[Fedora-directory-users] SASL authentication

Howard Chu hyc at symas.com
Fri Sep 8 17:35:01 UTC 2006


> Date: Fri, 08 Sep 2006 09:01:41 -0600
> From: Richard Megginson <rmeggins at redhat.com>

> Josh Kelley wrote:
>> On 9/7/06, Richard Megginson <rmeggins at redhat.com> wrote:
>>> I checked RFC 4513  - http://www.ietf.org/rfc/rfc4513.txt - it doesn't
>>> say anything about the correct result code to return in this case, other
>>> than it is an error if anything other than success or bindinprogress is
>>> returned.  You might want to ask on ldap at umich.edu or on
>>> IRC.freenode.net #ldap if there is a standard that covers this case.
>>
>> Thanks for the suggestion.  I'll ask.
>>
>> I skimmed RFC 4513 (sans coffee) and didn't find the section you're
>> referring to.  I did see that RFC 4422 (last paragraph of section 3.6)
>> seems to suggest that OS X's and OpenLDAP's behavior is legitimate and
>> useful.

Before you go any further with this, please tell us which version of 
OpenLDAP you're using. Current releases (since 2.3.6) return 
invalidCredentials for a SASL bind failure:

ldapsearch -H ldap://:9000 -Y DIGEST-MD5
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
         additional info: SASL(-13): user not found: no secret in database

Probably we should also do something about not returning the 
SASL-specific error code in this case too, to adhere more to the intent 
of rfc4422. Logging it on the server side should be sufficient.

I just checked, and releases 2.1 and 2.2 returned error code 80 here. So 
it seems Apple is relying on a broken behavior.

> Yes.  But it seems to differ from the behavior of a simple bind (rfc4513 
> 5.1.3).  In a simple bind, the server resultCode differentiates these cases:
> 1) Invalid bind DN results in a noSuchObject (well, not exactly 
> specified, but this is the usual behavior)
> 2) Valid bind DN but invalid password results in invalidCredentials
> 
> However, the rfc (and also rfc 4511 Appendix A LDAP Result Codes) says 
> that other codes may be substituted for the above "to prevent 
> unauthorized disclosures (such as substitution of noSuchObject for 
> insufficientAccessRights, or invalidCredentials for 
> insufficientAccessRights)."
> 
> The SASL doc (rfc4422) says:
> 
> "It is also important that the server can be configured such that the outcome message will not distinguish between a valid user with invalid credentials and an invalid user."
> 
> 
> So it seems that SASL wants the server not to differentiate these cases, 
> probably for security reasons.  But this makes sasl binds have different 
> semantics than simple binds.
>>
>> Even if the standards permit either behavior (and even if it's
>> slightly more secure to not reveal additional information, as David
>> Boreham pointed out), wouldn't it be worth having FDS compatible with
>> OpenLDAP and OS X?
> Yes.  And please file a bug about this at http://bugzilla.redhat.com/

-- 
   -- Howard Chu
   Chief Architect, Symas Corp.  http://www.symas.com
   Director, Highland Sun        http://highlandsun.com/hyc
   OpenLDAP Core Team            http://www.openldap.org/project/
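The two bind-result policies argued over in this thread, as an added example that is not part of the original message or of OpenLDAP or Fedora Directory Server code: a "differentiating" bind returns noSuchObject for an unknown DN and invalidCredentials for a wrong password (the simple-bind behaviour Richard describes), while a "uniform" bind returns the same result code and the same diagnostic text for both and records the real reason only in the server log (the RFC 4422 intent, and what Howard proposes for the SASL diagnostic string). The directory entries, passwords and DNs below are constructed; the hashing scheme is a stand-in and not how any LDAP server stores secrets.

```python
"""
Added example: model of "differentiating" vs "uniform" LDAP bind outcomes,
with a defender's check for whether the client-visible outcome reveals
account existence. Sample directory and DNs are constructed.
"""
import hashlib
import hmac
import os

# LDAP result codes named in the thread (RFC 4511 Appendix A).
SUCCESS = 0
NO_SUCH_OBJECT = 32
INVALID_CREDENTIALS = 49
OTHER = 80  # what OpenLDAP 2.1/2.2 returned for a SASL failure, per the thread


def _hash(password: str, salt: bytes) -> bytes:
    # Stand-in secret storage for the example (assumption, not a server's scheme).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_directory(users: dict) -> dict:
    """Constructed sample directory: DN -> (salt, hashed secret)."""
    directory = {}
    for dn, password in users.items():
        salt = os.urandom(16)
        directory[dn] = (salt, _hash(password, salt))
    return directory


def bind_differentiating(directory, dn, password, server_log):
    """Simple-bind style: the result code tells the client which step failed."""
    if dn not in directory:
        server_log.append(f"bind {dn}: no such object")
        return NO_SUCH_OBJECT, "no such object"
    salt, digest = directory[dn]
    if not hmac.compare_digest(digest, _hash(password, salt)):
        server_log.append(f"bind {dn}: wrong password")
        return INVALID_CREDENTIALS, "invalid credentials"
    return SUCCESS, ""


def bind_uniform(directory, dn, password, server_log):
    """RFC 4422 intent: identical outcome (code and diagnostic) for an unknown
    user and for a valid user with a bad password. The distinguishing reason,
    such as "user not found", goes to the server log, never to the client."""
    if dn not in directory:
        server_log.append(f"bind {dn}: user not found")
        return INVALID_CREDENTIALS, "invalid credentials"
    salt, digest = directory[dn]
    if not hmac.compare_digest(digest, _hash(password, salt)):
        server_log.append(f"bind {dn}: wrong password")
        return INVALID_CREDENTIALS, "invalid credentials"
    return SUCCESS, ""


def leaks_account_existence(bind_fn, directory, known_dn) -> bool:
    """Defender's check: does the client-visible (code, diagnostic) pair differ
    between a DN that does not exist and a real DN with a wrong password?
    True means the bind outcome can be used to confirm which accounts exist."""
    log = []
    unknown = bind_fn(directory, "uid=nobody,dc=example,dc=com", "x", log)
    wrong = bind_fn(directory, known_dn, "definitely-wrong", log)
    return unknown != wrong


if __name__ == "__main__":
    users = make_directory({"uid=alice,dc=example,dc=com": "s3cret"})
    for name, fn in (("differentiating", bind_differentiating),
                     ("uniform", bind_uniform)):
        leak = leaks_account_existence(fn, users, "uid=alice,dc=example,dc=com")
        print(f"{name}: reveals account existence = {leak}")
```

The check compares the whole client-visible outcome, not just the result code, because the 2.3.6 session Howard pastes already returns code 49 for both cases yet still ships "user not found" in the additional-info text; a server that only aligns the code and leaves that diagnostic in place would still fail `leaks_account_existence`.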
