[PATCH v2 0/4] Missing Support of SASL Sign or Seal using Data Security Layer

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


From: Thomas Reim <reimth@xxxxxxxxx>

- v2: Updates after review
    - autofs-5.1.8 - let OpenLDAP handle SASL binding:
        - Parse (final) LDAP SASL bind result and check for errors
        - Fixed LDAP result message (pointer) handling
        - Removed rc shadow declaration
        - Declarations moved to the top of code block
        - Corrected formatting of single-line target code blocks
        - Fixed indents

Since version 4.4 Samba AD domain controllers default settings only allow
for simple SASL binds over TLS encrypted connections or SASL binds with
sign or seal, i. e. data security layer encryption, over unencrypted
connections. Therefore, current automounter cannot fetch autofs maps from
Samba AD DCs using SASL anymore without setting Samba configuration
parameter "ldap server require strong auth" to "no" or "allow_sasl_over_tls".

Cyrus SASL supports data encryption in GSSAPI (with Kerberos V) mode using
an SASL data security layer according to IETF RFC 2078. This security layer
provides for traffic encryption during authentication and authorization
towards an OpenLDAP based server and for subsequent encryption of data
traffic for the LDAP session. Current automounter does not implement SASL
security layer encryption and only relies on TLS to protect LDAP

OpenLDAP libldap if compiled with Cyrus SASL supports negotiation of an
SASL data security layer based encryption of LDAP traffic. libldap also
provides automatic negotiation of the best suited SASL mechanism taking
into account application required defaults.

This series of patches updates automounter to let OpenLDAP and Cyrus SASL
handle SASL binding and traffic security configuration. Proposed changes
are backward compatible for clients that use LDAP libraries different from
OpenLDAP. When using SASL mechanism GSSAPI or simple authentication with
TLS encryption automounter seamlessly interworks with latest Samba AD DCs.

Please review and provide your comments or suggestions.

Thomas Reim (4):
  autofs-5.1.8 - restore gcc flags after autoconf Kerberos 5 check
  autofs-5.1.8 - prepare for OpenLDAP SASL binding
  autofs-5.1.8 - let OpenLDAP handle SASL binding
  autofs-5.1.8 - configure: LDAP function checks ignore implicit

 aclocal.m4            |  52 +++++++++++++++
 configure.in          |   5 +-
 include/config.h.in   |   3 +
 include/lookup_ldap.h |   6 ++
 modules/cyrus-sasl.c  | 150 +++++++++++++++++++++++++++++++++++++++++-
 modules/lookup_ldap.c | 125 ++++++++++++++++++++++++++++++++++-
 6 files changed, 338 insertions(+), 3 deletions(-)


[Index of Archives]     [Linux Filesystem Development]     [Linux Ext4]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux