Sponsoring a canon_user plugin for LDAP lookup

Torsten Schlabach tschlabach at gmx.net
Thu Mar 8 12:37:06 EST 2007


Hi Dan!

Some good points you bring up here against Perdition. I need to say that 
I heard about it for the first time some days ago and did not try it myself, 
but it sounded like a relief for our pressing problem. But from what I 
learn from you now, it will make sense to get this SASL patch sorted out.

So let's get onto that.

> I would prefer to use Howard's solution since it should be more
> efficient, and well, he's a lot better coder.

I would still hope that this will make it to the codebase so it would be 
"maintenance free" after that, anyway.

I will send you the 2nd patch.

Regards,
Torsten


Dan White wrote:
> Hi Torsten,
> 
> Thanks for the info, I'll check into this shortly. I just joined the 
> list last night. I'm CCing.
> 
> I have been using perdition with an OpenLDAP directory for a couple of
> years to solve exactly this problem (we're an ISP). I'm trying to move
> away from it for various minor reasons. As far as I'm aware you can't do
> IPv6 with perdition, nor can you proxy sieve connections, nor can it do
> any kind of authentication other than PLAIN. I'm wanting to move to a
> murder setup, but this canonization is one of the holdups for me.
> 
> As I stumbled across this discussion via google last night, I had
> actually been working on a canon plugin of my own, but it's a bit of a
> struggle since my C is rusty. My approach is to duplicate the code of
> the internal plugin into a new one, and insert a getpwnam call to find
> the 'real' account name to use. This would require use of libnss-ldap
> (or other libnss module) that can query on a given name and return
> another.
> 
> For instance, libnss-ldap could be configured to search for some
> alternate attribute (say, altuid) and return uid:
> 
> uid: dwhite at olp.net
> altuid: dwhite
> altuid: dwhite-olp
> altuid: dwhite at olp.net
> altuid: dwhite-olp at olp.net
> 
> I've compiled it and verified that it doesn't crash when using
> /etc/passwd, but I haven't tried it against libnss-ldap yet.
> 
> I would prefer to use Howard's solution since it should be more
> efficient, and well, he's a lot better coder. I only saw the first
> patch in the discussion. Do you have the second one?
> 
> Thanks!
> - Dan
> 
> Torsten Schlabach wrote:
> 
>>Hi Dan!
>>
>>>Is the patch that
>>>was provided by Howard on the mailing list working?
>>
>>I was unable to make it work, but that might very well have been my own inability.
>>
>>There are actually two patches. Do you have both of them?
>>
>>I had been implementing the first one and tried it, but it had some problems with segfaults and proper string termination. So I communicated this back to Howard and he came up with a second patch. He said he had tested that himself with that 2nd patch and it worked for him, but I kept getting "no user found in database" problems on the LDAP level. (Not even on the IMAPd level).
>>
>>I am not sure how skilled you are with OpenLDAP SASL and proxy authorization and the like. Basically all the stuff described here:
>>
>>http://www.openldap.org/doc/admin23/sasl.html
>>
>>The first gotcha is that the names of some parameters have changed between OpenLDAP 2.2 and 2.3. But a lot of existing Linux systems still have 2.2, so if you are on 2.2, make sure you use
>>
>>http://www.openldap.org/doc/admin22/sasl.html
>>
>>In other words: I (and others) would very much appreciate it if you took the time to try again and, in case you are successful, maybe came back with a little howto.
>>
>>We are currently investigating http://www.vergenet.net/linux/perdition/ as an alternative to what we planned originally (Cyrus Murder together with that patch we're discussing here). But for smaller setups with one server it would definitely make so much sense to have this canon_user functionality up and running.
>>
>>Let me know if you get stuck anywhere; I will try to help with the experience I have gained with this.
>>
>>Regards,
>>Torsten
>>
>>P.S.: Do we have this discussion off-list on purpose or did you just fall victim to the missing reply-to header on this mailing list?
>>
>>-------- Original Message --------
>>Date: Wed, 07 Mar 2007 23:27:43 -0600
>>From: Dan White <dwhite at olp.net>
>>To: tschlabach at gmx.net
>>CC: 
>>Subject: Re: Sponsoring a canon_user plugin for LDAP lookup
>>
>>>Hi Torsten,
>>>
>>>I just found the discussion of your sponsored patch for an LDAP SASL
>>>canon plugin and was curious how it all turned out. Is the patch that
>>>was provided by Howard on the mailing list working?
>>>
>>>I'm very interested in a similar solution.
>>>
>>>Thanks,
>>>- Dan White
> 
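The lookup step Dan describes above (match a login name against the account's alternate names and hand back the canonical uid), as an added example that is not code from this thread, from Cyrus SASL or from libnss-ldap. The function shape (counted-length input name, bounded output buffer) is my assumption about what a canon_user callback has to cope with, which is where the "proper string termination" trouble Torsten mentions comes from; the directory entries are constructed sample data and the names `canon_lookup` and `directory` are my own.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample directory standing in for what libnss-ldap would
 * return: each account has one canonical uid and several altuid values. */
struct account {
    const char *uid;        /* canonical name to hand back to SASL */
    const char *altuid[4];  /* alternate names a user may log in with */
};

static const struct account directory[] = {
    { "dwhite@olp.net",     { "dwhite", "dwhite-olp", "dwhite@olp.net", "dwhite-olp@olp.net" } },
    { "tschlabach@gmx.net", { "tschlabach", "torsten", NULL, NULL } },
};

/* Resolve a login name to its canonical uid.
 * `user` is NOT assumed to be NUL-terminated: only `ulen` bytes are valid,
 * so the match compares lengths first and then memcmp()s, never strcmp().
 * The result is written NUL-terminated into out_user (capacity out_umax).
 * Returns 0 on success, -1 if nothing matches (fail closed: unknown names
 * are never passed through), -2 if uid plus terminator would not fit. */
int canon_lookup(const char *user, unsigned ulen,
                 char *out_user, unsigned out_umax, unsigned *out_ulen)
{
    size_t n = sizeof directory / sizeof directory[0];
    for (size_t i = 0; i < n; i++) {
        for (int j = 0; j < 4 && directory[i].altuid[j] != NULL; j++) {
            const char *alt = directory[i].altuid[j];
            if (strlen(alt) != ulen || memcmp(alt, user, ulen) != 0)
                continue;
            size_t clen = strlen(directory[i].uid);
            if (clen + 1 > out_umax)      /* leave room for the '\0' */
                return -2;
            memcpy(out_user, directory[i].uid, clen);
            out_user[clen] = '\0';
            *out_ulen = (unsigned)clen;
            return 0;
        }
    }
    return -1;
}

int main(void)
{
    /* Only the first 10 bytes of login are the user name; the rest is
     * whatever happens to follow in memory and must be ignored. */
    char login[] = "dwhite-olp-trailing-garbage";
    char out[32];
    unsigned outlen = 0;
    int rc = canon_lookup(login, 10, out, sizeof out, &outlen);
    printf("rc=%d canonical=%s len=%u\n", rc, rc == 0 ? out : "(none)", outlen);
    return 0;
}
```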