Package: libauthen-sasl-perl
Version: 2.1600-1
Severity: important

Dear Maintainer,

I have a Perl script to read from an OpenLDAP instance using Net::LDAP with a GSSAPI bind. The script works fine on Debian stretch but fails on Debian buster. Note that on both servers the line at the bottom of the Perl code that runs ldapsearch produces the same correct results, so I am sure that the Kerberos ticket cache is correct on both servers.

Looking at the OpenLDAP logs I see that the ldapsearch run shows up with the strength factors sasl_ssf=256 ssf=256 while the Net::LDAP bind shows up with the strength factors sasl_ssf=1 ssf=256. Since the Net::LDAP bind is using Kerberos, the sasl_ssf should be 56, not 1.

#######
use strict;
use warnings;

use Authen::SASL;
use Net::LDAP;
use Data::Dumper;

my $server_name = 'ldap.example.com';

# Kerberos credential cache used for the GSSAPI bind
$ENV{'KRB5CCNAME'} = '/tmp/krb.tkt';

my $ld = Net::LDAP->new($server_name, version => '3');
# Check the connection before calling any method on it
if (!$ld or $ld == -1) {
    die "Could not connect to directory server $server_name";
}
$ld->start_tls(verify => 'require');

my $SASL = Authen::SASL->new('GSSAPI');
my $status = $ld->bind(sasl => $SASL);
if ($status->code) {
    die 'Bind error: (' . $status->error_name . ') ' . $status->error_text;
}

my $base   = 'dc=example,dc=com';
my $filter = '(uid=johndoe)';
my @attrs  = ('uid', 'sn');
$status = $ld->search(
    base   => $base,
    filter => $filter,
    attrs  => \@attrs,
);
my @entries = $status->all_entries;

# This results in nothing (but should result in the same data as the ldapsearch below):
warn Dumper @entries;

my $attrs = join(' ', @attrs);
my $cmd   = "ldapsearch -LLL -h $server_name -b $base '$filter' $attrs";

# This gives the correct result:
warn `$cmd`;

-- System Information:
Debian Release: 10.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-8-amd64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages libauthen-sasl-perl depends on:
ii  perl  5.28.1-6

libauthen-sasl-perl recommends no packages.

Versions of packages libauthen-sasl-perl suggests:
ii  libdigest-hmac-perl  1.03+dfsg-2
ii  libgssapi-perl       0.28-3+b1

-- no debconf information
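
Added example (not part of the original report, and not code from the reporter or the package): a small check that reads slapd BIND log lines like the ones the report compares and lists SASL binds whose sasl_ssf falls below a threshold. The log lines are constructed samples in the sasl_ssf=/ssf= style the report quotes; the function names and the default threshold of 56 are assumptions made for this illustration.

```python
import re

# Constructed sample in the slapd log style quoted in the report; hosts,
# connection numbers and DNs are made up for illustration.
SAMPLE_LOG = """\
Mar  3 10:15:01 ldap slapd[812]: conn=1001 op=2 BIND dn="uid=svc,dc=example,dc=com" mech=GSSAPI sasl_ssf=256 ssf=256
Mar  3 10:15:07 ldap slapd[812]: conn=1002 op=3 BIND dn="uid=svc,dc=example,dc=com" mech=GSSAPI sasl_ssf=1 ssf=256
Mar  3 10:15:09 ldap slapd[812]: conn=1003 op=0 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0
Mar  3 10:15:09 ldap slapd[812]: conn=1003 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=johndoe)"
"""

# sasl_ssf is optional so that non-SASL (simple) binds are parsed as well.
BIND_RE = re.compile(
    r'conn=(?P<conn>\d+) op=\d+ BIND dn="(?P<dn>[^"]*)" mech=(?P<mech>\S+)'
    r'(?: sasl_ssf=(?P<sasl_ssf>\d+))? ssf=(?P<ssf>\d+)')


def layer(ssf):
    """Cyrus SASL SSF meaning: 0 = none, 1 = integrity only, >1 = key length."""
    if ssf == 0:
        return "none"
    return "integrity-only" if ssf == 1 else "confidentiality"


def parse_binds(text):
    """Return one dict per BIND result line; sasl_ssf is None for non-SASL binds."""
    binds = []
    for line in text.splitlines():
        m = BIND_RE.search(line)
        if m is None:
            continue
        sasl = m["sasl_ssf"]
        binds.append({
            "conn": int(m["conn"]), "dn": m["dn"], "mech": m["mech"],
            "sasl_ssf": None if sasl is None else int(sasl),
            "ssf": int(m["ssf"]),
        })
    return binds


def flag_weak(binds, min_sasl_ssf=56):
    """Return (conn, mech, sasl_ssf, layer) for SASL binds below the threshold."""
    return [(b["conn"], b["mech"], b["sasl_ssf"], layer(b["sasl_ssf"]))
            for b in binds
            if b["sasl_ssf"] is not None and b["sasl_ssf"] < min_sasl_ssf]


if __name__ == "__main__":
    for conn, mech, ssf, kind in flag_weak(parse_binds(SAMPLE_LOG)):
        print(f"conn={conn} mech={mech} sasl_ssf={ssf} ({kind})")
```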