From: Román Medina (roman at rs-labs dot com)
Date: Thu Mar 25 2004 - 09:35:10 EST
> You should have run testsaslauthd when you were at 2.1.18 to see if it was
> transplanting the domain portion of user@domain.com to
I tried this before downgrading and it worked "as always", I mean, the
complete user was not split into user + domain parts.
> user: user
> realm: domain.com
>
> instead of
>
> user: user@domain.com
> realm:
>
> Looking at it, the change isn't in saslauthd. It's in the SASL libs in
Yes, I also realized that, after having a quick look at the saslauthd code:
* Excerpt from do_request() function at ipc_doors.c of saslauthd:
    /**************************************************************
     * The input data string consists of the login id, password,
     * service name and user realm. We'll break them up and then
     * authenticate them.
     **************************************************************/
    dataend = data + datasize;

    /* login id */
    memcpy(&count, data, sizeof(unsigned short));
    count = ntohs(count);
    data += sizeof(unsigned short);

    if (count > MAX_REQ_LEN || data + count > dataend) {
        logger(L_ERR, L_FUNC, "login exceeds MAX_REQ_LEN: %d",
               MAX_REQ_LEN);
        send_no("");
        return;
    }

    memcpy(login, data, count);
    login[count] = '\0';
    data += count;

    /* password */
    memcpy(&count, data, sizeof(unsigned short));
    count = ntohs(count);
    data += sizeof(unsigned short);

    if (count > MAX_REQ_LEN || data + count > dataend) {
        logger(L_ERR, L_FUNC, "password exceeds MAX_REQ_LEN: %d",
               MAX_REQ_LEN);
        send_no("");
        return;
    }

    memcpy(password, data, count);
    password[count] = '\0';
    data += count;
As you can see, saslauthd reads the login size, then gets the login (using the
previous size) and continues the process with the rest of the fields
(password, realm, etc.). Afterwards, the variable "login" is used in the rest
of the program (for instance, in do_auth()) without any further processing.
So, yes, saslauthd is not guilty of my pain ;-)
I supposed the change could be in the libs, as you have just confirmed. The
last possibility could be Postfix sending wrong values, but I had forgotten
about this option since the Postfix log clearly shows sasl_username as being
the complete entry user@domain, and I have no clue of Postfix having been upgraded.
Anyway, if the libsasl behaviour has changed, it is logical to think that in
the future saslauthd will include an option to merge "user" + "realm" so the
authentication id to test will be user@domain. This should be optional.
Personally I would not patch auth_pam.c as Igor suggested but ipc_doors.c
and ipc_unix.c, which seem to be the entry points for the login data. Done
that way, the fix is valid for pam, ldap and other auth methods in general
without having to patch all of them.
Do cyrus-sasl developers read this list?
Regards,
-Roman
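As an added illustration, not code from the saslauthd sources or from anyone in this thread: the length-prefixed request layout discussed above (login, password, service, realm, each as a network-order 16-bit count plus bytes), decoded with the same MAX_REQ_LEN bounds check, plus the optional login + realm merge proposed here, done once at the point where the fields are decoded rather than in auth_pam.c. The value of MAX_REQ_LEN and the names parse_authreq, build_authreq and read_field are assumptions for this example.

```c
#include <arpa/inet.h>
#include <string.h>
#define MAX_REQ_LEN 256 /* assumed limit for this example */
/* One decoded saslauthd request: four length-prefixed fields. */
struct authreq { char login[MAX_REQ_LEN + 1], password[MAX_REQ_LEN + 1],
                 service[MAX_REQ_LEN + 1], realm[MAX_REQ_LEN + 1]; };
/* Read one "uint16 count (network order) + count bytes" field into out.
 * Returns bytes consumed, or 0 when the count overruns the buffer. */
static size_t read_field(const unsigned char *d, const unsigned char *end, char *out) {
    unsigned short count;
    if ((size_t)(end - d) < sizeof count) return 0;
    memcpy(&count, d, sizeof count);
    count = ntohs(count);
    d += sizeof count;
    /* saslauthd's check, written without forming an out-of-range pointer */
    if (count > MAX_REQ_LEN || (size_t)(end - d) < count) return 0;
    memcpy(out, d, count);
    out[count] = '\0';
    return sizeof count + count;
}
/* Decode login, password, service and realm. With merge_realm set, a non-empty
 * realm is appended as "login@realm" so a PAM-style backend sees the full id. */
int parse_authreq(const unsigned char *d, size_t datasize, int merge_realm,
                  struct authreq *r) {
    const unsigned char *end = d + datasize;
    char *fields[4] = { r->login, r->password, r->service, r->realm };
    for (int i = 0; i < 4; i++) {
        size_t n = read_field(d, end, fields[i]);
        if (n == 0) return -1;   /* truncated or oversized field */
        d += n;
    }
    if (merge_realm && r->realm[0] != '\0' && strchr(r->login, '@') == NULL) {
        if (strlen(r->login) + 1 + strlen(r->realm) > MAX_REQ_LEN) return -1;
        strcat(strcat(r->login, "@"), r->realm);
    }
    return 0;
}
/* Encode a request as a client would; returns total length, 0 if buf is too small. */
size_t build_authreq(unsigned char *buf, size_t bufsize, const char *login,
                     const char *password, const char *service, const char *realm) {
    const char *f[4] = { login, password, service, realm }; size_t off = 0;
    for (int i = 0; i < 4; i++) {
        size_t len = strlen(f[i]); unsigned short n = htons((unsigned short)len);
        if (len > MAX_REQ_LEN || bufsize - off < sizeof n + len) return 0;
        memcpy(buf + off, &n, sizeof n); off += sizeof n;
        memcpy(buf + off, f[i], len);    off += len;
    }
    return off;
}
```

With merge_realm off the decoder reproduces the split "user" / "domain.com" pair seen after the 2.1.18 libsasl change; with it on, the backend gets "user@domain.com" again, and a login that already carries an "@" is left alone.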