This is the first of two changes needed in order to
implement NIS push synchronization. The 'userPassword'
field isn't normally visible, so I had to modify
ldapcat to support SASL binds. LOGIN and PLAIN
authentication would be nice, but I'm not sure how best
to store/retrieve the credentials. This patch only
accommodates AUTH/EXTERNAL, which doesn't require
additional credentials. With OpenLDAP, this normally
means either SSL client certificates or ldapi:// with
peercred (client uid w/ domain sockets). Kerberos with
GSS would also be sensible, but I have no experience
with krb.
Logged In: YES
user_id=839907
I agree with the patch in spirit but not in implementation;
it will have to be re-worked as a part of ldap_connect. The
ldap_connect in ldapcat is a cut down version of the
ldap_connect in led.
After reviewing the OpenLDAP man pages for the current release
it appears that a lot of work has happened since I last
looked. I will need to make use of several more ldap.conf
variables.
Logged In: YES
user_id=1253102
Actually, I didn't even realize that ldap_connect was local
to the file when I was trying to get things to work. I've
uploaded the current version, this time against led. It's
also worth noting that I was unable to get Authen::SASL to
work for me at all with the Cyrus module. Not sure what's
up with that. The pure-perl version seems to work for me so
far.
Take two, this time against led
Logged In: YES
user_id=839907
Okay, this verges on twisted but give a try and see if it
works for you?
Logged In: YES
user_id=839907
I guess it helps if you click the upload file checkbox, duh...
Logged In: YES
user_id=1253102
Sheesh. Took me the longest time to figure out that the
patch wasn't applying due to whitespace issues. Anyway,
* Needs to handle URI (i.e. URI ldapi://, required for
peercred auth)
* $binddn unset, needs to use $ldap_opt{binddn}
* The mech parameter to Authen::SASL->new() needs to be
preceded by "mechanism" =>
* There's no guarantee that the value of SASL_MECH will be
all uppercase.
* You've got a stray use statement (perl -e 'if(0){use Bogus}')
* Authen::SASL::GSSAPI isn't included in the current version
of Authen::SASL::Cyrus. You're better just trying to build
$sasl inside an eval block.
* I've looked through Authen::SASL::Cyrus modules, and I
don't recall seeing fqdn or service being picked up anywhere.
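The connect-and-bind sequence that the first post and the review points above describe (ldapi:// URI for peercred, no bind DN for EXTERNAL, `mechanism =>` passed to Authen::SASL->new(), the mechanism name upper-cased, the SASL object built inside eval), as an added example in Perl. It is not led's or ldapcat's code and not the patch under discussion; the socket path, base DN and filter are assumptions, and it needs a running slapd listening on ldapi:// with peercred mapped to a DN that is allowed to read userPassword.

```perl
#!/usr/bin/perl
# Added example, not code from led or ldapcat.  Requires a running
# OpenLDAP slapd on ldapi:// with a peercred -> DN mapping in place.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Extension::WhoAmI;

# Assumed settings; in led these would come from %ldap_opt / ldap.conf.
my %ldap_opt = (
    # '%2F' is an URL-encoded '/', so this is the socket /var/run/ldapi.
    uri       => 'ldapi://%2Fvar%2Frun%2Fldapi',
    base      => 'ou=People,dc=example,dc=com',   # assumed base DN
    sasl_mech => 'external',                       # may arrive in any case
);

# Build the SASL object inside eval so that a missing Authen::SASL, or a
# backend that lacks the requested mechanism, fails at runtime with a
# readable message instead of breaking compilation of the whole script.
# uc() normalises whatever case SASL_MECH was given in, and the
# mechanism must be passed as the value of the 'mechanism' key.
my $sasl = eval {
    require Authen::SASL;
    Authen::SASL->new(mechanism => uc $ldap_opt{sasl_mech});
};
die "SASL mechanism '$ldap_opt{sasl_mech}' unavailable: $@" unless $sasl;

# Net::LDAP takes the URI directly.  ldapi:// selects a UNIX domain
# socket, which is what peercred needs; a bare hostname would default
# to ldap:// over TCP and EXTERNAL would then require a client cert.
my $ldap = Net::LDAP->new($ldap_opt{uri})
    or die "connect to $ldap_opt{uri} failed: $@";

# EXTERNAL carries no credentials of its own: the identity comes from
# the client's uid/gid on the socket (or the client certificate on TLS),
# so no binddn or password is supplied here.
my $mesg = $ldap->bind(sasl => $sasl);
die "SASL bind failed: " . $mesg->error if $mesg->code;

# Check which authorization identity the server actually mapped us to
# before trusting the search results; an unmapped peercred usually
# binds fine but shows up as an anonymous or cn=peercred identity.
my $who = $ldap->who_am_i;
die "whoami failed: " . $who->error if $who->code;
print "bound as: ", ($who->response // '(anonymous)'), "\n";

# Only an identity with read access to userPassword gets the hashes.
$mesg = $ldap->search(
    base   => $ldap_opt{base},
    scope  => 'one',
    filter => '(objectClass=posixAccount)',   # assumed filter
    attrs  => [qw(uid userPassword)],
);
die "search failed: " . $mesg->error if $mesg->code;

for my $entry ($mesg->entries) {
    my $hash = $entry->get_value('userPassword');
    # '*' marks entries where the attribute was withheld by ACL.
    printf "%s:%s\n", $entry->get_value('uid'), defined $hash ? $hash : '*';
}
$ldap->unbind;
```

The same mapping can be checked from the shell with `ldapwhoami -Y EXTERNAL -H ldapi:///`: if it reports a `cn=peercred,cn=external,cn=auth` identity rather than a directory DN, the server has no authz-regexp for that uid/gid yet and the userPassword values will be withheld by ACL even though the bind succeeds.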
Logged In: YES
user_id=839907
Sorry, it was a partial patch -- my working set has patches
for both of your issues.
We are working against different versions of the SASL and
LDAP modules, you are using the newer ones. I have to stay
with the older ones until GSSAPI is working, but I think we
can work through that issue.
The modules I have been using are available in the modules
subdirectory of led's distribution, if you want to peruse
them, but it doesn't really matter: I've got to move to the
new versions soon.
We can lift the URI handling code from led to deal with the
ldapi:///, see the referral chasing code.
A uc $ldap_opt{'sasl_mech'} will handle the module name mangling.
I'm not seeing the { perl -e 'if(0) {use Bogus} }, but I
wouldn't be surprised, trying to guard against missing
modules at runtime is always tricky -- and we are using
different modules :-)
I think I will branch the code tomorrow, build a perl with
the new CPAN modules and that should get us on the same
page. We should be able to get this stuff worked through
tomorrow.
By the way, are you using led? Do I need to branch it as
well and start pushing the auth updates in there too?
Thanks for being patient, testing and providing the patches;
it is appreciated.
Logged In: YES
user_id=839907
Net::LDAP and Authen::SASL::Cyrus just don't play well
together. I've sent Patrick an email and hope that he will
be able to shed some light on the situation.
I have branched the code so that I can keep the Authen::SASL
1x branch with working GSSAPI protected from the
Authen::SASL 2x code.
Thanks for being patient.
Logged In: YES
user_id=839907
I'm still waiting for an answer from Patrick, I may ping
Quanah about it as well.