--On October 28, 2011 3:55:54 AM +0000 Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:

On Thu, Oct 27, 2011 at 07:22:05PM -0700, Quanah Gibson-Mount wrote:

The issue I fixed today would affect any postfix build with an
OpenLDAP API at least as far back as OpenLDAP 2.1.  What postfix
revisions you fix are entirely up to you of course, and I think
reasonably I wouldn't expect you to fix unsupported postfix
releases, but it is not limited to the OpenLDAP 2.4 API.

No, in OpenLDAP 2.3.4, the ldap_parse_sasl_bind_result()
function returns an error when bind operations fail:

        ... openldap-2.3.4/libraries/libldap/sasl.c line 349:
                ld->ld_errno = errcode;

                if ( freeit ) {
                        ldap_msgfree( res );
                }

                return( ld->ld_errno );
        }

Therefore, with OpenLDAP 2.3(.4) or older the Postfix code does not
IMHO fail to detect failed logins. What evidence do you have to
the contrary?

Reading the code in libraries/libldap/sasl.c, specifically the function ldap_sasl_bind_s. This is from OpenLDAP 2.1.30. Note that ldap_result2error is still called after ldap_parse_sasl_bind_result.

       if ( ldap_result( ld, msgid, 1, NULL, &result ) == -1 ) {
               return( ld->ld_errno ); /* ldap_result sets ld_errno */
       }

       /* parse the results */
       scredp = NULL;
       if( servercredp != NULL ) {
               rc = ldap_parse_sasl_bind_result( ld, result, &scredp, 0 );
       }

       if ( rc != LDAP_SUCCESS && rc != LDAP_SASL_BIND_IN_PROGRESS ) {
               ldap_msgfree( result );
               return( rc );
       }

       rc = ldap_result2error( ld, result, 1 );

       if ( rc == LDAP_SUCCESS || rc == LDAP_SASL_BIND_IN_PROGRESS ) {
               if( servercredp != NULL ) {
                       *servercredp = scredp;
                       scredp = NULL;
               }
       }

       if ( scredp != NULL ) {
               ber_bvfree(scredp);
       }

       return rc;

--Quanah

--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration
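
A model of the question this thread turns on, added here as an illustration; it is not part of either message and is not OpenLDAP or Postfix code. Every name in it is hypothetical, and the two parsers stand for the two behaviours being argued over: one returns the server's result code (as in the 2.3.4 excerpt quoted above), the other reports only whether the response could be decoded.

```c
#include <stdio.h>

/* Result codes with their RFC 4511 values; the names are local to this example. */
enum { RC_SUCCESS = 0, RC_SASL_BIND_IN_PROGRESS = 14, RC_INVALID_CREDENTIALS = 49 };
#define RC_DECODE_FAILED (-1)   /* constructed client-side error value */

/* Constructed stand-in for a bind response received from the server. */
struct bind_response {
    int well_formed;   /* 0 when the response cannot be decoded */
    int result_code;   /* result code the server placed in the response */
};

/* Parser behaviour A (assumed): hand back the server's result code. */
static int parse_returns_result_code(const struct bind_response *r) {
    return r->well_formed ? r->result_code : RC_DECODE_FAILED;
}

/* Parser behaviour B (assumed): report only whether decoding worked. */
static int parse_returns_decode_status(const struct bind_response *r) {
    return r->well_formed ? RC_SUCCESS : RC_DECODE_FAILED;
}

typedef int (*parse_fn)(const struct bind_response *);

/* Caller that trusts the parser's return value alone. */
static int bind_ok_parse_only(parse_fn parse, const struct bind_response *r) {
    return parse(r) == RC_SUCCESS;
}

/* Caller that also reads the result code itself, the role ldap_result2error
 * plays after the parse step in the 2.1.30 excerpt above. */
static int bind_ok_checked(parse_fn parse, const struct bind_response *r) {
    int rc = parse(r);
    if (rc != RC_SUCCESS && rc != RC_SASL_BIND_IN_PROGRESS)
        return 0;                           /* decode error or reported failure */
    return r->result_code == RC_SUCCESS;    /* only a completed bind counts */
}

int main(void) {
    struct bind_response bad_login = { 1, RC_INVALID_CREDENTIALS };
    printf("parse-only, A: %d\n", bind_ok_parse_only(parse_returns_result_code, &bad_login));
    printf("parse-only, B: %d\n", bind_ok_parse_only(parse_returns_decode_status, &bad_login));
    printf("checked,    A: %d\n", bind_ok_checked(parse_returns_result_code, &bad_login));
    printf("checked,    B: %d\n", bind_ok_checked(parse_returns_decode_status, &bad_login));
    return 0;
}
```

A caller written like `bind_ok_checked` gives the same answer under either behaviour, so its correctness does not depend on which library version it is linked against.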
