From: Norbert K. <nor...@da...> - 2002-05-08 15:32:21
--On Tuesday, 7 May 2002 13:38 +0100 Graham Barr <gb...@po...> wrote:

> The reason it was using user, was for compatibility with previous SASL
> implementation.

How am I supposed to call Authen::SASL->new and Net::LDAP->bind if I don't
want to do proxy auth (i.e. not specify an authorization identity with the
user callback)?

I'm asking this because in Net/LDAP.pm line 242 "user" defaults to
'dn: <DN>', where <DN> is the first parameter to Net::LDAP::bind():

    # Tell the SASL object our user identifier
    $sasl->callback( user => "dn: $stash{name}")
      unless $sasl->callback('user');

So without an explicit "user" callback, perl-ldap will emit the following
bind request:

    30 1c 02 01 01 60 17 02 01 03 04 00 a3 10 04 08   0....`..........
    45 58 54 45 52 4e 41 4c 04 04 64 6e 3a 20         EXTERNAL..dn: 

Similar for PLAIN:

    30 2a 02 01 01 60 25 02 01 03 04 00 a3 1e 04 05   0*...`%.........
    50 4c 41 49 4e 04 15 64 6e 3a 20 00 63 6e 3d 61   PLAIN..dn: .cn=a
    75 74 68 63 32 00 73 65 63 72 65 74               uthc2.secret

I think the default callback for user should only be set if $stash{name}
actually contains a value:

    # Tell the SASL object our user identifier
    $sasl->callback( user => "dn: $stash{name}")
      unless $sasl->callback('user') || !$stash{name};

This would allow

    my $sasl = Authen::SASL->new( mechanism => 'EXTERNAL' );

and

    $mesg = $ldap->bind( '', sasl => $sasl );

or

    $mesg = $ldap->bind( $proxydn, sasl => $sasl );

BTW how is a server to respond if it receives different authCids in the
name and credentials component of a bind request? With the following code,
perl-ldap will emit such a request.

    my $sasl = Authen::SASL->new(
        mechanism => 'PLAIN',
        callback  => {
            pass     => 'secret',
            user     => 'cn=authz',
            authname => 'cn=authc2',
        }
    );
    $mesg = $ldap->bind( 'cn=authc1', sasl => $sasl );

    30 37 02 01 01 60 32 02 01 03 04 09 63 6e 3d 61   07...`2.....cn=a
    75 74 68 63 31 a3 22 04 05 50 4c 41 49 4e 04 19   uthc1."..PLAIN..
    63 6e 3d 61 75 74 68 7a 00 63 6e 3d 61 75 74 68   cn=authz.cn=auth
    63 32 00 73 65 63 72 65 74                        c2.secret

-- 
Dipl.-Inform. Norbert Klasen
DAASI International GmbH       phone: +49 7071 29 70336
Wilhelmstr. 106                fax:   +49 7071 29 5114
72074 Tübingen                 email: nor...@da...
Germany                        web:   http://www.daasi.de
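
Added example, not part of the original message and not perl-ldap code: a small Python decoder for the three bind requests quoted in the message. It shows which identity ends up in the bind name, the authzid and the authcid, and flags the two cases the message raises (a "dn: " authzid with no DN, and a bind name that differs from the PLAIN authcid). The function names and note strings are assumptions of this example.

```python
# Added example; helper names and note texts are this example's own, not perl-ldap's.
def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one definite-length BER element."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def expect(tag, wanted, what):
    if tag != wanted:
        raise ValueError(f"expected {what} (0x{wanted:02x}), got 0x{tag:02x}")

def parse_sasl_bind(hexdump):
    """Decode an LDAPv3 SASL BindRequest and note identity inconsistencies."""
    tag, body, _ = read_tlv(bytes.fromhex(hexdump), 0)
    expect(tag, 0x30, "LDAPMessage SEQUENCE")
    _, _, pos = read_tlv(body, 0)                      # messageID
    tag, req, _ = read_tlv(body, pos)
    expect(tag, 0x60, "BindRequest")
    _, _, pos = read_tlv(req, 0)                       # version
    _, name, pos = read_tlv(req, pos)                  # name (bind DN)
    tag, sasl, _ = read_tlv(req, pos)
    expect(tag, 0xA3, "sasl AuthenticationChoice")
    _, mech, pos = read_tlv(sasl, 0)
    cred = read_tlv(sasl, pos)[1] if pos < len(sasl) else b""
    info = {"name": name.decode(), "mechanism": mech.decode(), "authcid": None, "notes": []}
    if mech == b"PLAIN":                               # authzid NUL authcid NUL passwd
        parts = cred.split(b"\0")
        if len(parts) != 3:
            raise ValueError("malformed PLAIN credentials")
        info["authzid"], info["authcid"] = parts[0].decode(), parts[1].decode()  # password dropped
    else:                                              # treated like EXTERNAL: credentials are the authzid
        info["authzid"] = cred.decode()
    if info["authzid"].startswith("dn:") and not info["authzid"][3:].strip():
        info["notes"].append("authzid has the dn: prefix but no DN")
    if info["authcid"] and info["name"] and info["authcid"] != info["name"]:
        info["notes"].append("bind name differs from authcid in credentials")
    return info

# The three dumps from the message, in order, with whitespace removed.
EXTERNAL_DEFAULT = "301c0201016017020103040000a31004084558544552" "4e414c0404646e3a20".replace("040000", "0400", 1)
PLAIN_DEFAULT = "302a020101602502010304 00a31e0405504c41494e0415646e3a2000636e3d61757468633200736563726574"
PLAIN_MISMATCH = "3037020101603202010304 09636e3d617574686331a3220405504c41494e0419636e3d617574687a00636e3d61757468633200736563726574"
```

Calling parse_sasl_bind() on each constant returns a dict with the bind name, mechanism, authzid, authcid and any notes; the PLAIN password is parsed but not kept.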