Bug 43732 - new supportedSASLMechanisms default in openldap
Status: REOPENED
Product: UCS
Classification: Unclassified
Component: LDAP
UCS 5.0
Other Linux
Importance: P5 normal
: ---
Assigned To: UCS maintainers
https://www.openldap.org/lists/openld...
Duplicates: 44283
Depends on:
Blocks: 44164 53448 53449
Reported: 2017-03-06 16:56 CET by Felix Botner
Modified: 2023-11-29 11:15 CET (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 2: Improvement: Would be a product improvement
Who will be affected by this bug?: 4: Will affect most installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.091
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:
Description Felix Botner univentionstaff 2017-03-06 16:56:07 CET
-> ldapsearch -LLLx -b '' -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: CRAM-MD5


So now GSS-SPNEGO seems to be the default (GSS-SPNEGO was not supported in UCS prior to 4.2). This means ldapsearch tries GSS-SPNEGO by default, which fails:

-> klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: Administrator@FOUR.TWO

  Issued                Expires               Principal
Mar  6 16:02:10 2017  Mar  7 02:02:09 2017  krbtgt/FOUR.TWO@FOUR.TWO
Mar  6 16:02:11 2017  Mar  7 02:02:09 2017  ldap/master.four.two@FOUR.TWO


-> ldapsearch cn=a
SASL/GSS-SPNEGO authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): authentication failure: GSSAPI Failure: gss_canonicalize_name

If the SASL mechanism is explicitly set, it works as expected:

-> ldapsearch -Y GSSAPI cn=a
SASL/GSSAPI authentication started
SASL username: Administrator@FOUR.TWO
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
...

And in 4.1, ldapsearch (without -Y) worked, as the default SASL mech was GSSAPI.

This new sasl mech is part of the libgssapi sasl lib:

-> strings /usr/lib/x86_64-linux-gnu/sasl2/libgssapiv2.so| grep SPNE
GSS-SPNEGO
-> dpkg -S /usr/lib/x86_64-linux-gnu/sasl2/libgssapiv2.so
libsasl2-modules-gssapi-heimdal:amd64: /usr/lib/x86_64-linux-gnu/sasl2/libgssapiv2.so

What is GSS-SPNEGO anyway?
Do we need this?
Is this something we want to support?
Comment 1 Arvid Requate univentionstaff 2017-03-06 17:58:45 CET
The potential problem is the changed default. Currently I don't know if the change is in cyrus-sasl2 or in OpenLDAP. See Bug 20051 Comment 2, where Philipp already researched a lot about the configuration options.

See also

http://www.openldap.org/lists/openldap-technical/201412/msg00208.html
Comment 2 Felix Botner univentionstaff 2017-03-07 09:36:34 CET
(In reply to Arvid Requate from comment #1)
> The potential problem is the changed default. Currently I don't know if the
> change is in cyrus-sasl2 or in OpenLDAP. See Bug 20051 Comment 2, where
> Philipp already researched a lot about the configuration options.
> 
> See also
> 
> http://www.openldap.org/lists/openldap-technical/201412/msg00208.html

This is a change in the /usr/lib/x86_64-linux-gnu/sasl2/libgssapiv2.so sasl module (package cyrus-sasl2)

> See Bug 20051 Comment 2,

Ah yes, with the following config I restored the old behavior:

-> more /etc/ldap/sasl2/slapd.conf
mech_list: EXTERNAL gssapi DIGEST-MD5 NTLM CRAM-MD5 LOGIN PLAIN SAML

Maybe we need a template for /etc/ldap/sasl2/slapd.conf?
Comment 3 Arvid Requate univentionstaff 2017-03-07 12:35:47 CET
> Maybe we need a template for /etc/ldap/sasl2/slapd.conf?


That's one of those moments where you realize that we are actually sooo good :-)

root@master10:~# head /etc/ldap/sasl2/slapd.conf
## Warning: This file is auto-generated and might be overwritten by
#          univention-config-registry.
#          Please edit the following file(s) instead:
# Warnung: Diese Datei wurde automatisch generiert und kann durch
#          univention-config-registry überschrieben werden.
#          Bitte bearbeiten Sie an Stelle dessen die folgende(n) Datei(en):
# 
#       /etc/univention/templates/files/etc/ldap/sasl2/slapd.conf
#
Comment 4 Florian Best univentionstaff 2017-03-07 12:37:35 CET
I added /etc/ldap/sasl2/slapd.conf in UCS 4.1. Is something wrong with it?
Comment 5 Felix Botner univentionstaff 2017-03-07 12:44:10 CET
(In reply to Florian Best from comment #4)
> I added /etc/ldap/sasl2/slapd.conf in UCS 4.1. Is something wrong with it?

Ah, ok.
But mech_list is missing; one way to fix this bug would be to add "mech_list" to the template:

mech_list: EXTERNAL gssapi DIGEST-MD5 NTLM CRAM-MD5 LOGIN PLAIN SAML
Comment 6 Arvid Requate univentionstaff 2017-03-07 13:01:40 CET
Please keep GSS-SPNEGO in the list, if there is no compelling reason against it.
Comment 7 Erik Damrose univentionstaff 2017-03-07 13:06:50 CET
It at least breaks one UCC feature: bug 43730. We could fix it in UCC or here...
Comment 8 Felix Botner univentionstaff 2017-03-07 13:12:56 CET
(In reply to Arvid Requate from comment #6)
> Please keep GSS-SPNEGO in the list, if there is no compelling reason against
> it.

It does not work currently:

-> ldapsearch cn=a
SASL/GSS-SPNEGO authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): authentication failure: GSSAPI Failure: gss_canonicalize_name
Comment 9 Arvid Requate univentionstaff 2017-03-07 22:13:04 CET
> It does not work currently, 

Ok, I did not understand this properly. mech_list determines the list of mechanisms offered by the server. I'd prefer to configure the ldap client libraries to choose what they need instead:

echo "SASL_MECH GSSAPI" >> /etc/ldap/ldap.conf
Comment 10 Erik Damrose univentionstaff 2017-04-04 14:01:27 CEST
*** Bug 44283 has been marked as a duplicate of this bug. ***
Comment 11 Ingo Steuwer univentionstaff 2020-07-03 20:54:19 CEST
This issue has been filed against UCS 4.2.

UCS 4.2 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.
Comment 12 Florian Best univentionstaff 2023-10-23 14:38:11 CEST
We list NTLM in "supportedSASLMechanisms: NTLM" but don't support it, afaics, so we should also remove it from the list.
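As an added example (not code from this bug or from UCS), a small Python audit that parses the rootDSE output shown in the description and the mech_list from /etc/ldap/sasl2/slapd.conf (comment 5), flags mechanisms the server advertises but does not list or, like NTLM (comment 12), does not actually support, and emits the trimmed mech_list line. The sample LDIF and config below are constructed from the values quoted in this bug; the set of "unsupported" mechanisms is an assumption taken from comment 12.

```python
# Constructed sample: output of `ldapsearch -LLLx -b '' -s base supportedSASLMechanisms`
ROOTDSE_LDIF = """\
dn:
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: CRAM-MD5
"""
# Constructed sample slapd.conf carrying the mech_list proposed in comment 5
SLAPD_SASL_CONF = """\
mech_list: EXTERNAL gssapi DIGEST-MD5 NTLM CRAM-MD5 LOGIN PLAIN SAML
"""

def parse_advertised(ldif):
    """Return the supportedSASLMechanisms values in the order the server lists them."""
    mechs = []
    for line in ldif.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "supportedSASLMechanisms":
            mechs.append(value.strip().upper())
    return mechs

def parse_mech_list(conf):
    """Return the mech_list entries (upper-cased), or None if the file sets none."""
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep and key.strip() == "mech_list":
            return [m.upper() for m in value.split()]
    return None  # no mech_list: every installed plugin mechanism is offered

def audit(ldif, conf, unsupported=("NTLM",)):
    """Flag advertised mechanisms missing from mech_list or assumed unsupported (comment 12)."""
    advertised = parse_advertised(ldif)
    allowed = parse_mech_list(conf)
    return {
        "first_offered": advertised[0] if advertised else None,  # what the bug saw ldapsearch try
        "not_in_mech_list": [m for m in advertised if allowed is not None and m not in allowed],
        "unsupported_advertised": [m for m in advertised if m in unsupported],
    }

def hardened_mech_list(conf, drop=("NTLM",)):
    """Rewrite the mech_list line without the mechanisms in `drop`."""
    allowed = parse_mech_list(conf) or []
    return "mech_list: " + " ".join(m for m in allowed if m not in drop)
```

Run `audit(ROOTDSE_LDIF, SLAPD_SASL_CONF)` against the real `ldapsearch` output and the live slapd.conf to see which advertised mechanisms the template does not account for.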