
Bug#942486: marked as done (buster-pu: package shelldap/1.4.0-4+deb10u1)



Your message dated Sat, 16 Nov 2019 10:08:47 +0000
with message-id <83c9ffab6f08361485f70dda4733a7a24aeec09b.camel@adam-barratt.org.uk>
and subject line Closing bugs for 10.2 point release fixes
has caused the Debian Bug report #942486,
regarding buster-pu: package shelldap/1.4.0-4+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
942486: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942486
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Hi Stable release managers

I was asked if we can address #941411 ("shelldap: sometimes falls back
to simple auth when it should do sasl") as well for buster. The
severity is not very high, so you might want to dispute this but it
fixes the issue seen.

Uwe reported that when calling shelldap repeatedly it sometimes fails,
and this was because in Net::LDAP's bind() method the iteration through
%ptype happens in different orderings.

We forwarded the original issue to upstream at
https://github.com/mahlonsmith/shelldap/issues/2 resulting in the
changes:

 - Don't provide a password for sasl authentication (addressing the
   original concern)
 - Fix sasl for DIGEST-MD5, PLAIN, and LOGIN mechanisms

I could not test the latter, second one myself though; testing for the
EXTERNAL case was done with the fixed package by Uwe.

Attached is the proposed debdiff.

Regards,
Salvatore
diff -Nru shelldap-1.4.0/debian/changelog shelldap-1.4.0/debian/changelog
--- shelldap-1.4.0/debian/changelog	2018-12-28 23:26:25.000000000 +0100
+++ shelldap-1.4.0/debian/changelog	2019-10-17 08:41:57.000000000 +0200
@@ -1,3 +1,11 @@
+shelldap (1.4.0-4+deb10u1) buster; urgency=medium
+
+  * Repair SASL authentications, add a 'sasluser' option (Closes: #941411)
+    + Don't provide a password for sasl authentication
+    + Fix sasl for DIGEST-MD5, PLAIN, and LOGIN mechanisms
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Thu, 17 Oct 2019 08:41:57 +0200
+
 shelldap (1.4.0-4) unstable; urgency=medium
 
   * Replace home-made GitLab CI with the standard Salsa pipeline
diff -Nru shelldap-1.4.0/debian/patches/Don-t-provide-a-password-for-sasl-authentication.patch shelldap-1.4.0/debian/patches/Don-t-provide-a-password-for-sasl-authentication.patch
--- shelldap-1.4.0/debian/patches/Don-t-provide-a-password-for-sasl-authentication.patch	1970-01-01 01:00:00.000000000 +0100
+++ shelldap-1.4.0/debian/patches/Don-t-provide-a-password-for-sasl-authentication.patch	2019-10-17 08:41:57.000000000 +0200
@@ -0,0 +1,33 @@
+From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= <uwe@kleine-koenig.org>
+Date: Sun, 13 Oct 2019 10:19:40 -0700
+Subject: Don't provide a password for sasl authentication.
+Origin: https://github.com/mahlonsmith/shelldap/commit/23469d7550ca1853da4fab3f05d43351633b516f
+Bug-Debian: https://bugs.debian.org/941411
+Bug: https://github.com/mahlonsmith/shelldap/issues/2
+
+When a sasl parameter is given (and used) the password parameter is not
+used by Net::LDAP. If indeed a password is required it has to be passed
+in the Authen::SASL object, not as parameter to bind.
+
+So drop the password parameter which stops trying (and failing) to use
+password authentication sometimes if in Net/LDAP.pm the iteration over
+%ptype hits its 'password' member before the 'sasl' member.
+---
+ shelldap | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/shelldap b/shelldap
+index 68dde20cc8de..5a18f23799f0 100755
+--- a/shelldap
++++ b/shelldap
+@@ -770,7 +770,6 @@ You may try connecting insecurely, or install the module and try again.\n} if $@
+ 	#
+ 	if ( $sasl_conn ) {
+ 		$rv = $ldap->bind( $conf->{'binddn'},
+-			password => $conf->{'bindpass'},
+ 			sasl     => $sasl_conn
+ 		);
+ 	}
+-- 
+2.23.0
+
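Review bot: Removing `password => $conf->{'bindpass'}` from the SASL `bind()` call leaves `bindpass` unused on this path, so with this patch alone a password-based mechanism has no way to receive the secret. The description itself says it has to be passed in the Authen::SASL object, and that is only done by the next patch in the series, so the two need to stay together and in this order. The embedded hunk is also recorded at line 770, while the follow-up patch touches the same bind logic around lines 619-661; refreshing this patch against 1.4.0 would avoid relying on a large offset when it is applied.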
diff -Nru shelldap-1.4.0/debian/patches/Fix-sasl-for-DIGEST-MD5-PLAIN-and-LOGIN-mechanisms-w.patch shelldap-1.4.0/debian/patches/Fix-sasl-for-DIGEST-MD5-PLAIN-and-LOGIN-mechanisms-w.patch
--- shelldap-1.4.0/debian/patches/Fix-sasl-for-DIGEST-MD5-PLAIN-and-LOGIN-mechanisms-w.patch	1970-01-01 01:00:00.000000000 +0100
+++ shelldap-1.4.0/debian/patches/Fix-sasl-for-DIGEST-MD5-PLAIN-and-LOGIN-mechanisms-w.patch	2019-10-17 08:41:57.000000000 +0200
@@ -0,0 +1,82 @@
+From: "Mahlon E. Smith" <mahlon@martini.nu>
+Date: Sun, 13 Oct 2019 10:44:16 -0700
+Subject: Fix sasl for DIGEST-MD5, PLAIN, and LOGIN mechanisms, which I don't
+ think ever actually worked properly.
+Origin: https://github.com/mahlonsmith/shelldap/commit/3e5868c3bf3ef2f68582033c52c13cd9e4b39f92
+Bug-Debian: https://bugs.debian.org/941411
+Bug: https://github.com/mahlonsmith/shelldap/issues/2
+
+Add a sasluser argument if a specific identity is required for the
+backend, which if unsupplied, tries to guess if a binddn is present.
+
+(Uwe's previous commit fixed EXTERNAL and GSSAPI, which did work, but
+randomly failed due to hash ordering.)
+
+
+Minor style cleanups, remove duplicate/unecessary logic for anonymous
+binds.
+
+[Salvatore Bonaccorso: Backport to 1.4.0, reduce chances to only needed
+ones to fix support for sasl]
+---
+ shelldap     | 60 ++++++++++++++++++++++++++++++++++------------------
+ 2 files changed, 41 insertions(+), 20 deletions(-)
+
+ddiff --git a/shelldap b/shelldap
+index 5a18f23799f0..bb3226e5a6ad 100755
+--- a/shelldap
++++ b/shelldap
+@@ -165,7 +165,20 @@ credentials.
+ A space separated list of SASL mechanisms.  Requires the Authen::SASL
+ module.
+ 
+-    --sasl "PLAIN CRAM-MD5 GSSAPI"
++    --sasl 'PLAIN DIGEST-MD5 EXTERNAL GSSAPI'
++    -Y 'PLAIN DIGEST-MD5 EXTERNAL GSSAPI'
++
++=back
++
++=over 4
++
++=item B<sasluser>
++
++SASL authorization identity, if one is explicitly required by your
++backend mechanism.
++
++    --sasluser mahlon
++    -X mahlon
+ 
+ =back
+ 
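Review bot: The new `sasluser` POD entry calls the value a "SASL authorization identity", but the code later in this patch hands it to Authen::SASL as the `user` callback, which is the name used to authenticate. Since `-X` is the authorization-ID flag in the OpenLDAP client tools (with `-U` for the authentication ID), the wording and the flag letter invite confusion about which identity is being set. The entry should say which one it is, and should also document the fallback to the `uid=` value of `binddn` when the option is not given.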
+@@ -619,7 +632,13 @@ You may try connecting insecurely, or in
+ 	if ( $use_sasl ) {
+ 		my $serv = $conf->{'server'};
+ 		$serv =~ s!^ldap[si]?://!!;
+-		$sasl = Authen::SASL->new( mechanism => $conf->{'sasl'} );
++		my $user = $1 if $conf->{'binddn'} && $conf->{'binddn'} =~ /uid=([^,]*),/i;
++		my $callback = {
++			pass => $conf->{'bindpass'},
++			user => $conf->{'sasluser'} || $user
++		};
++
++		$sasl = Authen::SASL->new( mechanism => $conf->{'sasl'}, callback => $callback );
+ 		$sasl_conn = $sasl->client_new( 'ldap', $serv );
+ 	}
+ 
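Review bot: `my $user = $1 if ...` declares a lexical under a statement modifier, which perlsyn documents as undefined behaviour; assign from the match in list context instead, e.g. `my ($user) = ( $conf->{'binddn'} // '' ) =~ /uid=([^,]*),/i;`. The pattern is also unanchored and requires a trailing comma, so it takes the first `uid=` found anywhere in the DN and can capture an empty string; anchoring it to the leading RDN and using `[^,]+` would make the guess stricter. `pass => $conf->{'bindpass'}` is placed in the callback for every mechanism, including EXTERNAL and GSSAPI where no password is expected, which deserves a comment in the code.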
+@@ -642,7 +661,7 @@ You may try connecting insecurely, or in
+ 	# bind anonymously
+ 	#
+ 	else {
+-		$rv = $sasl_conn ? $ldap->bind( sasl => $sasl_conn ) : $ldap->bind();
++		$rv = $ldap->bind();
+ 	}
+ 
+ 	my $err = $rv->error();
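Review bot: Dropping the `$sasl_conn ? ... : ...` test in the anonymous branch is only behaviour-neutral if the preceding branches already handle every case where `$sasl_conn` is set, and those conditions are outside the visible context. The backport note says the change was reduced to what is needed for the SASL fix, so for a stable update either leave this line as it was or state in the patch description that a SASL bind without `binddn` cannot reach this `else`.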
+@@ -2382,6 +2401,7 @@ Getopt::Long::GetOptions(
+ 	'promptpass|W',
+ 	'timeout=i',
+ 	'sasl|Y=s',
++	'sasluser|X=s',
+ 	'tls_cacert=s',
+ 	'tls_cert=s',
+ 	'tls_key=s',
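Review bot: In the header of this patch file the line `ddiff --git a/shelldap b/shelldap` has a stray leading `d`, and the diffstat still reads "2 files changed, 41 insertions(+), 20 deletions(-)" although only `shelldap` is listed after the backport. The `---`/`+++` lines are intact, so the hunks can still be located, but both header lines should be corrected by regenerating the patch. The new `'sasluser|X=s'` option itself matches the POD added earlier in the patch.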
diff -Nru shelldap-1.4.0/debian/patches/series shelldap-1.4.0/debian/patches/series
--- shelldap-1.4.0/debian/patches/series	2018-12-28 23:26:25.000000000 +0100
+++ shelldap-1.4.0/debian/patches/series	2019-10-17 08:41:57.000000000 +0200
@@ -1,2 +1,4 @@
 add-editor-fallback.patch
 add-pager-fallback.patch
+Don-t-provide-a-password-for-sasl-authentication.patch
+Fix-sasl-for-DIGEST-MD5-PLAIN-and-LOGIN-mechanisms-w.patch

--- End Message ---
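The ordering problem described in the message above, as an added example that is not part of the original mail, shelldap or Net::LDAP. It is a simplified, constructed model: the three-entry `%ptype` table, the helpers `pick_auth`, `tally` and `fmt`, and the shuffled key order (standing in for Perl's per-process hash ordering) are all assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use List::Util qw(shuffle);

# Constructed stand-in for a parameter-to-auth-type table such as the
# %ptype hash the message refers to; not copied from Net::LDAP.
my %ptype = ( password => 'simple', sasl => 'sasl', anonymous => 'anon' );

# Return the auth type of the first table key that the caller supplied,
# visiting the keys in the given order (models hash iteration order).
sub pick_auth {
    my ( $order, $args ) = @_;
    for my $param (@$order) {
        return $ptype{$param} if exists $args->{$param};
    }
    return 'anon';
}

# Simulate many program starts, each with its own key order, and count
# which auth type is selected.
sub tally {
    my ( $args, $runs ) = @_;
    my %seen;
    $seen{ pick_auth( [ shuffle keys %ptype ], $args ) }++ for 1 .. $runs;
    return \%seen;
}

# Render a tally as "type=count, type=count".
sub fmt {
    my ($t) = @_;
    return join ', ', map { $_ . '=' . $t->{$_} } sort keys %$t;
}

my $sasl_conn = 'constructed-sasl-handle';    # placeholder, not a real SASL object

# Before the fix: the caller passes both 'password' and 'sasl'.
my $before = tally( { password => 'constructed', sasl => $sasl_conn }, 1000 );

# After the fix: the caller passes only 'sasl'.
my $after = tally( { sasl => $sasl_conn }, 1000 );

print 'before: ', fmt($before), "\n";    # a mix of 'sasl' and 'simple'
print 'after:  ', fmt($after),  "\n";    # 'sasl' on every run
```

With both keys present the selected mechanism depends on which key is visited first, so some runs silently use simple authentication; once only `sasl` is passed, the result no longer depends on iteration order.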
--- Begin Message ---
Package: release.debian.org
Version: 10.2

Hi,

The fixes referenced by these bugs were included in today's 10.2 stable
point release.

Regards,

Adam

--- End Message ---
