Sponsoring a canon_user plugin for LDAP lookup

Torsten Schlabach tschlabach at gmx.net
Tue May 22 10:23:10 EDT 2007


Hi Thomas,

first of all, the 2nd patch is attached to this email (cced the list).

> So at the end did everything work as expected ?

In the very end: Yes. Getting the config right was quite an exercise; search the list archive for my discussion with Dan White on that. He'd been quite helpful and I understand he made this work as well and I think he's even using it in production since then. (In case Dan is reading that, maybe you can comment.)

My deep apologies for never having taken the time to write a proper Howto ... I should really do that.

> I only got this
> http://osdir.com/ml/security.cyrus.sasl/2007-01/msg00053.html patch.
> Is this enough?

No. You need the attached patch over the other one. The first patch had a bug.

BTW: It might be worth checking the SASL lib CVS to see whether the patches have got committed in the meantime. In case they haven't, I wonder what would be the process to make that happen.

I don't think these patches might ever hurt anyone. I had asked Howard Chu who's an experienced guy both here as well as with OpenLDAP (I understand he's even the head of OpenLDAP) and even he did not have any means of getting that patch in.

If this was an Apache project, then I knew what I'd do to get the patch in. But the Cyrus SASL lib project does not seem to have a bug tracker and no list of people with write access to the CVS so one could ask specifically.

Getting those patches committed would be the only way to make sure this functionality will ever show up in any official packages on Debian, Red Hat, etc. and will become mainstream functionality.

But first of all, I hope you can make it work. In case you can, please let us know, and in case a vote will be needed to get these patches committed, maybe you could vote for it?

Let me know if I can be of any further help.

Regards,
Torsten


Thomas Vogt schrieb:
> Hi Torsten
>
> Can you send me the second patch too or maybe you can post it to
> mailinglist for everyone.
>
> So at the end did everything work as expected ? I've a similar problem.
> I also want to allow users to use the uid as username or the mailalias
> entry for the authentication. The Cyrus mailboxes are created with the
> uid name.
>
> I used a cyrus-imapd patch in the past. It's a hacked auth_unix.c which
> is doing an ldap search in the tree and if the user tried to login with
> his mailalias I checked for the uid and used it for everything else. A
> simple mapping.
>
> The good thing, it's a very simple patch, no big ldap config, just add a
> few ldap servers, add some ldap tree information and the name of the
> ldap object you want to match. The downside, mostly it's hard coded and
> if you want to auth with something else than mailalias you have to
> recompile cyrus imapd.
>
> The solution with a sasl custom canon plugin looks much better. Do you
> have a short "howto" and maybe all patches for it?
>
> I only got this
> http://osdir.com/ml/security.cyrus.sasl/2007-01/msg00053.html patch. Is
> this enough?
>
> Regards,
> Thomas
>
>
> Torsten Schlabach wrote:
>
>>Hi Dan!
>>
>>Some good points you bring up here against Perdition. I need to say that
>>I heard about it first time some days ago and did not try it myself,
>>but it sounded like relief for our pressing problem. But from what I
>>learn from you now, it will make sense to get this SASL patch sorted out.
>>
>>So let's get onto that.
>>
>>
>>>I would prefer to use Howard's solution since it should be more
>>>efficient, and well, he's a lot better coder.
>>
>>I would still hope that this will make it to the codebase so it would be
>>"maintenance free" after that, anyway.
>>
>>I will send you the 2nd patch.
>>
>>Regards,
>>Torsten
>>
>>
>>Dan White schrieb:
>>
>>>Hi Torsten,
>>>
>>>Thanks for the info, I'll check into this shortly. I just joined the
>>>list last night. I'm CCing.
>>>
>>>I have been using perdition with an OpenLDAP directory for a couple of
>>>years to solve exactly this problem (we're an ISP). I'm trying to move
>>>away from it for various minor reasons. As far as I'm aware you can't do
>>>IPv6 with perdition, nor can you proxy sieve connections, nor can it do
>>>any kind of authentication other than PLAIN. I'm wanting to move to a
>>>murder setup, but this canonization is one of the holdups for me.
>>>
>>>As I stumbled across this discussion via google last night, I had
>>>actually been working on a canon plugin of my own, but it's a bit of a
>>>struggle since my C is rusty. My approach is to duplicate the code of
>>>the internal plugin into a new one, and insert a getpwnam call to find
>>>the 'real' account name to use. This would require use of libnss-ldap
>>>(or other libnss module) that can query on a given name and return
>>>another.
>>>
>>>For instance, libnss-ldap could be configured to search for some
>>>alternate attribute (say, altuid) and return uid:
>>>
>>>uid: dwhite at olp.net
>>>altuid: dwhite
>>>altuid: dwhite-olp
>>>altuid: dwhite at olp.net
>>>altuid: dwhite-olp at olp.net
>>>
>>>I've compiled it and verified that it doesn't crash when using
>>>/etc/passwd, but I haven't tried it against libnss-ldap yet.
>>>
>>>I would prefer to use Howard's solution since it should be more
>>>efficient, and well, he's a lot better coder. I only saw the first
>>>patch in the discussion. Do you have the second one?
>>>
>>>Thanks!
>>>- Dan
>>>
>>>Torsten Schlabach wrote:
>>>
>>>
>>>>Hi Dan!
>>>>
>>>>
>>>>
>>>>
>>>>>Is the patch that
>>>>>was provided by Howard on the mailing list working?
>>>>>
>>>>
>>>>I was unable to make it work, but that might very well have been my
>>>>own inability.
>>>>
>>>>There are actually two patches. Do you have both of them?
>>>>
>>>>I had been implementing the first one and tried it, but it had some
>>>>problems with segfaults and proper string termination. So I
>>>>communicated this back to Howard and he came up with a second patch.
>>>>He said he had tested that himself with that 2nd patch and it worked
>>>>for him, but I kept getting "no user found in database" problems on
>>>>the LDAP level. (Not even on the IMAPd level).
>>>>
>>>>I am not sure how skilled you are with OpenLDAP SASL and proxy
>>>>authorization and the like. Basically all the stuff described here:
>>>>
>>>>http://www.openldap.org/doc/admin23/sasl.html
>>>>
>>>>The first gotcha is that the name of some parameters has changed
>>>>between OpenLDAP 2.2 and 2.3. But a lot of existing Linux systems
>>>>still have 2.2, so if you are on 2.2, make sure you use
>>>>
>>>>http://www.openldap.org/doc/admin22/sasl.html
>>>>
>>>>In other words: I (and others) would very much appreciate if you took
>>>>the time to try again and in case you will be successful, maybe come
>>>>back with a little howto.
>>>>
>>>>We are currently investigating
>>>>http://www.vergenet.net/linux/perdition/ as an alternative to what we
>>>>planned originally (Cyrus Murder together with that patch we're
>>>>discussing here). But for smaller setups with one server it would
>>>>definitely make so much sense to have this canon_user functionality
>>>>up and running.
>>>>
>>>>Let me know if you get stuck anywhere; I will try to help with the
>>>>experience that I have made with this.
>>>>
>>>>Regards,
>>>>Torsten
>>>>
>>>>P.S.: Do we have this discussion off-list by purpose or did you just
>>>>fall victim to the missing reply-to header on this mailinglist?
>>>>
>>>>-------- Original Message --------
>>>>Date: Wed, 07 Mar 2007 23:27:43 -0600
>>>>From: Dan White <dwhite at olp.net>
>>>>To: tschlabach at gmx.net
>>>>CC: Subject: Re: Sponsoring a canon_user plugin for LDAP lookup
>>>>
>>>>
>>>>
>>>>
>>>>>Hi Torsten,
>>>>>
>>>>>I just found the discussion of your sponsored patch for an LDAP SASL
>>>>>canon plugin and was curious how it all turned out. Is the patch that
>>>>>was provided by Howard on the mailing list working?
>>>>>
>>>>>I'm very interested in a similar solution.
>>>>>
>>>>>Thanks,
>>>>>- Dan White
>>>>>
>>>
-------------- next part --------------
--- ldapdb.c.X	2007-01-12 16:55:58.000000000 -0800
+++ ldapdb.c	2007-02-19 15:37:48.000000000 -0800
@@ -311,7 +311,7 @@
     if (!strncasecmp(ctx->canon.bv_val, rdn, ctx->canon.bv_len) &&
     	rdn[ctx->canon.bv_len] == '=') {
 	char *comma;
-	rdn += ctx->canon.bv_len + 2;
+	rdn += ctx->canon.bv_len + 1;
 	comma = strchr(rdn, ',');
 	if ( comma )
 	    len = comma - rdn;
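Review bot: the `+ 1` is the right offset here (the condition two lines above already requires rdn[ctx->canon.bv_len] to be the '=' separator, so the attribute value begins one byte later, and the old `+ 2` silently dropped the first character of every canonicalised name), but a short comment on the `rdn += ctx->canon.bv_len + 1;` line saying it skips the '=' would keep the off-by-one from being reintroduced.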
@@ -320,6 +320,7 @@
 	if ( len > out_max )
 	    len = out_max;
 	memcpy(out, rdn, len);
+	out[len] = '\0';
 	*out_ulen = len;
 	ret = SASL_OK;
 	ber_bvfree(cp.dn);
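Review bot: `out[len] = '\0';` can write at index out_max, because the clamp two lines above leaves len == out_max when the value is too long; unless the caller is guaranteed to hand over out_max + 1 bytes, clamp with `if ( len >= out_max ) len = out_max - 1;` instead, or state that contract in a comment next to the clamp. The terminator itself is the right fix for the string-termination problem reported earlier in the thread.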
@@ -361,6 +362,38 @@
 }
 
 static int
+ldapdb_canon_client(void *glob_context,
+		    sasl_client_params_t *cparams,
+		    const char *user,
+		    unsigned ulen,
+		    unsigned flags,
+		    char *out,
+		    unsigned out_max,
+		    unsigned *out_ulen)
+{
+    if(!cparams || !user) return SASL_BADPARAM;
+
+    /* Trim whitespace */
+    while(isspace(*(unsigned char *)user)) {
+	user++;
+	ulen--;
+    }
+    while(isspace((unsigned char)user[ulen-1])) {
+    	ulen--;
+    }
+    
+    if (!ulen) {
+    	cparams->utils->seterror(cparams->utils->conn, 0,
+	    "All-whitespace username.");
+	return SASL_FAIL;
+    }
+    memcpy(out, user, ulen);
+    out[ulen] = '\0';
+    *out_ulen = ulen;
+    return SASL_OK;
+}
+
+static int
 ldapdb_config(const sasl_utils_t *utils)
 {
     ldapctx *p = &ldapdb_ctx;
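Review bot: neither trim loop in ldapdb_canon_client is bounded by ulen, and the copy ignores out_max. The first loop decrements ulen for every leading space without checking that it is still positive, and the second then reads user[ulen-1], so an all-whitespace input (exactly the case the later `if (!ulen)` is meant to catch) can underflow ulen and read before the buffer; write both loops as `while (ulen && isspace(...))`. Before `memcpy(out, user, ulen);` add `if (ulen >= out_max) return SASL_BUFOVER;` so the copy and the terminator stay inside out, matching the clamp the server-side path already has. `isspace` also needs <ctype.h>, which this hunk does not show being included.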
@@ -446,7 +479,7 @@
 	ldapdb,	/* name */
 	NULL,	/* canon_user_free */
 	ldapdb_canon_server,	/* canon_user_server */
-	NULL,	/* canon_user_client */
+	ldapdb_canon_client,	/* canon_user_client */
 	NULL,
 	NULL,
 	NULL
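A canon_user routine along the lines Dan describes above (trim the login name, then look it up through NSS with getpwnam), written as an added example for this thread and not taken from the patch or from Cyrus SASL: the resolver_fn interface, the return codes, nss_resolve and the alias table are constructed for illustration, and the bounds checks go beyond what the attached patch does.

```c
#include <ctype.h>
#include <pwd.h>
#include <string.h>

/* Return codes modelled on the SASL ones the thread's patch uses (constructed). */
enum { CANON_OK, CANON_BADPARAM, CANON_FAIL, CANON_NOUSER, CANON_BUFOVER };

/* A resolver maps a login name to the account name the mailbox was created
   under, or NULL if the name is unknown (hypothetical interface). */
typedef const char *(*resolver_fn)(const char *name);

/* Resolver backed by the system's NSS (libnss-ldap in Dan's setup). */
const char *nss_resolve(const char *name)
{
    struct passwd *pw = getpwnam(name);
    return pw ? pw->pw_name : NULL;
}

/* Constructed in-memory alias table modelled on the altuid example above. */
const char *table_resolve(const char *name)
{
    static const char *map[][2] = {{"dwhite", "dwhite@olp.net"},
        {"dwhite-olp", "dwhite@olp.net"}, {"dwhite@olp.net", "dwhite@olp.net"}};
    for (size_t i = 0; i < sizeof map / sizeof map[0]; i++)
        if (strcmp(map[i][0], name) == 0) return map[i][1];
    return NULL;
}

/* Trim surrounding whitespace from (user, ulen), resolve the alias and copy
   the canonical name into out (out_max bytes, NUL-terminated). Unlike the
   patch above, both trim loops are bounded by ulen and the copy by out_max. */
int canon_user(resolver_fn resolve, const char *user, size_t ulen,
               char *out, size_t out_max, size_t *out_ulen)
{
    char name[256]; const char *canon; size_t n;
    if (!user || !out || !out_ulen || out_max == 0) return CANON_BADPARAM;
    while (ulen && isspace((unsigned char)*user)) { user++; ulen--; }
    while (ulen && isspace((unsigned char)user[ulen - 1])) ulen--;
    if (ulen == 0) return CANON_FAIL;            /* all-whitespace username */
    if (ulen >= sizeof name) return CANON_BUFOVER;
    memcpy(name, user, ulen);
    name[ulen] = '\0';                           /* resolvers need a C string */
    if (!(canon = resolve(name))) return CANON_NOUSER;
    n = strlen(canon);
    if (n >= out_max) return CANON_BUFOVER;      /* keep room for the NUL */
    memcpy(out, canon, n);
    out[n] = '\0';
    *out_ulen = n;
    return CANON_OK;
}
```

With nss_resolve in place of table_resolve the same routine resolves against /etc/passwd or libnss-ldap, which is the mapping Dan's altuid example relies on.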

