
Re: Munging an OpenLDAP slapd server





--On Wednesday, January 25, 2006 3:35 PM -0500 "J.Lance Wilkinson, 814-865-1818" <JLW@psulias.psu.edu> wrote:

In order to supply an authentication shim for a software package
which already supports LDAP by the following mechanism:

  0) Secure userid "xxx" and password "yyy" from package's client
  1) Anonymous bind to an LDAP server on specified host:port
  2) Check for existence of a DN with uid=xxx and close anonymous
     connection.
  3) If (2) failed, report not Authenticated because no such user.
  4) Attempt non-Anonymous bind w/ DN and yyy
  5) Close off non-anonymous bind if succeeded.
  6) Report Authenticated if bind succeeded, report not Authenticated if
     bind failed.

We have no LDAP databases which include passwords.  For another software
package which only supported LDAP Authentication, we implemented a
version of slapd which had bind.c mangled to spawn off a kerberos kinit
check for the uid=xxx with the selected password.  That software package
only required what is listed in step (0) and then only steps (4) thru (6)
above.

I'm hoping to use the same technology for this new software package that
presumes all the above steps.  I can easily determine if the uid=xxx is
valid for the application, and can construct a character string
representing a suitable DN easily, too.  The catch is I have no idea
which slapd module I'd need to munge, where I'd need to do it, and what
I'd need to do to build the appropriate structures for slapd to pass back
as a successful (or failed) search.  Guidance?

I think you could just use saslauthd to forward the password stuff to the KDC, to get whether or not they can bind?


--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
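Quanah's saslauthd route, carried through as an added example (not code from the thread): slapd stores no password at all, only a {SASL} directive in userPassword, so the simple bind in steps (4) to (6) is checked by saslauthd against the KDC while the anonymous search in steps (1) to (3) is untouched. Assumptions for the example: slapd built with --enable-spasswd, the base DN ou=People,dc=example,dc=edu, the admin DN, the realm, the saslauthd socket path, and a KRB_PASSWORD variable holding the password used by the verification commands.

```shell
#!/bin/sh
# Pass-through authentication: slapd -> Cyrus SASL -> saslauthd -> KDC.
# Added example; base DN, admin DN, realm and paths below are assumptions.
set -e

# 1) Emit the LDIF that marks one entry for pass-through checking.
#    {SASL} stores no secret: it only names the SASL identity to verify.
passthrough_ldif() {   # usage: passthrough_ldif <uid> <REALM>
    printf 'dn: uid=%s,ou=People,dc=example,dc=edu\n' "$1"
    printf 'changetype: modify\n'
    printf 'replace: userPassword\n'
    printf 'userPassword: {SASL}%s@%s\n' "$1" "$2"
}

# 2) Emit slapd's Cyrus SASL config (/etc/sasl2/slapd.conf or
#    /usr/lib/sasl2/slapd.conf depending on the build): route password
#    checks to saslauthd instead of comparing against stored hashes.
saslauthd_slapd_conf() {
    printf 'pwcheck_method: saslauthd\n'
    printf 'saslauthd_path: /var/run/saslauthd/mux\n'   # assumed socket path
}

# 3) Run only on the directory host: install the config, start saslauthd
#    with the kerberos5 backend, mark the user, then verify each hop.
apply_passthrough() {   # usage: apply_passthrough <uid> <REALM>
    saslauthd_slapd_conf > /etc/sasl2/slapd.conf
    saslauthd -a kerberos5                  # daemonizes; KDC taken from krb5.conf
    passthrough_ldif "$1" "$2" | ldapmodify -x -D cn=admin,dc=example,dc=edu -W
    # Hop 1: saslauthd alone can verify this principal at the KDC.
    testsaslauthd -u "$1" -r "$2" -p "$KRB_PASSWORD"
    # Hop 2: the simple bind the shim performs in steps (4)-(6) now
    #        succeeds or fails on the Kerberos password, none being stored.
    ldapwhoami -x -D "uid=$1,ou=People,dc=example,dc=edu" -w "$KRB_PASSWORD"
}

# On the server: KRB_PASSWORD=... apply_passthrough jlw EXAMPLE.EDU
```

Only the two emitter functions run anywhere; apply_passthrough belongs on the directory host, where testsaslauthd isolates the KDC hop before ldapwhoami exercises the bind the shim performs.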