https://bugzilla.redhat.com/show_bug.cgi?id=469261
Resolves: bug 469261
Bug Description: Support server-to-server SASL - part 2
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: This part focuses on chaining backend - allowing the
mux server to use SASL to connect to the farm server, and allowing SASL
authentication to chain. I had to add two new config parameters for
chaining:
nsUseStartTLS - on or off - tell connection to use startTLS - default is off
nsBindMechanism - if absent, will just use simple auth. If present,
this must be one of the supported mechanisms (EXTERNAL, GSSAPI,
DIGEST-MD5) - default is absent (simple bind)
The chaining code uses a timeout, so I had to add a timeout to
slapi_ldap_bind, and correct the replication code to pass in a NULL for
the timeout parameter.
Fixed a bug in the starttls code in slapi_ldap_init_ext.
The sasl code uses an internal search to find the entry corresponding to
the sasl user id. This search could not be chained due to the way it
was coded. So I added a new chainable component called cn=sasl and
changed the sasl internal search code to use this component ID. This
allows the sasl code to work with a chained backend. In order to use
chaining with sasl, this component must be set in the chaining
configuration nsActiveChainingComponents. I also discovered that
password policy must be configured too, in order for the sasl code to
determine if the account is locked out.
I fixed a bug in the sasl mapping debug trace code.
Still to come - sasl mappings to work with all of this new code -
kerberos code improvements - changes to pta and dna
Platforms tested: Fedora 8, Fedora 9
Flag Day: yes
Doc impact: yes
https://bugzilla.redhat.com/attachment.cgi?id=322613&action=diff
--
Fedora-directory-devel mailing list
Fedora-directory-devel@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-devel
