Sponsoring a canon_user plugin for LDAP lookup
Torsten Schlabach
tschlabach at gmx.net
Mon Feb 19 10:45:30 EST 2007
Hi!
Sorry that it took as such a long time to come back to this ...
Now I have implemented that patch, but I fail to make it work. Not sure
where to search. Maybe I did not something completely wrong.
So here is *what* I did:
- Downloaded the SASL library 2.0.22 from the Cyrus site, compiled with
./configure, make, make install to make sure I have everything I need.
- Re-configured with ./configure --enable-ldapdb --with-ldap=/usr, make,
make install.
- Copied the libldap.* files from /usr/lib/sasl2 onto the target machine.
- Edited /etc/imapd.conf according to the example:
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: ldapdb
sasl_ldapdb_uri: localhost
sasl_ldapdb_id: root
sasl_ldapdb_pw: secret
sasl_ldapdb_mech: DIGEST-MD5
sasl_ldapdb_canon_attr: uid
Made the entries in /etc/ldap/slapd.conf:
authz-regexp
uid=([^,]*),cn=[^,]*,cn=auth
uid=$1,dc=ourtld,dc=net
authz-policy to
dn: cn=*,dc=ourtld,dc=net
First attempt:
I found that that upon trying to login through IMAP, the IMAP process
was sinalled to death with signal 11.
After I did an ldconfig, I have a new problem:
It does not even ask the LDAP server anymore.
I am using loglevel = 384 with slapd, but I don't see any attempt of
even going to the directory when logging in. Instead what I see is:
Feb 19 16:40:38 box-k-07 cyrus/imapd[7207]: accepted connection
Feb 19 16:40:38 box-k-07 cyrus/imapd[7207]: badlogin:
m2w008.mail2web.com[168.144.108.8] plaintext cntst SASL(-13): user not
found: checkpass failed
Feb 19 16:40:41 box-k-07 cyrus/imapd[7207]: badlogin:
m2w008.mail2web.com[168.144.108.8] plaintext invalid user
I tried
ldapsearch -U root -X u:cntst
which seems to be ok.
There are some
Feb 19 16:38:59 box-k-07 slapd[4095]: _sasl_plugin_load failed on
sasl_auxprop_plug_init for plugin: ldapdb
Feb 19 16:38:59 box-k-07 slapd[4095]: canonuserfunc error -7
which I understand I can ignore?
Any thoughts? This is quite frustrating ...
Regards,
Torsten
Howard Chu schrieb:
> Torsten Schlabach wrote:
>
>> > And now just to doublecheck - you actually want just the simple name
>> > returned, not the full DN. Correct?
>>
>> Sure. As this is what Cyrus IMAPd expects.
>>
>> Without the canon_user, you'd type
>>
>> AUTH id000012
>>
>> You wouldn't type
>>
>> AUTH uid=id000012,ou=user,ou=...
>>
>> It's getting 1:00 a.m. now where I am. So I hope you got all the info
>> and I can go to bed now. I'd really be thankful for you help with
>> that. Any probably many others as well.
>>
> The attached patch should do what you want. Add "ldapdb_canon_attr: uid"
> to your configuration to use it.
>
>
> ------------------------------------------------------------------------
>
> Index: doc/options.html
> ===================================================================
> RCS file: /cvs/src/sasl/doc/options.html,v
> retrieving revision 1.30
> diff -u -r1.30 options.html
> --- doc/options.html 16 Feb 2005 20:52:05 -0000 1.30
> +++ doc/options.html 13 Jan 2007 01:05:49 -0000
> @@ -83,6 +83,14 @@
> <TD>none</TD>
> </TR>
> <TR>
> +<TD>ldapdb_canon_attr</TD><TD>LDAPDB plugin</TD>
> +<TD>Use the value of the specified attribute as the user's
> +canonical name. The attribute will be looked up in the user's LDAP
> +entry. This setting must be configured in order to use LDAPDB as
> +a canonuser plugin.</TD>
> +<TD>none</TD>
> +</TR>
> +<TR>
> <TD>log_level</TD><TD>SASL Library</TD>
> <TD><b>Numeric</b> Logging Level (see <TT>SASL_LOG_*</TT> in <tt>sasl.h</tt>
> for values and descriptions</TD>
> @@ -273,7 +281,7 @@
> </pre>
> is a valid value for <tt>sql_select</tt>.
>
> -<h2>Notes on LDAPDB auxprop options</h2>
> +<h2>Notes on LDAPDB plugin options</h2>
>
> <p>
> </p>
> @@ -286,7 +294,8 @@
> makes the configuration of remote services much simpler.</p>
>
> <p>This plugin is not for use with slapd itself. When OpenLDAP is
> -built with SASL support, slapd uses its own internal auxprop module.
> +built with SASL support, slapd uses its own internal auxprop and
> +canonuser module.
> By default, without configuring anything else, slapd will fail to load
> the ldapdb module when it's present. This is as it should be. If you
> don't like the "auxpropfunc: error -7" message that is sent to syslog
> @@ -303,6 +312,7 @@
> ldapdb_id: root
> ldapdb_pw: secret
> ldapdb_mech: DIGEST-MD5
> +ldapdb_canon_attr: uid
> </pre>
>
> <p>The LDAP server must be configured to map the SASL authcId "root" into a DN
> Index: plugins/ldapdb.c
> ===================================================================
> RCS file: /cvs/src/sasl/plugins/ldapdb.c,v
> retrieving revision 1.2
> diff -u -r1.2 ldapdb.c
> --- plugins/ldapdb.c 19 Feb 2005 02:26:31 -0000 1.2
> +++ plugins/ldapdb.c 13 Jan 2007 01:05:49 -0000
> @@ -1,6 +1,6 @@
> /* $OpenLDAP: pkg/ldap/contrib/ldapsasl/ldapdb.c,v 1.1.2.7 2003/11/29 22:10:03 hyc Exp $ */
> -/* SASL LDAP auxprop implementation
> - * Copyright (C) 2002,2003 Howard Chu, All rights reserved. <hyc at symas.com>
> +/* SASL LDAP auxprop+canonuser implementation
> + * Copyright (C) 2002-2007 Howard Chu, All rights reserved. <hyc at symas.com>
> *
> * Redistribution and use in source and binary forms, with or without
> * modification, are permitted only as authorized by the OpenLDAP
> @@ -14,6 +14,7 @@
> #include <config.h>
>
> #include <stdio.h>
> +#include <ctype.h>
>
> #include "sasl.h"
> #include "saslutil.h"
> @@ -26,13 +27,17 @@
> static char ldapdb[] = "ldapdb";
>
> typedef struct ldapctx {
> + int inited; /* Have we already read the config? */
> const char *uri; /* URI of LDAP server */
> struct berval id; /* SASL authcid to bind as */
> struct berval pw; /* password for bind */
> struct berval mech; /* SASL mech */
> int use_tls; /* Issue StartTLS request? */
> + struct berval canon; /* Use attr in user entry for canonical name */
> } ldapctx;
>
> +static ldapctx ldapdb_ctx;
> +
> static int ldapdb_interact(LDAP *ld, unsigned flags __attribute__((unused)),
> void *def, void *inter)
> {
> @@ -79,7 +84,7 @@
> char *authzid;
>
> if((i=ldap_initialize(&cp->ld, ctx->uri))) {
> - return i;
> + return i;
> }
>
> authzid = sparams->utils->malloc(ulen + sizeof("u:"));
> @@ -203,7 +208,7 @@
>
> done:
> if(attrs) sparams->utils->free(attrs);
> - if(cp.ld) ldap_unbind(cp.ld);
> + if(cp.ld) ldap_unbind_ext(cp.ld, NULL, NULL);
> }
>
> static int ldapdb_auxprop_store(void *glob_context,
> @@ -254,58 +259,133 @@
> if (i == LDAP_NO_MEMORY) i = SASL_NOMEM;
> else i = SASL_FAIL;
> }
> - if (cp.ld) ldap_unbind(cp.ld);
> + if(cp.ld) ldap_unbind_ext(cp.ld, NULL, NULL);
> return i;
> }
>
> -static void ldapdb_auxprop_free(void *glob_ctx, const sasl_utils_t *utils)
> +static int
> +ldapdb_canon_server(void *glob_context,
> + sasl_server_params_t *sparams,
> + const char *user,
> + unsigned ulen,
> + unsigned flags,
> + char *out,
> + unsigned out_max,
> + unsigned *out_ulen)
> {
> - utils->free(glob_ctx);
> -}
> + ldapctx *ctx = glob_context;
> + connparm cp;
> + struct berval **bvals;
> + LDAPMessage *msg, *res;
> + char *rdn, *attrs[2];
> + unsigned len;
> + int ret;
> +
> + if(!ctx || !sparams || !user) return SASL_BADPARAM;
>
> -static sasl_auxprop_plug_t ldapdb_auxprop_plugin = {
> - 0, /* Features */
> - 0, /* spare */
> - NULL, /* glob_context */
> - ldapdb_auxprop_free, /* auxprop_free */
> - ldapdb_auxprop_lookup, /* auxprop_lookup */
> - ldapdb, /* name */
> - ldapdb_auxprop_store /* auxprop store */
> -};
> + /* If no canon attribute was configured, we can't do anything */
> + if(!ctx->canon.bv_val) return SASL_BADPARAM;
>
> -int ldapdb_auxprop_plug_init(const sasl_utils_t *utils,
> - int max_version,
> - int *out_version,
> - sasl_auxprop_plug_t **plug,
> - const char *plugname __attribute__((unused)))
> + /* Trim whitespace */
> + while(isspace(*(unsigned char *)user)) {
> + user++;
> + ulen--;
> + }
> + while(isspace((unsigned char)user[ulen-1])) {
> + ulen--;
> + }
> +
> + if (!ulen) {
> + sparams->utils->seterror(sparams->utils->conn, 0,
> + "All-whitespace username.");
> + return SASL_FAIL;
> + }
> +
> + ret = ldapdb_connect(ctx, sparams, user, ulen, &cp);
> + if ( ret ) goto done;
> +
> + /* See if the RDN uses the canon attr. If so, just use the RDN
> + * value, we don't need to do a search.
> + */
> + rdn = cp.dn->bv_val+3;
> + if (!strncasecmp(ctx->canon.bv_val, rdn, ctx->canon.bv_len) &&
> + rdn[ctx->canon.bv_len] == '=') {
> + char *comma;
> + rdn += ctx->canon.bv_len + 2;
> + comma = strchr(rdn, ',');
> + if ( comma )
> + len = comma - rdn;
> + else
> + len = cp.dn->bv_len - (rdn - cp.dn->bv_val);
> + if ( len > out_max )
> + len = out_max;
> + memcpy(out, rdn, len);
> + *out_ulen = len;
> + ret = SASL_OK;
> + ber_bvfree(cp.dn);
> + goto done;
> + }
> +
> + /* Have to read the user's entry */
> + attrs[0] = ctx->canon.bv_val;
> + attrs[1] = NULL;
> + ret = ldap_search_ext_s(cp.ld, cp.dn->bv_val+3, LDAP_SCOPE_BASE,
> + "(objectclass=*)", attrs, 0, cp.ctrl, NULL, NULL, 1, &res);
> + ber_bvfree(cp.dn);
> +
> + if (ret != LDAP_SUCCESS) goto done;
> +
> + for(msg=ldap_first_message(cp.ld, res); msg; msg=ldap_next_message(cp.ld, msg))
> + {
> + if (ldap_msgtype(msg) != LDAP_RES_SEARCH_ENTRY) continue;
> + bvals = ldap_get_values_len(cp.ld, msg, attrs[0]);
> + if (!bvals) continue;
> + len = bvals[0]->bv_len;
> + if ( len > out_max )
> + len = out_max;
> + memcpy(out, bvals[0]->bv_val, len);
> + *out_ulen = len;
> + ber_bvecfree(bvals);
> + }
> + ldap_msgfree(res);
> +
> + done:
> + if(cp.ld) ldap_unbind_ext(cp.ld, NULL, NULL);
> + if (ret) {
> + sparams->utils->seterror(sparams->utils->conn, 0,
> + ldap_err2string(ret));
> + if (ret == LDAP_NO_MEMORY) ret = SASL_NOMEM;
> + else ret = SASL_FAIL;
> + }
> + return ret;
> +}
> +
> +static int
> +ldapdb_config(const sasl_utils_t *utils)
> {
> - ldapctx tmp, *p;
> + ldapctx *p = &ldapdb_ctx;
> const char *s;
> unsigned len;
>
> - if(!out_version || !plug) return SASL_BADPARAM;
> -
> - if(max_version < SASL_AUXPROP_PLUG_VERSION) return SASL_BADVERS;
> -
> - memset(&tmp, 0, sizeof(tmp));
> + if(p->inited) return SASL_OK;
>
> - utils->getopt(utils->getopt_context, ldapdb, "ldapdb_uri", &tmp.uri, NULL);
> - if(!tmp.uri) return SASL_BADPARAM;
> + utils->getopt(utils->getopt_context, ldapdb, "ldapdb_uri", &p->uri, NULL);
> + if(!p->uri) return SASL_BADPARAM;
>
> utils->getopt(utils->getopt_context, ldapdb, "ldapdb_id",
> - (const char **)&tmp.id.bv_val, &len);
> - tmp.id.bv_len = len;
> + (const char **)&p->id.bv_val, &len);
> + p->id.bv_len = len;
> utils->getopt(utils->getopt_context, ldapdb, "ldapdb_pw",
> - (const char **)&tmp.pw.bv_val, &len);
> - tmp.pw.bv_len = len;
> + (const char **)&p->pw.bv_val, &len);
> + p->pw.bv_len = len;
> utils->getopt(utils->getopt_context, ldapdb, "ldapdb_mech",
> - (const char **)&tmp.mech.bv_val, &len);
> - tmp.mech.bv_len = len;
> + (const char **)&p->mech.bv_val, &len);
> + p->mech.bv_len = len;
> utils->getopt(utils->getopt_context, ldapdb, "ldapdb_starttls", &s, NULL);
> if (s)
> {
> - if (!strcasecmp(s, "demand")) tmp.use_tls = 2;
> - else if (!strcasecmp(s, "try")) tmp.use_tls = 1;
> + if (!strcasecmp(s, "demand")) p->use_tls = 2;
> + else if (!strcasecmp(s, "try")) p->use_tls = 1;
> }
> utils->getopt(utils->getopt_context, ldapdb, "ldapdb_rc", &s, &len);
> if (s)
> @@ -320,15 +400,75 @@
> return SASL_NOMEM;
> }
> }
> + utils->getopt(utils->getopt_context, ldapdb, "ldapdb_canon_attr",
> + (const char **)&p->canon.bv_val, &len);
> + p->canon.bv_len = len;
> + p->inited = 1;
>
> - p = utils->malloc(sizeof(ldapctx));
> - if (!p) return SASL_NOMEM;
> - *p = tmp;
> - ldapdb_auxprop_plugin.glob_context = p;
> + return SASL_OK;
> +}
> +
> +static sasl_auxprop_plug_t ldapdb_auxprop_plugin = {
> + 0, /* Features */
> + 0, /* spare */
> + &ldapdb_ctx, /* glob_context */
> + NULL, /* auxprop_free */
> + ldapdb_auxprop_lookup, /* auxprop_lookup */
> + ldapdb, /* name */
> + ldapdb_auxprop_store /* auxprop store */
> +};
> +
> +int ldapdb_auxprop_plug_init(const sasl_utils_t *utils,
> + int max_version,
> + int *out_version,
> + sasl_auxprop_plug_t **plug,
> + const char *plugname __attribute__((unused)))
> +{
> + int rc;
> +
> + if(!out_version || !plug) return SASL_BADPARAM;
> +
> + if(max_version < SASL_AUXPROP_PLUG_VERSION) return SASL_BADVERS;
> +
> + rc = ldapdb_config(utils);
>
> *out_version = SASL_AUXPROP_PLUG_VERSION;
>
> *plug = &ldapdb_auxprop_plugin;
>
> - return SASL_OK;
> + return rc;
> +}
> +
> +static sasl_canonuser_plug_t ldapdb_canonuser_plugin = {
> + 0, /* features */
> + 0, /* spare */
> + &ldapdb_ctx, /* glob_context */
> + ldapdb, /* name */
> + NULL, /* canon_user_free */
> + ldapdb_canon_server, /* canon_user_server */
> + NULL, /* canon_user_client */
> + NULL,
> + NULL,
> + NULL
> +};
> +
> +int ldapdb_canonuser_plug_init(const sasl_utils_t *utils,
> + int max_version,
> + int *out_version,
> + sasl_canonuser_plug_t **plug,
> + const char *plugname __attribute__((unused)))
> +{
> + int rc;
> +
> + if(!out_version || !plug) return SASL_BADPARAM;
> +
> + if(max_version < SASL_CANONUSER_PLUG_VERSION) return SASL_BADVERS;
> +
> + rc = ldapdb_config(utils);
> +
> + *out_version = SASL_CANONUSER_PLUG_VERSION;
> +
> + *plug = &ldapdb_canonuser_plugin;
> +
> + return rc;
> }
> Index: plugins/makeinit.sh
> ===================================================================
> RCS file: /cvs/src/sasl/plugins/makeinit.sh,v
> retrieving revision 1.10
> diff -u -r1.10 makeinit.sh
> --- plugins/makeinit.sh 16 Feb 2005 20:52:12 -0000 1.10
> +++ plugins/makeinit.sh 13 Jan 2007 01:05:49 -0000
> @@ -45,7 +45,7 @@
> " > ${mech}_init.c
> done
>
> -for mech in sasldb sql ldapdb; do
> +for mech in sasldb sql; do
>
> echo "
> #include <config.h>
> @@ -87,3 +87,46 @@
> " > ${mech}_init.c
> done
>
> +for mech in ldapdb; do
> +
> +echo "
> +#include <config.h>
> +
> +#include <string.h>
> +#include <stdlib.h>
> +#include <stdio.h>
> +#ifndef macintosh
> +#include <sys/stat.h>
> +#endif
> +#include <fcntl.h>
> +#include <assert.h>
> +
> +#include <sasl.h>
> +#include <saslplug.h>
> +#include <saslutil.h>
> +
> +#include \"plugin_common.h\"
> +
> +#ifdef WIN32
> +BOOL APIENTRY DllMain( HANDLE hModule,
> + DWORD ul_reason_for_call,
> + LPVOID lpReserved
> + )
> +{
> + switch (ul_reason_for_call)
> + {
> + case DLL_PROCESS_ATTACH:
> + case DLL_THREAD_ATTACH:
> + case DLL_THREAD_DETACH:
> + case DLL_PROCESS_DETACH:
> + break;
> + }
> + return TRUE;
> +}
> +#endif
> +
> +SASL_AUXPROP_PLUG_INIT( $mech )
> +SASL_CANONUSER_PLUG_INIT( $mech )
> +" > ${mech}_init.c
> +done
> +
More information about the Cyrus-sasl
mailing list