[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: newbie openldap/sasl question ...

At 06:35 PM 1/24/01 -0800, Adam Shand wrote:
>i'm in the process of building openldap solaris packages and trying to do
>it the "right way" with sasl/openssl etc.  i'm getting there (slowly) but
>i have a couple questions.
>first i don't quite understand why i need/want sasl?

To provide secure authentication mechanisms.

>i understand that
>it's an authentication library

SASL is a security framework used by application protocols.
The Cyrus SASL library implements this framework.

>, however so long as it's using openssl for
>tls shouldn't simple authentications be secure?

TLS may be used in a manner which provides enough protection
to secure simple authentication.

>further my intention is
>to use ldap to store user authentication information for access via pam
>(instead of passwd/shadow/etc) so i don't understand the purpose of
>wanting an external authentication file to ldap (ie. sasldb).

Different strokes for different folks.

>the reason
>i'm installing it is because of the note that it won't be fully v3 without
>sasl and i'm worried about client interoperability.

SASL/DIGEST-MD5 is one and only LDAPv3 mandatory-to-implement
secure authentication mechanism [RFC2829].  However, just because
it's mandatory-to-implement does not mean it's mandatory to use.
As noted in RFC2829, there are other secure authentication

>i assume i'm misunderstanding something, what do i loose by not having
>openldap linked to the sasl libraries?

You lose SASL.

>second i can't get it to recognise the sasl libraries.  i compiled sasl
>like this (might be wrong but it worked for someone on my postfix list and
>seemed like a reasonable place to start) this is what i'm doing:
># export LDFLAGS="-L/usr/local/BerkeleyDB.3.1/lib -R/usr/local/BerkeleyDB.3.1/lib"
># export CPPFLAGS="-I/usr/local/BerkeleyDB.3.1/include"
># ./configure  --enable-login --disable-krb4 --disable-gssapi --disable-anon
>and openldap like this:
># export LDFLAGS="-L/usr/local/BerkeleyDB.3.1/lib -L/usr/local/sasl"
># export CPPFLAGS="-I/usr/local/BerkeleyDB.3.1/include"
># ./configure --enable-wrappers --with-cyrus-sasl
>and the error i'm getting is:
>checking for sasl.h... yes
>checking for sasl_client_init in -lsasl... no
>configure: error: Could not locate Cyrus SASL

>and when i look in config.log it looks like the problem is with sasl
>finding the berkely db libraries?
>configure:13274: checking for sasl.h
>configure:13284: gcc -E -I/usr/local/BerkeleyDB.3.1/include conftest.c
>l 2>conftest.out
>configure:13313: checking for sasl_client_init in -lsasl
>configure:13332: gcc -o conftest -g -O2
>-I/usr/local/BerkeleyDB.3.1/include -L/u
>sr/local -L/usr/local/BerkeleyDB.3.1/lib conftest.c -lsasl  -lnsl -lresolv
> -lnsl -lsocket  1>&5
>Undefined                       first referenced
> symbol                             in file
>db_create                           /usr/local/lib/libsasl.so
>ld: fatal: Symbol referencing errors. No output written to conftest
>collect2: ld returned 1 exit status
>configure: failed program was:
>#line 13321 "configure"
>#include "confdefs.h"
>/* Override any gcc2 internal prototype to avoid an error.  */
>/* We use char because int might match the return type of a gcc2
>    builtin and then its argument prototype would still apply.  */
>char sasl_client_init();
>any advice would be much appreciated.

You build Cyrus SASL with dependencies upon Berkeley DB.  Normally
these dependencies are resolved dynamically, that is failing.
Likely due to path environment settings (at the time you built
Cyrus SASL or now).