#47613 Impossible to configure nsslapd-allowed-sasl-mechanisms
Closed: wontfix None Opened 10 years ago by nkinder.

New feature allows administrator to configure DS to allow/forbit certain SASL
mechanisms. These mechanisms are advertised in RootDSE.

According to the design document:
"Using the new configuration attribute "nsslapd-allowed-sasl-mechanisms",
specify the list the mechanisms you wish to allow. Each mechanism can separated
by commas or spaces.

This setting does not require a server restart to take effect. "

I consider 5 scenarios. Before each DS was freshly installed.

Scenario 1: Try setting all mechanisms separated by comma, then try to allow
only 2 of them
Result: Only EXTERNAL and ANONYMOUS are set, change is silently ignored

Scenario 2: Try setting all mechanisms separated by space, then try to allow
only 2 of them
Result: All mechanisms are accepted correctly, any subsequent change is
silently ignored

Scenario 3: Try setting just 2 allowed mechanisms with commas, try replacing
them with some others
Result: I tried setting SCRAM-SHA-1 and GSSAPI, but RootDSE advertised EXTERNAL
and GSSAPI, subsequent changes are silently ignored

Scenario 4 Try setting just 2 allowed mechanisms without commas, try replacing
them with some others
Result: I tried setting SCRAM-SHA-1 and GSSAPI, but RootDSE advertised
EXTERNAL, SCRAM-SHA-1 and GSSAPI

Scenario 5: Replace empty nsslapd-allowed-sasl-mechanisms with empty value
Result: Only EXTERNAL is advertised by RootDSE

Steps to Reproduce:

SCENARIO 1:

Try setting all mechanisms separated by commas

[jrusnack@dstet 6.0]$ ldapmodify -h localhost -p 22222 -D "cn=directory
manager" -w Secret123 <<EOF

dn: cn=config
changetype: modify
replace: nsslapd-allowed-sasl-mechanisms
nsslapd-allowed-sasl-mechanisms: EXTERNAL, SCRAM-SHA-1, GSSAPI, GSS-SPNEGO,
DIGEST-MD5, CRAM-MD5, LOGIN, PLAIN, ANONYMOUS
EOF
modifying entry "cn=config"

Check values of supportedSASLMechanisms and nsslapd-allowed-sasl-mechanisms

[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory
manager" -w Secret123 -b "" -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: ANONYMOUS

[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory
manager" -w Secret123 -s base -b "cn=config" nsslapd-allowed-sasl-mechanisms
dn: cn=config
nsslapd-allowed-sasl-mechanisms: EXTERNAL, SCRAM-SHA-1, GSSAPI, GSS-SPNEGO, DI
GEST-MD5, CRAM-MD5, LOGIN, PLAIN, ANONYMOUS

Try changing to some other value

[jrusnack@dstet 6.0]$ ldapmodify -h localhost -p 22222 -D "cn=directory
manager" -w Secret123 <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-allowed-sasl-mechanisms
nsslapd-allowed-sasl-mechanisms: SCRAM-SHA-1 GSSAPI
EOF

modifying entry "cn=config"

Change is ignored

[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory
manager" -w Secret123 -s base -b "cn=config" nsslapd-allowed-sasl-mechanisms
dn: cn=config
nsslapd-allowed-sasl-mechanisms: EXTERNAL, SCRAM-SHA-1, GSSAPI, GSS-SPNEGO, DI
GEST-MD5, CRAM-MD5, LOGIN, PLAIN, ANONYMOUS

[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory
manager" -w Secret123 -b "" -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: ANONYMOUS

SCENARIO 2:

Try setting all mechanisms separated by space

[jrusnack@dstet 6.0]$ ldapmodify -h localhost -p 22222 -D "cn=directory
manager" -w Secret123 <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-allowed-sasl-mechanisms
nsslapd-allowed-sasl-mechanisms: EXTERNAL SCRAM-SHA-1 GSSAPI GSS-SPNEGO
DIGEST-MD5 CRAM-MD5 LOGIN PLAIN ANONYMOUS
EOF

modifying entry "cn=config"

Check values of supportedSASLMechanisms and nsslapd-allowed-sasl-mechanisms

[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory
manager" -w Secret123 -b "" -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: SCRAM-SHA-1
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: ANONYMOUS

[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory
manager" -w Secret123 -s base -b "cn=config" nsslapd-allowed-sasl-mechanisms
dn: cn=config
nsslapd-allowed-sasl-mechanisms: EXTERNAL SCRAM-SHA-1 GSSAPI GSS-SPNEGO DIGEST
-MD5 CRAM-MD5 LOGIN PLAIN ANONYMOUS

Try changing to some other value

[jrusnack@dstet 6.0]$ ldapmodify -h localhost -p 22222 -D "cn=directory
manager" -w Secret123 <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-allowed-sasl-mechanisms
nsslapd-allowed-sasl-mechanisms: SCRAM-SHA-1 GSSAPI
EOF
modifying entry "cn=config"

Change is accepted but ignored

[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory
manager" -w Secret123 -s base -b "cn=config" nsslapd-allowed-sasl-mechanisms
dn: cn=config
nsslapd-allowed-sasl-mechanisms: EXTERNAL SCRAM-SHA-1 GSSAPI GSS-SPNEGO DIGEST
-MD5 CRAM-MD5 LOGIN PLAIN ANONYMOUS

[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory
manager" -w Secret123 -b "" -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: SCRAM-SHA-1
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: ANONYMOUS

SCENARIO 3:

Try setting some values separated by commas

[jrusnack@dstet 6.0]$ ldapmodify -h localhost -p 22222 -D "cn=directory
manager" -w Secret123 <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-allowed-sasl-mechanisms
nsslapd-allowed-sasl-mechanisms: SCRAM-SHA-1, GSSAPI
EOF

modifying entry "cn=config"

[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory
manager" -w Secret123 -s base -b "cn=config" nsslapd-allowed-sasl-mechanisms
dn: cn=config
nsslapd-allowed-sasl-mechanisms: SCRAM-SHA-1, GSSAPI

External shouldn`t be here, SCRAM-SHA-1 is missing

[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory
manager" -w Secret123 -b "" -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: GSSAPI

Try changing to some other values

[jrusnack@dstet 6.0]$ ldapmodify -h localhost -p 22222 -D "cn=directory
manager" -w Secret123 <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-allowed-sasl-mechanisms
nsslapd-allowed-sasl-mechanisms: SCRAM-SHA-1, GSSAPI, DIGEST-MD5
EOF

modifying entry "cn=config"

Ignored

[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory
manager" -w Secret123 -s base -b "cn=config" nsslapd-allowed-sasl-mechanisms
dn: cn=config
nsslapd-allowed-sasl-mechanisms: SCRAM-SHA-1, GSSAPI

[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory
manager" -w Secret123 -b "" -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: GSSAPI

SCENARIO 4:

Try setting values separated by spaces

[jrusnack@dstet 6.0]$ ldapmodify -h localhost -p 22222 -D "cn=directory
manager" -w Secret123 <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-allowed-sasl-mechanisms
nsslapd-allowed-sasl-mechanisms: SCRAM-SHA-1 GSSAPI
EOF

modifying entry "cn=config"

External shouldn`t be here

[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory
manager" -w Secret123 -b "" -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: SCRAM-SHA-1
supportedSASLMechanisms: GSSAPI

[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory
manager" -w Secret123 -s base -b "cn=config" nsslapd-allowed-sasl-mechanisms
dn: cn=config
nsslapd-allowed-sasl-mechanisms: SCRAM-SHA-1 GSSAPI

Try changing to some other value

[jrusnack@dstet 6.0]$ ldapmodify -h localhost -p 22222 -D "cn=directory
manager" -w Secret123 <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-allowed-sasl-mechanisms
nsslapd-allowed-sasl-mechanisms: DIGEST-MD5 GSS-SPNEGO
EOF

modifying entry "cn=config"

Ignored

[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory
manager" -w Secret123 -b "" -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: SCRAM-SHA-1
supportedSASLMechanisms: GSSAPI

[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory
manager" -w Secret123 -s base -b "cn=config" nsslapd-allowed-sasl-mechanisms
dn: cn=config
nsslapd-allowed-sasl-mechanisms: SCRAM-SHA-1 GSSAPI

SCENARIO 5:

Check which mechanisms are adversited, when nsslapd-allowed-sasl-mechanisms

is empty
[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory
manager" -w Secret123 -b "" -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: SCRAM-SHA-1
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: ANONYMOUS

[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory
manager" -w Secret123 -s base -b "cn=config" nsslapd-allowed-sasl-mechanisms
dn: cn=config
nsslapd-allowed-sasl-mechanisms:

Set nsslapd-allowed-sasl-mechanisms to empty value

[jrusnack@dstet 6.0]$ ldapmodify -h localhost -p 22222 -D "cn=directory
manager" -w Secret123 <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-allowed-sasl-mechanisms
nsslapd-allowed-sasl-mechanisms:
EOF
modifying entry "cn=config"

[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory
manager" -w Secret123 -s base -b "cn=config" nsslapd-allowed-sasl-mechanisms
dn: cn=config
nsslapd-allowed-sasl-mechanisms:

Only EXTERNAL is advertised

[jrusnack@dstet 6.0]$ ldapsearch -LLL -h localhost -p 22222 -D "cn=directory
manager" -w Secret123 -b "" -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL


After some discussion with Jan (who reported these issues), it looks like any SASL mechanisms with a comma at the end of them are ignored. I think it is fine to change the design doc to only support space separated lists for this.

There are still some issues here to investigate though.

Will str always be non-NULL? If not, then use
for (i = 0; str && str[i]; i++)

Replying to [comment:4 rmeggins]:

Will str always be non-NULL? If not, then use
for (i = 0; str && str[i]; i++)

I think it might be possible(adding an empty value?), so I changed it just in case. New patch attached.

git merge ticket47613
Updating 7e21a4b..6200f68
Fast-forward
ldap/servers/slapd/libglobs.c | 18 ++++++++++++++++++
1 files changed, 18 insertions(+), 0 deletions(-)

git push origin master
Counting objects: 11, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (6/6), done.
Writing objects: 100% (6/6), 981 bytes, done.
Total 6 (delta 4), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
7e21a4b..6200f68 master -> master

commit 6200f68
Author: Mark Reynolds mreynolds@redhat.com
Date: Mon Dec 2 15:08:15 2013 -0500

git push origin 389-ds-base-1.3.2
5b24c4a..0dd81fc 389-ds-base-1.3.2 -> 389-ds-base-1.3.2

git push origin 389-ds-base-1.3.1
c9c7d54..f146131 389-ds-base-1.3.1 -> 389-ds-base-1.3.1

git merge ticket47613
Updating 9f75027..4395923
Fast-forward
ldap/servers/slapd/configdse.c | 1 -
ldap/servers/slapd/libglobs.c | 10 +++++++---
2 files changed, 7 insertions(+), 4 deletions(-)

git push origin master
Counting objects: 13, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (6/6), done.
Writing objects: 100% (7/7), 980 bytes, done.
Total 7 (delta 5), reused 1 (delta 1)
To ssh://git.fedorahosted.org/git/389/ds.git
9f75027..4395923 master -> master

commit 4395923
Author: Mark Reynolds mreynolds@redhat.com
Date: Thu Dec 12 12:48:08 2013 -0500

1.3.2.

668e85c..42ba3dc 389-ds-base-1.3.2 -> 389-ds-base-1.3.2

1.3.1

8004449..a1e3861 389-ds-base-1.3.1 -> 389-ds-base-1.3.1

Metadata Update from @rmeggins:
- Issue assigned to mreynolds
- Issue set to the milestone: 1.3.1.17

7 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/950

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Fixed)

4 years ago

Log in to comment on this ticket.

Metadata