2.2-rc3 critique: FAILS '"' CONTAINING PASSWORDS!!!!

Alain Spineux aspineux at gmail.com
Thu Jun 19 12:45:15 CEST 2008


On Thu, Jun 19, 2008 at 12:24 PM, Johannes Graumann
<johannes_graumann at web.de> wrote:
> Alain Spineux wrote:
>
>> On Thu, Jun 19, 2008 at 8:47 AM, Johannes Graumann
>> <johannes_graumann at web.de> wrote:
>>> I was indeed using a password with a double quote - shouldn't there be
>>> input sanitizing escaping all of this and making all special characters
>>> available for secure passwording?
>>
>> This is not a secure password anymore, this is an extreme password :-)
>> The problem is your password becomes different depending on the escaping
>> of the front end you are logging in with! You are looking for difficulties.
>
> And this is one of the points where the kolab infrastructure of conjoined
> proven - but diverse - components shows a weakness ...

You are wrong. The problem is not the "diversity of components"
but the diversity of protocols, interfaces and clients.

The way you escape a quote could be different in a shell script,
in Thunderbird or a web interface ...

>
> Joh
>
>
>>
>>
>>>
>>> Thanks for the sasl pointer ... will report back tonight.
>>>
>>> Joh
>>>
>>> Alain Spineux wrote:
>>>
>>>> On Wed, Jun 18, 2008 at 11:17 PM, Johannes Graumann
>>>> <johannes_graumann at web.de> wrote:
>>>>> Hi,
>>>>>
>>>>> 1) Completely fresh openpkg install/bootstrap
>>>>> 2) Create a new user
>>>>> 3) Try to use new user:
>>>>>        a) admin interface works
>>>>
>>>> I think the webadmin uses simple_bind, not SASL!
>>>>
>>>>>        b) horde doesn't
>>>>
>>>> uses IMAP, then SASL
>>>>
>>>>>        c) kontact doesn't
>>>>
>>>> uses IMAP too
>>>>
>>>>> 4) Investigate:
>>>>>        a) manually bind to openldap:
>>>>>        root# /kolab/bin/ldapsearch -b dc=graumanage,dc=net -s base -D
>>>>>        'cn=Johannes Graumann,dc=graumanage,dc=net' -h 127.0.0.1 -x -w
>>>>>        '<MYPASSWD>'
>>>>>
>>>>
>>>> then simple bind works
>>>>
>>>>>        Output in the shell:
>>>>>         # extended LDIF
>>>>>        #
>>>>>        # LDAPv3
>>>>>        # base <dc=graumanage,dc=net> with scope baseObject
>>>>>        # filter: (objectclass=*)
>>>>>        # requesting: ALL
>>>>>        #
>>>>>
>>>>>        # graumanage.net
>>>>>        dn: dc=graumanage,dc=net
>>>>>        dc: graumanage
>>>>>        objectClass: top
>>>>>        objectClass: domain
>>>>>
>>>>>        # search result
>>>>>        search: 2
>>>>>        result: 0 Success
>>>>>
>>>>>        # numResponses: 2
>>>>>        # numEntries: 1
>>>>>        b) equivalent output when observing slapd debugging (as advised
>>>>>        here:
>>>>>        http://wiki.kolab.org/index.php/Kolab2_Server_Troubleshooting_-_LDAP)
>>>>>        c) appropriate slapd debugging output when logging into admin
>>>>>        interface
>>>>>        d) NO slapd output when attempting to use horde
>>>>
>>>> Looks like SASL cannot even communicate with LDAP
>>>>
>>>>>        e) only trace of horde login:
>>>>>                tail /kolab/var/apache/log/horde/horde.log
>>>>>                Jun 18 22:14:05 HORDE [error] [horde] FAILED LOGIN for
>>>>>                Johannes Graumann
>>>>>                [192.168.0.2] to Horde [pid 25084 on line 157
>>>>>                of "/kolab/var/kolab/www/horde/login.php"]
>>>>>        ==> this looked up somewhere that the email given was linked to
>>>>>        my name,
>>>>>                but still fails ...
>>>>>        f) /kolab/bin/cyradm --user johannes.graumann at graumanage.net
>>>>>        localhost
>>>>>                  Password ...
>>>>>                  IMAP password ...
>>>>>        FAILS
>>>>
>>>> IMAP then SASL again
>>>>
>>>>> 5) Partial solution to cyrus based problems:
>>>>>        USE PASSWORD WITHOUT '"' and imap-based stuff just
>>>>>        works!!!!?????
>>>>
>>>> I don't understand, without what?
>>>>
>>>>>        ==> cyradmin login works (also with explicitly escaped '"')
>>>>
>>>> Did you use a double or single quote in your password?
>>>>
>>>>>        ==> much of kontact functionality therefore works
>>>>
>>>>> 6) Remaining problems:
>>>>>        a) No horde login - pointers for better troubleshooting?
>>>>>        b) LDAP lookup from within kontact: still NO TLS or SSL
>>>>>        c) call up contact: still one stalling progress bar for an
>>>>>        unidentifiable connection to the server - what might this be?
>>>>
>>>> My first idea (before the " or ' stuff) was to troubleshoot SASL
>>>>
>>>> http://wiki.kolab.org/index.php/Kolab2_Server_Troubleshooting_-_SASL
>>>>
>>>>
>>>>>
>>>>> Comments? Joh
>>>>>
>>>>> _______________________________________________
>>>>> Kolab-users mailing list
>>>>> Kolab-users at kolab.org
>>>>> https://kolab.org/mailman/listinfo/kolab-users
>>>>>



-- 
Alain Spineux
aspineux gmail com
May the sources be with you
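The point made above, that a quote character in a password survives some front ends and not others because each layer applies its own quoting rule, can be checked concretely. The following script is an added example and is not code from the thread or from Kolab; it models two of the layers the thread mentions, the IMAP LOGIN command (RFC 3501 quoted strings, as used by the Horde/cyradm path) and the shell command line of the quoted ldapsearch call, and for each compares a client that applies the layer's escaping rule with one that just pastes the password between quotes. The user name "joh", the sample passwords and the tag "A1" are constructed values.

```python
"""Why a password containing a quote fails in some front ends but not others:
the shell, IMAP and LDAP layers each have their own quoting rule, and a client
that pastes the password into a command without applying that layer's rule
corrupts or truncates it. Added example; not Kolab code."""

import shlex


def imap_quote(value: str) -> str:
    """Encode an IMAP quoted string (RFC 3501 section 4.3): only backslash and
    double quote are escaped, each with a backslash. CR and LF cannot appear in
    a quoted string at all; such values must be sent as a literal instead."""
    if "\r" in value or "\n" in value:
        raise ValueError("CR/LF not allowed in a quoted string; use a literal")
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def imap_split_args(line: str) -> list:
    """Tokenize one IMAP command line into atoms and quoted strings the way a
    server parser does. Raises ValueError on malformed input, which is what the
    server sees when a '"' inside the password was not escaped."""
    tokens, i, n = [], 0, len(line)
    while i < n:
        if line[i] == " ":
            i += 1
        elif line[i] == '"':
            i += 1
            buf = []
            while True:
                if i >= n:
                    raise ValueError("unterminated quoted string")
                c = line[i]
                if c == "\\":
                    # only '\\' and '\"' are legal escapes inside a quoted string
                    if i + 1 >= n or line[i + 1] not in '\\"':
                        raise ValueError("bad escape in quoted string")
                    buf.append(line[i + 1])
                    i += 2
                elif c == '"':
                    i += 1
                    break
                else:
                    buf.append(c)
                    i += 1
            tokens.append("".join(buf))
        else:
            j = i
            while j < n and line[j] not in ' "':
                j += 1
            if j < n and line[j] == '"':
                raise ValueError("quote character inside an atom")
            tokens.append(line[i:j])
            i = j
    return tokens


def imap_login_survives(user: str, password: str, escape: bool) -> bool:
    """Build 'A1 LOGIN user pass' with or without IMAP escaping and check that a
    server-side parse yields the original credentials unchanged."""
    if escape:
        line = "A1 LOGIN %s %s" % (imap_quote(user), imap_quote(password))
    else:
        line = 'A1 LOGIN "%s" "%s"' % (user, password)  # naive client
    try:
        return imap_split_args(line)[2:] == [user, password]
    except ValueError:
        return False


def shell_argv_survives(password: str, escape: bool) -> bool:
    """Same check for the shell layer: the ldapsearch -w argument from the
    thread, built either with shlex.quote or by wrapping in single quotes."""
    arg = shlex.quote(password) if escape else "'%s'" % password
    cmd = "ldapsearch -x -w %s" % arg  # hypothetical command, not executed
    try:
        return shlex.split(cmd)[-1] == password
    except ValueError:
        return False


if __name__ == "__main__":
    # constructed sample passwords covering ", ', both, and a backslash
    for pw in ['pa"ss', "it's", 'both\'"', "back\\slash"]:
        print("%-12r imap naive=%-5s imap escaped=%-5s shell naive=%-5s shell quoted=%s" % (
            pw,
            imap_login_survives("joh", pw, escape=False),
            imap_login_survives("joh", pw, escape=True),
            shell_argv_survives(pw, escape=False),
            shell_argv_survives(pw, escape=True)))
```

Run stand-alone, the table shows the asymmetry the thread observed: the naive IMAP client loses a password with `"` but accepts one with `'`, while the naive shell wrapper does the opposite, and only the clients that apply each layer's own rule (`imap_quote`, `shlex.quote`) deliver the same bytes every time. That "same bytes at every layer" property is the thing to verify when a credential works in one front end and not another.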



