Full_Name: Quanah Gibson-Mount
Version: 2.4.23
OS: Linux 2.6
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (75.111.45.108)
As reported at: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=604122
Hello,
During some tests for nslcd[1], I found that if the SASL_SECPROPS in /etc/ldap/ldap.conf is incompatible with the SASL_MECH, then the library:
- opens a useless TCP connection to the server
- checks the mechanism and fails
- closes the TCP connection
===== /etc/ldap/ldap.conf
BASE dc=baby-gnu,dc=org
URI ldap://192.168.122.4

SASL_MECH DIGEST-MD5
SASL_SECPROPS noactive
===== /etc/ldap/ldap.conf
===== Wireshark capture
No. Time     Source        Destination   Protocol Info
3   2.728967 192.168.122.3 192.168.122.4 TCP      51521 > ldap [SYN] Seq=0 [...]
4   2.729699 192.168.122.4 192.168.122.3 TCP      ldap > 51521 [SYN, ACK] Seq=0 [...]
5   2.729714 192.168.122.3 192.168.122.4 TCP      51521 > ldap [ACK] Seq=1 [...]
6   2.739576 192.168.122.3 192.168.122.4 TCP      51521 > ldap [FIN, ACK] Seq=1 [...]
7   2.740686 192.168.122.4 192.168.122.3 TCP      ldap > 51521 [FIN, ACK] Seq=1 [...]
8   2.740702 192.168.122.3 192.168.122.4 TCP      51521 > ldap [ACK] Seq=2 [...]
===== Wireshark capture
===== ldapsearch
ldapsearch -U dad -s base -LLL supportedSASLMechanisms
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
        additional info: SASL(-4): no mechanism available: No worthy mechs found
===== ldapsearch
As the problem is found in software using libldap, I conclude the problem is in the lib and not in ldapsearch.
Regards.
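
A pre-flight check for the mismatch described in this report, as an added example that is not part of the original report or of OpenLDAP: it reads ldap.conf text and lists the SASL_SECPROPS flags that the pinned SASL_MECH cannot satisfy, without opening a connection. The function names and the MECH_PROPS table are assumptions made for illustration; the table models the security flags the Cyrus SASL plugins are understood to advertise.

```python
# Added example: offline lint of ldap.conf SASL settings; no network I/O.
# ASSUMPTION: properties each mechanism can satisfy, modelled on the security
# flags the Cyrus SASL plugins advertise. Verify against your installed plugins.
MECH_PROPS = {
    "DIGEST-MD5": {"noplain", "noanonymous"},
    "CRAM-MD5": {"noplain", "noanonymous"},
    "GSSAPI": {"noplain", "noactive", "noanonymous"},
    "PLAIN": {"noanonymous"},
}
# Only these flag properties are checked; minssf=, maxssf=, maxbufsize=,
# forwardsec and passcred are ignored by this check.
CHECKED = {"noplain", "noactive", "nodict", "noanonymous"}
DEFAULT_SECPROPS = "noanonymous,noplain"  # default documented in ldap.conf(5)


def parse_ldap_conf(text):
    """Return {OPTION: value}; option names are upper-cased, '#' starts a comment."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        opts[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def unsatisfied_secprops(conf_text):
    """Flags required by SASL_SECPROPS that SASL_MECH cannot provide.

    Returns None when no mechanism is pinned or it is not in MECH_PROPS.
    """
    opts = parse_ldap_conf(conf_text)
    mech = opts.get("SASL_MECH", "").upper()
    if mech not in MECH_PROPS:
        return None
    props = opts.get("SASL_SECPROPS", DEFAULT_SECPROPS)
    required = {p.strip().lower() for p in props.split(",")} & CHECKED
    return sorted(required - MECH_PROPS[mech])


# Configuration taken from the report above.
REPORTED_CONF = """\
BASE dc=baby-gnu,dc=org
URI ldap://192.168.122.4

SASL_MECH DIGEST-MD5
SASL_SECPROPS noactive
"""

if __name__ == "__main__":
    print(unsatisfied_secprops(REPORTED_CONF))
```

A non-empty result means the bind is expected to fail with "No worthy mechs found" regardless of what the server offers, so the configuration can be rejected before any socket is opened.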