[Date Prev][Date Next]
RE: SASL EXTERNAL
> -----Original Message-----
> From: Norbert Klasen [mailto:firstname.lastname@example.org]
> Thanks Howard, this works now. Some new issues:
> - I need to clear the 'noanonymous' flag from ldapsearch's sasl secprops.
> Otherwise ldap_sasl_interactive_bind_s returns 'Unknown authentication
In Cyrus 1.5.27 the EXTERNAL mech's flags are set to NOPLAINTEXT and
NODICTIONARY, but omits NOANONYMOUS. This is a bug in Cyrus SASL 1.5; the
mechanism itself always requires an identity so it is never actually
anonymous but the mech's security flags don't reflect this fact. (In Cyrus
2.1 the flags are correct.) I suggest you patch your Cyrus 1.5.27 source in
lib/client.c around line 189 and add the flag yourself. I've submitted a
number of patches to CMU but I don't have any idea if there will be another
> - In slap_sasl_regexp_config a ber_str2bv is attempted on the replace
> pattern. This fails if the replace pattern is an URI:
> >>> dnNormalize: <ldap://localhost/c=de??sub?cn=$1>
> => ldap_bv2dn(ldap://localhost/c=de??sub?cn=$1,0)
> <= ldap_bv2dn(ldap://localhost/c=de??sub?cn=$1,0)=84
> SASL replace pattern ldap://localhost/c=de??sub?cn=$1 could not be
> ber_str2bv and the subsequent dnNormalize2 should probably be called only
> on the DN part of the URI.
This is now fixed.
> - Then there is an issue with non-ascii chars and sasl-regex:
This looks like it ought to work. There are issues with UTF-8 and regexps,
I don't know enough to go into detail.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
Symas: Premier OpenSource Development and Support