Sponsoring a canon_user plugin for LDAP lookup
Torsten Schlabach
tschlabach at gmx.net
Mon Mar 12 16:33:34 EST 2007
Hi Dan!
Thank you for taking the time for that detailed writeup.
I have taken a blank server with a fresh Debian Etch installation and
installed the very same packages you did. I did not yet apply the
patches as I wanted to make sure I get all that stuff right out of the
box before I dig into canonicalization.
Here is where I got stuck:
cyrus at Debian-pre40-64-minimal:~$ ldapwhoami -Y EXTERNAL \
> -U gidNumber=8+uidNumber=104,cn=peercred,cn=external,cn=auth \
> -X u:dwhite SASL/EXTERNAL
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available:
I do have the modules installed (which I know is a common gotcha):
cyrus at Debian-pre40-64-minimal:~$ dpkg --get-selections | grep sasl
libsasl2 install
libsasl2-2 install
libsasl2-modules install
libsasl2-modules-ldap install
Any idea what I am missing?
Do you have a 32- or 64-bit system?
Regards,
Torsten
Dan White wrote:
> Torsten,
>
> Yes, I had some success last night. It took some time to pick up
> the OpenLDAP proxy process.
>
> Using both patches, the canonization works for me for both
> sample-server and imapd, but not for pop3d when it opens the
> mailbox, for some reason. I'm using Debian etch with the
> following versions:
>
> cyrus-imapd-2.2: 2.2.13-10
> libsasl2: 2.1.22.dfsg1-8
> slapd: 2.3.30-4
>
> I'm going to try version 2.3 of cyrus imap to see if pop3 works
> any differently.
>
> I added the following statements to the default slapd.conf
> config:
>
> ========
> sasl-regexp
> "gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
> cn=admin,dc=nodomain
>
> authz-policy to
>
> authz-regexp
> "gidNumber=8\\\+uidNumber=104,cn=peercred,cn=external,cn=auth"
> cn=admin,dc=nodomain
>
> authz-regexp uid=(.*),cn=external,cn=auth
> ldap:///ou=People,dc=nodomain??one?(cn=$1)
> ========
>
> Where 104 is the UID of my local cyrus user in /etc/passwd.
> The suffix is "dc=nodomain".
>
> I added the following to my admin entry:
> ========
> dn: cn=admin,dc=nodomain
> changetype: modify
> add: authzTo
> authzTo: ldap:///ou=People,dc=nodomain??sub?(objectClass=posixAccount)
> =========
>
> I'm not sure this authzTo line is correct, but it worked during
> testing.
>
> My test user looks like:
> =========
> dn: uid=test3434,ou=People,dc=nodomain
> objectClass: account
> objectClass: posixAccount
> objectClass: shadowAccount
> uid: test3434
> cn: test3434
> cn: test3434 at olp.net
> cn: dwhite
> cn: dwhite at olp.net
> uidNumber: 1001
> gidNumber: 500
> homeDirectory: /home/test3434
> loginShell: /bin/bash
> shadowMin: 0
> shadowMax: 99999
> shadowLastChange: 13581
> userPassword: mysecret
> ==========
>
> I added the following lines to /etc/imapd.conf:
> ========
> sasl_pwcheck_method: auxprop
> sasl_auxprop_plugin: ldapdb
>
> sasl_canon_user_plugin: ldapdb
> sasl_ldapdb_uri: ldapi://%2fvar%2frun%2fslapd%2fldapi/
> sasl_ldapdb_mech: EXTERNAL
> sasl_ldapdb_canon_attr: uid
> ========
> (I added cyrus to the openldap group in /etc/group to
> give it access to the ldapi socket)
>
> Some tests (as the cyrus user):
> =======
> cyrus at test:~$ ldapwhoami -Y EXTERNAL
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=8+uidNumber=104,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> dn:cn=admin,dc=nodomain
> Result: Success (0)
> cyrus at test:~$
> =======
>
> =======
> cyrus at test:~$ ldapwhoami -Y EXTERNAL \
> -U gidNumber=8+uidNumber=104,cn=peercred,cn=external,cn=auth \
> -X u:dwhite SASL/EXTERNAL
> authentication started
> SASL username: u:dwhite
> SASL SSF: 0
> dn:uid=test3434,ou=people,dc=nodomain
> Result: Success (0)
> cyrus at test:~$
> ========
>
> Here's an expect script you can use with the sample-server
> and sample-client executables:
> ========
> #!/usr/bin/expect
>
> # Set environment variables:
> # SASL_PATH - to the location of the plugin modules
> # SASL_CONF_PATH - path to the sample.conf file
>
> set username [lindex $argv 0]
> set mech [lindex $argv 1]
> spawn /usr/sbin/sasl-sample-server -s sample -m $mech
> set saslserver $spawn_id
> spawn /usr/bin/sasl-sample-client -s sample -a $username
> set saslclient $spawn_id
>
> while { 1!=2 } {
>
> expect {
> -i $saslserver -re "S: \[0-9a-zA-Z\=\]+" {
> set output $expect_out(0,string)
> send -i $saslclient "$output\r"
> send_user "==Sending $output to client.==\n";
> }
> -i $saslserver -re "recieved decoded.*client" {
> send_user "==got client recieved.==\n"
> break
> }
> }
>
> expect {
> -i $saslclient -re "C: \[0-9a-zA-Z\=\]+" {
> set output $expect_out(0,string)
> send -i $saslserver "$output\r"
> send_user "==Sending $output to server.==\n";
> }
> -i $saslclient -re "Password:" {
> expect_user -re "(.*)\n"
> send_user "\n"
> send -i $saslclient "$expect_out(1,string)\r"
>
> expect -i $saslclient -re "C: \[0-9a-zA-Z\=\]+"
> set output $expect_out(0,string)
> send -i $saslserver "$output\r"
> send_user "==Sending $output to server.==\n";
> }
> }
> }
>
> send_user "==Success==\n"
> ========
>
> To use, create a .conf file somewhere (like in
> /tmp/sample.conf) with the following contents:
> ========
> pwcheck_method: auxprop
> auxprop_plugin: ldapdb
>
> ldapdb_uri: ldapi://%2fvar%2frun%2fslapd%2fldapi/
> ldapdb_mech: EXTERNAL
>
> canon_user_plugin: ldapdb
> ldapdb_canon_attr: uid
> ========
>
> Then do:
> test:~# export SASL_CONF_PATH=/tmp
> test:~# ./sasl.exp dwhite LOGIN
> ...
> Password: mysecret
> ...
> got 'dwhite'
> ...
> Username: dwhite
> ...
> Username: test3434
> ...
> ==Success==
> test:~#
> ==========
>
> Connecting via IMAP seems to work fine. I can authenticate
> with either username (test3434 or dwhite) and I get
> test3434's INBOX.
>
> - Dan
>
> Torsten Schlabach wrote:
>
>> Hi Dan!
>>
>> Did you get anywhere with that?
>>
>> Regards,
>> Torsten
>>
>> -------- Original Message --------
>> Subject: [Fwd: Re: Sponsoring a canon_user plugin for LDAP lookup]
>> Date: Thu, 08 Mar 2007 18:51:36 +0100
>> From: Torsten Schlabach <tschlabach at gmx.net>
>> To: dwhite at olp.net
>>
>> Hi Dan!
>>
>> This is the other one.
>>
>> So the process would probably be:
>>
>> - Check out the SASL library sources.
>> - Apply the patches.
>> - Configure with the appropriate option to build the libldapdb SASL plugin
>> and build it.
>> - Either install SASL from your patched sources or just transfer the
>> libldapdb libs into your SASL installation coming from your packages.
>> (Not sure what distro you're using.)
>>
>> That was not the problem.
>>
>> Then you need to configure both OpenLDAP (slapd.conf) as well as Cyrus
>> IMAPd (imapd.conf) to use this properly and this is where I basically
>> failed and gave up.
>>
>> Would be nice if you kept me in the loop, please.
>>
>> Regards,
>> Torsten
>>
>> -------- Original Message --------
>> Subject: Re: Sponsoring a canon_user plugin for LDAP lookup
>> Date: Mon, 19 Feb 2007 16:13:50 -0800
>> From: Howard Chu <hyc at highlandsun.com>
>> To: Torsten Schlabach <tschlabach at gmx.net>
>> References: <45A6179E.2040506 at gmx.net>
>> <45A7C28A.8060602 at highlandsun.com> <45A7EDBD.6070700 at gmx.net>
>> <45A7F356.5070806 at highlandsun.com> <45A80444.9090802 at gmx.net>
>> <45A814D2.70903 at highlandsun.com> <45A818C4.40406 at gmx.net>
>> <45A81C4E.2090003 at highlandsun.com> <45A81EA1.5090204 at gmx.net>
>> <45A830BD.4080300 at highlandsun.com> <45DA148D.7000207 at gmx.net>
>> <45DA1DC6.6060703 at highlandsun.com> <45DA20F1.3080700 at gmx.net>
>>
>> Torsten Schlabach wrote:
>>
>>> Hi!
>>>
>>> > + out[len] = '\0';
>>>
>>> I had tried this myself, but the result I got was an empty string. So
>>> it seems that len == 0 for whatever reason.
>>>
>>> Bonus question, as I am going nuts about it: How do I add the authTo:
>>> attribute to the uid=root object?
>>>
>>> Regards,
>>> Torsten
>>>
>>> Howard Chu wrote:
>>>
>>>> Hi. Try patching these two lines. I haven't tested this yet,
>>>> rebuilding my test directory at the moment and will know more in a
>>>> few minutes.
>>
>> The attachment contains the same patch for those two lines, plus a
>> canonuser_client entry point. It's working for me, with these rules:
>>
>> authid-rewriteMap slapd alias2DN
>> ldap:///dc=example,dc=com?mailAliasedName?sub?
>> authid-rewriteRule uid=(.*)@(.*),cn=digest-md5,cn=auth
>>
>> ldap:///dc=example,dc=com??sub?(uid=%{alias2dn((&(mailalias=$1)(dc=$2)))})
>>
>> authz-regexp uid=(.*),cn=digest-md5,cn=auth
>> ldap:///dc=example,dc=com??sub?(uid=$1)
>>
>>
>>
>> ------------------------------------------------------------------------
>>
>> --- ldapdb.c.X 2007-01-12 16:55:58.000000000 -0800
>> +++ ldapdb.c 2007-02-19 15:37:48.000000000 -0800
>> @@ -311,7 +311,7 @@
>> if (!strncasecmp(ctx->canon.bv_val, rdn, ctx->canon.bv_len) &&
>> rdn[ctx->canon.bv_len] == '=') {
>> char *comma;
>> - rdn += ctx->canon.bv_len + 2;
>> + rdn += ctx->canon.bv_len + 1;
>> comma = strchr(rdn, ',');
>> if ( comma )
>> len = comma - rdn;
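Review bot: the new offset `rdn += ctx->canon.bv_len + 1;` is the one the guard two lines above implies, since `rdn[ctx->canon.bv_len] == '='` puts the attribute value exactly one byte past the name; with `+ 2` the first character of the value was skipped, and for a one-character value `comma - rdn` came out as 0. A one-line comment tying the `+ 1` to that `'='` check would keep the off-by-one from coming back in a later edit.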
>> @@ -320,6 +320,7 @@
>> if ( len > out_max )
>> len = out_max;
>> memcpy(out, rdn, len);
>> + out[len] = '\0';
>> *out_ulen = len;
>> ret = SASL_OK;
>> ber_bvfree(cp.dn);
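Review bot: after the clamp `if ( len > out_max ) len = out_max;` the new `out[len] = '\0';` can write to `out[out_max]`, one byte past a buffer that is exactly `out_max` bytes long. This is only safe if the caller guarantees `out_max + 1` bytes of storage, so either state that contract in a comment at the top of the function or clamp to `out_max - 1` before the terminator is written.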
>> @@ -361,6 +362,38 @@
>> }
>>
>> static int
>> +ldapdb_canon_client(void *glob_context,
>> + sasl_client_params_t *cparams,
>> + const char *user,
>> + unsigned ulen,
>> + unsigned flags,
>> + char *out,
>> + unsigned out_max,
>> + unsigned *out_ulen)
>> +{
>> + if(!cparams || !user) return SASL_BADPARAM;
>> +
>> + /* Trim whitespace */
>> + while(isspace(*(unsigned char *)user)) {
>> + user++;
>> + ulen--;
>> + }
>> + while(isspace((unsigned char)user[ulen-1])) {
>> + ulen--;
>> + }
>> + + if (!ulen) {
>> + cparams->utils->seterror(cparams->utils->conn, 0,
>> + "All-whitespace username.");
>> + return SASL_FAIL;
>> + }
>> + memcpy(out, user, ulen);
>> + out[ulen] = '\0';
>> + *out_ulen = ulen;
>> + return SASL_OK;
>> +}
>> +
>> +static int
>> ldapdb_config(const sasl_utils_t *utils)
>> {
>> ldapctx *p = &ldapdb_ctx;
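Review bot: the trailing-whitespace loop `while(isspace((unsigned char)user[ulen-1]))` has no `ulen > 0` guard, so an empty or all-whitespace name drives the unsigned `ulen` to 0 and then reads `user[ulen-1]` with a wrapped index before the `if (!ulen)` check is ever reached; both loops should be written as `while (ulen && isspace(...))`. In the same function `memcpy(out, user, ulen);` ignores `out_max`, unlike the server path which clamps, so a long name overruns `out`; add a `ulen >= out_max` check that returns SASL_BUFOVER. The function also relies on `isspace`, so `<ctype.h>` must already be included by this file. The line `+ + if (!ulen) {` carries a doubled leading `+` that looks like mail-transport damage to `+ if (!ulen) {` and will not apply as shown.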
>> @@ -446,7 +479,7 @@
>> ldapdb, /* name */
>> NULL, /* canon_user_free */
>> ldapdb_canon_server, /* canon_user_server */
>> - NULL, /* canon_user_client */
>> + ldapdb_canon_client, /* canon_user_client */
>> NULL,
>> NULL,
>> NULL
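Review bot: filling the `canon_user_client` slot with `ldapdb_canon_client` registers a callback that, as added in the previous hunk, only trims whitespace and never touches LDAP, so client-side canonicalization does not resolve aliases the way the server side does; a comment on this struct entry stating that asymmetry would save the next reader from expecting the `uid` lookup on the client.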
>>
>>
>>
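As an added example, written for this page and not code from the ldapdb plugin or from any of the people in this thread: a stand-alone C model of the two canonicalization steps the thread revolves around. The server side pulls the configured canon attribute (the `ldapdb_canon_attr` setting, `uid` in Dan's config) out of the DN that the LDAP lookup returned, and the client side only trims whitespace. Both functions carry the bounds checks a reviewer would ask for: room for the NUL terminator inside `out_max`, an explicit result for an empty attribute value (the "empty string, len == 0" symptom reported earlier in the thread), and no unsigned underflow on all-whitespace input. The return-code macros mirror the `sasl.h` values but are defined locally so the file builds without the SASL headers; the sample DNs are constructed after the ones in Dan's `ldapwhoami` output.

```c
/* Stand-alone model of a canon_user plugin's value extraction.
 * Not the ldapdb plugin's code; written as an illustration for this page. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Local stand-ins for the sasl.h result codes (assumption: same numeric values). */
#define CANON_OK        0     /* SASL_OK */
#define CANON_BADPARAM  (-7)  /* SASL_BADPARAM */
#define CANON_BUFOVER   (-11) /* SASL_BUFOVER */
#define CANON_NOUSER    (-20) /* SASL_NOUSER */

/* Server side: given the DN the LDAP lookup returned and the canon attribute
 * name, copy the value of the first RDN into out. out_max is the full size of
 * the caller's buffer, terminator included, so the value may be at most
 * out_max - 1 bytes long. */
int canon_from_dn(const char *dn, const char *attr,
                  char *out, size_t out_max, unsigned *out_ulen)
{
    size_t alen, len;
    const char *rdn, *comma;

    if (!dn || !attr || !out || !out_ulen || out_max == 0)
        return CANON_BADPARAM;

    alen = strlen(attr);
    rdn = dn;
    /* Compare the attribute name case-insensitively and insist on '=' right
     * after it, so "uidNumber=..." is not mistaken for "uid". */
    if (strncasecmp(rdn, attr, alen) != 0 || rdn[alen] != '=')
        return CANON_NOUSER;

    rdn += alen + 1;                 /* one past '=': the value starts here */
    comma = strchr(rdn, ',');
    len = comma ? (size_t)(comma - rdn) : strlen(rdn);

    if (len == 0)                    /* "uid=,ou=..." carries no usable name */
        return CANON_NOUSER;
    if (len > out_max - 1)           /* keep one byte for the terminator */
        return CANON_BUFOVER;

    memcpy(out, rdn, len);
    out[len] = '\0';
    *out_ulen = (unsigned)len;
    return CANON_OK;
}

/* Client side: trim surrounding whitespace. Both loops are guarded on ulen,
 * so an all-whitespace or empty name ends as CANON_NOUSER instead of reading
 * user[-1] or wrapping the unsigned length. */
int canon_trim(const char *user, unsigned ulen,
               char *out, size_t out_max, unsigned *out_ulen)
{
    if (!user || !out || !out_ulen || out_max == 0)
        return CANON_BADPARAM;

    while (ulen && isspace((unsigned char)*user)) { user++; ulen--; }
    while (ulen && isspace((unsigned char)user[ulen - 1])) ulen--;

    if (!ulen)
        return CANON_NOUSER;
    if (ulen > out_max - 1)
        return CANON_BUFOVER;

    memcpy(out, user, ulen);
    out[ulen] = '\0';
    *out_ulen = ulen;
    return CANON_OK;
}

int main(void)
{
    /* Constructed sample DNs modelled on the thread's ldapwhoami results. */
    const char *dns[] = {
        "uid=test3434,ou=people,dc=nodomain",   /* what u:dwhite maps to */
        "cn=admin,dc=nodomain",                 /* plain peercred bind */
        "uid=,ou=People,dc=nodomain"            /* empty value */
    };
    char buf[32];
    unsigned n;
    size_t i;

    for (i = 0; i < sizeof dns / sizeof dns[0]; i++) {
        int rc = canon_from_dn(dns[i], "uid", buf, sizeof buf, &n);
        printf("%-40s -> rc=%d%s%s\n", dns[i], rc,
               rc == CANON_OK ? " user=" : "", rc == CANON_OK ? buf : "");
    }
    return 0;
}
```

The second sample DN shows a point worth checking in a setup like Dan's: a bare `ldapwhoami -Y EXTERNAL` as the cyrus user lands on `cn=admin,dc=nodomain`, which has no `uid`, so the canon step fails for it; only the proxied identity (`-X u:dwhite`) resolves to a `posixAccount` entry and yields `test3434`, which is exactly the second `Username:` line in Dan's expect session.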