[Fedora-directory-users] SASL authentication

Josh Kelley joshkel at gmail.com
Fri Sep 8 22:07:26 UTC 2006 

On 9/8/06, Howard Chu <hyc at symas.com> wrote:
> Before you go any further with this, please tell us which version of
> OpenLDAP you're using. Current releases (since 2.3.6) return
> invalidCredentials for a SASL bind failure:

2.2.13, as provided by RHEL 4.  I had not thought to try a current
release; thanks for the info.

> Probably we should also do something about not returning the
> SASL-specific error code in this case too, to adhere more to the intent
> of rfc4422. Logging it on the server side should be sufficient.
>
> I just checked, and releases 2.1 and 2.2 returned error code 80 here. So
> it seems Apple is relying on a broken behavior.

I guess I really don't understand here.  RFC 4422 says that "outcome
message provided by the server can provide a way for the client to
distinguish between errors" of various sorts, which I assumed could
include errors resulting from attempting to use an unconfigured
authentication mechanism.  And although the RFC says that it is
"important that the server can be configured such that the outcome
message will not distinguish between a valid user with invalid
credentials and an invalid user," it doesn't say that it's necessary
that servers be so configured or that it's broken for servers to not
be so configured.

Furthermore, it seems to me that what Apple's trying to do - attempt a
secure authentication method first, then fall back to a nonsecure
authentication method if a secure method is not configured, without
needlessly sending cleartext passwords if the secure authentication
method is configured and rejects the user - is a good idea.  Is
Apple's default approach simply not permitted by the RFCs?  I
understand that for the server to unnecessarily give away
security-related info is potentially bad, but it seems like a minor
concern compared to the gains of permitting "secure by default, fall
back to unsecured" behavior like Apple's default.  (I guess MITM
attacks are a risk with that kind of approach; are they enough of a
risk to negate that approach's value?)

I hope I'm not coming across as argumentative; I just would really
like to understand the issues involved.

If it is a bad idea for the server to distinguish between "invalid
credentials" and "no secret in database," then what is the best way to
get OS X logins to work?  For now I've simply disabled CRAM-MD5 by
moving those libraries out of my /usr/lib/sasl2 directory, but that
seems like a hack.  I guess a better solution would be to permit the
SASL mech_list to be configured from within FDS; should I submit an
RFE on Bugzilla for that?

Thanks.

Josh Kelley

More information about the Fedora-directory-users mailing list