This queue is for tickets about the perl-ldap CPAN distribution.

Report information
The Basics
Id: 35263
Status: resolved
Priority: 0/
Queue: perl-ldap

People
Owner: Nobody in particular
Requestors: dom [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: 0.35
Fixed in: (no value)

Subject: Fix SASL/GSSAPI behaviour when talking to round-robin server
This is repeated from http://marc.info/?l=perl-ldap-dev&m=120853646505515 (the mailing list is listed as the place to send bug reports, etc., but there are other issues already in RT).

The attached patch against 0.35 fixes an obscure problem with Net::LDAP when talking to a round-robin LDAP server(s) using SASL/GSSAPI authentication. Without it, the SASL layer is passed the round-robin name, but if, when the SASL/GSSAPI layer attempts to canonicalise the address, it resolves to a different host to the one IO::Socket used for its connection, a service ticket for a conflicting server will be requested, and authentication will fail.

The patched version has been tested with SASL GSSAPI binds to round-robin and non round-robin addresses. Please consider this for inclusion in the next Net::LDAP release.

Thanks,
Dominic
Subject: sasl-round-robin.patch
diff -urN perl-ldap-0.35/lib/Net/LDAP.pm perl-ldap-0.35.mine/lib/Net/LDAP.pm --- perl-ldap-0.35/lib/Net/LDAP.pm 2008-03-30 19:50:13.000000000 +0100 +++ perl-ldap-0.35.mine/lib/Net/LDAP.pm 2008-04-18 17:15:54.000000000 +0100 @@ -377,9 +377,16 @@ if $ldap->{net_ldap_version} < 3; my $sasl = $passwd; + + # If we're talking to a round-robin, the canonical name of + # the host we are talking to might not match the name we + # requested + my $connected_name = $ldap->{net_ldap_socket}->peerhost; + $connected_name ||= $ldap->{net_ldap_host}; + my $sasl_conn = eval { local($SIG{__DIE__}); - $sasl->client_new("ldap",$ldap->{net_ldap_host}); + $sasl->client_new("ldap",$connected_name); }; return _error($ldap, $mesg, LDAP_LOCAL_ERROR, "$@")
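Review bot: `peerhost` returns the peer's IP address as a string, not a host name, so `$connected_name` is an IP address on every connected socket and the `||=` fallback to `$ldap->{net_ldap_host}` only applies when `peerhost` returns nothing; the comment about the "canonical name" describes something the code does not do. Passing that address to `$sasl->client_new("ldap", ...)` builds the GSSAPI service principal and the Digest-MD5 digest-uri from the IP, which servers that check the name against their registered SPNs reject (as later replies in this ticket report), and the call will also die on an IO::Socket::UNIX (ldapi) connection, which has no `peerhost` method. Suggest resolving the address back to a name with a fallback to the requested host, guarding with `->can('peerhost')`, or letting the caller supply the SASL host explicitly.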
Subject: Re: [rt.cpan.org #35263] Fix SASL/GSSAPI behaviour when talking to round-robin server
Date: Mon, 21 Apr 2008 11:30:55 -0500
To: bug-perl-ldap [...] rt.cpan.org
From: Graham Barr <gbarr [...] pobox.com>
Darn, I knew there was something I was missing in the release of 0.36 today. I have applied your patch to the repository. It will be in 0.37

Graham.
On Mon Apr 21 12:58:38 2008, gbarr@pobox.com wrote:
> Darn, I knew there was something I was missing in the release of 0.36
> today.
:)
> I have applied your patch to the repository. It will be in 0.37
Thanks. Do you have any planned timescale for a 0.37 release? Dominic.
Subject: [rt.cpan.org #35263] Patch breaks SASL/Digest-MD5 against AD [Patch]
Date: Tue, 27 Jan 2009 19:46:04 +0100
To: bug-perl-ldap [...] rt.cpan.org
From: Andreas Hofmeister <andi [...] collax.com>
Hi,

the patch earlier breaks SASL/Digest-MD5 with AD as it passes the peer's IP address as host, and because AD seems to be quite picky in what it accepts as host - it especially dislikes IP addresses. (The error message is "The digest-uri does not match any LDAP SPN's registered for this server.")

The attached patch attempts to look up the host name for the peer address. I'm not sure if that breaks GSSAPI again, but it probably should not.

Ciao
Andi

Message body is not shown because sender requested not to inline it.

Subject: Re: [rt.cpan.org #35263] Patch breaks SASL/Digest-MD5 against AD [Patch]
Date: Tue, 27 Jan 2009 14:06:14 -0600
To: bug-perl-ldap [...] rt.cpan.org
From: Graham Barr <gbarr [...] pobox.com>
On Jan 27, 2009, at 1:11 PM, Andreas Hofmeister via RT wrote:
> Queue: perl-ldap
> Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=35263 >
>
> Hi,
>
> the patch earlier breaks SASL/Digest-MD5 with AD as it passes the
> peers IP address as host and because AD seems to be quite picky in
> what it accepts as host - it especially dislikes IP addresses. (The
> error message is "The digest-uri does not match any LDAP SPN's
> registered for this server.").
>
> The attached patch attempts to lookup the host-name for the peer-address.
> I'm not sure if that breaks GSSAPI again but it probably
> should not.
Hosts can have multiple names. Doing a reverse lookup is only going to get one of those, and in my experience it rarely gets the one required. As this name is needed to pass to $sasl->client_new, I am inclined to do one of

a) Add an extra parameter to ->bind so the sasl host can be passed
b) Support the caller calling ->client_new and passing the result as the sasl arg to ->bind

Graham.
Subject: Re: [rt.cpan.org #35263] Patch breaks SASL/Digest-MD5 against AD
Date: Wed, 28 Jan 2009 16:06:53 +0100
To: bug-perl-ldap [...] rt.cpan.org
From: Andreas Hofmeister <andi [...] collax.com>
Hi Graham,
> Hosts can have multiple names. doing a reverse lookup is only going to
> get one of those and in my experience it rarely gets the one required.
Mhh, I guess the round-robin scenario would fail without proper reverse records anyways.
> a) Add an extra parameter to ->bind so the sasl host can be passed
> b) Support the caller calling ->client_new and passing the result as
> the sasl arg to ->bind
As far as I understand the original problem, it is not easy to decide what to pass to ->client_new until one actually connects to the remote host (or unless one asks the DNS beforehand). So how about adding an option to ->new or ->bind to enable reverse lookups for round-robin cases and otherwise just pass the host name as before?

Andi
Subject: Re: [rt.cpan.org #35263] Patch breaks SASL/Digest-MD5 against AD
Date: Wed, 28 Jan 2009 11:01:55 -0600
To: bug-perl-ldap [...] rt.cpan.org
From: Graham Barr <gbarr [...] pobox.com>
On Jan 28, 2009, at 10:07 AM, Andreas Hofmeister via RT wrote:
> Queue: perl-ldap
> Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=35263 >
>
> Hi Graham,
>
>> Hosts can have multiple names. doing a reverse lookup is only going
>> to get one of those and in my experience it rarely gets the one
>> required.
>
> Mhh, I guess the round-robin scenario would fail without proper
> reverse records anyways.
While it may be true that some SASL mechanisms require the hostname here to be the same as reverse DNS, I am not sure it is true for all of them.
>> a) Add an extra parameter to ->bind so the sasl host can be passed
>> b) Support the caller calling ->client_new and passing the result as
>> the sasl arg to ->bind
>
> As far as I understand the original problem, it is not easy to decide
> what to pass to ->client_new until one actually connects the remote
> host (or unless one asks the dns beforehand). So how about adding an
> option to ->new or ->bind to enable reverse-lookups for round-robin
> cases and otherwise just pass the host name as before ?
This is going beyond the scope of an LDAP library. There are other libraries out there that also use Authen::SASL that will have similar issues about how to determine what to pass. Putting the logic for this into Net::LDAP is just not the right place.

If you need a connection to determine a hostname to pass, then Net::LDAP provides access to the socket via $ldap->socket

Graham.
Subject: Re: [rt.cpan.org #35263] Patch breaks SASL/Digest-MD5 against AD
Date: Wed, 28 Jan 2009 20:47:37 +0100
To: bug-perl-ldap [...] rt.cpan.org
From: Andreas Hofmeister <andi [...] collax.com>
Hi Graham,
> While that may be true that some sasl mechanisms require the hostname
> here to be the same as reverse DNS, I am not sure it is true for all
> of them.
Regarding Digest-MD5, it depends on the server too. OpenLDAP apparently accepts just anything as host, AD however is very picky and rejects anything that is not its own name.
> This is going beyond the scope of an LDAP library. There are other
> libraries out there that also use Authen::SASL that will have similar
> issues about how to determine what to pass. Putting the logic for this
> into Net::LDAP is just not the right place.
Agreed. I was just trying to circumvent an immediate problem without throwing away stuff that was introduced for another problem ... (BTW: the original patch also breaks SASL on Unix sockets.) Maybe it would be possible to split the "Do The Right Thing" stuff, such as dealing with SRV records, DNS round-robin etc., into its own module? I've seen other code on CPAN having difficulties with that kind of stuff too.

Andi
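Graham's option (b) above (the caller derives the name from $ldap->socket and builds the client_new() connection itself), with the Unix-socket and IP-address cases from Andi's replies handled, written out as an added example that is not code from this ticket or from perl-ldap. It assumes Socket's getnameinfo (Socket 1.94+, core since Perl 5.14), a hypothetical round-robin name ldap.example.com, and a Net::LDAP release that accepts a client_new() result as bind's sasl argument, which option (b) proposes rather than guarantees.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Socket qw(getnameinfo NI_NAMEREQD);   # Socket 1.94+ (core since Perl 5.14)
use Net::LDAP;
use Authen::SASL;

# Decide which host name to hand to Authen::SASL's client_new(), based on
# the socket Net::LDAP actually connected rather than on the requested
# name, which may be a round-robin alias covering several servers.
sub sasl_host_for {
    my ($ldap, $requested) = @_;
    my $sock = $ldap->socket;

    # ldapi:// connections use IO::Socket::UNIX, which has no peer
    # address: keep the requested name (the Unix-socket breakage Andi
    # mentions comes from calling peerhost on such a socket).
    return $requested unless $sock->can('peerhost');

    # Reverse-resolve the connected peer (IPv4 or IPv6). NI_NAMEREQD
    # makes the lookup fail instead of handing back the bare IP, which
    # is exactly what AD's Digest-MD5 check rejects.
    my ($err, $name) = getnameinfo($sock->peername, NI_NAMEREQD);
    return $requested if $err;

    # Caveat (Graham): a host can have several names and the PTR record
    # is not guaranteed to be the one the server's SPN uses, so callers
    # who know the right name should pass it to client_new() directly.
    return $name;
}

# Usage, Graham's option (b): the caller builds the SASL connection itself.
my $alias = 'ldap.example.com';   # hypothetical round-robin name
my $ldap  = Net::LDAP->new($alias) or die "connect to $alias failed: $@";

my $sasl = Authen::SASL->new(mechanism => 'GSSAPI');
my $host = sasl_host_for($ldap, $alias);
my $conn = $sasl->client_new('ldap', $host);   # service "ldap" on the connected host

# Assumes a Net::LDAP release that accepts a ready client connection as
# the sasl argument, as option (b) proposes; not guaranteed for 0.35-0.37.
my $mesg = $ldap->bind(sasl => $conn);
$mesg->code and die "SASL bind to $host failed: " . $mesg->error . "\n";
print "bound via GSSAPI using SASL host $host\n";
$ldap->unbind;
```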
On Wed Jan 28 14:56:41 2009, andi@collax.com wrote:
> Hi Graham,

Hello,

>
> > While that may be true that some sasl mechanisms require the hostname
> > here to be the same as reverse DNS, I am not sure it is true for all
> > of them.
>
> Regarding Digest-MD5, it depends on the server too. OpenLDAP
> apparently accepts just anything as host, AD however is very picky
> and rejects anything that is not its own name.
>
> > This is going beyond the scope of an LDAP library. There are other
> > libraries out there that also use Authen::SASL that will have similar
> > issues about how to determine what to pass. Putting the logic for this
> > into Net::LDAP is just not the right place.
>
> Agreed. I was just trying to circumvent an immediate problem without
> throwing away stuff that was introduced for another problem ... (BTW:
> the original patch also breaks SASL on Unix sockets).
>
In my own experience, SASL/GSSAPI also breaks. It uses the IP address instead of the FQDN to request the service ticket and, of course, fails. I had errors like:

GSSAPI Error: Miscellaneous failure (see text) (Server (krbtgt/XX.XX.XXX@MY.REALM.FR) unknown

I tried to change LDAP.pm to revert to the old behavior with just

384,385c384,385 < my $connected_name = $ldap->{net_ldap_socket}->peerhost; < $connected_name ||= $ldap->{net_ldap_host}; ---
> #my $connected_name = $ldap->{net_ldap_socket}->peerhost; > $connected_name = $ldap->{net_ldap_host};
and everything works fine.
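Review bot: This revert restores the pre-patch behaviour, so the round-robin problem this ticket was opened for comes back: when the alias resolves to a different host than the one IO::Socket connected to, the service ticket is again requested for the wrong server. It also leaves the `peerhost` line commented out rather than removed. A change that keeps both cases working would derive a host name from the connected socket, or let the caller pass one, instead of choosing between the requested name and the raw IP address.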