RE: SASL secrets in LDAP
OK, this commit handles the above. It adds an auxprop plugin that the SASL
library will use to look up authentication secrets. The plugin just uses
slapd's backend_attribute function to look up the properties of interest.
The way things are right now, the slapd plugin is last in the list, so
sasldb gets the first crack at the password lookup. (All plugins are used in
turn. You can also specify a single one to use with the auxprop_plugin SASL
config keyword. This plugin's name is "slapd".) Since the slapd plugin is
last, it won't interfere with any users you have that are currently in a
The main change that requires Cyrus 2.1.3 is in the username
canonicalization; the code now converts the userIDs to DNs and then stores
them in an auxprop instead of overwriting the names that SASL passed in.
This means that the "normal" SASL-format userIDs are still available for the
sasldb plugin and anything else that expects names in "user@realm" format.
Due to a bug in Cyrus 2.1.2, the auxprops containing these DNs will be
erased before slap_sasl_bind gets a chance to retrieve them. This is why you
must use 2.1.3. (There are many crashes and other problems fixed in 2.1.3
Support for Cyrus 1.5 is unchanged.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
Symas: Premier OpenSource Development and Support
[mailto:owner-openldap-commit@OpenLDAP.org] On Behalf Of hyc@OpenLDAP.org
Sent: Tuesday, May 07, 2002 2:08 PM
To: OpenLDAP Commit
Subject: commit: ldap/servers/slapd proto-slap.h sasl.c saslauthz.c
Update of /repo/OpenLDAP/pkg/ldap/servers/slapd
proto-slap.h 1.344 -> 1.345
sasl.c 1.93 -> 1.94
saslauthz.c 1.44 -> 1.45
Cyrus 2 support now requires Cyrus 2.1.3. Adds support for in-directory
SASL secrets. (Only works with plaintext userPassword though.)
CVS Web URLs:
Changes are generally available on cvs.openldap.org (and CVSweb)
within 30 minutes of being committed.
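The lookup chain the message describes, as an added illustration that is neither OpenLDAP nor Cyrus SASL code: the server asks each auxprop plugin in turn for the properties it wants, a plugin leaves alone any value an earlier plugin already supplied (so with slapd last, sasldb users keep winning), the `auxprop_plugin` keyword narrows the chain to a single plugin, and canonicalization parks the DN in its own property rather than rewriting the user@realm name. The sasldb contents, the directory entries, the realm-to-base-DN mapping, the property name `*authcDN`, and the class and function names are all constructed for this example; the real plugin's internal property names are not given in the mail. The last function shows why the commit says plaintext userPassword only: a shared-secret mechanism needs the cleartext, and a `{scheme}`-hashed value is useless to it.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Property names are invented for this illustration; the real plugin's
# property names are not given in the mail.
PROP_USERPASSWORD = "userPassword"
PROP_AUTHC_DN = "*authcDN"      # hypothetical: where canonicalization parks the DN

# Constructed data standing in for a sasldb file and for directory entries.
SASLDB = {"alice@example.com": "alice-sasldb-secret"}
DIRECTORY = {
    "uid=alice,dc=example,dc=com": {"userPassword": ["alice-ldap-secret"]},
    "uid=bob,dc=example,dc=com": {"userPassword": ["bob-ldap-secret"]},
    "uid=carol,dc=example,dc=com": {"userPassword": ["{SSHA}not-a-cleartext-secret"]},
}
REALM_BASE = {"example.com": "dc=example,dc=com"}   # assumed realm -> base DN mapping


@dataclass
class PropCtx:
    """Stand-in for a SASL property context: the names the server asked for
    and the values plugins have filled in so far."""
    requested: List[str]
    values: Dict[str, List[str]] = field(default_factory=dict)

    def get(self, name: str) -> Optional[List[str]]:
        return self.values.get(name)

    def set(self, name: str, value: str) -> None:
        self.values.setdefault(name, []).append(value)


def canonicalize(ctx: PropCtx, user: str) -> str:
    """Mimic the 2.1.3-style canonicalization: derive a DN for user@realm and
    store it as a property instead of rewriting the name SASL passed in."""
    uid, _, realm = user.partition("@")
    base = REALM_BASE.get(realm)
    if base:
        ctx.set(PROP_AUTHC_DN, f"uid={uid},{base}")
    return user                     # the user@realm form is left untouched


class SasldbPlugin:
    name = "sasldb"

    def lookup(self, ctx: PropCtx, user: str) -> None:
        for prop in ctx.requested:
            if ctx.get(prop):       # an earlier plugin already supplied it
                continue
            if prop == PROP_USERPASSWORD and user in SASLDB:
                ctx.set(prop, SASLDB[user])


class SlapdPlugin:
    name = "slapd"

    def lookup(self, ctx: PropCtx, user: str) -> None:
        dns = ctx.get(PROP_AUTHC_DN)            # DN left behind by canonicalize()
        entry = DIRECTORY.get(dns[0]) if dns else None
        if entry is None:
            return
        for prop in ctx.requested:
            if ctx.get(prop):       # do not clobber what sasldb already returned
                continue
            for value in entry.get(prop, []):
                ctx.set(prop, value)


ALL_PLUGINS = [SasldbPlugin(), SlapdPlugin()]   # slapd deliberately last


def select_plugins(auxprop_plugin: Optional[str] = None):
    """auxprop_plugin unset: every plugin runs in turn; set: only that one."""
    if auxprop_plugin is None:
        return ALL_PLUGINS
    return [p for p in ALL_PLUGINS if p.name == auxprop_plugin]


def lookup_secret(user: str, auxprop_plugin: Optional[str] = None) -> Tuple[Optional[str], Optional[str]]:
    """Return (secret, dn) the way a shared-secret mechanism would see them."""
    ctx = PropCtx(requested=[PROP_USERPASSWORD])
    user = canonicalize(ctx, user)
    for plugin in select_plugins(auxprop_plugin):
        plugin.lookup(ctx, user)
    secret = (ctx.get(PROP_USERPASSWORD) or [None])[0]
    dn = (ctx.get(PROP_AUTHC_DN) or [None])[0]
    return secret, dn


def usable_as_shared_secret(secret: Optional[str]) -> bool:
    """DIGEST-MD5/CRAM-MD5 need the cleartext; a {scheme}-hashed userPassword
    cannot be used, which is the plaintext-only limitation in the commit."""
    return secret is not None and not secret.startswith("{")


if __name__ == "__main__":
    for u in ("alice@example.com", "bob@example.com", "carol@example.com"):
        s, d = lookup_secret(u)
        print(u, "->", d, s, "usable" if usable_as_shared_secret(s) else "NOT usable")
    print("alice via auxprop_plugin=slapd:", lookup_secret("alice@example.com", "slapd"))
```

Run it and alice resolves from sasldb even though her directory entry also holds a secret, bob (absent from sasldb) falls through to the slapd plugin, and carol's hashed userPassword is found but flagged as unusable; pass `"slapd"` as the second argument to see what selecting that one plugin with `auxprop_plugin` does to alice.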