From: Igor Brezac (igor at ipass dot net)
Date: Thu Mar 25 2004 - 08:53:10 EST
On Thu, 25 Mar 2004, Román Medina wrote:
> >> I've researched a bit and I've seen that saslauthd is sending an
> >> incorrect query to MySQL: saslauthd is asking for the pass of "user"
> >> instead of "user at domain dot com", which is the complete sasl_username
> >> received by postfix (although saslauthd takes the domain part as "realm").
> >>
> >> Since Postfix hasn't been updated I suspect that the problem comes from
> >> saslauthd. Is it possible that the behaviour of saslauthd has been
> >> changed between the last versions/snapshots? How could I fix it? (Perhaps
> >> it is possible to force the use of the domain by changing some
> >> switch/variable, or maybe it's a bug introduced in the last versions? :-? )
> >
> > Because there are many lines of code written to implement this
> > behavior, I wouldn't call it a "Bug". Maybe "Feature" is a better term...
>
> Yes, maybe. Perhaps a "feature which breaks things". Not a good idea. If
> it is a problematic change, at least there should exist some switch or
> configurable option to disable it.
>
> > I personally don't understand the reason, but it is not configurable.
> >
> > Use a version before 2.1.17, best to downgrade to 2.1.15.
>
> Thanks Andrea. Does somebody know why this behaviour has been changed? Any
> URL / post to a mailing list discussing this topic? (I suppose the change
> should be documented / discussed before being implemented.)
This has been discussed before. The SASL library splits a fully qualified
username before it is passed to saslauthd for password verification. The
saslauthd PAM mech ignores the domain (realm) part.
Try this patch.
Index: auth_pam.c
===================================================================
RCS file: /cvs/src/sasl/saslauthd/auth_pam.c,v
retrieving revision 1.4
diff -u -r1.4 auth_pam.c
--- auth_pam.c 31 May 2003 17:00:24 -0000 1.4
+++ auth_pam.c 25 Mar 2004 13:44:46 -0000
@@ -90,6 +90,7 @@
int i; /* loop counter */
const char *login_prompt; /* string prompting for user-name */
int rc; /* return code holder */
+ char user[256];
/* END VARIABLES */
my_appdata = appdata_ptr;
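Review bot: the `char user[256];` added at the top of this hunk is declared in the conversation callback (the function that receives `appdata_ptr`), where nothing references it; the only uses of `user` in this patch are in the authentication function further down, so this declaration is dead and will only produce an unused-variable warning. Drop it from this hunk.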
@@ -178,7 +179,7 @@
const char *login, /* I: plaintext authenticator */
const char *password, /* I: plaintext password */
const char *service, /* I: service name */
- const char *realm __attribute__((unused))
+ const char *realm
/* END PARAMETERS */
)
{
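Review bot: dropping `__attribute__((unused))` from `realm` is right now that the parameter is consumed, but the parameter comment should say what happens to it (it is appended to the login as `login@realm` before `pam_start`), because this changes which identity PAM is asked to verify; the saslauthd documentation for the pam mechanism needs the same note, since the old behaviour silently ignored the realm.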
@@ -187,16 +188,23 @@
struct pam_conv my_conv; /* pam conversion data */
pam_handle_t *pamh; /* pointer to PAM handle */
int rc; /* return code holder */
+ char user[256];
/* END VARIABLES */
- my_appdata.login = login;
+ strlcpy(user, login, 256);
+ if (realm && realm[0] != NULL) {
+ strlcat(user, "@", 256);
+ strlcat(user, realm, 256);
+ }
+
+ my_appdata.login = user;
my_appdata.password = password;
my_appdata.pamh = NULL;
my_conv.conv = saslauthd_pam_conv;
my_conv.appdata_ptr = &my_appdata;
- rc = pam_start(service, login, &my_conv, &pamh);
+ rc = pam_start(service, user, &my_conv, &pamh);
if (rc != PAM_SUCCESS) {
syslog(LOG_DEBUG, "DEBUG: auth_pam: pam_start failed: %s",
pam_strerror(pamh, rc));
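Review bot: `realm[0] != NULL` compares a `char` against a pointer constant; it should read `realm[0] != '\0'`. The return values of `strlcpy`/`strlcat` are also discarded, so a login plus realm longer than 255 bytes is silently truncated and the truncated string is what `pam_start` verifies, i.e. a different identity than the one presented; compare each return value against `sizeof(user)` and fail the authentication on truncation. Lastly, `strlcpy`/`strlcat` are not provided by glibc, so confirm saslauthd's build supplies replacements on platforms that lack them before relying on them here.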
-- Igor
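For illustration (added here, not part of Igor's patch or of the Cyrus SASL sources): the split the library performs on a fully qualified name, and a rejoin that treats truncation as a failure instead of handing PAM a shortened identity. The names split_login, join_login and roundtrip_ok are chosen for this example.

```c
#include <stdio.h>
#include <string.h>
/* Split "user@realm" into its parts, as the SASL library does before the
 * name reaches saslauthd.  Returns 0, or -1 if a part would not fit. */
int split_login(const char *fq, char *user, size_t ulen, char *realm, size_t rlen)
{
    const char *at = strchr(fq, '@');
    size_t n = at ? (size_t)(at - fq) : strlen(fq);
    if (n >= ulen) return -1;
    memcpy(user, fq, n);
    user[n] = '\0';
    if (at == NULL) {            /* unqualified login: empty realm */
        realm[0] = '\0';
        return 0;
    }
    if (strlen(at + 1) >= rlen) return -1;
    strcpy(realm, at + 1);
    return 0;
}

/* Rebuild "user@realm" (just "user" when realm is empty) for pam_start.
 * Truncation is an error, not a shorter name: returns 0 on success, -1
 * when the result does not fit, in which case out is left empty. */
int join_login(char *out, size_t outlen, const char *login, const char *realm)
{
    int n = (realm != NULL && realm[0] != '\0')
                ? snprintf(out, outlen, "%s@%s", login, realm)
                : snprintf(out, outlen, "%s", login);
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen > 0)
            out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Split fq, then rejoin into a buffer of outlen bytes (capped at 256).
 * Returns 1 only if the rebuilt login is byte-for-byte the original. */
int roundtrip_ok(const char *fq, size_t outlen)
{
    char user[256], realm[256], out[256];
    if (outlen > sizeof out) outlen = sizeof out;
    if (split_login(fq, user, sizeof user, realm, sizeof realm) != 0)
        return 0;
    if (join_login(out, outlen, user, realm) != 0)
        return 0;
    return strcmp(out, fq) == 0;
}
```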