#1 ldapcat sasl bind support

Status: open
Owner: None
Priority: 5
Updated: 2005-04-20
Created: 2005-04-05
Creator: Aaron Hope
Private: No

This is the first of two changes needed in order to implement NIS push
synchronization. The 'userPassword' field isn't normally visible, so I had
to modify ldapcat to support SASL binds. LOGIN and PLAIN authentication
would be nice, but I'm not sure how best to store/retrieve the credentials.
This patch only accommodates AUTH/EXTERNAL, which doesn't require
additional credentials. With OpenLDAP, this normally means either SSL
client certificates or ldapi:// with peercred (client uid w/ domain
sockets). Kerberos with GSS would also be sensible, but I have no
experience with krb.

Discussion

  • Larry Lile

    Larry Lile - 2005-04-19
    • assigned_to: nobody --> lile
     
  • Larry Lile

    Larry Lile - 2005-04-20

    I agree with the patch in spirit but not in implementation; it will
    have to be re-worked as a part of ldap_connect. The ldap_connect
    in ldapcat is a cut down version of the ldap_connect in led.

    After reviewing the OpenLDAP man pages for the current release
    it appears that a lot of work has happened since I last looked.
    I will need to make use of several more ldap.conf variables.

     
  • Aaron Hope

    Aaron Hope - 2005-04-20

    Actually, I didn't even realize that ldap_connect was local
    to the file when I was trying to get things to work. I've
    uploaded the current version, this time against led. It's
    also worth noting that I was unable to get Authen::SASL to
    work for me at all with the Cyrus module. Not sure what's
    up with that. The pure-perl version seems to work for me so
    far.

     
  • Aaron Hope

    Aaron Hope - 2005-04-20
    • summary: ldapcat sasl bind support --> led/ldapcat sasl bind support
     
  • Larry Lile

    Larry Lile - 2005-04-20
    • summary: led/ldapcat sasl bind support --> ldapcat sasl bind support
     
  • Larry Lile

    Larry Lile - 2005-04-20

    Okay, this verges on twisted but give it a try and see if it
    works for you?

     
  • Larry Lile

    Larry Lile - 2005-04-20

    I guess it helps if you click the upload file checkbox, duh...

     
  • Larry Lile

    Larry Lile - 2005-04-20
     
  • Aaron Hope

    Aaron Hope - 2005-04-20

    Sheesh. Took me the longest time to figure out that the
    patch wasn't applying due to whitespace issues. Anyway,
    * Needs to handle URI (i.e. URI ldapi://, required for peercred auth)
    * $binddn unset, needs to use $ldap_opt{binddn}
    * The mech parameter to Authen::SASL->new() needs to be preceded by
      "mechanism" =>
    * There's no guarantee that the value of SASL_MECH will be all uppercase.
    * You've got a stray use statement (perl -e 'if(0){use Bogus}')
    * Authen::SASL::GSSAPI isn't included in the current version of
      Authen::SASL::Cyrus. You're better off just trying to build $sasl
      inside an eval block.
    * I've looked through the Authen::SASL::Cyrus modules, and I don't
      recall seeing fqdn or service being picked up anywhere.
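
As an added example (not the ldapcat/led code and not either poster's patch), here is how the points above fit together in Perl: a SASL EXTERNAL bind over ldapi:// with Net::LDAP and the pure-Perl Authen::SASL, with the mechanism name uppercased and the SASL object built inside an eval so a missing mechanism module fails at runtime rather than at compile time. The socket path, base DN and the %ldap_opt values are assumed placeholders standing in for what ldap.conf would supply.

```perl
# Added example: SASL EXTERNAL bind over ldapi:// with Net::LDAP and
# Authen::SASL, guarding the mechanism load with eval.
use strict;
use warnings;
use Net::LDAP;

# Assumed values (placeholders for ldap.conf settings): the slapd domain
# socket path is URL-encoded inside the ldapi:// URI.
my %ldap_opt = (
    uri       => 'ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi',
    base      => 'dc=example,dc=com',
    sasl_mech => 'external',   # SASL_MECH is not guaranteed to be uppercase
);

# Normalise the mechanism name before handing it to Authen::SASL.
my $mech = uc $ldap_opt{sasl_mech};

# Authen::SASL loads the mechanism module lazily, so building the object
# inside eval turns a missing backend (e.g. no GSSAPI) into a clean error.
my $sasl = eval {
    require Authen::SASL;
    Authen::SASL->new(mechanism => $mech);
};
die "Cannot set up SASL mechanism $mech: $@" unless $sasl;

my $ldap = Net::LDAP->new($ldap_opt{uri})
    or die "Cannot connect to $ldap_opt{uri}: $@";

# EXTERNAL needs no bind DN or credentials; over ldapi:// slapd takes the
# identity from the connecting process's uid/gid (peercred).
my $mesg = $ldap->bind(sasl => $sasl);
die "SASL bind failed: " . $mesg->error if $mesg->code;

# userPassword is returned only if slapd's ACLs allow the bound identity
# to read it; otherwise the attribute is simply absent from the entry.
my $res = $ldap->search(
    base   => $ldap_opt{base},
    filter => '(objectClass=posixAccount)',
    attrs  => [qw(uid userPassword)],
);
die "Search failed: " . $res->error if $res->code;

for my $e ($res->entries) {
    printf "%s: %s\n", $e->get_value('uid'),
        $e->get_value('userPassword') // '<not visible>';
}
$ldap->unbind;
```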

     
  • Larry Lile

    Larry Lile - 2005-04-20

    Sorry, it was a partial patch -- my working set has patches
    for both of your issues.

    We are working against different versions of the SASL and
    LDAP modules; you are using the newer ones. I have to stay
    with the older ones until GSSAPI is working, but I think we
    can work through that issue.

    The modules I have been using are available in the modules
    subdirectory of led's distribution, if you want to peruse
    them, but it doesn't really matter; I've got to move to the
    new versions soon.

    We can lift the URI handling code from led to deal with the
    ldapi:///, see the referral chasing code.

    A uc ldap_opt{'sasl_mech'} will handle the module name mangling.

    I'm not seeing the { perl -e 'if(0) {use Bogus} }, but I
    wouldn't be surprised; trying to guard against missing
    modules at runtime is always tricky -- and we are using
    different modules :-)

    I think I will branch the code tomorrow, build a perl with
    the new CPAN modules and that should get us on the same
    page. We should be able to get this stuff worked through
    tomorrow.

    By the way, are you using led? Do I need to branch it as
    well and start pushing the auth updates in there as well?
    Thanks for being patient, testing and providing the patches;
    it is appreciated.

     
  • Larry Lile

    Larry Lile - 2005-04-20

    Net::LDAP and Authen::SASL::Cyrus just don't play well
    together. I've sent Patrick an email and hope that he will
    be able to shed some light on the situation.

    I have branched the code so that I can keep the Authen::SASL
    1x branch with working GSSAPI protected from the
    Authen::SASL 2x code.

    Thanks for being patient.

     
  • Larry Lile

    Larry Lile - 2005-04-22

    I'm still waiting for an answer from Patrick, I may ping
    Quanah about it as well.

     
