RFC auxprop enhancement

Pierangelo Masarati ando at sys-net.it
Sun Dec 18 04:20:59 EST 2005


> Howard Chu wrote:
>
>> The LDAP Password Policy spec crawls forward, providing a standard
>> mechanism for defining/enforcing password policies in LDAP. In
>> OpenLDAP we support password policies for Simple Binds (i.e.
>> plaintext), but it would be desirable to support it for other
>> secret-based mechs as well. This necessarily means we're talking about
>> the auxprop API, since the other available APIs also only support
>> plaintext credentials.
>>
>> I see two major limitations in the auxprop mechs themselves:
>>   the _lookup function is a void, it cannot return any result codes.
>> So if we encounter an expiration or lockout status, there is no way to
>> convey it back to the caller.
>>   there is no _authentication_done callback, so there is no way to
>> convey success/failure back to the mech. Which means there is no way
>> to perform failure counting, in support of a lockout policy.
>>
>> It seems that there's no simple way to add this functionality without
>> significant changes to the entire library.
>>
>> I'm wondering if (a) maybe I've overestimated the difficulty
>
> I don't think you do. However I would like to note that the changes can
> be done incrementally: change the lookup function to return value, then
> update plugins.
>
>> and (b) is there interest in developing the necessary extensions?
>
> Yes.

Howard, Alexey,

encouraged by your comments I've started looking in detail at the code
and, based on our early discussion, I think the difficulty will not be that
hard.  I think we can split the activity into the following steps:

1) add a return value to auxprop_lookup() and _sasl_auxprop_lookup(), set
it from inside the lib and the plugins, and use it inside the lib;

2) add an (optional) auxprop_done() hook, and call it consistently from
inside the lib.

This is all with SASL; then

3) determine cases in which a direct search for the password attribute
should be considered an authentication attempt, and act on draft-behera
accordingly (this requires moving discussion to the ldapbis at ietf.org list,
as it is off-topic here);

4) modify the ldapdb auxprop plugin so that it exploits the auxprop_done()
call;

5) modify the ldapdb auxprop so that it supports the ppolicy control.

I'm preparing two patches for submission to Cyrus SASL, one for point (1),
which could be of benefit for other mechs as well, and one (conditional on
the existence of ppolicy support in the LDAP library) for point (5), which
should be considered only as an example of how it could be implemented,
since currently the support for ppolicy in OpenLDAP (as of draft-behera)
doesn't consider searches yet.

I'll submit the two patches separately for initial review by Cyrus SASL
later on, when I get to a better performing connection :).  Right now, I
consider them little more than a basis for further discussion.

Ciao, p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati at sys-net.it
OpenLDAP Core Team



Ing. Pierangelo Masarati
Responsabile Open Solution

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309          
Mobile:   +39.333.4963172
Email:    pierangelo.masarati at sys-net.it
------------------------------------------
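As an added illustration of steps (1) and (2) from the message above, here is a self-contained C model of the proposed auxprop flow: a lookup that returns a status instead of void, and a done hook that counts failures toward a lockout. This is example code, not Cyrus SASL's API nor the patches described; the function names, result codes, in-memory user table and the three-failure policy are all constructed for the example.

```c
#include <string.h>

/* Hypothetical result codes; the library's real codes would differ. */
enum { AP_OK = 0, AP_NOUSER, AP_EXPIRED, AP_LOCKED, AP_BADAUTH };
#define MAX_FAILURES 3   /* constructed lockout policy: lock after 3 failures */

/* Constructed in-memory record standing in for the user's LDAP entry. */
struct user_rec {
    const char *name;
    const char *secret;   /* the password attribute the mech needs */
    int expired;          /* ppolicy state: password has expired */
    int failures;         /* counter maintained by the done hook */
};
static struct user_rec db[] = {
    { "alice", "correct-horse", 0, 0 },
    { "bob",   "old-secret",    1, 0 },
};

static struct user_rec *find_user(const char *user) {
    for (size_t i = 0; i < sizeof db / sizeof db[0]; i++)
        if (strcmp(db[i].name, user) == 0) return &db[i];
    return NULL;
}

/* Step (1): lookup returns a status, so expiry/lockout reach the caller. */
int auxprop_lookup_rc(const char *user, const char **secret_out) {
    struct user_rec *u = find_user(user);
    *secret_out = NULL;
    if (!u) return AP_NOUSER;
    if (u->failures >= MAX_FAILURES) return AP_LOCKED;
    if (u->expired) return AP_EXPIRED;
    *secret_out = u->secret;
    return AP_OK;
}

/* Step (2): the done hook sees the outcome and counts failures toward lockout. */
void auxprop_done(const char *user, int success) {
    struct user_rec *u = find_user(user);
    if (u) u->failures = success ? 0 : u->failures + 1;
}

/* How the library would drive one authentication attempt. */
int authenticate(const char *user, const char *presented) {
    const char *secret;
    int rc = auxprop_lookup_rc(user, &secret);
    if (rc != AP_OK) return rc;              /* status now propagates */
    int ok = strcmp(secret, presented) == 0; /* stand-in for the mech's check */
    auxprop_done(user, ok);
    return ok ? AP_OK : AP_BADAUTH;
}
```

With the void lookup and no done hook, the expired and locked outcomes below would be indistinguishable from a plain bad password, and the failure counter could never be maintained by the plugin.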



More information about the Cyrus-sasl mailing list