Re: Sponsoring a canon_user plugin for LDAP lookup

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Torsten,

Yes, I had some success last night. It took some time to pick up
the OpenLDAP proxy process.

Using both patches, the canonization works for me for both
sample-server and imapd, but not for pop3d when it opens the
mailbox, for some reason. I'm using Debian etch with the
following versions:

cyrus-imapd-2.2:        2.2.13-10
libsasl2:               2.1.22.dfsg1-8
slapd:                  2.3.30-4

I'm going to try version 2.3 of cyrus imap to see if pop3 works
any differently.

I added the following statements to the default slapd.conf
config:

========
sasl-regexp "gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
 cn=admin,dc=nodomain

authz-policy to

authz-regexp "gidNumber=8\\\+uidNumber=104,cn=peercred,cn=external,cn=auth"
 cn=admin,dc=nodomain

authz-regexp uid=(.*),cn=external,cn=auth
   ldap:///ou=People,dc=nodomain??one?(cn=$1)
========

Where 104 is the UID of my local cyrus user in /etc/passwd.
The suffix is "dc=nodomain".

I added the following to my admin entry:
========
dn: cn=admin,dc=nodomain
changetype: modify
add: authzTo
authzTo: ldap:///ou=People,dc=nodomain??sub?(objectClass=posixAccount)
=========

I'm not sure this authzTo line is correct, but it worked during
testing.

My test user looks like:
=========
dn: uid=test3434,ou=People,dc=nodomain
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
uid: test3434
cn: test3434
cn: test3434@xxxxxxx
cn: dwhite
cn: dwhite@xxxxxxx
uidNumber: 1001
gidNumber: 500
homeDirectory: /home/test3434
loginShell: /bin/bash
shadowMin: 0
shadowMax: 99999
shadowLastChange: 13581
userPassword: mysecret
==========

I added the following lines to /etc/imapd.conf:
========
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: ldapdb

sasl_canon_user_plugin: ldapdb
sasl_ldapdb_uri: ldapi://%2fvar%2frun%2fslapd%2fldapi/
sasl_ldapdb_mech: EXTERNAL
sasl_ldapdb_canon_attr: uid
========
(I added cyrus to the openldap group in /etc/group to
give it access to the ldapi socket)

Some tests (as the cyrus user):
=======
cyrus@test:~$ ldapwhoami -Y EXTERNAL
SASL/EXTERNAL authentication started
SASL username: gidNumber=8+uidNumber=104,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn:cn=admin,dc=nodomain
Result: Success (0)
cyrus@test:~$
=======

=======
cyrus@test:~$ ldapwhoami -Y EXTERNAL \
 -U gidNumber=8+uidNumber=104,cn=peercred,cn=external,cn=auth \
 -X u:dwhite SASL/EXTERNAL
authentication started
SASL username: u:dwhite
SASL SSF: 0
dn:uid=test3434,ou=people,dc=nodomain
Result: Success (0)
cyrus@test:~$
========

Here's an expect script you can use with the sample-server
and sample-client executables:
========
#!/usr/bin/expect

# Set environment variables:
#   SASL_PATH - to the location of the plugin modules
#   SASL_CONF_PATH - path to the sample.conf file

set username [lindex $argv 0]
set mech [lindex $argv 1]
spawn /usr/sbin/sasl-sample-server -s sample -m $mech
set saslserver $spawn_id
spawn /usr/bin/sasl-sample-client -s sample -a $username
set saslclient $spawn_id

while { 1!=2 } {

 expect {
   -i $saslserver -re "S: \[0-9a-zA-Z\=\]+" {
     set output $expect_out(0,string)
     send -i $saslclient "$output\r"
     send_user "==Sending $output to client.==\n";
   }
   -i $saslserver -re "recieved decoded.*client" {
     send_user "==got client recieved.==\n"
     break
   }
 }

 expect {
   -i $saslclient -re "C: \[0-9a-zA-Z\=\]+" {
     set output $expect_out(0,string)
     send -i $saslserver "$output\r"
     send_user "==Sending $output to server.==\n";
   }
   -i $saslclient -re "Password:" {
     expect_user -re "(.*)\n"
     send_user "\n"
     send -i $saslclient "$expect_out(1,string)\r"

     expect -i $saslclient -re "C: \[0-9a-zA-Z\=\]+"
     set output $expect_out(0,string)
     send -i $saslserver "$output\r"
     send_user "==Sending $output to server.==\n";
   }
 }
}

send_user "==Success==\n"
========

To use, create a .conf file somewhere (like in
/tmp/sample.conf) with the following contents:
========
pwcheck_method: auxprop
auxprop_plugin: ldapdb

ldapdb_uri: ldapi://%2fvar%2frun%2fslapd%2fldapi/
ldapdb_mech: EXTERNAL

canon_user_plugin: ldapdb
ldapdb_canon_attr: uid
========

Then do:
test:~# export SASL_CONF_PATH=/tmp
test:~# ./sasl.exp dwhite LOGIN
...
Password: mysecret
...
got 'dwhite'
...
Username: dwhite
...
Username: test3434
...
==Success==
test:~#
==========

Connecting via IMAP seems to work fine. I can authenticate
with either username (test3434 or dwhite) and I get
test3434's INBOX.

- Dan

Torsten Schlabach wrote:
Hi Dan!

Did you anywhere with that?

Regards,
Torsten

-------- Original-Nachricht --------
Betreff: [Fwd: Re: Sponsoring a canon_user plugin for LDAP lookup]
Datum: Thu, 08 Mar 2007 18:51:36 +0100
Von: Torsten Schlabach <tschlabach@xxxxxxx>
An: dwhite@xxxxxxx

Hi Dan!

This is the other one.

So the process would probably be:

- Check out the SASL library sources.
- Apply the patched.
- Configure with the apporiate option to build the libldapdb SASL plugin
and built it.
- Either install SASL from your patched sources or just transfer the
libldapdb libs into your SASL installation coming from your packages.
(Not sure what distro you're using.)

That was not the problem.

Then you need to configure both OpenLDAP (slapd.conf) as well as Cyrus
IMAPd (imapd.conf) to use this properly and this is where I basically
failed and gave up.

Would be nice if you kept me in the look, please.

Regards,
Torsten

-------- Original-Nachricht --------
Betreff: Re: Sponsoring a canon_user plugin for LDAP lookup
Datum: Mon, 19 Feb 2007 16:13:50 -0800
Von: Howard Chu <hyc@xxxxxxxxxxxxxxx>
An: Torsten Schlabach <tschlabach@xxxxxxx>
Referenzen: <45A6179E.2040506@xxxxxxx>
<45A7C28A.8060602@xxxxxxxxxxxxxxx> <45A7EDBD.6070700@xxxxxxx>
<45A7F356.5070806@xxxxxxxxxxxxxxx> <45A80444.9090802@xxxxxxx>
<45A814D2.70903@xxxxxxxxxxxxxxx> <45A818C4.40406@xxxxxxx>
<45A81C4E.2090003@xxxxxxxxxxxxxxx> <45A81EA1.5090204@xxxxxxx>
<45A830BD.4080300@xxxxxxxxxxxxxxx> <45DA148D.7000207@xxxxxxx>
<45DA1DC6.6060703@xxxxxxxxxxxxxxx> <45DA20F1.3080700@xxxxxxx>

Torsten Schlabach wrote:
Hi!

> +       out[len] = '\0';

I had tried this myself, but the result I got was an empty string. So it seems that len == 0 for whatever reason.

Bonus question, as I am going nuts about it: How do I add the authTo: attribute to the uid=root object?

Regards,
Torsten

Howard Chu schrieb:
Hi. Try patching these two lines. I haven't tested this yet, rebuilding my test directory at the moment and will know more in a few minutes.
The attachment contains the same patch for those two lines, plus a
canonuser_client entry point. It's working for me, with these rules:

authid-rewriteMap slapd alias2DN
ldap:///dc=example,dc=com?mailAliasedName?sub?
authid-rewriteRule uid=(.*)@(.*),cn=digest-md5,cn=auth

ldap:///dc=example,dc=com??sub?(uid=%{alias2dn((&(mailalias=$1)(dc=$2)))})
authz-regexp uid=(.*),cn=digest-md5,cn=auth
     ldap:///dc=example,dc=com??sub?(uid=$1)



------------------------------------------------------------------------

--- ldapdb.c.X	2007-01-12 16:55:58.000000000 -0800
+++ ldapdb.c	2007-02-19 15:37:48.000000000 -0800
@@ -311,7 +311,7 @@
     if (!strncasecmp(ctx->canon.bv_val, rdn, ctx->canon.bv_len) &&
     	rdn[ctx->canon.bv_len] == '=') {
 	char *comma;
-	rdn += ctx->canon.bv_len + 2;
+	rdn += ctx->canon.bv_len + 1;
 	comma = strchr(rdn, ',');
 	if ( comma )
 	    len = comma - rdn;
@@ -320,6 +320,7 @@
 	if ( len > out_max )
 	    len = out_max;
 	memcpy(out, rdn, len);
+	out[len] = '\0';
 	*out_ulen = len;
 	ret = SASL_OK;
 	ber_bvfree(cp.dn);
@@ -361,6 +362,38 @@
 }
static int
+ldapdb_canon_client(void *glob_context,
+		    sasl_client_params_t *cparams,
+		    const char *user,
+		    unsigned ulen,
+		    unsigned flags,
+		    char *out,
+		    unsigned out_max,
+		    unsigned *out_ulen)
+{
+    if(!cparams || !user) return SASL_BADPARAM;
+
+    /* Trim whitespace */
+    while(isspace(*(unsigned char *)user)) {
+	user++;
+	ulen--;
+    }
+    while(isspace((unsigned char)user[ulen-1])) {
+    	ulen--;
+    }
+ + if (!ulen) {
+    	cparams->utils->seterror(cparams->utils->conn, 0,
+	    "All-whitespace username.");
+	return SASL_FAIL;
+    }
+    memcpy(out, user, ulen);
+    out[ulen] = '\0';
+    *out_ulen = ulen;
+    return SASL_OK;
+}
+
+static int
 ldapdb_config(const sasl_utils_t *utils)
 {
     ldapctx *p = &ldapdb_ctx;
@@ -446,7 +479,7 @@
 	ldapdb,	/* name */
 	NULL,	/* canon_user_free */
 	ldapdb_canon_server,	/* canon_user_server */
-	NULL,	/* canon_user_client */
+	ldapdb_canon_client,	/* canon_user_client */
 	NULL,
 	NULL,
 	NULL




[Index of Archives]     [Info Cyrus]     [Squirrel Mail]     [Linux Media]     [Yosemite News]     [gtk]     [KDE]     [Gimp on Windows]     [Steve's Art]

  Powered by Linux