
Allow reply to interactive SASL mechanisms #8347


Open: wants to merge 1 commit into master

Conversation

manu0401
Contributor

Some SASL mechanisms like OTP perform an interactive challenge-response.

Obviously it is not possible to perform the interaction within a single
HTTP transaction, but we may obtain the challenge from a first HTTP
transaction and send the reply during a second one. The only requirement
is that PHP LDAP module does not reject the second operation because
it should be part of an interactive exchange. This change does just that.

@cmb69
Member

cmb69 commented Apr 12, 2022

@MCMic, thoughts?

@manu0401
Contributor Author

manu0401 commented May 4, 2022

> @MCMic, thoughts?

At least it did not raise a fierce opposition :-)

@cmb69
Member

cmb69 commented May 4, 2022

Some other LDAP people around who could review this PR?

@MCMic
Contributor

MCMic commented May 4, 2022

I missed the notification about this, sorry.
No strong opposition I suppose, would it be possible to add a test for this? Or at least provide some example code using this change to illustrate.

@manu0401
Contributor Author

> provide some example code using this change to illustrate.

Let us imagine you want to use SASL OTP. You managed to let the user obtain the OTP challenge from another HTTP connection. The user enters the OTP password and this happens:

    $r = ldap_sasl_bind($ldap, $dn, $otp_passwd, "OTP");

Current code will always fail here because it assumes OTP must be interactive, something that cannot happen in a single HTTP connection anyway. My change lets it proceed.

@ramsey
Member

ramsey commented May 23, 2022

Are we still waiting on a test or example code?

@github-actions

There has not been any recent activity in this PR. It will automatically be closed in 7 days if no further action is taken.

@github-actions github-actions bot added the Stale label Jul 23, 2022
@manu0401
Contributor Author

If you want a test, please tell me how it could be built.

@cmb69
Member

cmb69 commented Jul 25, 2022

Maybe @heiglandreas wants to have a look?

@heiglandreas
Contributor

Thanks for looping me in.

Code-wise I don't see any issues. But I indeed would either love to see a test or two or a detailed explanation on what needs to be done in PHP code as well as on the LDAP server's side to make use of the code.

The information from #8347 (comment) is kinda OK but I'm still not 100% on board on how I can use that over multiple HTTP requests. So a short example-script in PHP that illustrates the two requests would be extremely helpful. I'd then happily try to hack a test together.

But I'd just go ahead with that!

@adoy adoy removed this from the PHP 8.2 milestone Feb 16, 2023
@manu0401
Contributor Author

Sorry for the lag, I forgot this contribution was not merged, and I just rediscovered it when updating PHP.

The use case is SASL/OTP. It works with a challenge/response, but the challenge is always the same between two successful authentications. Here is an example of interactive use:

$ ldapwhoami -U johndoe -U OTP
SASL/OTP authentication started
Challenge: otp-sha256 498 w44551 ext
Please enter your one-time password:

Here the LDAP directory asks about one-time password #498 in the list. It will always ask #498 until authentication succeeds, then it will ask for #497. This means that despite the challenge/response nature of the exchange, we can run it within a set of two HTTP requests, the first one to retrieve the challenge, and the second one to send the one-time password.

All we need is the proposed change so that we can simulate the interactive exchange.
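The two-request flow described in this thread, as an added example script (not code from the PR or from php-src): request one parses and stores the challenge line in the format quoted above (`otp-sha256 498 w44551 ext`), request two performs the `ldap_sasl_bind()` with the `OTP` mechanism that this change lets through. The LDAP host, the DN layout and the way the challenge text reaches the script (a form field) are assumptions.

```php
<?php
// Added example: SASL/OTP bind split across two HTTP requests.
// Assumed: the challenge line shown to the user is posted back in
// $_POST['challenge'] on request 1; the OTP itself in $_POST['otp'] on request 2.
session_start();

// Parse "otp-<hash> <seq> <seed> [ext]" (the ldapwhoami "Challenge:" line)
// into its fields. Returns null for anything that is not an OTP challenge.
function parse_otp_challenge(string $line): ?array
{
    $line = preg_replace('/^Challenge:\s*/', '', trim($line));
    if (!preg_match('/^otp-(md5|sha1|sha256)\s+(\d+)\s+([a-z0-9]{1,16})(?:\s+(ext))?$/i', $line, $m)) {
        return null;
    }
    return ['hash' => strtolower($m[1]), 'seq' => (int) $m[2], 'seed' => $m[3], 'ext' => isset($m[4])];
}

// Request 1: validate and remember the challenge so the user can compute
// OTP #seq offline. The sequence number stays fixed until a bind succeeds.
if (isset($_POST['challenge'])) {
    $c = parse_otp_challenge($_POST['challenge']);
    if ($c === null) {
        http_response_code(400);
        exit("unrecognised OTP challenge\n");
    }
    $_SESSION['otp_challenge'] = $c;
    exit("Enter one-time password #{$c['seq']} for seed {$c['seed']}\n");
}

// Request 2: bind with the OTP the user entered. With the PR applied,
// ldap_sasl_bind() no longer rejects "OTP" as an interactive-only mechanism.
if (isset($_POST['otp'], $_SESSION['otp_challenge'])) {
    $ldap = ldap_connect('ldaps://ldap.example.org');        // assumed host
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    $uid = ldap_escape($_POST['uid'] ?? '', '', LDAP_ESCAPE_DN);
    $dn  = "uid={$uid},ou=people,dc=example,dc=org";          // assumed DN layout
    $ok  = @ldap_sasl_bind($ldap, $dn, $_POST['otp'], 'OTP');
    unset($_SESSION['otp_challenge']);                        // one attempt per stored challenge
    if (!$ok) {
        http_response_code(401);
        exit('bind failed: ' . ldap_error($ldap) . "\n");
    }
    echo 'authenticated as ' . ldap_exop_whoami($ldap) . "\n";
}
```

Because the directory keeps asking for the same sequence number until a bind succeeds, a failed second request can simply be retried with a fresh request 1 without the challenge changing underneath the user.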

@cmb69
Member

cmb69 commented Nov 12, 2024

> I'd then happily try to hack a test together.

From what I can tell, we have almost no tests for SASL auth, and neither is working in CI as expected, since we have no SASL auth configured (ldap_sasl_bind_basic.phpt is skipped due to an erroneous fsockopen() check, and ldap_sasl_bind_error.phpt succeeds because SASL auth isn't set up). I think we should catch up on this first; unfortunately, I have no idea how to configure SASL auth for slapd.

@manu0401
Contributor Author

manu0401 commented Nov 12, 2024 via email
