[Bug 1987992] Re: autofs: Missing support of SCRAM for SASL binds

rdratlos 1987992 at bugs.launchpad.net
Mon Sep 5 08:24:22 UTC 2022


To reproduce, an LDAP server (server.example.com) with a test user set up
is required. autofs maps in LDAP are not needed, as we only try to bind
our workstation to the directory service.

Test user dn:
uid=testuser@example.com,ou=Users,dc=example,dc=com

Settings in /etc/autofs_ldap_auth.conf:
<?xml version="1.0" ?>
<!--
This file contains a single entry with multiple attributes tied to it.
See autofs_ldap_auth.conf(5) for more information.
-->

<autofs_ldap_sasl_conf
        usetls="yes"
        tlsrequired="no"
        authrequired="yes"
        user="testuser@example.com"
        authtype="SCRAM-SHA-1"
        secret="my_secret"
/>

Failed SASL bind log:
$ automount -f -v -d
Starting automounter version 5.1.8, master map auto.master
using kernel protocol version 5.05
lookup_nss_read_master: reading master ldap auto.master
parse_server_string: lookup(ldap): Attempting to parse LDAP information from string "auto.master".
parse_server_string: lookup(ldap): mapname auto.master
parse_ldap_config: lookup(ldap): ldap authentication configured with the following options:
parse_ldap_config: lookup(ldap): use_tls: 1, tls_required: 0, auth_required: 2, sasl_mech: SCRAM-SHA-1
parse_ldap_config: lookup(ldap): user: (null), secret: unspecified, client principal: (null) credential cache: (null)
do_init: parse(sun): init gathered global options: (null)
find_server: trying server uri ldap://server.example.com
do_bind: lookup(ldap): auth_required: 2, sasl_mech SCRAM-SHA-1
do_bind: Attempting sasl bind with mechanism SCRAM-SHA-1
do_bind: lookup(ldap): ldap_sasl_interactive_bind failed with error 49
do_bind: ldap_sasl_interactive_bind: SASL(-13): user not found: no secret in database
lookup(ldap): couldn't connect to server ldap://server.example.com

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to autofs in Ubuntu.
https://bugs.launchpad.net/bugs/1987992

Title:
  autofs: Missing support of SCRAM for SASL binds

Status in autofs package in Ubuntu:
  New

Bug description:
  Most directory services now support the more secure Salted Challenge
  Response Authentication Mechanism (SCRAM) for SASL binding (RFC 5802).
  But an automount user cannot request the use of SCRAM, as automount does
  not read user and password credentials for SCRAM mechanisms.

  Sys admins that do not want to implement Kerberos-based authentication
  to their directory service using GSSAPI need to rely on DIGEST-MD5,
  which is regarded as insecure.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/autofs/+bug/1987992/+subscriptions
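Added example, not part of the bug report or of autofs itself: a small pre-flight check over the autofs_ldap_auth.conf format quoted above. It parses the single XML element, confirms that a mechanism which needs client-side credentials (assumed set: PLAIN, LOGIN, DIGEST-MD5, SCRAM-SHA-*) actually has user and secret in the file, flags the weak mechanisms and a non-required TLS setting, and checks the permissions of a file that stores a cleartext secret. Running it on the reporter's configuration shows the file does carry user and secret, which is what makes the "user: (null), secret: unspecified" line in the log above point at automount's parser rather than at the file.

```python
import stat
import xml.etree.ElementTree as ET

# Mechanisms where the client hands user+secret to the SASL library (assumption, from mechanism specs).
CREDENTIAL_MECHS = {"PLAIN", "LOGIN", "DIGEST-MD5", "SCRAM-SHA-1", "SCRAM-SHA-256"}
# DIGEST-MD5 is the one the report calls insecure; PLAIN/LOGIN send the password itself (assumption).
WEAK_MECHS = {"PLAIN", "LOGIN", "DIGEST-MD5"}

# Constructed sample: the configuration quoted in the report, with "@" restored.
SAMPLE_CONF = """<?xml version="1.0" ?>
<autofs_ldap_sasl_conf
        usetls="yes"
        tlsrequired="no"
        authrequired="yes"
        user="testuser@example.com"
        authtype="SCRAM-SHA-1"
        secret="my_secret"
/>"""


def check_auth_conf(xml_text):
    """Return findings (strings) for one autofs_ldap_auth.conf document."""
    root = ET.fromstring(xml_text)
    if root.tag != "autofs_ldap_sasl_conf":
        return ["root element is %r, expected autofs_ldap_sasl_conf" % root.tag]
    a = root.attrib
    mech = a.get("authtype", "").upper()
    findings = []
    if a.get("authrequired") == "yes" and not mech:
        findings.append("authrequired=yes but no authtype set")
    if mech in CREDENTIAL_MECHS:  # these need a client-side user and secret
        for key in ("user", "secret"):
            if not a.get(key):
                findings.append("%s needs %r but it is missing" % (mech, key))
    if mech in WEAK_MECHS:
        findings.append("%s is weak; prefer SCRAM-SHA-* or GSSAPI" % mech)
    if a.get("usetls") == "yes" and a.get("tlsrequired") != "yes":
        findings.append("tlsrequired=no: connection may fall back to cleartext")
    return findings


def check_file_mode(st_mode, st_uid):
    """The file holds a cleartext secret: expect root-owned, mode 0600
    (assumption; pass st_mode and st_uid from os.stat on the real file)."""
    problems = []
    if st_uid != 0:
        problems.append("not owned by root")
    if stat.S_IMODE(st_mode) & 0o077:
        problems.append("mode %04o exposes the secret to group/other" % stat.S_IMODE(st_mode))
    return problems
```

On the reporter's configuration `check_auth_conf(SAMPLE_CONF)` returns only the tlsrequired finding; dropping the secret attribute or switching authtype to DIGEST-MD5 adds the corresponding finding.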
