Control: reassign -1 libsasl2-2 2.1.25.dfsg1-6+deb7u1

On Mi, 30 oct 13, 20:58:16, Christian Schwamborn wrote:
> Package: libsasl2
> Version: 2.1.25.dfsg1-6+deb7u1
> Severity: important
>
> A quote from the upstream bug report:
>
> Formerly (as of 2.1.23) SASL library did not care if there was no
> auxprop plugin set up/present, current (2.1.25) library _requires_
> the presence of properly configured and working auxprop plugin,
> making SASL useless as an auth provider in daily operations.
>
> The following configuration works with cyrus-sasl 2.1.23 and fails
> miserably with "no mechs available" with cyrus-sasl 2.1.25:
>
> - run saslauthd with pam as an auth mechanism
> - run postfix (or any other daemon) with pwcheck_method set to saslauthd
>
> The root cause is the call to _sasl_auxprop_lookup_user_props that
> has been added to _sasl_canon_user(_lookup) which causes
> authentication to fail if no auxprop plugin is configured.
> <end of quote>
>
> This issue is known in the cyrus-sasl and Ubuntu bug tracker as well:
> https://bugzilla.cyrusimap.org/show_bug.cgi?id=3590
> https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/875440
>
> I attached the patch from revision d1b57852247641be30decc480b0719d322f0bc5c
>
> I hope this can be applied to wheezy, since it really breaks an easy
> mailserver setup.
>
> Cheers,
> Christian Schwamborn
> From d1b57852247641be30decc480b0719d322f0bc5c Mon Sep 17 00:00:00 2001 > From: Alexey Melnikov <alexey.melni...@isode.com> > Date: Thu, 19 Apr 2012 14:41:12 +0100 > Subject: Fixed PLAIN/LOGIN authentication failure when using saslauthd with > no auxprop plugins > > PLAIN/LOGIN plugins should be able to work with no auxprop plugins configured, > for example if they are using saslauthd. This patch fixes them to work > in such configurations. In order to achieve this the following changes were > made > > 1) SASL_NOMECH should be handled the same way as SASL_NOUSER while looking > up auxprop properties. > 2) SASL PLAIN/LOGIN should pass "this identity was verified externally" > to auxprop lookup. This will prevent auxprop lookup from failing with > SASL_NOMECH. Note that they verify user accounts using checkpass interface > anyway. > > Cyrus SASL Bug # 3590 > > Test-information: > The following SASL plugins were tested: > PLAIN, EXTERNAL, SCRAM-SHA-1, LOGIN (partially) > They were tested with missing auxprop plugins and with a present one. > --- > include/sasl.h | 4 +++- > lib/canonusr.c | 8 +++++--- > plugins/login.c | 6 ++++-- > plugins/plain.c | 2 +- > 4 files changed, 13 insertions(+), 7 deletions(-) > > diff --git a/include/sasl.h b/include/sasl.h > index 2ac5300..ed27104 100755 > --- a/include/sasl.h > +++ b/include/sasl.h > @@ -633,8 +633,10 @@ typedef int sasl_server_userdb_setpass_t(sasl_conn_t > *conn, > /* One of the following two is required */ > #define SASL_CU_AUTHID 0x01 > #define SASL_CU_AUTHZID 0x02 > + > /* Combine the following with SASL_CU_AUTHID, if you don't want > - to fail if auxprop returned SASL_NOUSER */ > + to fail if auxprop returned SASL_NOUSER/SASL_NOMECH. > + This flag has no effect on SASL_CU_AUTHZID. */ > #define SASL_CU_EXTERNALLY_VERIFIED 0x04 > > #define SASL_CU_OVERRIDE 0x08 /* mapped to SASL_AUXPROP_OVERRIDE > */ > diff --git a/lib/canonusr.c b/lib/canonusr.c > index 0049d13..faee103 100644 > --- a/lib/canonusr.c 
> +++ b/lib/canonusr.c > @@ -241,12 +241,14 @@ static int _sasl_auxprop_lookup_user_props (sasl_conn_t > *conn, > } > } > > - if (result == SASL_NOUSER && (flags & SASL_CU_EXTERNALLY_VERIFIED)) { > + if ((flags & SASL_CU_EXTERNALLY_VERIFIED) && (result == SASL_NOUSER || > result == SASL_NOMECH)) { > /* The called has explicitly told us that the authentication > identity > - was already verified. So a failure to retrieve any associated > properties > + was already verified or will be verified independently. > + So a failure to retrieve any associated properties > is not an error. For example the caller is using Kerberos to > verify user, > but the LDAPDB/SASLDB auxprop plugin doesn't contain any > auxprops for > - the user. */ > + the user. > + Another case is PLAIN/LOGIN not using auxprop to verify user > passwords. */ > result = SASL_OK; > } > } > diff --git a/plugins/login.c b/plugins/login.c > index ee44be6..f2a05ac 100644 > --- a/plugins/login.c > +++ b/plugins/login.c > @@ -179,9 +179,11 @@ static int login_server_mech_step(void *conn_context, > > /* canonicalize username first, so that password verification is > * done against the canonical id */ > - result = params->canon_user(params->utils->conn, text->username, > + result = params->canon_user(params->utils->conn, > + text->username, > text->username_len, > - SASL_CU_AUTHID | SASL_CU_AUTHZID, oparams); > + SASL_CU_AUTHID | SASL_CU_AUTHZID | > SASL_CU_EXTERNALLY_VERIFIED, > + oparams); > if (result != SASL_OK) return result; > > /* verify_password - return sasl_ok on success */ > diff --git a/plugins/plain.c b/plugins/plain.c > index ddbc1f8..e6180a1 100644 > --- a/plugins/plain.c > +++ b/plugins/plain.c 
> @@ -159,7 +159,7 @@ static int plain_server_mech_step(void *conn_context > __attribute__((unused)), > result = params->canon_user(params->utils->conn, > authen, > 0, > - SASL_CU_AUTHID | canon_flags, > + SASL_CU_AUTHID | canon_flags | > SASL_CU_EXTERNALLY_VERIFIED, > oparams); > if (result != SASL_OK) { > _plug_free_string(params->utils, &passcopy); > -- http://wiki.debian.org/FAQsFromDebianUser Offtopic discussions among Debian users and developers: http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic http://nuvreauspam.ro/gpg-transition.txt
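Review bot: in include/sasl.h, the comment above SASL_CU_EXTERNALLY_VERIFIED still describes only which return codes are tolerated and does not say that the flag may now be passed before the caller has verified anything, which is how plugins/login.c and plugins/plain.c use it in this patch. The lib/canonusr.c comment gains "or will be verified independently"; the public header is where plugin authors will look, so the same wording belongs here, along with a sentence saying that a caller setting the flag remains responsible for the credential check.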
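Review bot: in lib/canonusr.c, the widened condition turns SASL_NOMECH into SASL_OK silently whenever SASL_CU_EXTERNALLY_VERIFIED is set, so a deployment that expects auxprop properties gets no sign that the lookup had no plugin to run. Consider a debug-level log message before `result = SASL_OK;` that names which of the two codes was suppressed. Two smaller points while the comment is being edited: "The called has explicitly told us" should read "The caller has", and the new condition line is long enough to deserve a break after the `&&`.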
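Review bot: in plugins/login.c, SASL_CU_EXTERNALLY_VERIFIED is passed to canon_user before the password has been checked (the `/* verify_password ... */` step follows the call), so the flag name no longer matches what is true at the call site. Add a short comment there saying the identity is verified immediately afterwards through the checkpass interface and that the flag is set only so a missing auxprop plugin does not abort the step. The commit message lists LOGIN as tested only "(partially)"; since this hunk changes LOGIN behaviour, a full run with no auxprop plugin and with one present is worth recording.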
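Review bot: in plugins/plain.c, the flag is OR'ed in unconditionally, so canon_user no longer returns SASL_NOUSER for an authentication identity the auxprop plugin does not know, and rejecting that user now rests entirely on the password check that follows. The test information covers "missing auxprop plugins and with a present one" but does not mention an unknown user or a wrong password while an auxprop plugin is present; please add that case and confirm PLAIN still fails. The same question applies to the login.c call.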