SASL authentication, authorization and data encryption support (ITS#501)

Full_Name: Gábor Gombás
Version: 2.0-devel
OS: Debian Linux 2.2
URL: http://valerie.inf.elte.hu/~gombasg/ldap/openldap-sasl.patch
Submission from: (NULL) (


I've managed to get SASL authentication, authorization and data encryption
working for OpenLDAP 2.0-devel. It was inspired by (and contains code from) the
patch by Mark Adamson. The patch contains:

- SASL support for the programs in the clients/tools directory. New command line
  option '-C' to use Cyrus SASL authentication (the small letter 'c' was already
  used for other purposes in some of the programs), '-m mech' to specify the SASL
  mechanism and '-Z authzid' to specify an authorization ID (see below)
- Security layer support changes in liblber
- 3 new config. options for slapd: SASLMinSSF, SASLMaxSSF and SASLDefaultDb. The
  first two enable the setting of the minimal/maximal SSF. SASLDefaultDb marks a
  definition to be used when the client does not provide a DN for SASL bind and
  the DN needs to be determined from the authentication ID
- I've added a new mutex to the Connection structure to block all input between
  the final result of the SASL bind and installing the security layer functions
  on the socket. Without it ber_get_next() tries to interpret encrypted data and
  fails, which causes the connection to be dropped just after the bind
- The ldbm backend supports SASL authentication and two forms of authorization.
  If the client did not specify a DN to bind to, it's determined from the given
  ID using the "externalAuthName" attribute. The authorization ID can be given
  either as "dn:<dn>" or as "u:<userid>" as the authmech draft says. The rules
  for the authorization can be stored in either the authenticated entry's
  attribute or in the target entry's "allowAuthorizationTo" attribute. Both are
  expressions which the authorized/authenticated DN must match

What's missing:
- Client-side configuration of the desired data integrity and encryption level
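The authorization scheme described for the ldbm backend, as an added Python illustration that is not code from the patch: the authzid is parsed in its "dn:" and "u:" forms, the DN is derived from the authentication ID via "externalAuthName", and the two rule locations are checked as regular expressions. The toy directory is constructed, and "saslAuthzTo" is an assumed placeholder name for the authenticated entry's rule attribute, which the submission does not name.

```python
import re

# Constructed toy directory (DN -> attributes); not real OpenLDAP data.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "externalAuthName": ["alice"],
        # Rules on the authenticated entry: target DNs alice may become.
        # "saslAuthzTo" is an assumed attribute name, not from the patch.
        "saslAuthzTo": [r"^uid=[^,]+,ou=service,dc=example,dc=com$"],
    },
    "uid=bob,ou=people,dc=example,dc=com": {"externalAuthName": ["bob"]},
    "uid=svc1,ou=service,dc=example,dc=com": {
        "externalAuthName": ["svc1"],
        # Rules on the target entry: authenticated DNs allowed to become it.
        "allowAuthorizationTo": [r"^uid=bob,ou=people,dc=example,dc=com$"],
    },
}

def parse_authzid(authzid):
    """Split an authorization ID into ('dn'|'u', value); reject other forms."""
    if authzid.startswith("dn:"):
        return "dn", authzid[3:]
    if authzid.startswith("u:"):
        return "u", authzid[2:]
    raise ValueError("unsupported authzid form: %r" % authzid)

def dn_for_authname(authname):
    """Map a SASL authentication ID to a DN via the externalAuthName attribute."""
    for dn, attrs in DIRECTORY.items():
        if authname in attrs.get("externalAuthName", []):
            return dn
    return None

def authorize(authname, authzid=None):
    """Return the effective bind DN, or None if the request must be refused."""
    auth_dn = dn_for_authname(authname)
    if auth_dn is None:
        return None
    if authzid is None:          # no proxy authorization requested
        return auth_dn
    kind, value = parse_authzid(authzid)
    target_dn = value if kind == "dn" else dn_for_authname(value)
    if target_dn is None or target_dn not in DIRECTORY:
        return None
    # Form 1: the authenticated entry lists patterns the target DN must match.
    if any(re.match(p, target_dn) for p in DIRECTORY[auth_dn].get("saslAuthzTo", [])):
        return target_dn
    # Form 2: the target entry lists patterns the authenticated DN must match.
    if any(re.match(p, auth_dn) for p in DIRECTORY[target_dn].get("allowAuthorizationTo", [])):
        return target_dn
    return None
```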