Sponsoring a canon_user plugin for LDAP lookup
Dan White
dwhite at olp.net
Thu Mar 8 11:05:27 EST 2007
Hi Torsten,
Thanks for the info, I'll check into this shortly. I just joined the list last night. I'm CCing.

I have been using perdition with an OpenLDAP directory for a couple of years to solve exactly this problem (we're an ISP). I'm trying to move away from it for various minor reasons. As far as I'm aware you can't do IPv6 with perdition, nor can you proxy sieve connections, nor can it do any kind of authentication other than PLAIN. I'm wanting to move to a murder setup, but this canonization is one of the holdups for me.

As I stumbled across this discussion via google last night, I had actually been working on a canon plugin of my own, but it's a bit of a struggle since my C is rusty. My approach is to duplicate the code of the internal plugin into a new one, and insert a getpwnam call to find the 'real' account name to use. This would require use of libnss-ldap (or other libnss module) that can query on a given name and return another.

For instance, libnss-ldap could be configured to search for some alternate attribute (say, altuid) and return uid:

uid: dwhite at olp.net
altuid: dwhite
altuid: dwhite-olp
altuid: dwhite at olp.net
altuid: dwhite-olp at olp.net

I've compiled it and verified that it doesn't crash when using /etc/passwd, but I haven't tried it against libnss-ldap yet.

I would prefer to use Howard's solution since it should be more efficient, and well, he's a lot better coder. I only saw the first patch in the discussion. Do you have the second one?

Thanks!
- Dan
Torsten Schlabach wrote:
> Hi Dan!
>
>> Is the patch that
>> was provided by Howard on the mailing list working?
>
> I was unable to make it work, but that might very well have been my own inability.
>
> There are actually two patches. Do you have both of them?
>
> I had been implementing the first one and tried it, but it had some problems with segfaults and proper string termination. So I communicated this back to Howard and he came up with a second patch. He said he had tested that himself with that 2nd patch and it worked for him, but I kept getting "no user found in database" problems on the LDAP level. (Not even on the IMAPd level).
>
> I am not sure how skilled you are with OpenLDAP SASL and proxy authorization and the like. Basically all the stuff described here:
>
> http://www.openldap.org/doc/admin23/sasl.html
>
> The first gotcha is that the name of some parameters has changed between OpenLDAP 2.2 and 2.3. But a lot of existing Linux systems still have 2.2, so if you are on 2.2, make sure you use
>
> http://www.openldap.org/doc/admin22/sasl.html
>
> In other words: I (and others) would very much appreciate it if you took the time to try again and, in case you are successful, maybe come back with a little howto.
>
> We are currently investigating http://www.vergenet.net/linux/perdition/ as an alternative to what we planned originally (Cyrus Murder together with that patch we're discussing here). But for smaller setups with one server it would definitely make so much sense to have this canon_user functionality up and running.
>
> Let me know if you get stuck anywhere; I will try to help with the experience that I have gained with this.
>
> Regards,
> Torsten
>
> P.S.: Do we have this discussion off-list on purpose or did you just fall victim to the missing reply-to header on this mailing list?
>
> -------- Original Message --------
> Date: Wed, 07 Mar 2007 23:27:43 -0600
> From: Dan White <dwhite at olp.net>
> To: tschlabach at gmx.net
> CC:
> Subject: Re: Sponsoring a canon_user plugin for LDAP lookup
>
>> Hi Torsten,
>>
>> I just found the discussion of your sponsored patch for an LDAP SASL
>> canon plugin and was curious how it all turned out. Is the patch that
>> was provided by Howard on the mailing list working?
>>
>> I'm very interested in a similar solution.
>>
>> Thanks,
>> - Dan White
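The lookup step Dan describes above (resolve the login name through NSS, so that libnss-ldap or /etc/passwd can map an alternate name to the real account name) as an added illustration. This is not the plugin Dan is writing, nor Howard's patch, nor the Cyrus SASL plugin API: `canon_lookup` is an assumed, simplified function whose argument shape (name plus explicit length, caller-supplied output buffer) only resembles the style of a SASL canon_user callback. It uses the reentrant `getpwnam_r`, which consults whatever modules nsswitch.conf lists, and bound-copies every string so that the segfault and string-termination problems Torsten mentions with the first patch cannot arise here.

```c
#define _POSIX_C_SOURCE 200809L
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/*
 * Added example (hypothetical function, not the plugin from the thread):
 * resolve "user" (ulen bytes, not necessarily NUL-terminated) through NSS
 * and copy the account's canonical pw_name into "out".
 *
 * Returns 0 on success, -1 when the name is unknown, malformed, or the
 * output buffer is too small.  "out" is always left NUL-terminated.
 */
int canon_lookup(const char *user, unsigned ulen,
                 char *out, unsigned out_max, unsigned *out_len)
{
    char login[256];            /* NUL-terminated copy of the input name   */
    char pwbuf[4096];           /* scratch space for getpwnam_r's strings   */
    struct passwd pw, *result = NULL;
    size_t namelen;

    if (out != NULL && out_max > 0)
        out[0] = '\0';          /* fail closed: empty but terminated output */
    if (out_len)
        *out_len = 0;

    /* The caller passes a length, so never trust the input to carry its own
     * terminator: bound-copy it before any libc string function sees it. */
    if (user == NULL || ulen == 0 || ulen >= sizeof login)
        return -1;
    memcpy(login, user, ulen);
    login[ulen] = '\0';
    if (strlen(login) != ulen)  /* embedded NUL: reject rather than truncate */
        return -1;

    /* Reentrant lookup: a SASL server may call this from several threads.
     * Which backends answer (files, libnss-ldap, ...) is nsswitch.conf's job. */
    if (getpwnam_r(login, &pw, pwbuf, sizeof pwbuf, &result) != 0 || result == NULL)
        return -1;              /* no such user in any configured source    */

    namelen = strlen(result->pw_name);
    if (out == NULL || namelen >= out_max)
        return -1;              /* would not fit together with its NUL      */
    memcpy(out, result->pw_name, namelen + 1);
    if (out_len)
        *out_len = (unsigned)namelen;
    return 0;
}

/* Stand-alone use: ./canon_lookup <login> */
int main(int argc, char **argv)
{
    char canon[128];
    unsigned n;

    if (argc != 2) {
        fprintf(stderr, "usage: %s <login>\n", argv[0]);
        return 2;
    }
    if (canon_lookup(argv[1], (unsigned)strlen(argv[1]),
                     canon, sizeof canon, &n) != 0) {
        fprintf(stderr, "%s: not found or output buffer too small\n", argv[1]);
        return 1;
    }
    printf("%s -> %s (%u bytes)\n", argv[1], canon, n);
    return 0;
}
```

Against /etc/passwd this only maps a name to itself; the interesting case is the altuid-to-uid mapping above, which appears once libnss-ldap is the NSS source and is configured to match on the alternate attribute. Note that with libnss-ldap every lookup becomes a directory query, so an unknown-user path that returns -1 quickly (rather than retrying) matters for the server's behaviour under a flood of bogus logins.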