Hello,
openldap 2.5.12
cyrus-sasl 2.1.28 + sasl channel binding patch[1] + gss-spnego maxssf=0 patch[2]
openldap linked with gnutls
libsasl2-modules-gssapi-mit
I'm currently testing the patches[1][2] for sasl channel binding over
GSSAPI + ssl/tls connection, and was wondering if I could get openldap
to reject ldaps connections without sasl channel binding. Currently it
seems to always accept it, but I can't be sure CB was even checked by
the server by looking at logs (even with -d -1). I got Windows 2016 AD
to reject ldaps connections without CB over gssapi and gss-spnego, so
the client part of openldap (ldapwhoami specifically) seems ok.
I looked at test 077[3] and it runs the server with this configuration:
dn: cn=config
changetype: modify
replace: olcSaslCBinding
olcSaslCBinding: ${acb}
Where `${acb}` loops over the 3 valid values of "none" "tls-unique"
"tls-endpoint".
Then a simple connection with ldapwhoami is attempted, also looping -o
SASL_CBINDING=$icb over those values.
I have seen the comment in that test script that it looks like
tls-unique is broken when used with gnutls[4], and also a comment
about MIT failing in another case[5].
When trying it manually, though, I could never get the client
connection to be refused by the server. Before digging in deeper, let
me just ask if my understanding is correct:
- server configured with:
dn: cn=config
changetype: modify
replace: olcSaslCBinding
olcSaslCBinding: tls-endpoint
- client connecting to that server over ldaps://, with GSSAPI, and
with -o SASL_CBINDING=none
Should that client be rejected?
Sample run:
$ sudo ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcSaslCBinding=*)' olcSaslCBinding
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcSaslCBinding: tls-endpoint
$ ldapwhoami -Y GSSAPI -H ldaps://k-slapd.lxd -o SASL_CBINDING=none
SASL/GSSAPI authentication started
SASL username: ubuntu@VMS
SASL SSF: 256
SASL data security layer installed.
dn:uid=ubuntu,cn=gssapi,cn=auth
And the server logs (olcLogLevel: stats):
Jul 25 14:38:36 k-slapd slapd[261]: conn=1002 fd=14 ACCEPT from IP=10.0.100.36:33800 (IP=0.0.0.0:636)
Jul 25 14:38:36 k-slapd slapd[261]: conn=1002 fd=14 TLS established tls_ssf=256 ssf=256 tls_proto=TLS1.3 tls_cipher=AES-256-GCM
Jul 25 14:38:36 k-slapd slapd[261]: conn=1002 op=0 BIND dn="" method=163
Jul 25 14:38:36 k-slapd slapd[261]: conn=1002 op=0 RESULT tag=97 err=14 qtime=0.000011 etime=0.002447 text=SASL(0): successful result:
Jul 25 14:38:36 k-slapd slapd[261]: conn=1002 op=1 BIND dn="" method=163
Jul 25 14:38:36 k-slapd slapd[261]: conn=1002 op=1 RESULT tag=97 err=14 qtime=0.000012 etime=0.000069 text=SASL(0): successful result:
Jul 25 14:38:36 k-slapd slapd[261]: conn=1002 op=2 BIND dn="" method=163
Jul 25 14:38:36 k-slapd slapd[261]: conn=1002 op=2 BIND authcid="ubuntu" authzid="ubuntu"
Jul 25 14:38:36 k-slapd slapd[261]: conn=1002 op=2 BIND dn="uid=ubuntu,cn=gssapi,cn=auth" mech=GSSAPI bind_ssf=256 ssf=256
Jul 25 14:38:36 k-slapd slapd[261]: conn=1002 op=2 RESULT tag=97 err=0 qtime=0.000012 etime=0.000109 text=
Jul 25 14:38:36 k-slapd slapd[261]: conn=1002 op=3 EXT oid=1.3.6.1.4.1.4203.1.11.3
Jul 25 14:38:36 k-slapd slapd[261]: conn=1002 op=3 WHOAMI
Jul 25 14:38:36 k-slapd slapd[261]: conn=1002 op=3 RESULT oid= err=0 qtime=0.000016 etime=0.000087 text=
Jul 25 14:38:36 k-slapd slapd[261]: conn=1002 op=4 UNBIND
Jul 25 14:38:36 k-slapd slapd[261]: conn=1002 fd=14 closed
1. https://github.com/cyrusimap/cyrus-sasl/commit/975edbb69070eba6b035f08776de771a129cfb57
2. https://github.com/cyrusimap/cyrus-sasl/pull/603/commits
3. https://git.openldap.org/openldap/openldap/-/blob/OPENLDAP_REL_ENG_2_5/tests/scripts/test077-sasl-gssapi#L177
4. https://git.openldap.org/openldap/openldap/-/blob/OPENLDAP_REL_ENG_2_5/tests/scripts/test077-sasl-gssapi#L196
5. https://git.openldap.org/openldap/openldap/-/blob/OPENLDAP_REL_ENG_2_5/tests/scripts/test077-sasl-gssapi#L204
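As an added illustration (not code from the post, OpenLDAP or cyrus-sasl), the accept/reject decision a server enforcing RFC 5929 channel binding would make for the case asked about above (server policy tls-endpoint, client SASL_CBINDING=none), together with the tls-server-end-point derivation. The certificate bytes, the tls-unique value and the policy semantics are assumptions; what slapd itself does is exactly the open question in the post.

```python
import hashlib

# Illustrative only: RFC 5929 "tls-server-end-point" derivation and the
# accept/reject decision of a server that enforces a channel-binding policy.
# Policy names mirror the olcSaslCBinding values; this is not slapd's code.

# RFC 5929 section 4.1: hash the server certificate with the hash function of
# its signature algorithm, except that MD5 and SHA-1 are replaced by SHA-256.
_UPGRADE_TO_SHA256 = {"md5", "sha1"}

def tls_server_end_point(cert_der: bytes, sig_hash: str) -> bytes:
    """Channel-binding data for a DER-encoded server certificate."""
    name = sig_hash.lower().replace("-", "")
    if name in _UPGRADE_TO_SHA256:
        name = "sha256"
    return hashlib.new(name, cert_der).digest()

def server_decision(policy: str, client_cb_type, client_cb_data: bytes,
                    server_cb: dict) -> tuple:
    """policy: configured binding type ('none', 'tls-unique', 'tls-endpoint').
    client_cb_type: RFC 5929 type the client bound to, or None for no binding.
    server_cb: type name -> data the server derived from its own TLS session.
    Returns (accepted, reason)."""
    if policy == "none":
        return True, "server does not require channel binding"
    wanted = {"tls-unique": "tls-unique",
              "tls-endpoint": "tls-server-end-point"}[policy]
    if client_cb_type is None:
        return False, f"client offered no channel binding, server requires {wanted}"
    if client_cb_type != wanted:
        return False, f"client bound to {client_cb_type}, server requires {wanted}"
    if client_cb_data != server_cb[wanted]:
        return False, f"{wanted} data does not match this TLS session"
    return True, f"channel binding {wanted} verified"

# Constructed stand-ins, not a real certificate or TLS finished message.
FAKE_CERT_DER = b"\x30\x82\x01\x00constructed-sample-certificate-bytes"
SERVER_CB = {
    "tls-server-end-point": tls_server_end_point(FAKE_CERT_DER, "sha256"),
    "tls-unique": b"constructed-tls-unique-value",
}

if __name__ == "__main__":
    # The post's case: olcSaslCBinding: tls-endpoint vs. -o SASL_CBINDING=none
    print(server_decision("tls-endpoint", None, b"", SERVER_CB))
    # A client that did bind to the server certificate
    print(server_decision("tls-endpoint", "tls-server-end-point",
                          SERVER_CB["tls-server-end-point"], SERVER_CB))
```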