New feature allows administrator to configure DS to allow/forbid certain SASL mechanisms. These mechanisms are advertised in RootDSE.
According to the design document: "Using the new configuration attribute "nsslapd-allowed-sasl-mechanisms", specify the list of the mechanisms you wish to allow. Each mechanism can be separated by commas or spaces.
This setting does not require a server restart to take effect."
I consider 5 scenarios. Before each, DS was freshly installed.

Scenario 1: Try setting all mechanisms separated by comma, then try to allow only 2 of them.
Result: Only EXTERNAL and ANONYMOUS are set, change is silently ignored.

Scenario 2: Try setting all mechanisms separated by space, then try to allow only 2 of them.
Result: All mechanisms are accepted correctly, any subsequent change is silently ignored.

Scenario 3: Try setting just 2 allowed mechanisms with commas, try replacing them with some others.
Result: I tried setting SCRAM-SHA-1 and GSSAPI, but RootDSE advertised EXTERNAL and GSSAPI, subsequent changes are silently ignored.

Scenario 4: Try setting just 2 allowed mechanisms without commas, try replacing them with some others.
Result: I tried setting SCRAM-SHA-1 and GSSAPI, but RootDSE advertised EXTERNAL, SCRAM-SHA-1 and GSSAPI.

Scenario 5: Replace empty nsslapd-allowed-sasl-mechanisms with empty value.
Result: Only EXTERNAL is advertised by RootDSE.
Steps to Reproduce:
SCENARIO 1:
[jrusnack@dstet 6.0]$ ldapmodify -h localhost -p 22222 -D "cn=directory manager" -w Secret123 <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-allowed-sasl-mechanisms
nsslapd-allowed-sasl-mechanisms: EXTERNAL, SCRAM-SHA-1, GSSAPI, GSS-SPNEGO, DIGEST-MD5, CRAM-MD5, LOGIN, PLAIN, ANONYMOUS
EOF
modifying entry "cn=config"

[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -b "" -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: ANONYMOUS

[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -s base -b "cn=config" nsslapd-allowed-sasl-mechanisms
dn: cn=config
nsslapd-allowed-sasl-mechanisms: EXTERNAL, SCRAM-SHA-1, GSSAPI, GSS-SPNEGO, DIGEST-MD5, CRAM-MD5, LOGIN, PLAIN, ANONYMOUS

[jrusnack@dstet 6.0]$ ldapmodify -h localhost -p 22222 -D "cn=directory manager" -w Secret123 <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-allowed-sasl-mechanisms
nsslapd-allowed-sasl-mechanisms: SCRAM-SHA-1 GSSAPI
EOF
modifying entry "cn=config"
SCENARIO 2:
[jrusnack@dstet 6.0]$ ldapmodify -h localhost -p 22222 -D "cn=directory manager" -w Secret123 <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-allowed-sasl-mechanisms
nsslapd-allowed-sasl-mechanisms: EXTERNAL SCRAM-SHA-1 GSSAPI GSS-SPNEGO DIGEST-MD5 CRAM-MD5 LOGIN PLAIN ANONYMOUS
EOF

[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -b "" -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: SCRAM-SHA-1
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: ANONYMOUS

[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -s base -b "cn=config" nsslapd-allowed-sasl-mechanisms
dn: cn=config
nsslapd-allowed-sasl-mechanisms: EXTERNAL SCRAM-SHA-1 GSSAPI GSS-SPNEGO DIGEST-MD5 CRAM-MD5 LOGIN PLAIN ANONYMOUS

[jrusnack@dstet 6.0]$ ldapmodify -h localhost -p 22222 -D "cn=directory manager" -w Secret123 <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-allowed-sasl-mechanisms
nsslapd-allowed-sasl-mechanisms: SCRAM-SHA-1 GSSAPI
EOF
modifying entry "cn=config"
SCENARIO 3:
[jrusnack@dstet 6.0]$ ldapmodify -h localhost -p 22222 -D "cn=directory manager" -w Secret123 <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-allowed-sasl-mechanisms
nsslapd-allowed-sasl-mechanisms: SCRAM-SHA-1, GSSAPI
EOF

[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -s base -b "cn=config" nsslapd-allowed-sasl-mechanisms
dn: cn=config
nsslapd-allowed-sasl-mechanisms: SCRAM-SHA-1, GSSAPI

[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -b "" -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: GSSAPI

[jrusnack@dstet 6.0]$ ldapmodify -h localhost -p 22222 -D "cn=directory manager" -w Secret123 <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-allowed-sasl-mechanisms
nsslapd-allowed-sasl-mechanisms: SCRAM-SHA-1, GSSAPI, DIGEST-MD5
EOF
SCENARIO 4:
[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -b "" -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: SCRAM-SHA-1
supportedSASLMechanisms: GSSAPI

[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -s base -b "cn=config" nsslapd-allowed-sasl-mechanisms
dn: cn=config
nsslapd-allowed-sasl-mechanisms: SCRAM-SHA-1 GSSAPI

[jrusnack@dstet 6.0]$ ldapmodify -h localhost -p 22222 -D "cn=directory manager" -w Secret123 <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-allowed-sasl-mechanisms
nsslapd-allowed-sasl-mechanisms: DIGEST-MD5 GSS-SPNEGO
EOF
SCENARIO 5:
is empty
[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -b "" -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: SCRAM-SHA-1
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: ANONYMOUS

[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -s base -b "cn=config" nsslapd-allowed-sasl-mechanisms
dn: cn=config
nsslapd-allowed-sasl-mechanisms:

[jrusnack@dstet 6.0]$ ldapmodify -h localhost -p 22222 -D "cn=directory manager" -w Secret123 <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-allowed-sasl-mechanisms
nsslapd-allowed-sasl-mechanisms:
EOF
modifying entry "cn=config"

[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory manager" -w Secret123 -b "" -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL
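The following is an added C example, not 389-ds-base code, that models the behaviour seen in scenarios 1 and 3 (a token carrying a trailing comma never matches a mechanism name) next to a tokenizer that accepts commas and spaces as the design document describes. The mechanism table, the function names and the unconditional EXTERNAL entry (taken from what every scenario above advertises) are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup and strtok_r */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Mechanisms the SASL library offers (constructed sample matching the ticket). */
static const char *available[] = { "EXTERNAL", "SCRAM-SHA-1", "GSSAPI", "GSS-SPNEGO",
                                   "DIGEST-MD5", "CRAM-MD5", "LOGIN", "PLAIN", "ANONYMOUS" };
#define NAVAIL ((int)(sizeof(available) / sizeof(available[0])))

/* Does the raw nsslapd-allowed-sasl-mechanisms value permit 'mech'? 'sep' is the
 * separator set used to tokenize it: " " reproduces the bug (the token "SCRAM-SHA-1,"
 * never equals "SCRAM-SHA-1"); ", " treats commas and spaces alike. NULL/empty permits nothing. */
static int mech_is_allowed(const char *allowed, const char *mech, const char *sep)
{
    char *copy = NULL, *tok, *save;
    int found = 0;
    if (allowed == NULL || *allowed == '\0' || (copy = strdup(allowed)) == NULL)
        return 0;                              /* copy: strtok_r modifies its input */
    for (tok = strtok_r(copy, sep, &save); tok; tok = strtok_r(NULL, sep, &save)) {
        if (strcmp(tok, mech) == 0) { found = 1; break; }
    }
    free(copy);
    return found;
}

/* Fill 'out' with what RootDSE would advertise: EXTERNAL unconditionally (every scenario
 * above shows it) plus each available mechanism the value permits. Returns the count. */
static int advertised(const char *allowed, const char *sep, const char *out[], int max)
{
    int i, n = 0;
    for (i = 0; i < NAVAIL && n < max; i++) {
        if (i == 0 || mech_is_allowed(allowed, available[i], sep))
            out[n++] = available[i];           /* available[0] is EXTERNAL */
    }
    return n;
}
int main(void)
{
    const char *out[NAVAIL], *value = "SCRAM-SHA-1, GSSAPI";   /* scenario 3 input */
    const char *seps[] = { " ", ", " };                          /* buggy, then fixed */
    int s, i, n;
    for (s = 0; s < 2; s++) {
        n = advertised(value, seps[s], out, NAVAIL);
        printf("split on \"%s\": %d advertised ->", seps[s], n);
        for (i = 0; i < n; i++) printf(" %s", out[i]);
        printf("\n");
    }
    return 0;
}
```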
After some discussion with Jan (who reported these issues), it looks like any SASL mechanisms with a comma at the end of them are ignored. I think it is fine to change the design doc to only support space separated lists for this.
There are still some issues here to investigate though.
Will str always be non-NULL? If not, then use for (i = 0; str && str[i]; i++)
revision 0001-Ticket-47613-Impossible-to-configure-nsslapd-allowed.patch
Replying to [comment:4 rmeggins]:
I think it might be possible(adding an empty value?), so I changed it just in case. New patch attached.
git merge ticket47613
Updating 7e21a4b..6200f68
Fast-forward
 ldap/servers/slapd/libglobs.c | 18 ++++++++++++++++++
 1 files changed, 18 insertions(+), 0 deletions(-)

git push origin master
Counting objects: 11, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (6/6), done.
Writing objects: 100% (6/6), 981 bytes, done.
Total 6 (delta 4), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   7e21a4b..6200f68  master -> master

commit 6200f68
Author: Mark Reynolds <mreynolds@redhat.com>
Date:   Mon Dec 2 15:08:15 2013 -0500

git push origin 389-ds-base-1.3.2
   5b24c4a..0dd81fc  389-ds-base-1.3.2 -> 389-ds-base-1.3.2

git push origin 389-ds-base-1.3.1
   c9c7d54..f146131  389-ds-base-1.3.1 -> 389-ds-base-1.3.1
attachment 0001-Ticket-47613-Issues-setting-allowed-mechanisms.patch
git merge ticket47613
Updating 9f75027..4395923
Fast-forward
 ldap/servers/slapd/configdse.c |  1 -
 ldap/servers/slapd/libglobs.c  | 10 +++++++---
 2 files changed, 7 insertions(+), 4 deletions(-)

git push origin master
Counting objects: 13, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (6/6), done.
Writing objects: 100% (7/7), 980 bytes, done.
Total 7 (delta 5), reused 1 (delta 1)
To ssh://git.fedorahosted.org/git/389/ds.git
   9f75027..4395923  master -> master

commit 4395923
Author: Mark Reynolds <mreynolds@redhat.com>
Date:   Thu Dec 12 12:48:08 2013 -0500
1.3.2.
668e85c..42ba3dc 389-ds-base-1.3.2 -> 389-ds-base-1.3.2
1.3.1
8004449..a1e3861 389-ds-base-1.3.1 -> 389-ds-base-1.3.1
Metadata Update from @rmeggins: - Issue assigned to mreynolds - Issue set to the milestone: 1.3.1.17
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/950
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: Fixed)