Re: Sponsoring a canon_user plugin for LDAP lookup

Hi Thomas,

First of all, the 2nd patch is attached to this email (CCed the list).

> So at the end did everything work as expected ?

In the very end: Yes. Getting the config right was quite an exercise, search the list archive for my discussion with Dan White on that. He'd been quite helpful and I understand he made this work as well and I think he's even using it in production since then. (In case Dan is reading that, maybe you can comment.)

My deep apologies for never having taken the time to write a proper Howto ... I should really do that.

> I only got this
> http://osdir.com/ml/security.cyrus.sasl/2007-01/msg00053.html patch.
> Is this enough?

No. You need the attached patch over the other one. The first patch had a bug.

BTW: It might be worth checking the SASL lib CVS to see if the patches might have been committed in the meantime. In case they haven't, I wonder what would be the process to make that happen.

I don't think these patches might ever hurt anyone. I had asked Howard Chu who's an experienced guy both here as well as with OpenLDAP (I understand he's even the head of OpenLDAP) and even he did not have any means of getting that patch in.

If this was an Apache project, then I would know what I'd do to get the patch in. But the Cyrus SASL lib project does not seem to have a bug tracker and no list of people with write access to the CVS so one could ask specifically.

Getting these patches committed would be the only way to make sure this functionality will ever show up in any official packages on Debian, Red Hat, etc. and will become mainstream functionality.

But first of all, I hope you can make it work. In case you can, please let us know and in case a vote will be needed to get these patches committed, maybe you could vote for it?

Let me know if I can be of any further help.

Regards,
Torsten


Thomas Vogt wrote:

Hi Torsten

Can you send me the second patch too or maybe you can post it to
mailinglist for everyone.

So at the end did everything work as expected ? I've a similar problem.
I also want to allow users to use the uid as username or the mailalias
entry for the authentication. The cyrus mailboxes are created with the
uid name.

I used a cyrus-imapd patch in the past. It's a hacked auth_unix.c which
is doing a ldap search in the tree and if the user tried to login with
his mailalias I checked for the uid and used it for everything else. A
simple mapping.

The good thing, it's a very simple patch, no big ldap config, just add a
few ldap servers, add some ldap tree information and the name of the
ldap object you want to match. The downside, mostly it's hard coded and
if you want to auth with something else than mailalias you have to
recompile cyrus imapd.

The solution with a sasl custom canon plugin looks much better. Do you
have a short "howto" and maybe all patches for it?

I only got this
http://osdir.com/ml/security.cyrus.sasl/2007-01/msg00053.html patch. Is
this enough?

Regards,
Thomas


Torsten Schlabach wrote:

Hi Dan!

Some good points you bring up here against Perdition. I need to say that
I heard about it first time some days ago and did not try it myself,
but it sounded like relief for our pressing problem. But from what I
learn from you now, it will make sense to get this SASL patch sorted out.

So let's get onto that.


> I would prefer to use Howard's solution since it should be more
> efficient, and well, he's a lot better coder.

I would still hope that this will make it to the codebase so it would be
"maintenance free" after that, anyway.

I will send you the 2nd patch.

Regards,
Torsten


Dan White wrote:

Hi Torsten,

Thanks for the info, I'll check into this shortly. I just joined the
list last night. I'm CCing.

I have been using perdition with an OpenLDAP directory for a couple of
years to solve exactly this problem (we're an ISP). I'm trying to move
away from it for various minor reasons. As far as I'm aware you can't do
IPv6 with perdition, nor can you proxy sieve connections, nor can it do
any kind of authentication other than PLAIN. I'm wanting to move to a
murder setup, but this canonization is one of the holdups for me.

As I stumbled across this discussion via google last night, I had
actually been working on a canon plugin of my own, but it's a bit of a
struggle since my C is rusty. My approach is to duplicate the code of
the internal plugin into a new one, and insert a getpwnam call to find
the 'real' account name to use. This would require use of libnss-ldap
(or other libnss module) that can query on a given name and return
another.

For instance, libnss-ldap could be configured to search for some
alternate attribute (say, altuid) and return uid:

uid: dwhite@xxxxxxx
altuid: dwhite
altuid: dwhite-olp
altuid: dwhite@xxxxxxx
altuid: dwhite-olp@xxxxxxx

I've compiled it and verified that it doesn't crash when using
/etc/passwd, but I haven't tried it against libnss-ldap yet.

I would prefer to use Howard's solution since it should be more
efficient, and well, he's a lot better coder. I only saw the first patch
in the discussion. Do you have the second one?

Thanks!
- Dan

Torsten Schlabach wrote:


Hi Dan!




> Is the patch that
> was provided by Howard on the mailing list working?

I was unable to make it work, but that might very well have been my
own inability.

There are actually two patches. Do you have both of them?

I had been implementing the first one and tried it, but it had some
problems with segfaults and proper string termination. So I
communicated this back to Howard and he came up with a second patch.
He said he had tested that himself with that 2nd patch and it worked
for him, but I kept getting "no user found in database" problems on
the LDAP level. (Not even on the IMAPd level).

I am not sure how skilled you are with OpenLDAP SASL and proxy
authorization and the like. Basically all the stuff described here:

http://www.openldap.org/doc/admin23/sasl.html

The first gotcha is that the name of some parameters has changed
between OpenLDAP 2.2 and 2.3. But a lot of existing Linux systems
still have 2.2, so if you are on 2.2, make sure you use

http://www.openldap.org/doc/admin22/sasl.html

In other words: I (and others) would very much appreciate if you took
the time to try again and in case you will be successful, maybe come
back with a little howto.

We are currently investigating
http://www.vergenet.net/linux/perdition/ as an alternative to what we
planned originally (Cyrus Murder together with that patch we're
discussing here). But for smaller setups with one server it would
definitely make so much sense to have this canon_user functionality
up and running.

Let me know if you get stuck anywhere; I will try to help with the
experience that I have made with this.

Regards,
Torsten

P.S.: Do we have this discussion off-list on purpose or did you just
fall victim to the missing reply-to header on this mailinglist?

-------- Original Message --------
Date: Wed, 07 Mar 2007 23:27:43 -0600
From: Dan White <dwhite@xxxxxxx>
To: tschlabach@xxxxxxx
CC:
Subject: Re: Sponsoring a canon_user plugin for LDAP lookup




Hi Torsten,

I just found the discussion of your sponsored patch for an LDAP SASL
canon plugin and was curious how it all turned out. Is the patch that
was provided by Howard on the mailing list working?

I'm very interested in a similar solution.

Thanks,
- Dan White
--- ldapdb.c.X	2007-01-12 16:55:58.000000000 -0800
+++ ldapdb.c	2007-02-19 15:37:48.000000000 -0800
@@ -311,7 +311,7 @@
     if (!strncasecmp(ctx->canon.bv_val, rdn, ctx->canon.bv_len) &&
     	rdn[ctx->canon.bv_len] == '=') {
 	char *comma;
-	rdn += ctx->canon.bv_len + 2;
+	rdn += ctx->canon.bv_len + 1;
 	comma = strchr(rdn, ',');
 	if ( comma )
 	    len = comma - rdn;
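Review bot: "comma = strchr(rdn, ',');" right after the corrected offset treats the first comma as the end of the RDN value, so a value that contains an escaped comma ("\,") would be cut short and canonicalize to the wrong name; if the canon attribute can hold such values, split on unescaped commas only. The "+ 1" itself matches the "rdn[ctx->canon.bv_len] == '='" test above it (attribute name plus the single "="), and a short comment saying so would keep the offset from drifting back to "+ 2".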
@@ -320,6 +320,7 @@
 	if ( len > out_max )
 	    len = out_max;
 	memcpy(out, rdn, len);
+	out[len] = '\0';
 	*out_ulen = len;
 	ret = SASL_OK;
 	ber_bvfree(cp.dn);
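Review bot: with "len" clamped to "out_max" two lines earlier, the added "out[len] = '\0';" can write to out[out_max], which is in bounds only if the caller's buffer holds out_max + 1 bytes; that contract is not visible in this hunk, so state it in a comment or clamp to out_max - 1. The clamp also truncates the canonical name silently, and a truncated identity string can name a different account than the directory returned; returning SASL_BUFOVER instead of copying a shortened name would be the safer behaviour.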
@@ -361,6 +362,38 @@
 }
 
 static int
+ldapdb_canon_client(void *glob_context,
+		    sasl_client_params_t *cparams,
+		    const char *user,
+		    unsigned ulen,
+		    unsigned flags,
+		    char *out,
+		    unsigned out_max,
+		    unsigned *out_ulen)
+{
+    if(!cparams || !user) return SASL_BADPARAM;
+
+    /* Trim whitespace */
+    while(isspace(*(unsigned char *)user)) {
+	user++;
+	ulen--;
+    }
+    while(isspace((unsigned char)user[ulen-1])) {
+    	ulen--;
+    }
+    
+    if (!ulen) {
+    	cparams->utils->seterror(cparams->utils->conn, 0,
+	    "All-whitespace username.");
+	return SASL_FAIL;
+    }
+    memcpy(out, user, ulen);
+    out[ulen] = '\0';
+    *out_ulen = ulen;
+    return SASL_OK;
+}
+
+static int
 ldapdb_config(const sasl_utils_t *utils)
 {
     ldapctx *p = &ldapdb_ctx;
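Review bot: "memcpy(out, user, ulen);" and "out[ulen] = '\0';" in ldapdb_canon_client never compare ulen with out_max, so a long user name overruns "out"; reject the input when ulen + 1 exceeds the space the buffer contract allows before copying. The trimming loops are unbounded on the read side as well: the first loop decrements ulen without testing that it is still non-zero, and the second evaluates "user[ulen-1]" before the "if (!ulen)" check runs, so an empty or all-whitespace name makes the unsigned ulen - 1 wrap and reads outside "user". Bound both loops on ulen and move the empty check between them. Also confirm that ldapdb.c already includes <ctype.h> for isspace, since this patch does not add it, and note that "flags" is unused.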
@@ -446,7 +479,7 @@
 	ldapdb,	/* name */
 	NULL,	/* canon_user_free */
 	ldapdb_canon_server,	/* canon_user_server */
-	NULL,	/* canon_user_client */
+	ldapdb_canon_client,	/* canon_user_client */
 	NULL,
 	NULL,
 	NULL
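Review bot: the three trailing "NULL" initializers after ldapdb_canon_client are the only slots shown here without a field-name comment; label them like the entries above so a later change to this table cannot put a callback in the wrong position. Since this line is what makes ldapdb_canon_client reachable for client-side canonicalization, the length check missing from that function should land together with this registration.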
