires               Principal
Mar  6 16:02:10 2017  Mar  7 02:02:09 2017  krbtgt/FOUR.TWO@FOUR.TWO
Mar  6 16:02:11 2017  Mar  7 02:02:09 2017  ldap/master.four.two@FOUR.TWO

-> ldapsearch cn=a
SASL/GSS-SPNEGO authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): authentication failure: GSSAPI Failure: gss_canonicalize_name

If the SASL mechanism is explicitly set, it works as expected:

-> ldapsearch -Y GSSAPI cn=a
SASL/GSSAPI authentication started
SASL username: Administrator@FOUR.TWO
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
...

And in 4.1 ldapsearch (without -Y) worked, as the default sasl mech was GSSAPI.

This new sasl mech is part of the libgssapi sasl lib:

-> strings /usr/lib/x86_64-linux-gnu/sasl2/libgssapiv2.so | grep SPNE
GSS-SPNEGO
-> dpkg -S /usr/lib/x86_64-linux-gnu/sasl2/libgssapiv2.so
libsasl2-modules-gssapi-heimdal:amd64: /usr/lib/x86_64-linux-gnu/sasl2/libgssapiv2.so

What is GSS-SPNEGO anyway? Do we need this? Is this something we want to support?
The potential problem is the changed default. Currently I don't know if the change is in cyrus-sasl2 or in OpenLDAP. See Bug 20051 Comment 2, where Philipp already researched a lot about the configuration options. See also http://www.openldap.org/lists/openldap-technical/201412/msg00208.html
(In reply to Arvid Requate from comment #1)
> The potential problem is the changed default. Currently I don't know if the
> change is in cyrus-sasl2 or in OpenLDAP. See Bug 20051 Comment 2, where
> Philipp already researched a lot about the configuration options.
>
> See also
>
> http://www.openldap.org/lists/openldap-technical/201412/msg00208.html

This is a change in the /usr/lib/x86_64-linux-gnu/sasl2/libgssapiv2.so sasl module (package cyrus-sasl2).

> See Bug 20051 Comment 2,

Ah yes, with the following config I restored the old behavior:

-> more /etc/ldap/sasl2/slapd.conf
mech_list: EXTERNAL gssapi DIGEST-MD5 NTLM CRAM-MD5 LOGIN PLAIN SAML

Maybe we need a template for /etc/ldap/sasl2/slapd.conf?
> Maybe we need a template for /etc/ldap/sasl2/slapd.conf?

That's one of those moments where you realize that we are actually sooo good :-)

root@master10:~# head /etc/ldap/sasl2/slapd.conf
## Warning: This file is auto-generated and might be overwritten by
#           univention-config-registry.
#           Please edit the following file(s) instead:
# Warnung: Diese Datei wurde automatisch generiert und kann durch
#          univention-config-registry überschrieben werden.
#          Bitte bearbeiten Sie an Stelle dessen die folgende(n) Datei(en):
#
#       /etc/univention/templates/files/etc/ldap/sasl2/slapd.conf
#
I added /etc/ldap/sasl2/slapd.conf in UCS 4.1. Is something wrong with it?
(In reply to Florian Best from comment #4)
> I added /etc/ldap/sasl2/slapd.conf in UCS 4.1. Is something wrong with it?

Ah, ok, but mech_list is missing. One way to fix this bug would be to add "mech_list" to the template:

mech_list: EXTERNAL gssapi DIGEST-MD5 NTLM CRAM-MD5 LOGIN PLAIN SAML
Please keep GSS-SPNEGO in the list, if there is no compelling reason against it.
It at least breaks one UCC feature: bug 43730. We could fix it in UCC or here...
(In reply to Arvid Requate from comment #6)
> Please keep GSS-SPNEGO in the list, if there is no compelling reason against
> it.

It does not work currently:

-> ldapsearch cn=a
SASL/GSS-SPNEGO authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): authentication failure: GSSAPI Failure: gss_canonicalize_name
> It does not work currently,

Ok, I did not understand this properly. mech_list determines the list of mechanisms offered by the server. I'd prefer to configure the ldap client libraries to choose what they need instead:

echo "SASL_MECH GSSAPI" >> /etc/ldap/ldap.conf
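A small check, added here as an example and not part of the bug report or of UCS itself, that ties the two fixes discussed in this thread together: it takes the rootDSE listing from the description (reconstructed inline as sample data) plus the contents of a client ldap.conf, reports which mechanism the client ends up trying (the pinned SASL_MECH if present, otherwise, as the thread observed, the first one the server advertises; that ordering rule is an assumption of the script), and flags advertised mechanisms that are not in a hand-maintained list of ones known to work.

```shell
#!/bin/sh
# Added example (not from the bug thread): which SASL mechanism will a client
# negotiate, and does the server advertise mechanisms that do not actually work?
# Assumption: without SASL_MECH in ldap.conf the client tries the first
# mechanism the server lists, which is what the thread observed with GSS-SPNEGO.

# Constructed sample, shaped like: ldapsearch -LLLx -b '' -s base supportedSASLMechanisms
ROOTDSE='dn:
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: CRAM-MD5'

# Mechanisms the thread reports as working, or wants kept in mech_list;
# GSS-SPNEGO (fails with gss_canonicalize_name) and NTLM (unsupported) are not here.
KNOWN_GOOD='EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN'

# advertised_mechs LDIF -> mechanism names, one per line, server order preserved
advertised_mechs() {
    printf '%s\n' "$1" | sed -n 's/^supportedSASLMechanisms: *//p'
}

# effective_mech LDIF LDAPCONF -> mechanism the client will try first:
# the SASL_MECH pinned in ldap.conf (commented lines ignored), else the first advertised.
effective_mech() {
    pinned=$(printf '%s\n' "$2" \
        | sed -n 's/^[[:space:]]*SASL_MECH[[:space:]][[:space:]]*//p' | tail -n 1)
    if [ -n "$pinned" ]; then
        printf '%s\n' "$pinned"
    else
        advertised_mechs "$1" | head -n 1
    fi
}

# unsupported_mechs LDIF -> advertised mechanisms missing from KNOWN_GOOD
unsupported_mechs() {
    advertised_mechs "$1" | while read -r m; do
        case " $KNOWN_GOOD " in
            *" $m "*) ;;                 # known to work, keep quiet
            *) printf '%s\n' "$m" ;;     # advertised but not known to work
        esac
    done
}

echo "Default mechanism without SASL_MECH: $(effective_mech "$ROOTDSE" "")"
echo "With SASL_MECH GSSAPI pinned:        $(effective_mech "$ROOTDSE" "SASL_MECH GSSAPI")"
echo "Advertised but not known to work:    $(unsupported_mechs "$ROOTDSE" | tr '\n' ' ')"
```

Against a live server, replace the ROOTDSE sample with the real ldapsearch output and the second argument with the contents of /etc/ldap/ldap.conf; a non-empty "advertised but not known to work" line is the server-side mech_list problem, and a default mechanism outside KNOWN_GOOD is what the SASL_MECH line in ldap.conf avoids.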
*** Bug 44283 has been marked as a duplicate of this bug. ***
This issue has been filed against UCS 4.2. UCS 4.2 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed. If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.
We list NTLM in "supportedSASLMechanisms: NTLM" but don't support it, afaics, so we should also remove it from the list.