Control: reassign -1 libsasl2-2 2.1.25.dfsg1-6+deb7u1 On Mi, 30 oct 13, 20:58:16, Christian Schwamborn wrote: > Package: libsasl2 > Version: 2.1.25.dfsg1-6+deb7u1 > Severity: important > > A quote from the upstream bugreport: > > Formerly (as of 2.1.23) SASL library did not care if there was no > auxprop plugin set up/present, current (2.1.25) library _requires_ > the presence of properly comfigured and working auxprop plugin, > making SASL usesless as an auth provider in daily operations. > > The following configuration works with cyrus-sasl 2.1.23 and fails > miserably with "no mechs available" with cyrus-sasl 2.1.25: > > - run saslauthd with pam as an auth mechanism > - run postfix (or any other daemon) with pwcheck_method set to saslauthd > > The root cause is the call to _sasl_auxprop_lookup_user_props that > has been added to _sasl_canon_user(_lookup) which causes > authentication to fail if no auxprop plugin in configured. > <end of quote> > > This issue is known in the cyrus-sasl and ubuntu bugtracker aswell: > https://bugzilla.cyrusimap.org/show_bug.cgi?id=3590 > https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/875440 > > I attached the patch from revision d1b57852247641be30decc480b0719d322f0bc5c > > I hope this can be applied to wheeze, since it really breaks an easy > mailserver setup. > > Cheers, > Christian Schwamborn
> From d1b57852247641be30decc480b0719d322f0bc5c Mon Sep 17 00:00:00 2001
> From: Alexey Melnikov <alexey.melni...@isode.com>
> Date: Thu, 19 Apr 2012 14:41:12 +0100
> Subject: Fixed PLAIN/LOGIN authentication failure when using saslauthd with
> no auxprop plugins
>
> PLAIN/LOGIN plugins should be able to work with no auxprop plugins configured,
> for example if they are using saslauthd. This patch fixes them to work
> in such configurations. In order to achieve this the following changes were
> made
>
> 1) SASL_NOMECH should be handled the same way as SASL_NOUSER while looking
> up auxprop properties.
> 2) SASL PLAIN/LOGIN should pass "this identity was verified externally"
> to auxprop lookup. This will prevent auxprop lookup from failing with
> SASL_NOMECH. Note that they verify user accounts using checkpass interface
> anyway.
>
> Cyrus SASL Bug # 3590
>
> Test-information:
> The following SASL plugins were tested:
> PLAIN, EXTERNAL, SCRAM-SHA-1, LOGIN (partially)
> They were tested with missing auxprop plugins and with a present one.
> ---
> include/sasl.h | 4 +++-
> lib/canonusr.c | 8 +++++---
> plugins/login.c | 6 ++++--
> plugins/plain.c | 2 +-
> 4 files changed, 13 insertions(+), 7 deletions(-)
>
> diff --git a/include/sasl.h b/include/sasl.h
> index 2ac5300..ed27104 100755
> --- a/include/sasl.h
> +++ b/include/sasl.h
> @@ -633,8 +633,10 @@ typedef int sasl_server_userdb_setpass_t(sasl_conn_t
> *conn,
> /* One of the following two is required */
> #define SASL_CU_AUTHID 0x01
> #define SASL_CU_AUTHZID 0x02
> +
> /* Combine the following with SASL_CU_AUTHID, if you don't want
> - to fail if auxprop returned SASL_NOUSER */
> + to fail if auxprop returned SASL_NOUSER/SASL_NOMECH.
> + This flag has no effect on SASL_CU_AUTHZID. */
> #define SASL_CU_EXTERNALLY_VERIFIED 0x04
>
> #define SASL_CU_OVERRIDE 0x08 /* mapped to SASL_AUXPROP_OVERRIDE
> */
> diff --git a/lib/canonusr.c b/lib/canonusr.c
> index 0049d13..faee103 100644
> --- a/lib/canonusr.c
> +++ b/lib/canonusr.c
> @@ -241,12 +241,14 @@ static int _sasl_auxprop_lookup_user_props (sasl_conn_t
> *conn,
> }
> }
>
> - if (result == SASL_NOUSER && (flags & SASL_CU_EXTERNALLY_VERIFIED)) {
> + if ((flags & SASL_CU_EXTERNALLY_VERIFIED) && (result == SASL_NOUSER ||
> result == SASL_NOMECH)) {
> /* The called has explicitly told us that the authentication
> identity
> - was already verified. So a failure to retrieve any associated
> properties
> + was already verified or will be verified independently.
> + So a failure to retrieve any associated properties
> is not an error. For example the caller is using Kerberos to
> verify user,
> but the LDAPDB/SASLDB auxprop plugin doesn't contain any
> auxprops for
> - the user. */
> + the user.
> + Another case is PLAIN/LOGIN not using auxprop to verify user
> passwords. */
> result = SASL_OK;
> }
> }
> diff --git a/plugins/login.c b/plugins/login.c
> index ee44be6..f2a05ac 100644
> --- a/plugins/login.c
> +++ b/plugins/login.c
> @@ -179,9 +179,11 @@ static int login_server_mech_step(void *conn_context,
>
> /* canonicalize username first, so that password verification is
> * done against the canonical id */
> - result = params->canon_user(params->utils->conn, text->username,
> + result = params->canon_user(params->utils->conn,
> + text->username,
> text->username_len,
> - SASL_CU_AUTHID | SASL_CU_AUTHZID, oparams);
> + SASL_CU_AUTHID | SASL_CU_AUTHZID |
> SASL_CU_EXTERNALLY_VERIFIED,
> + oparams);
> if (result != SASL_OK) return result;
>
> /* verify_password - return sasl_ok on success */
> diff --git a/plugins/plain.c b/plugins/plain.c
> index ddbc1f8..e6180a1 100644
> --- a/plugins/plain.c
> +++ b/plugins/plain.c
> @@ -159,7 +159,7 @@ static int plain_server_mech_step(void *conn_context
> __attribute__((unused)),
> result = params->canon_user(params->utils->conn,
> authen,
> 0,
> - SASL_CU_AUTHID | canon_flags,
> + SASL_CU_AUTHID | canon_flags |
> SASL_CU_EXTERNALLY_VERIFIED,
> oparams);
> if (result != SASL_OK) {
> _plug_free_string(params->utils, &passcopy);
>
--
http://wiki.debian.org/FAQsFromDebianUser
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
http://nuvreauspam.ro/gpg-transition.txt
signature.asc
Description: Digital signature
