From d1b57852247641be30decc480b0719d322f0bc5c Mon Sep 17 00:00:00 2001
From: Alexey Melnikov <alexey.melnikov@isode.com>
Date: Thu, 19 Apr 2012 14:41:12 +0100
Subject: Fixed PLAIN/LOGIN authentication failure when using saslauthd with no auxprop plugins

PLAIN/LOGIN plugins should be able to work with no auxprop plugins configured, for example if they are using saslauthd. This patch fixes them to work in such configurations. In order to achieve this the following changes were made
1) SASL_NOMECH should be handled the same way as SASL_NOUSER while looking up auxprop properties.
2) SASL PLAIN/LOGIN should pass "this identity was verified externally" to auxprop lookup. This will prevent auxprop lookup from failing with SASL_NOMECH. Note that they verify user accounts using checkpass interface anyway.
Cyrus SASL Bug # 3590
Test-information: The following SASL plugins were tested: PLAIN, EXTERNAL, SCRAM-SHA-1, LOGIN (partially) They were tested with missing auxprop plugins and with a present one.
---
 include/sasl.h | 4 +++-
 lib/canonusr.c | 8 +++++---
 plugins/login.c | 6 ++++--
 plugins/plain.c | 2 +-
 4 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/include/sasl.h b/include/sasl.h
index 2ac5300..ed27104 100755
--- a/include/sasl.h
+++ b/include/sasl.h
@@ -633,8 +633,10 @@ typedef int sasl_server_userdb_setpass_t(sasl_conn_t *conn,
 /* One of the following two is required */
 #define SASL_CU_AUTHID 0x01
 #define SASL_CU_AUTHZID 0x02
+
 /* Combine the following with SASL_CU_AUTHID, if you don't want
- to fail if auxprop returned SASL_NOUSER */
+ to fail if auxprop returned SASL_NOUSER/SASL_NOMECH.
+ This flag has no effect on SASL_CU_AUTHZID. */
 #define SASL_CU_EXTERNALLY_VERIFIED 0x04
 #define SASL_CU_OVERRIDE 0x08 /* mapped to SASL_AUXPROP_OVERRIDE */
diff --git a/lib/canonusr.c b/lib/canonusr.c
index 0049d13..faee103 100644
--- a/lib/canonusr.c
+++ b/lib/canonusr.c
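Review bot: The rewritten comment on SASL_CU_EXTERNALLY_VERIFIED still says only which auxprop results the flag suppresses, not what the caller is promising by setting it, and with this commit the flag is also set by mechanisms that have verified nothing yet (the canonusr.c hunk's own wording is "or will be verified independently"). A mechanism author reading this header could take SASL_OK from canon_user as evidence that the identity was checked. I would add to the comment: `Setting it asserts that the caller has verified, or will itself verify, the authentication identity; canon_user performs no verification when auxprop reports SASL_NOUSER/SASL_NOMECH.` The surrounding SASL_CU_* definitions are otherwise unchanged.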
@@ -241,12 +241,14 @@ static int _sasl_auxprop_lookup_user_props (sasl_conn_t *conn,
 }
 }
- if (result == SASL_NOUSER && (flags & SASL_CU_EXTERNALLY_VERIFIED)) {
+ if ((flags & SASL_CU_EXTERNALLY_VERIFIED) && (result == SASL_NOUSER || result == SASL_NOMECH)) {
 /* The called has explicitly told us that the authentication identity
- was already verified. So a failure to retrieve any associated properties
+ was already verified or will be verified independently.
+ So a failure to retrieve any associated properties
 is not an error. For example the caller is using Kerberos to verify user, but the LDAPDB/SASLDB auxprop plugin doesn't contain any auxprops for
- the user. */
+ the user.
+ Another case is PLAIN/LOGIN not using auxprop to verify user passwords. */
 result = SASL_OK;
 }
 }
diff --git a/plugins/login.c b/plugins/login.c
index ee44be6..f2a05ac 100644
--- a/plugins/login.c
+++ b/plugins/login.c
@@ -179,9 +179,11 @@ static int login_server_mech_step(void *conn_context,
 /* canonicalize username first, so that password verification is
 * done against the canonical id */
- result = params->canon_user(params->utils->conn, text->username,
+ result = params->canon_user(params->utils->conn,
+ text->username,
 text->username_len,
- SASL_CU_AUTHID | SASL_CU_AUTHZID, oparams);
+ SASL_CU_AUTHID | SASL_CU_AUTHZID | SASL_CU_EXTERNALLY_VERIFIED,
+ oparams);
 if (result != SASL_OK) return result;
 /* verify_password - return sasl_ok on success */
diff --git a/plugins/plain.c b/plugins/plain.c
index ddbc1f8..e6180a1 100644
--- a/plugins/plain.c
+++ b/plugins/plain.c
@@ -159,7 +159,7 @@ static int plain_server_mech_step(void *conn_context __attribute__((unused)),
 result = params->canon_user(params->utils->conn, authen, 0,
- SASL_CU_AUTHID | canon_flags,
+ SASL_CU_AUTHID | canon_flags | SASL_CU_EXTERNALLY_VERIFIED,
 oparams);
 if (result != SASL_OK) {
 _plug_free_string(params->utils, &passcopy);
--
1.7.7
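Review bot: The widened condition turns SASL_NOMECH into SASL_OK with no trace, so a deployment whose auxprop plugin failed to load is now indistinguishable from one that never configured auxprop, where before this commit PLAIN/LOGIN failed loudly at this point. I would log the masked result at debug level just before `result = SASL_OK;` so an operator can tell that auxprop was not consulted for this identity. The new comment line `was already verified or will be verified independently.` is also vaguer than it needs to be; I would write `was already verified, or the caller will verify it itself (PLAIN/LOGIN do so through the checkpass interface).` The test checks `flags & SASL_CU_EXTERNALLY_VERIFIED` but not `flags & SASL_CU_AUTHID`, so the header's statement that the flag has no effect on SASL_CU_AUTHZID presumably depends on how `_sasl_auxprop_lookup_user_props` is called for each identity; that function starts and ends outside the hunk, so worth confirming.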
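Review bot: The new canon_user call passes SASL_CU_AUTHID and SASL_CU_AUTHZID together with SASL_CU_EXTERNALLY_VERIFIED, while the header hunk says the flag has no effect on SASL_CU_AUTHZID; if the authzid half of this combined lookup also reaches auxprop and gets SASL_NOMECH, the call would presumably still fail and the fix would not apply to LOGIN, which the commit message notes was only partially tested. That path is not visible here, so it needs a test with no auxprop plugin loaded rather than a code change. Independently, the flag's name reads as a claim that has not yet been made at this point, so I would add above the call `/* SASL_CU_EXTERNALLY_VERIFIED only stops canon_user from failing when no auxprop plugin can serve the lookup; verify_password below remains mandatory. */`. login_server_mech_step begins and ends outside the hunk.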
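Review bot: The added SASL_CU_EXTERNALLY_VERIFIED is OR'd into the authid canonicalisation unconditionally, which is correct for the saslauthd case but leaves no hint at the call site that the password has not been checked yet, and `canon_flags` is computed outside the hunk so it is not visible here whether it already carries bits that interact with the new one. I would add a comment above the call: `/* EXTERNALLY_VERIFIED here means "do not fail on SASL_NOUSER/SASL_NOMECH from auxprop"; the password is verified later via checkpass. */`. If PLAIN canonicalises a separate authzid in a later call, that call does not need the flag per the header's caveat, but it should be checked against the same missing-auxprop setup. plain_server_mech_step starts and ends outside the hunk.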