ptloader setup

Igor Brezac igor at ipass.net
Tue Dec 21 10:41:03 EST 2004


On Tue, 21 Dec 2004, Igor Brezac wrote:

>
> On Tue, 21 Dec 2004, Mike O'Rourke wrote:
>
>> Hi all,
>> 
>> I have IMAPd 2.2.10, compiled with --with-auth=pts --with-pts=ldap
>> --with-ldap
>> OpenLDAP 2.2.17
>> 
>> my /etc/imapd.conf is:
>> 
>> configdirectory: /var/imap
>> defaultpartition: default
>> partition-default: /var/spool/imap
>> unixhierarchysep: yes
>> allowanonymouslogin: no
>> allowplaintext: yes
>> allowusermoves: yes
>> servername: server12.mydom.com
>> virtdomains: userid
>> defaultdomain: mydom.com
>> autocreatequota: -1
>> createonpost: 1
>> autocreateinboxfolders: Sent|Trash
>> autosubscribeinboxfolders: Sent|Trash
>> admins: cyrus
>> lmtpsocket: /var/imap/socket/lmtp
>> sendmail: /usr/sbin/sendmail
>> tls_cert_file: /var/imap/server12_cert.pem
>> tls_key_file: /var/imap/server12_key.pem
>> tls_CA_file: /var/imap/cacerts/cacert.pem
>> tls_CA_path: /var/imap/cacerts
>> tls_require_cert: 0
>> ldap_sasl: 0
>> ldap_base: ou=email,o=internet,o=mycom
>> ldap_bind_dn: cn=server12.mydom.com,ou=hosts,o=internet,o=mycom
>> ldap_filter: (&(uid=%u)(MailUserDefHost=server12.mydom.com))
>> ldap_password: mypass
>> ldap_tls_cacert_file: /var/imap/cacerts/cacert.pem
>> ldap_tls_cert: /var/imap/server12_cert.pem
>> ldap_tls_key: /var/imap/server12_key.pem
>> ldap_uri: ldaps://192.168.7.11 ldaps://ldap1.mydom.com
>> ldaps://ldap2.mydom.com
>> ptloader_sock: /var/imap/socket/ptsock
>> 
>> In the ldap_filter, MailUserDefHost is a private attribute to limit
>> which host the user can login to.
>> 
>> Authorization fails with a generic failure (see the output from imtest
>> below, if you wish). Even though "ldap_sasl" is set to 0 in imapd.conf,
>> it would seem that it is trying to use SASL (proxy) authentication after
>> a successful bind (see the debugging output from the LDAP server below,
>> if you wish).
>
> This is a bug in ptloader/ldap.
>
> Please try this patch:
>
> Index: ldap.c
> ===================================================================
> RCS file: /cvs/src/cyrus/ptclient/ldap.c,v
> retrieving revision 1.7
> diff -u -r1.7 ldap.c
> --- ldap.c      24 Jun 2004 19:28:39 -0000      1.7
> +++ ldap.c      21 Dec 2004 05:27:18 -0000

This patch will not work when ldap_sasl is enabled.  Here is an updated 
patch:

Index: ldap.c
===================================================================
RCS file: /cvs/src/cyrus/ptclient/ldap.c,v
retrieving revision 1.7
diff -u -r1.7 ldap.c
--- ldap.c      24 Jun 2004 19:28:39 -0000      1.7
+++ ldap.c      21 Dec 2004 15:38:49 -0000
@@ -799,64 +799,66 @@

  #if LDAP_VENDOR_VERSION >= 20125

-    authzid = xmalloc(size + sizeof("u:"));
-    if (authzid == NULL)
-        return PTSM_NOMEM;
-
-    strcpy(authzid, "u:");
-    strcpy(authzid+2, canon_id);
-    c.ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ;
-    c.ldctl_value.bv_val = authzid;
-    c.ldctl_value.bv_len = size + 2;
-    c.ldctl_iscritical = 1;
-
-    ctrl[0] = &c;
-    ctrl[1] = NULL;
-    rc = ldap_whoami_s(ptsm->ld, &dn, ctrl, NULL);
-    free(authzid);
-    if ( rc != LDAP_SUCCESS || !dn ) {
-        if (rc == LDAP_SERVER_DOWN) {
-            ldap_unbind(ptsm->ld);
-            ptsm->ld = NULL;
-            return PTSM_RETRY;
+    if (ptsm->sasl) {
+        authzid = xmalloc(size + sizeof("u:"));
+        if (authzid == NULL)
+            return PTSM_NOMEM;
+
+        strcpy(authzid, "u:");
+        strcpy(authzid+2, canon_id);
+        c.ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ;
+        c.ldctl_value.bv_val = authzid;
+        c.ldctl_value.bv_len = size + 2;
+        c.ldctl_iscritical = 1;
+
+        ctrl[0] = &c;
+        ctrl[1] = NULL;
+        rc = ldap_whoami_s(ptsm->ld, &dn, ctrl, NULL);
+        free(authzid);
+        if ( rc != LDAP_SUCCESS || !dn ) {
+            if (rc == LDAP_SERVER_DOWN) {
+                ldap_unbind(ptsm->ld);
+                ptsm->ld = NULL;
+                return PTSM_RETRY;
+            }
+            return PTSM_FAIL;
          }
-        return PTSM_FAIL;
-    }

-    if ( dn->bv_val &&
-        !strncmp(dn->bv_val, "dn:", 3) )
-        *ret = strdup(dn->bv_val+3);
-    ber_bvfree(dn);
-
-#else
-
-    rc = ptsmodule_expand_tokens(ptsm->filter, canon_id, NULL, &filter);
-    if (rc != PTSM_OK)
-        return rc;
-
-    rc = ptsmodule_expand_tokens(ptsm->base, canon_id, NULL, &base);
-    if (rc != PTSM_OK)
-        return rc;
-
-    rc = ldap_search_st(ptsm->ld, base, ptsm->scope, filter, attrs, 0, &(ptsm->timeout), &res);
-    free(filter);
-    free(base);
-    if (rc != LDAP_SUCCESS) {
-        if (rc == LDAP_SERVER_DOWN) {
-            ldap_unbind(ptsm->ld);
-            ptsm->ld = NULL;
-            return PTSM_RETRY;
-        }
-        return PTSM_FAIL;
-    }
+        if ( dn->bv_val &&
+            !strncmp(dn->bv_val, "dn:", 3) )
+            *ret = strdup(dn->bv_val+3);
+        ber_bvfree(dn);
+    } else
+
+#endif

-    if ( (entry = ldap_first_entry(ptsm->ld, res)) != NULL )
-        *ret = ldap_get_dn(ptsm->ld, entry);
+    {
+        rc = ptsmodule_expand_tokens(ptsm->filter, canon_id, NULL, &filter);
+        if (rc != PTSM_OK)
+            return rc;
+
+        rc = ptsmodule_expand_tokens(ptsm->base, canon_id, NULL, &base);
+        if (rc != PTSM_OK)
+            return rc;
+
+        rc = ldap_search_st(ptsm->ld, base, ptsm->scope, filter, attrs, 0, &(ptsm->timeout), &res);
+        free(filter);
+        free(base);
+        if (rc != LDAP_SUCCESS) {
+            if (rc == LDAP_SERVER_DOWN) {
+                ldap_unbind(ptsm->ld);
+                ptsm->ld = NULL;
+                return PTSM_RETRY;
+            }
+            return PTSM_FAIL;
+        }

-    ldap_msgfree(res);
-    res = NULL;
+        if ( (entry = ldap_first_entry(ptsm->ld, res)) != NULL )
+            *ret = ldap_get_dn(ptsm->ld, entry);

-#endif
+        ldap_msgfree(res);
+        res = NULL;
+    }

      return (*ret ? PTSM_OK : PTSM_FAIL);
  }
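Review bot: The base-expansion failure path at `rc = ptsmodule_expand_tokens(ptsm->base, canon_id, NULL, &base);` returns without releasing `filter`, which the preceding expand_tokens call just allocated, so each such failure leaks one buffer on the non-SASL path; change the following check to `if (rc != PTSM_OK) { free(filter); return rc; }`. The `} else` placed before `#endif` with the opening `{` after it compiles, but when LDAP_VENDOR_VERSION is below 20125 the search code becomes a bare block and a later edit to either side of the preprocessor boundary can unbalance the braces without the compiler complaining, so a comment such as `/* else-branch of the ptsm->sasl test above; plain block when proxy authz is unavailable */` next to the `{` would help readers. The `authzid == NULL` check after `xmalloc` looks unreachable if xmalloc aborts on allocation failure as Cyrus wrappers usually do, but that cannot be confirmed from the hunk. The enclosing function begins before this hunk.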


-- 
Igor



