
RE: SASL secrets in LDAP

OK, this commit handles the above. It adds an auxprop plugin that the SASL
library will use to lookup authentication secrets. The plugin just uses
slapd's backend_attribute function to lookup the properties of interest.

The way things are right now, the slapd plugin is last in the list, so
sasldb gets the first crack at the password lookup. (All plugins are used in
turn. You can also specify a single one to use with the auxprop_plugin SASL
config keyword. This plugin's name is "slapd".) Since the slapd plugin is
last, it won't interfere with any users you have that are currently in a
sasldb database.

The main change that requires Cyrus 2.1.3 is in the username
canonicalization; the code now converts the userIDs to DNs and then stores
them in an auxprop instead of overwriting the names that SASL passed in.
This means that the "normal" SASL-format userIDs are still available for the
sasldb plugin and anything else that expects names in "user@realm" format.
Due to a bug in Cyrus 2.1.2, the auxprops containing these DNs will be
erased before slap_sasl_bind gets a chance to retrieve them. This is why you
must use 2.1.3. (There are many crashes and other problems fixed in 2.1.3.)

Support for Cyrus 1.5 is unchanged.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
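An added example (not part of the mail above and not OpenLDAP's own code or configuration) that puts the three pieces the mail describes side by side: a Cyrus SASL application config that selects the "slapd" auxprop plugin with the auxprop_plugin keyword, a slapd.conf fragment that maps the canonicalized SASL name to a DN, and a constructed LDIF entry whose userPassword is cleartext, since the commit message says the in-directory secrets only work with plaintext userPassword. The file paths, the sasl-regexp pattern and suffix, and the check_cleartext_passwords helper are assumptions for illustration; the script writes everything to a scratch directory so it runs offline.

```shell
#!/bin/sh
# Added example, not from the original mail or from OpenLDAP. Paths, the
# sasl-regexp pattern/suffix and the helper below are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"

write_configs() {
    # Cyrus SASL reads a per-application config named after the appname;
    # for slapd that is slapd.conf in the SASL plugin directory (assumed
    # to be /usr/lib/sasl2 on the systems the mail targets).
    cat > "$WORK/sasl-slapd.conf" <<'EOF'
# Ask only the in-directory plugin. Omit this line to let every auxprop
# plugin run in turn; per the mail, sasldb then gets first crack and the
# slapd plugin runs last.
auxprop_plugin: slapd
EOF

    # slapd.conf fragment (directive name as in OpenLDAP 2.1, assumed):
    # maps the canonical SASL name uid=<user>,cn=<realm>,cn=<mech>,cn=auth
    # to a DN so the slapd auxprop plugin can look up the entry.
    cat > "$WORK/slapd.conf.fragment" <<'EOF'
sasl-regexp
    uid=(.*),cn=.*,cn=auth
    ldap:///dc=example,dc=com??sub?(uid=$1)
EOF

    # Constructed LDIF. The secret must be cleartext: the commit message
    # says in-directory SASL secrets only work with plaintext userPassword.
    cat > "$WORK/user.ldif" <<'EOF'
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
sn: Example
userPassword: correct-horse-battery
EOF
}

# Returns 0 when every userPassword in the LDIF is cleartext and 1 when any
# value carries a {SCHEME} prefix; a hashed value cannot serve as the shared
# secret that mechanisms such as DIGEST-MD5 or CRAM-MD5 need.
check_cleartext_passwords() {
    ldif="$1"
    if grep -i '^userPassword: *{' "$ldif" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

write_configs
if check_cleartext_passwords "$WORK/user.ldif"; then
    echo "ok: $WORK/user.ldif holds cleartext secrets usable by the slapd auxprop plugin"
else
    echo "warning: hashed userPassword found; SASL shared-secret mechanisms will fail"
fi
```

Run the script as-is to see the generated files under the scratch directory, then copy the two config fragments into the real locations for your install. The check helper is worth keeping around: an entry whose userPassword was later rehashed (for example by a password-policy or migration tool) silently stops working for shared-secret mechanisms, and the grep catches that before users report failed binds.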

-----Original Message-----
From: owner-openldap-commit@OpenLDAP.org
[mailto:owner-openldap-commit@OpenLDAP.org]On Behalf Of hyc@OpenLDAP.org
Sent: Tuesday, May 07, 2002 2:08 PM
To: OpenLDAP Commit
Subject: commit: ldap/servers/slapd proto-slap.h sasl.c saslauthz.c

Update of /repo/OpenLDAP/pkg/ldap/servers/slapd

Modified Files:
	proto-slap.h  1.344 -> 1.345
	sasl.c  1.93 -> 1.94
	saslauthz.c  1.44 -> 1.45

Log Message:
Cyrus 2 support now requires Cyrus 2.1.3. Adds support for in-directory
SASL secrets. (Only works with plaintext userpassword tho.)


Changes are generally available on cvs.openldap.org (and CVSweb)
within 30 minutes of being committed.