
This queue is for tickets about the Authen-SASL-Cyrus CPAN distribution.

Report information
The Basics
Id: 38372
Status: new
Priority: 0/
Queue: Authen-SASL-Cyrus

People
Owner: Nobody in particular
Requestors: huaraz [...] moeller.plus.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Use of ssf property is not working
Date: Sun, 10 Aug 2008 18:45:08 +0100
To: <bug-Authen-SASL-Cyrus [...] rt.cpan.org>, <mark [...] nb.net>
From: "Markus Moeller" <huaraz [...] moeller.plus.com>
Hi, I want to use LDAPS with SASL/GSSAPI. I have the following code: #!/usr/bin/perl # # Reads LDAP Attributes and store them as Radius Attributes # # use Net::LDAPS; # use Authen::SASL qw(Perl); use Authen::SASL; use Authen::Krb5; use Net::DNS; my $user = 'mm'; # DNS details my $ares = Net::DNS::Resolver->new; my $nres = Net::DNS::Resolver->new; my $rres = Net::DNS::Resolver->new; my $aquery = $ares->query("win2003r2.home"); my $hostlist = ''; # # Query DNS and make sanity checks to guaranty Kerberos works # if ($aquery) { # loop over list of IP-addresses foreach my $arr ($aquery->answer) { next unless $arr->type eq "A"; my $nquery = $nres->query($arr->address); if ($nquery) { # Get names for IP-addresses foreach my $nrr ($nquery->answer) { next unless $nrr->type eq "PTR"; my $rquery = $rres->query($nrr->ptrdname); if ($rquery) { # Check if DNS lookup of name gives same IP-address foreach my $rrr ($rquery->answer) { next unless $rrr->type eq "A"; if ( $rrr->address eq $arr->address ) { $hostlist = $hostlist." 
".$nrr->ptrdname; } } } } } } } else { print("DNS query failed: $ares->errorstring \n"); return; } my @hosts = split(/\s+/,$hostlist); # ldap details my $server = \@hosts; my $bind_path = 'dc=win2003r2,dc=home'; my ($mail, $samaccountname, $userprincipalname, $useraccountcontrol); my ($ldap, $sasl, $mesg, $entry); # # Connect to Global Catalog to get details of all trusted domain users # # $ldap = Net::LDAPS->new( $server, # port => 3269, $ldap = Net::LDAPS->new( $server, port => 3269, timeout => 2, verify => 'never', version => 3) or die "$@"; # Setup Kerberos cache Authen::Krb5::init_context(); my $ccache_name = "FILE:/tmp/.radclient.cache.$$"; my $ccache = Authen::Krb5::cc_resolve($ccache_name); my $kt = Authen::Krb5::kt_resolve('FILE:./radclienttest.keytab'); my $princ = Authen::Krb5::parse_name('radclient/test@WIN2003R2.HOME'); $ccache->initialize($princ); my $creds = Authen::Krb5::get_init_creds_keytab($princ, $kt); $ccache->store_cred($creds); $ENV{'KRB5CCNAME'} = $ccache_name; $sasl = Authen::SASL->new('GSSAPI', 'user' => ''); # $sasl = Authen::SASL->new('GSSAPI', 'user' => '', debug => 13); # $ldap->debug(15); $ldap->debug(255); $mesg = $ldap->bind( '', sasl => $sasl) ; $mesg->code && die $mesg->error; $mesg = $ldap->search( # perform a search base => $bind_path, filter => "(samaccountname=$user)", timelimit => 2, attrs => ['mail', 'samaccountname', 'useraccountcontrol', 'userprincipalname'] ); $ccache->destroy; $mesg->code && die $mesg->error; foreach $entry ($mesg->entries) { $mail = $entry->get_value('mail'); $samaccountname= $entry->get_value('samaccountname'); $useraccountcontrol = $entry->get_value('useraccountcontrol'); $userprincipalname = $entry->get_value('userprincipalname'); } $mesg = $ldap->unbind; # take down session my $locked = ($useraccountcontrol & 0x0002)?"Yes":"No" if defined $useraccountcontrol; print("Retrieved LDAP Attributes:\n"); print("User-Mail = $mail\n"); print("User-SAM-Accountname = $samaccountname\n"); 
print("User-Account-Control = $useraccountcontrol\n"); print("User-Account-Locked = $locked \n"); print("User-Principal-name = $userprincipalname\n"); Which fails initially with: 00002029: LdapErr: DSID-0C09016D, comment: Cannot start kerberos signing/sealing when using TLS/SSL, data 0, vece at ./LDAP-AD-query.pl line 88. because it tries to use SSL and GSSAPI encryption. So I set ssf to 0 in LDAP.pm line 392 # Tell SASL the local and server IP addresses $sasl_conn->property( sockname => $ldap->{net_ldap_socket}->sockname, peername => $ldap->{net_ldap_socket}->peername, ssf => 0 ); but then I get: Decoding error at ./LDAP-AD-query.pl line 88. If I use use Authen::SASL qw(Perl); i.e. not the Cyrus version and set maxssf=0 in line 392 of LDAP.pm # Tell SASL the local and server IP addresses $sasl_conn->property( sockname => $ldap->{net_ldap_socket}->sockname, peername => $ldap->{net_ldap_socket}->peername, maxssf => 0 ); it works fine and I get: Retrieved LDAP Attributes: User-Mail = User-SAM-Accountname = mm User-Account-Control = 66048 User-Account-Locked = No User-Principal-name = mm@win2003r2.home I went through the sources but could not find anywhere that the ssf property is used. This looks like a bug to me. Thank you Markus