Hi Dan!
Some good points you bring up here against Perdition. I need to say that
I heard about it for the first time a few days ago and did not try it myself,
but it sounded like relief for our pressing problem. But from what I
learn from you now, it will make sense to get this SASL patch sorted out.
So let's get onto that.
> I would prefer to use Howard's solution since it should be more
> efficient, and well, he's a lot better coder.
I would still hope that this will make it into the codebase so it would be
"maintenance free" after that, anyway.
I will send you the 2nd patch.
Regards,
Torsten
Dan White wrote:
Hi Torsten,
Thanks for the info, I'll check into this shortly. I just joined the
list last night. I'm CCing.
I have been using perdition with an OpenLDAP directory for a couple of years to solve exactly this problem (we're an ISP). I'm trying to move away from it for various minor reasons. As far as I'm aware you can't do IPv6 with perdition, nor can you proxy sieve connections, nor can it do any kind of authentication other than PLAIN. I'm wanting to move to a murder setup, but this canonization is one of the holdups for me.
As I stumbled across this discussion via google last night, I had actually been working on a canon plugin of my own, but it's a bit of a struggle since my C is rusty. My approach is to duplicate the code of the internal plugin into a new one, and insert a getpwnam call to find the 'real' account name to use. This would require use of libnss-ldap (or other libnss module) that can query on a given name and return another.
For instance, libnss-ldap could be configured to search for some alternate attribute (say, altuid) and return uid:
uid: dwhite@xxxxxxx
altuid: dwhite
altuid: dwhite-olp
altuid: dwhite@xxxxxxx
altuid: dwhite-olp@xxxxxxx
I've compiled it and verified that it doesn't crash when using /etc/passwd, but I haven't tried it against libnss-ldap yet.
I would prefer to use Howard's solution since it should be more efficient, and well, he's a lot better coder. I only saw the first patch in the discussion. Do you have the second one?
Thanks!
- Dan
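The lookup step Dan describes (take the name the client presented, ask NSS via getpwnam which account it really is, and hand the canonical name back) is small enough to show in isolation. The following is an added example, not Dan's plugin and not code from the Cyrus SASL tree: a stand-alone C helper, hypothetically named canon_via_nss, that does only that mapping. It assumes a glibc/Linux box where getpwnam_r resolves through whatever NSS modules are configured (in Dan's setup, libnss-ldap mapping altuid to uid; here it will simply read /etc/passwd). The (name, length) calling convention mimics how a SASL canon_user callback receives the user name, which is why the name is first copied into a NUL-terminated key; the explicit length checks on both buffers are the part that was reported to go wrong (segfaults and string termination) in the earlier patch.

```c
#define _POSIX_C_SOURCE 200809L
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Added example, not Cyrus SASL code. canon_via_nss() is a hypothetical
 * helper: take the login name the client presented and ask NSS (getpwnam)
 * which account it belongs to, returning that account's pw_name as the
 * canonical user name. (login, ulen) mirrors what a SASL canon_user
 * callback is given: the name is NOT guaranteed to be NUL-terminated, so
 * it is copied into a terminated key before any libc call sees it.
 *
 * Returns  0 and writes the canonical, NUL-terminated name into out;
 *         -1 if NSS knows no such account (authentication must fail);
 *         -2 if a buffer is too small (never silently truncate a name). */
int canon_via_nss(const char *login, unsigned ulen, char *out, unsigned out_max)
{
    char key[256];
    char buf[16384];            /* scratch space for the strings getpwnam_r fills in */
    struct passwd pw, *res = NULL;

    if (login == NULL || out == NULL || out_max == 0) return -2;
    if (ulen >= sizeof key) return -2;
    memcpy(key, login, ulen);
    key[ulen] = '\0';

    /* Reentrant variant: a SASL server may be multithreaded, so plain
     * getpwnam() with its static result buffer is not safe here. */
    if (getpwnam_r(key, &pw, buf, sizeof buf, &res) != 0 || res == NULL)
        return -1;              /* no matching account, or NSS backend error */

    size_t n = strlen(res->pw_name);
    if (n >= out_max) return -2;        /* leave room for the terminator */
    memcpy(out, res->pw_name, n + 1);   /* copies the NUL as well */
    return 0;
}

int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "root";
    char out[256];
    int rc = canon_via_nss(name, (unsigned)strlen(name), out, sizeof out);
    if (rc == 0)
        printf("%s -> %s\n", name, out);
    else
        printf("%s -> lookup failed (%d)\n", name, rc);
    return rc == 0 ? 0 : 1;
}
```

Run it as `./canon dwhite-olp` on a host whose nsswitch.conf routes passwd lookups through libnss-ldap and the printed right-hand side is what the plugin would return as the canonical user; a -1 is what should translate into "no such user" rather than into a fall-through to the uncanonicalized name.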
Torsten Schlabach wrote:
Hi Dan!
> Is the patch that was provided by Howard on the mailing list working?
I was unable to make it work, but that might very well have been my own inability.
There are actually two patches. Do you have both of them?
I had been implementing the first one and tried it, but it had some problems with segfaults and proper string termination. So I communicated this back to Howard and he came up with a second patch. He said he had tested that himself with that 2nd patch and it worked for him, but I kept getting "no user found in database" problems on the LDAP level. (Not even on the IMAPd level).
I am not sure how skilled you are with OpenLDAP SASL and proxy authorization and the like. Basically all the stuff described here:
http://www.openldap.org/doc/admin23/sasl.html
The first gotcha is that the name of some parameters has changed between OpenLDAP 2.2 and 2.3. But a lot of existing Linux systems still have 2.2, so if you are on 2.2, make sure you use
http://www.openldap.org/doc/admin22/sasl.html
In other words: I (and others) would very much appreciate if you took the time to try again and in case you will be successful, maybe come back with a little howto.
We are currently investigating http://www.vergenet.net/linux/perdition/ as an alternative to what we planned originally (Cyrus Murder together with that patch we're discussing here). But for smaller setups with one server it would definitely make so much sense to have this canon_user functionality up and running.
Let me know if you get stuck anywhere; I will try to help with the experience that I have made with this.
Regards,
Torsten
P.S.: Do we have this discussion off-list by purpose or did you just fall victim to the missing reply-to header on this mailinglist?
-------- Original Message --------
Date: Wed, 07 Mar 2007 23:27:43 -0600
From: Dan White <dwhite@xxxxxxx>
To: tschlabach@xxxxxxx
CC:
Subject: Re: Sponsoring a canon_user plugin for LDAP lookup
Hi Torsten,
I just found the discussion of your sponsored patch for an LDAP SASL
canon plugin and was curious how it all turned out. Is the patch that
was provided by Howard on the mailing list working?
I'm very interested in a similar solution.
Thanks,
- Dan White