
Re: Has anyone found a workaround? SASL/LDAP

Howard Chu wrote:

> > Although this wasn't addressed to me, I appreciate the explanation.
> > However, two top Postfix LDAP (Openldap) and Cyrus SASL experts have
> > given warnings about combining Openldap SASL support with
> > Postfix SASL support. At all.

> Those experts are giving you outdated information, with no understanding of the actual issues.

They write an appreciable part of the ongoing Postfix LDAP code, mostly written against Openldap. Believe me, both know what they're talking about.

> > The SASL auxprop libraries that I use are Simon Loader's
> > 2.1.13, patched
> > by Pascal Gienger (u-konstanz in Germany).

> I've just taken a look at Simon Loader's code, but I only found a 2.1.10 version.

You'd have to look at Pascal Gienger's (http://pgienger.de/postfix/). That's for Cyrus SASL 2.1.13.

> The comments within talk about problems when using OpenLDAP 2.0
> built with SASL support. There's no mystery here - OpenLDAP 2.0 doesn't
> support Cyrus SASL 2.1 (how many times have I had to say that on this list

Yerrrs. But I've already said that I'm up to date with Openldap. You have to look at the right code, before you slaughter other people.

> but the auxprop feature only exists in SASL 2.1. If you build
> OpenLDAP 2.0 with SASL then you necessarily have to build it with SASL 1.5.
> If you mix SASL 1.5 and SASL 2.1 in a single process you get a crash. 100%
> guaranteed not to work.

I know. I've been at this long enough, now.

> I don't mean to drag Simon Loader thru the mud, but since you're relying on
> input from "experts"

See above. Those "experts" contribute current LDAP code to one of the primary MTAs available (o.k., so it suffers from sometimes horrible authoritarian whims). They are not script kiddies. I've avoided mentioning names. One very occasionally even writes on this list.

> I must point out that there were a number of bugs in
> Cyrus' auxprop support, which I found and fixed. Simon's code has scattered
> comments about "do I have to do XX only testing will tell (probably)". There
> is quite a difference in design/philosophy between his work and mine - he is
> willing to work in the dark, make guesses, and wonder that things don't work
> all the time. I find the facts and make things work, no guessing. His code is
> about 25K in size and some 3000 lines long. My code is under 7K, less than
> 800 lines long. Which do you suppose is easier to debug?

Yours. But Pascal Gienger's auxprop libraries work on this machine.

> Given the two
> authors' familiarity with both the Cyrus and OpenLDAP codebases, what do you
> suppose is the likelihood that either one is doing something wrong?

The mechanisms are entirely different. Anyway, I'm not using Simon Loader's code, as I said. I'm using Pascal Gienger's, which is a rewrite.

> > I have a RH 7.2 system that works perfectly with the combination
> > Openldap 2.1.22/Cyrus SASL (above auxprop) and Postfix 2.0.16
> > (this one, same SASL auxprop), and a RH 9.0 system that barfs
> > on Postfix
> > SASL startup. I have to find out why. My only way is to try what my
> > betters advise ;)

> Make sure you're not using the RedHat bundled OpenLDAP RPMs as they're still
> shipping OpenLDAP 2.0.

Howard, what does it say in my quote? Was I born yesterday? I compile my own and make my own rpms for installs on my machines.

> > I'll let everyone know, maybe sometime next week.

> Good luck...

Thanks for bothering :) Actually, the real question was whether it's important to compile Openldap 2.1 with SASL support at all, if the client (i.e. Postfix 2.0.16 snapshot in this case) implements all the SASL stuff itself. And what other clients expect SASL support from Openldap at all?

I have my heroes round and about, and believe me you're one of them.



Tony Earnshaw

Once the camel's head has entered your tent,
it's very difficult to stop the rest of the
animal from following it

Mail: billy-at-billy.demon.nl