Sponsoring a canon_user plugin for LDAP lookup

Torsten Schlabach tschlabach at gmx.net
Mon Mar 12 16:33:34 EST 2007


Hi Dan!

Thank you for taking the time for that detailed writeup.

I have taken a blank server with a fresh Debian Etch installation and 
installed the very same packages you did. I did not yet apply the 
patches as I wanted to make sure I get all that stuff right out of the 
box before I did into canonicalization.

Here is where I got stuck:

cyrus at Debian-pre40-64-minimal:~$ ldapwhoami -Y EXTERNAL \
 >  -U gidNumber=8+uidNumber=104,cn=peercred,cn=external,cn=auth \
 >  -X u:dwhite SASL/EXTERNAL
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
         additional info: SASL(-4): no mechanism available:

I do have the modules installed (which I know is a common gotcha):

cyrus at Debian-pre40-64-minimal:~$ dpkg --get-selections | grep sasl
libsasl2                                        install
libsasl2-2                                      install
libsasl2-modules                                install
libsasl2-modules-ldap                           install

Any idea what I am missing?

Do you have a 32 or 64 bit system?

Regards,
Torsten

Dan White schrieb:
> Torsten,
> 
> Yes, I had some success last night. It took some time to pick up
> the OpenLDAP proxy process.
> 
> Using both patches, the canonization works for me for both
> sample-server and imapd, but not for pop3d when it opens the
> mailbox, for some reason. I'm using Debian etch with the
> following versions:
> 
> cyrus-imapd-2.2:        2.2.13-10
> libsasl2:               2.1.22.dfsg1-8
> slapd:                  2.3.30-4
> 
> I'm going to try version 2.3 of cyrus imap to see if pop3 works
> any differently.
> 
> I added the following statements to the default slapd.conf
> config:
> 
> ========
> sasl-regexp    
>  "gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
>  cn=admin,dc=nodomain
> 
> authz-policy to
> 
> authz-regexp   
>  "gidNumber=8\\\+uidNumber=104,cn=peercred,cn=external,cn=auth"
>  cn=admin,dc=nodomain
> 
> authz-regexp uid=(.*),cn=external,cn=auth
>    ldap:///ou=People,dc=nodomain??one?(cn=$1)
> ========
> 
> Where 104 is the UID of my local cyrus user in /etc/passwd.
> The suffix is "dc=nodomain".
> 
> I added the following to my admin entry:
> ========
> dn: cn=admin,dc=nodomain
> changetype: modify
> add: authzTo
> authzTo: ldap:///ou=People,dc=nodomain??sub?(objectClass=posixAccount)
> =========
> 
> I'm not sure this authzTo line is correct, but it worked during
> testing.
> 
> My test user looks like:
> =========
> dn: uid=test3434,ou=People,dc=nodomain
> objectClass: account
> objectClass: posixAccount
> objectClass: shadowAccount
> uid: test3434
> cn: test3434
> cn: test3434 at olp.net
> cn: dwhite
> cn: dwhite at olp.net
> uidNumber: 1001
> gidNumber: 500
> homeDirectory: /home/test3434
> loginShell: /bin/bash
> shadowMin: 0
> shadowMax: 99999
> shadowLastChange: 13581
> userPassword: mysecret
> ==========
> 
> I added the following lines to /etc/imapd.conf:
> ========
> sasl_pwcheck_method: auxprop
> sasl_auxprop_plugin: ldapdb
> 
> sasl_canon_user_plugin: ldapdb
> sasl_ldapdb_uri: ldapi://%2fvar%2frun%2fslapd%2fldapi/
> sasl_ldapdb_mech: EXTERNAL
> sasl_ldapdb_canon_attr: uid
> ========
> (I added cyrus to the openldap group in /etc/group to
> give it access to the ldapi socket)
> 
> Some tests (as the cyrus user):
> =======
> cyrus at test:~$ ldapwhoami -Y EXTERNAL
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=8+uidNumber=104,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> dn:cn=admin,dc=nodomain
> Result: Success (0)
> cyrus at test:~$
> =======
> 
> =======
> cyrus at test:~$ ldapwhoami -Y EXTERNAL \
>  -U gidNumber=8+uidNumber=104,cn=peercred,cn=external,cn=auth \
>  -X u:dwhite SASL/EXTERNAL
> authentication started
> SASL username: u:dwhite
> SASL SSF: 0
> dn:uid=test3434,ou=people,dc=nodomain
> Result: Success (0)
> cyrus at test:~$
> ========
> 
> Here's an expect script you can use with the sample-server
> and sample-client executables:
> ========
> #!/usr/bin/expect
> 
> # Set environment variables:
> #   SASL_PATH - to the location of the plugin modules
> #   SASL_CONF_PATH - path to the sample.conf file
> 
> set username [lindex $argv 0]
> set mech [lindex $argv 1]
> spawn /usr/sbin/sasl-sample-server -s sample -m $mech
> set saslserver $spawn_id
> spawn /usr/bin/sasl-sample-client -s sample -a $username
> set saslclient $spawn_id
> 
> while { 1!=2 } {
> 
>  expect {
>    -i $saslserver -re "S: \[0-9a-zA-Z\=\]+" {
>      set output $expect_out(0,string)
>      send -i $saslclient "$output\r"
>      send_user "==Sending $output to client.==\n";
>    }
>    -i $saslserver -re "recieved decoded.*client" {
>      send_user "==got client recieved.==\n"
>      break
>    }
>  }
> 
>  expect {
>    -i $saslclient -re "C: \[0-9a-zA-Z\=\]+" {
>      set output $expect_out(0,string)
>      send -i $saslserver "$output\r"
>      send_user "==Sending $output to server.==\n";
>    }
>    -i $saslclient -re "Password:" {
>      expect_user -re "(.*)\n"
>      send_user "\n"
>      send -i $saslclient "$expect_out(1,string)\r"
> 
>      expect -i $saslclient -re "C: \[0-9a-zA-Z\=\]+"
>      set output $expect_out(0,string)
>      send -i $saslserver "$output\r"
>      send_user "==Sending $output to server.==\n";
>    }
>  }
> }
> 
> send_user "==Success==\n"
> ========
> 
> To use, create a .conf file somewhere (like in
> /tmp/sample.conf) with the following contents:
> ========
> pwcheck_method: auxprop
> auxprop_plugin: ldapdb
> 
> ldapdb_uri: ldapi://%2fvar%2frun%2fslapd%2fldapi/
> ldapdb_mech: EXTERNAL
> 
> canon_user_plugin: ldapdb
> ldapdb_canon_attr: uid
> ========
> 
> Then do:
> test:~# export SASL_CONF_PATH=/tmp
> test:~# ./sasl.exp dwhite LOGIN
> ...
> Password: mysecret
> ...
> got 'dwhite'
> ...
> Username: dwhite
> ...
> Username: test3434
> ...
> ==Success==
> test:~#
> ==========
> 
> Connecting via IMAP seems to work fine. I can authenticate
> with either username (test3434 or dwhite) and I get
> test3434's INBOX.
> 
> - Dan
> 
> Torsten Schlabach wrote:
> 
>> Hi Dan!
>>
>> Did you anywhere with that?
>>
>> Regards,
>> Torsten
>>
>> -------- Original-Nachricht --------
>> Betreff: [Fwd: Re: Sponsoring a canon_user plugin for LDAP lookup]
>> Datum: Thu, 08 Mar 2007 18:51:36 +0100
>> Von: Torsten Schlabach <tschlabach at gmx.net>
>> An: dwhite at olp.net
>>
>> Hi Dan!
>>
>> This is the other one.
>>
>> So the process would probably be:
>>
>> - Check out the SASL library sources.
>> - Apply the patched.
>> - Configure with the apporiate option to build the libldapdb SASL plugin
>> and built it.
>> - Either install SASL from your patched sources or just transfer the
>> libldapdb libs into your SASL installation coming from your packages.
>> (Not sure what distro you're using.)
>>
>> That was not the problem.
>>
>> Then you need to configure both OpenLDAP (slapd.conf) as well as Cyrus
>> IMAPd (imapd.conf) to use this properly and this is where I basically
>> failed and gave up.
>>
>> Would be nice if you kept me in the look, please.
>>
>> Regards,
>> Torsten
>>
>> -------- Original-Nachricht --------
>> Betreff: Re: Sponsoring a canon_user plugin for LDAP lookup
>> Datum: Mon, 19 Feb 2007 16:13:50 -0800
>> Von: Howard Chu <hyc at highlandsun.com>
>> An: Torsten Schlabach <tschlabach at gmx.net>
>> Referenzen: <45A6179E.2040506 at gmx.net>
>> <45A7C28A.8060602 at highlandsun.com> <45A7EDBD.6070700 at gmx.net>
>> <45A7F356.5070806 at highlandsun.com> <45A80444.9090802 at gmx.net>
>> <45A814D2.70903 at highlandsun.com> <45A818C4.40406 at gmx.net>
>> <45A81C4E.2090003 at highlandsun.com> <45A81EA1.5090204 at gmx.net>
>> <45A830BD.4080300 at highlandsun.com> <45DA148D.7000207 at gmx.net>
>> <45DA1DC6.6060703 at highlandsun.com> <45DA20F1.3080700 at gmx.net>
>>
>> Torsten Schlabach wrote:
>>
>>> Hi!
>>>
>>> > +       out[len] = '\0';
>>>
>>> I had tried this myself, but the result I got was an empty string. So 
>>> it seems that len == 0 for whatever reason.
>>>
>>> Bonus question, as I am going nuts about it: How do I add the authTo: 
>>> attribute to the uid=root object?
>>>
>>> Regards,
>>> Torsten
>>>
>>> Howard Chu schrieb:
>>>
>>>> Hi. Try patching these two lines. I haven't tested this yet, 
>>>> rebuilding my test directory at the moment and will know more in a 
>>>> few minutes.
>>
>> The attachment contains the same patch for those two lines, plus a
>> canonuser_client entry point. It's working for me, with these rules:
>>
>> authid-rewriteMap slapd alias2DN
>> ldap:///dc=example,dc=com?mailAliasedName?sub?
>> authid-rewriteRule uid=(.*)@(.*),cn=digest-md5,cn=auth
>>
>> ldap:///dc=example,dc=com??sub?(uid=%{alias2dn((&(mailalias=$1)(dc=$2)))}) 
>>
>> authz-regexp uid=(.*),cn=digest-md5,cn=auth
>>      ldap:///dc=example,dc=com??sub?(uid=$1)
>>
>>
>>
>> ------------------------------------------------------------------------
>>
>> --- ldapdb.c.X    2007-01-12 16:55:58.000000000 -0800
>> +++ ldapdb.c    2007-02-19 15:37:48.000000000 -0800
>> @@ -311,7 +311,7 @@
>>      if (!strncasecmp(ctx->canon.bv_val, rdn, ctx->canon.bv_len) &&
>>          rdn[ctx->canon.bv_len] == '=') {
>>      char *comma;
>> -    rdn += ctx->canon.bv_len + 2;
>> +    rdn += ctx->canon.bv_len + 1;
>>      comma = strchr(rdn, ',');
>>      if ( comma )
>>          len = comma - rdn;
>> @@ -320,6 +320,7 @@
>>      if ( len > out_max )
>>          len = out_max;
>>      memcpy(out, rdn, len);
>> +    out[len] = '\0';
>>      *out_ulen = len;
>>      ret = SASL_OK;
>>      ber_bvfree(cp.dn);
>> @@ -361,6 +362,38 @@
>>  }
>>  
>>  static int
>> +ldapdb_canon_client(void *glob_context,
>> +            sasl_client_params_t *cparams,
>> +            const char *user,
>> +            unsigned ulen,
>> +            unsigned flags,
>> +            char *out,
>> +            unsigned out_max,
>> +            unsigned *out_ulen)
>> +{
>> +    if(!cparams || !user) return SASL_BADPARAM;
>> +
>> +    /* Trim whitespace */
>> +    while(isspace(*(unsigned char *)user)) {
>> +    user++;
>> +    ulen--;
>> +    }
>> +    while(isspace((unsigned char)user[ulen-1])) {
>> +        ulen--;
>> +    }
>> +    +    if (!ulen) {
>> +        cparams->utils->seterror(cparams->utils->conn, 0,
>> +        "All-whitespace username.");
>> +    return SASL_FAIL;
>> +    }
>> +    memcpy(out, user, ulen);
>> +    out[ulen] = '\0';
>> +    *out_ulen = ulen;
>> +    return SASL_OK;
>> +}
>> +
>> +static int
>>  ldapdb_config(const sasl_utils_t *utils)
>>  {
>>      ldapctx *p = &ldapdb_ctx;
>> @@ -446,7 +479,7 @@
>>      ldapdb,    /* name */
>>      NULL,    /* canon_user_free */
>>      ldapdb_canon_server,    /* canon_user_server */
>> -    NULL,    /* canon_user_client */
>> +    ldapdb_canon_client,    /* canon_user_client */
>>      NULL,
>>      NULL,
>>      NULL
>>
>>
>>   


More information about the Cyrus-sasl mailing list