[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Has anyone found a workaround? SASL/LDAP

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Steven J. Sobol

> Was wondering if anyone has found a workaround for the SASL reentrancy
> problem that occurs when... well, this is the situation I ran into the
> first time I tried this. (about a year ago, and I wasn't using a SASL
> version that shipped with saslauthd)
> I want to use LDAP as a centralized user database. Trouble
> is, OpenLDAP 2
> uses the CMU SASL Library and so does my IMAP/POP server of
> choice, CMU's
> Cyrus. So the user goes to log in, gets authenticated against the LDAP
> database using SASL, the SASL library gets called again by OpenLDAP,
> and... well... it's just messy.

> My plan is to use saslauthd and PAM (pam_ldap) to
> authenticate people to
> the Cyrus server. Would using PAM avoid this problem?
> Previously I used a
> hacked-up copy of the SASL pwcheck daemon that first checked
> /etc/passwd
> and then LDAP - perhaps using saslauthd will eliminate the reentrancy
> issue?

I'm not sure I see what advantage you're getting from using SASL and LDAP
together like this, as you're only getting plaintext authentication. But
certainly, you can use saslauthd with LDAP directly (and skip the PAM step).
As the saslauthd is a separate process, there should be no reentrancy issues.

But in the meantime, there was never any reentrancy issue in the first place.
Each piece of the transaction uses a very different part of each API:
    imapd is an application service, and uses the SASL server API.
    if your SASL library is configured to use the LDAP auxprop module, this
invokes the LDAP client API.
    if you're using the LDAP auxprop module that I wrote (in OpenLDAP's
contrib directory), this invokes the SASL client API.
    this talks to the LDAP server, and the chain of processing in this
context ends there.

The SASL library maintains completely separate context for its client and
server APIs, so there's no issue there. And the fact is, the LDAP auxprop
module works.

Note - this assumes Cyrus SASL 2.1 and OpenLDAP 2.1. If you're using Cyrus
SASL 1.5, all bets are off; there are far too many bugs remaining in that
code base.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support