Sponsoring a canon_user plugin for LDAP lookup

Dan White dwhite at olp.net
Thu Mar 8 11:05:27 EST 2007


Hi Torsten,

Thanks for the info, I'll check into this shortly. I just joined the list last night. I'm CCing.

I have been using perdition with an OpenLDAP directory for a couple of years to solve exactly this problem (we're an ISP). I'm trying to move away from it for various minor reasons. As far as I'm aware you can't do IPv6 with perdition, nor can you proxy sieve connections, nor can it do any kind of authentication other than PLAIN. I'm wanting to move to a murder setup, but this canonization is one of the holdups for me.

As I stumbled across this discussion via google last night, I had actually been working on a canon plugin of my own, but it's a bit of a struggle since my C is rusty. My approach is to duplicate the code of the internal plugin into a new one, and insert a getpwnam call to find the 'real' account name to use. This would require use of libnss-ldap (or another libnss module) that can query on a given name and return another.

For instance, libnss-ldap could be configured to search for some alternate attribute (say, altuid) and return uid:

uid: dwhite at olp.net
altuid: dwhite
altuid: dwhite-olp
altuid: dwhite at olp.net
altuid: dwhite-olp at olp.net

I've compiled it and verified that it doesn't crash when using /etc/passwd, but I haven't tried it against libnss-ldap yet.

I would prefer to use Howard's solution since it should be more efficient, and well, he's a lot better coder. I only saw the first patch in the discussion. Do you have the second one?

Thanks!
- Dan
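The getpwnam-based canonicalisation step described above, written out as an added example (not code from this thread or from Cyrus SASL): a stand-alone function with the shape of a canon_user callback, which takes a counted, possibly unterminated input name and a bounded output buffer, resolves the name through the NSS passwd database and copies back pw_name. It assumes the passwd source (e.g. libnss-ldap matching on altuid, or plain /etc/passwd) answers getpwnam; the function and result-code names are my own, and the explicit termination and buffer handling address the segfault and string-termination problems mentioned later in the thread.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* Result codes for the cases a canon_user callback has to report. */
enum { CANON_OK = 0, CANON_NOUSER = 1, CANON_TOOSHORT = 2, CANON_FAIL = 3 };
/* Resolve `user` (ulen bytes, not necessarily NUL-terminated) through the
 * NSS passwd database (e.g. libnss-ldap matching on altuid) and copy the
 * canonical pw_name into out[out_max]; *out_len receives its length. */
int canon_via_getpwnam(const char *user, unsigned ulen,
                       char *out, unsigned out_max, unsigned *out_len)
{
    char name[256];
    struct passwd pw, *res = NULL;
    char *buf = NULL, *nb;
    long sz = sysconf(_SC_GETPW_R_SIZE_MAX);
    size_t buflen = sz > 0 ? (size_t)sz : 1024, n;
    int rc;
    /* SASL passes a length, not a terminator: make a terminated copy first. */
    if (ulen >= sizeof name) return CANON_TOOSHORT;
    memcpy(name, user, ulen);
    name[ulen] = '\0';
    for (;;) {                       /* grow the buffer on ERANGE and retry */
        if (!(nb = realloc(buf, buflen))) { free(buf); return CANON_FAIL; }
        buf = nb;
        rc = getpwnam_r(name, &pw, buf, buflen, &res);
        if (rc != ERANGE) break;
        buflen *= 2;
    }
    if (rc != 0 || res == NULL) { free(buf); return CANON_NOUSER; }
    n = strlen(res->pw_name);        /* bounded copy, terminator included */
    if (n >= out_max) { free(buf); return CANON_TOOSHORT; }
    memcpy(out, res->pw_name, n + 1);
    *out_len = (unsigned)n;
    free(buf);
    return CANON_OK;
}
int main(void)
{
    char out[64]; unsigned n = 0;
    int rc = canon_via_getpwnam("root", 4, out, sizeof out, &n);
    printf("rc=%d canonical=%s\n", rc, rc == CANON_OK ? out : "(none)");
    return rc;
}
```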

Torsten Schlabach wrote:
> Hi Dan!
>
>> Is the patch that
>> was provided by Howard on the mailing list working?
>
> I was unable to make it work, but that might very well have been my own inability.
>
> There are actually two patches. Do you have both of them?
>
> I had been implementing the first one and tried it, but it had some problems with segfaults and proper string termination. So I communicated this back to Howard and he came up with a second patch. He said he had tested that himself with that 2nd patch and it worked for him, but I kept getting "no user found in database" problems on the LDAP level. (Not even on the IMAPd level).
>
> I am not sure how skilled you are with OpenLDAP SASL and proxy authorization and the like. Basically all the stuff described here:
>
> http://www.openldap.org/doc/admin23/sasl.html
>
> The first gotcha is that the name of some parameters has changed between OpenLDAP 2.2 and 2.3. But a lot of existing Linux systems still have 2.2, so if you are on 2.2, make sure you use
>
> http://www.openldap.org/doc/admin22/sasl.html
>
> In other words: I (and others) would very much appreciate it if you took the time to try again and, in case you are successful, maybe come back with a little howto.
>
> We are currently investigating http://www.vergenet.net/linux/perdition/ as an alternative to what we planned originally (Cyrus Murder together with that patch we're discussing here). But for smaller setups with one server it would definitely make so much sense to have this canon_user functionality up and running.
>
> Let me know if you get stuck anywhere; I will try to help with the experience that I have gained with this.
>
> Regards,
> Torsten
>
> P.S.: Do we have this discussion off-list on purpose, or did you just fall victim to the missing reply-to header on this mailing list?
>
> -------- Original Message --------
> Date: Wed, 07 Mar 2007 23:27:43 -0600
> From: Dan White <dwhite at olp.net>
> To: tschlabach at gmx.net
> CC:
> Subject: Re: Sponsoring a canon_user plugin for LDAP lookup
>
>> Hi Torsten,
>>
>> I just found the discussion of your sponsored patch for an LDAP SASL
>> canon plugin and was curious how it all turned out. Is the patch that
>> was provided by Howard on the mailing list working?
>>
>> I'm very interested in a similar solution.
>>
>> Thanks,
>> - Dan White
