Sponsoring a canon_user plugin for LDAP lookup
Dan White
dwhite at olp.net
Mon Mar 12 10:43:16 EST 2007
Torsten,
Yes, I had some success last night. It took some time to pick up
the OpenLDAP proxy process.
Using both patches, the canonization works for me for both
sample-server and imapd, but not for pop3d when it opens the
mailbox, for some reason. I'm using Debian etch with the
following versions:
cyrus-imapd-2.2: 2.2.13-10
libsasl2: 2.1.22.dfsg1-8
slapd: 2.3.30-4
I'm going to try version 2.3 of cyrus imap to see if pop3 works
any differently.
I added the following statements to the default slapd.conf
config:
========
sasl-regexp
"gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
cn=admin,dc=nodomain
authz-policy to
authz-regexp
"gidNumber=8\\\+uidNumber=104,cn=peercred,cn=external,cn=auth"
cn=admin,dc=nodomain
authz-regexp uid=(.*),cn=external,cn=auth
ldap:///ou=People,dc=nodomain??one?(cn=$1)
========
Where 104 is the UID of my local cyrus user in /etc/passwd.
The suffix is "dc=nodomain".
I added the following to my admin entry:
========
dn: cn=admin,dc=nodomain
changetype: modify
add: authzTo
authzTo: ldap:///ou=People,dc=nodomain??sub?(objectClass=posixAccount)
=========
I'm not sure this authzTo line is correct, but it worked during
testing.
My test user looks like:
=========
dn: uid=test3434,ou=People,dc=nodomain
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
uid: test3434
cn: test3434
cn: test3434 at olp.net
cn: dwhite
cn: dwhite at olp.net
uidNumber: 1001
gidNumber: 500
homeDirectory: /home/test3434
loginShell: /bin/bash
shadowMin: 0
shadowMax: 99999
shadowLastChange: 13581
userPassword: mysecret
==========
I added the following lines to /etc/imapd.conf:
========
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: ldapdb
sasl_canon_user_plugin: ldapdb
sasl_ldapdb_uri: ldapi://%2fvar%2frun%2fslapd%2fldapi/
sasl_ldapdb_mech: EXTERNAL
sasl_ldapdb_canon_attr: uid
========
(I added cyrus to the openldap group in /etc/group to
give it access to the ldapi socket)
Some tests (as the cyrus user):
=======
cyrus at test:~$ ldapwhoami -Y EXTERNAL
SASL/EXTERNAL authentication started
SASL username: gidNumber=8+uidNumber=104,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn:cn=admin,dc=nodomain
Result: Success (0)
cyrus at test:~$
=======
=======
cyrus at test:~$ ldapwhoami -Y EXTERNAL \
-U gidNumber=8+uidNumber=104,cn=peercred,cn=external,cn=auth \
-X u:dwhite SASL/EXTERNAL
authentication started
SASL username: u:dwhite
SASL SSF: 0
dn:uid=test3434,ou=people,dc=nodomain
Result: Success (0)
cyrus at test:~$
========
Here's an expect script you can use with the sample-server
and sample-client executables:
========
#!/usr/bin/expect
# Set environment variables:
# SASL_PATH - to the location of the plugin modules
# SASL_CONF_PATH - path to the sample.conf file
set username [lindex $argv 0]
set mech [lindex $argv 1]
spawn /usr/sbin/sasl-sample-server -s sample -m $mech
set saslserver $spawn_id
spawn /usr/bin/sasl-sample-client -s sample -a $username
set saslclient $spawn_id
while { 1!=2 } {
expect {
-i $saslserver -re "S: \[0-9a-zA-Z\=\]+" {
set output $expect_out(0,string)
send -i $saslclient "$output\r"
send_user "==Sending $output to client.==\n";
}
-i $saslserver -re "recieved decoded.*client" {
send_user "==got client recieved.==\n"
break
}
}
expect {
-i $saslclient -re "C: \[0-9a-zA-Z\=\]+" {
set output $expect_out(0,string)
send -i $saslserver "$output\r"
send_user "==Sending $output to server.==\n";
}
-i $saslclient -re "Password:" {
expect_user -re "(.*)\n"
send_user "\n"
send -i $saslclient "$expect_out(1,string)\r"
expect -i $saslclient -re "C: \[0-9a-zA-Z\=\]+"
set output $expect_out(0,string)
send -i $saslserver "$output\r"
send_user "==Sending $output to server.==\n";
}
}
}
send_user "==Success==\n"
========
To use, create a .conf file somewhere (like in
/tmp/sample.conf) with the following contents:
========
pwcheck_method: auxprop
auxprop_plugin: ldapdb
ldapdb_uri: ldapi://%2fvar%2frun%2fslapd%2fldapi/
ldapdb_mech: EXTERNAL
canon_user_plugin: ldapdb
ldapdb_canon_attr: uid
========
Then do:
test:~# export SASL_CONF_PATH=/tmp
test:~# ./sasl.exp dwhite LOGIN
...
Password: mysecret
...
got 'dwhite'
...
Username: dwhite
...
Username: test3434
...
==Success==
test:~#
==========
Connecting via IMAP seems to work fine. I can authenticate
with either username (test3434 or dwhite) and I get
test3434's INBOX.
- Dan
Torsten Schlabach wrote:
> Hi Dan!
>
> Did you anywhere with that?
>
> Regards,
> Torsten
>
> -------- Original-Nachricht --------
> Betreff: [Fwd: Re: Sponsoring a canon_user plugin for LDAP lookup]
> Datum: Thu, 08 Mar 2007 18:51:36 +0100
> Von: Torsten Schlabach <tschlabach at gmx.net>
> An: dwhite at olp.net
>
> Hi Dan!
>
> This is the other one.
>
> So the process would probably be:
>
> - Check out the SASL library sources.
> - Apply the patched.
> - Configure with the apporiate option to build the libldapdb SASL plugin
> and built it.
> - Either install SASL from your patched sources or just transfer the
> libldapdb libs into your SASL installation coming from your packages.
> (Not sure what distro you're using.)
>
> That was not the problem.
>
> Then you need to configure both OpenLDAP (slapd.conf) as well as Cyrus
> IMAPd (imapd.conf) to use this properly and this is where I basically
> failed and gave up.
>
> Would be nice if you kept me in the look, please.
>
> Regards,
> Torsten
>
> -------- Original-Nachricht --------
> Betreff: Re: Sponsoring a canon_user plugin for LDAP lookup
> Datum: Mon, 19 Feb 2007 16:13:50 -0800
> Von: Howard Chu <hyc at highlandsun.com>
> An: Torsten Schlabach <tschlabach at gmx.net>
> Referenzen: <45A6179E.2040506 at gmx.net>
> <45A7C28A.8060602 at highlandsun.com> <45A7EDBD.6070700 at gmx.net>
> <45A7F356.5070806 at highlandsun.com> <45A80444.9090802 at gmx.net>
> <45A814D2.70903 at highlandsun.com> <45A818C4.40406 at gmx.net>
> <45A81C4E.2090003 at highlandsun.com> <45A81EA1.5090204 at gmx.net>
> <45A830BD.4080300 at highlandsun.com> <45DA148D.7000207 at gmx.net>
> <45DA1DC6.6060703 at highlandsun.com> <45DA20F1.3080700 at gmx.net>
>
> Torsten Schlabach wrote:
>> Hi!
>>
>> > + out[len] = '\0';
>>
>> I had tried this myself, but the result I got was an empty string. So
>> it seems that len == 0 for whatever reason.
>>
>> Bonus question, as I am going nuts about it: How do I add the authTo:
>> attribute to the uid=root object?
>>
>> Regards,
>> Torsten
>>
>> Howard Chu schrieb:
>>> Hi. Try patching these two lines. I haven't tested this yet,
>>> rebuilding my test directory at the moment and will know more in a
>>> few minutes.
> The attachment contains the same patch for those two lines, plus a
> canonuser_client entry point. It's working for me, with these rules:
>
> authid-rewriteMap slapd alias2DN
> ldap:///dc=example,dc=com?mailAliasedName?sub?
> authid-rewriteRule uid=(.*)@(.*),cn=digest-md5,cn=auth
>
> ldap:///dc=example,dc=com??sub?(uid=%{alias2dn((&(mailalias=$1)(dc=$2)))})
>
> authz-regexp uid=(.*),cn=digest-md5,cn=auth
> ldap:///dc=example,dc=com??sub?(uid=$1)
>
>
>
> ------------------------------------------------------------------------
>
> --- ldapdb.c.X 2007-01-12 16:55:58.000000000 -0800
> +++ ldapdb.c 2007-02-19 15:37:48.000000000 -0800
> @@ -311,7 +311,7 @@
> if (!strncasecmp(ctx->canon.bv_val, rdn, ctx->canon.bv_len) &&
> rdn[ctx->canon.bv_len] == '=') {
> char *comma;
> - rdn += ctx->canon.bv_len + 2;
> + rdn += ctx->canon.bv_len + 1;
> comma = strchr(rdn, ',');
> if ( comma )
> len = comma - rdn;
> @@ -320,6 +320,7 @@
> if ( len > out_max )
> len = out_max;
> memcpy(out, rdn, len);
> + out[len] = '\0';
> *out_ulen = len;
> ret = SASL_OK;
> ber_bvfree(cp.dn);
> @@ -361,6 +362,38 @@
> }
>
> static int
> +ldapdb_canon_client(void *glob_context,
> + sasl_client_params_t *cparams,
> + const char *user,
> + unsigned ulen,
> + unsigned flags,
> + char *out,
> + unsigned out_max,
> + unsigned *out_ulen)
> +{
> + if(!cparams || !user) return SASL_BADPARAM;
> +
> + /* Trim whitespace */
> + while(isspace(*(unsigned char *)user)) {
> + user++;
> + ulen--;
> + }
> + while(isspace((unsigned char)user[ulen-1])) {
> + ulen--;
> + }
> +
> + if (!ulen) {
> + cparams->utils->seterror(cparams->utils->conn, 0,
> + "All-whitespace username.");
> + return SASL_FAIL;
> + }
> + memcpy(out, user, ulen);
> + out[ulen] = '\0';
> + *out_ulen = ulen;
> + return SASL_OK;
> +}
> +
> +static int
> ldapdb_config(const sasl_utils_t *utils)
> {
> ldapctx *p = &ldapdb_ctx;
> @@ -446,7 +479,7 @@
> ldapdb, /* name */
> NULL, /* canon_user_free */
> ldapdb_canon_server, /* canon_user_server */
> - NULL, /* canon_user_client */
> + ldapdb_canon_client, /* canon_user_client */
> NULL,
> NULL,
> NULL
>
>
>
More information about the Cyrus-sasl
mailing list