Remove ldapsasl, it is now part of Cyrus SASL

contrib/README

@@ -14,6 +14,8 @@ Current contributions:
 	ldapsasl
 		LDAP SASL auxprop plugin
 		Contributed by Symas Corp.
+		Note: this module is now part of Cyrus SASL
+		and no longer included here.
 
 	ldaptcl
 		LDAP TCL API

contrib/ldapsasl/README

@@ -1,93 +0,0 @@
-LDAP auxprop plugin for SASL-enabled servers.
-Copyright (C) 2002,2003 by Howard Chu, hyc@symas.com
-
-This software is licensed under the terms of the OpenLDAP license.
-
-The file ldapdb.c was written for Cyrus SASL 2.1.3 and OpenLDAP 2.1.3.
-Due to various bugs in the Cyrus source you should use Cyrus SASL 2.1.15
-or newer. You need at least Cyrus SASL 2.1.16 to use the auxprop-store
-functionality.
-
-The version of ldapdb bundled with OpenLDAP 2.1.22 and older will work
-with all OpenLDAP releases 2.1.3 and up. The ldapdb in OpenLDAP 2.1.23
-uses a different LDAP request and requires the server to be 2.1.23 or newer.
-
-It can be compiled by copying into the Cyrus SASL source tree, in the
-plugins subdirectory. No configuration or build script is provided.
-
-To compile, type "make ldapdb.lo". To link, you'll have to copy the
-link rule for one of the other plugins. Below is a sample on my Linux
-system:
-
-	/bin/sh ../libtool --mode=link gcc  -Wall -W -g -O2 -L/usr/local/lib -Wl,-rpath,/usr/local/lib -module -export-dynamic -rpath /usr/lib/sasl2 -o libldapdb.la  -version-info 2:4:0 ldapdb.lo -lldap -llber -lssl -lcrypto
-
-Once installed, you need to add some config items to the SASL server's
-config file in /usr/lib/sasl2. For example:
-
-ldapdb_uri: ldap://ldap.example.com
-ldapdb_id: root
-ldapdb_pw: secret
-ldapdb_mech: DIGEST-MD5
-
-This config assumes an LDAP server on the same machine as the server
-that is using SASL. The LDAP server must be configured to map the SASL
-authcId "root" into a DN that has proxy authorization privileges to
-every account that is allowed to login to this server. (See the OpenLDAP
-Admin Guide section 10 for details.)
-
-Unlike other LDAP-enabled plugins for other services that are common
-on the web, this plugin does not require you to configure DN search
-patterns to map usernames to LDAP DNs. This plugin requires SASL name
-mapping to be configured on the target slapd. This approach keeps the
-LDAP-specific configuration details in one place, the slapd.conf, and
-makes the configuration of remote services much simpler.
-
-An additional keyword "ldapdb_rc" may be specified in the config file.
-The filename specified here will be put into the server's LDAPRC
-environment variable, and libldap-specific config options may be set
-in that ldaprc file. The main purpose behind this option is to allow
-a client TLS certificate to be configured, so that SASL/EXTERNAL may
-be used between the SASL server and the LDAP server. This is the most
-optimal way to use this plugin when the servers are on separate machines.
-
-Note: this plugin is not for use with slapd itself. When OpenLDAP is
-built with SASL support, slapd uses its own internal auxprop module.
-By default, without configuring anything else, slapd will fail to load
-the ldapdb module when it's present. This is as it should be. If you
-don't like the "auxpropfunc: error -7" message that is sent to syslog
-by slapd, you can stop it by creating /usr/lib/sasl2/slapd.conf with:
-
-	auxprop_plugin: slapd
-
-which will force the SASL library to ignore all other auxprop modules.
-
-This plugin has been in use for over a year at many sites with good
-results. If you have questions or problems, please send feedback via
-the openldap-software mailing list.
-
-  -- Howard Chu
-
-Update... With OpenLDAP 2.1.13 you can use SASL/EXTERNAL on ldapi://.
-This is fast and secure, and needs no username or password to be stored.
-The SASL config file is just
-
-ldapdb_uri: ldapi://
-ldapdb_mech: EXTERNAL
-
-The slapd.conf will need to map these usernames to LDAP DNs:
-
-sasl-regexp uidNumber=(.*)\\+gidNumber=(.*),cn=peercred,cn=external,cn=auth
-	ldap:///dc=example,dc=com??sub?(&(uidNumber=$1)(gidNumber=$2))
-
-sasl-regexp uid=(.*),cn=external,cn=auth
-	ldap:///dc=example,dc=com??sub?(uid=$1)
-
-Update... With OpenLDAP 2.1.23 you can use the ldapdb_starttls keyword
-to use the StartTLS extended operation on an LDAP session. This item
-may be set to either "try" or "demand", e.g.:
-
-ldapdb_uri: ldap://ldap.example.com
-ldapdb_starttls: try
-
-When set to "try" any failure in StartTLS is ignored. When set to "demand"
-then any failure aborts the connection.

contrib/ldapsasl/ldapdb.c

@@ -1,348 +0,0 @@
-/* $OpenLDAP$ */
-/* SASL LDAP auxprop implementation
- * Copyright (C) 2002,2003 Howard Chu, All rights reserved. <hyc@symas.com>
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted only as authorized by the OpenLDAP
- * Public License.
- *
- * A copy of this license is available in the file LICENSE in the
- * top-level directory of the distribution or, alternatively, at
- * <http://www.OpenLDAP.org/license.html>.
- */
-
-#include <config.h>
-
-#include <stdio.h>
-
-#include "sasl.h"
-#include "saslutil.h"
-#include "saslplug.h"
-
-#ifndef SASL_VERSION_FULL
-#define SASL_VERSION_FULL ((SASL_VERSION_MAJOR << 16) |\
-	(SASL_VERSION_MINOR << 8) |SASL_VERSION_STEP)
-#endif
-
-#include "plugin_common.h"
-
-#include <ldap.h>
-
-static char ldapdb[] = "ldapdb";
-
-typedef struct ldapctx {
-	const char *uri;	/* URI of LDAP server */
-	struct berval id;	/* SASL authcid to bind as */
-	struct berval pw;	/* password for bind */
-	struct berval mech;	/* SASL mech */
-	int use_tls;		/* Issue StartTLS request? */
-} ldapctx;
-
-static int ldapdb_interact(LDAP *ld, unsigned flags __attribute__((unused)),
-	void *def, void *inter)
-{
-	sasl_interact_t *in = inter;
-	ldapctx *ctx = def;
-	struct berval p;
-
-	for (;in->id != SASL_CB_LIST_END;in++)
-	{
-		p.bv_val = NULL;
-		switch(in->id)
-		{
-			case SASL_CB_GETREALM:
-				ldap_get_option(ld, LDAP_OPT_X_SASL_REALM, &p.bv_val);
-				if (p.bv_val) p.bv_len = strlen(p.bv_val);
-				break;		
-			case SASL_CB_AUTHNAME:
-				p = ctx->id;
-				break;
-			case SASL_CB_PASS:
-				p = ctx->pw;
-				break;
-		}
-		if (p.bv_val)
-		{
-			in->result = p.bv_val;
-			in->len = p.bv_len;
-		}
-	}
-	return LDAP_SUCCESS;
-}
-
-typedef struct connparm {
-	LDAP *ld;
-	LDAPControl c;
-	LDAPControl *ctrl[2];
-	struct berval *dn;
-} connparm;
-
-static int ldapdb_connect(ldapctx *ctx, sasl_server_params_t *sparams,
-	const char *user, unsigned ulen, connparm *cp)
-{
-    int i;
-    char *authzid;
-
-    if((i=ldap_initialize(&cp->ld, ctx->uri))) {
-    	return i;
-    }
-
-    authzid = sparams->utils->malloc(ulen + sizeof("u:"));
-    if (!authzid) {
-    	return LDAP_NO_MEMORY;
-    } 
-    strcpy(authzid, "u:");
-    strcpy(authzid+2, user);
-    cp->c.ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ;
-    cp->c.ldctl_value.bv_val = authzid;
-    cp->c.ldctl_value.bv_len = ulen + 2;
-    cp->c.ldctl_iscritical = 1;
-
-    i = LDAP_VERSION3;
-    ldap_set_option(cp->ld, LDAP_OPT_PROTOCOL_VERSION, &i);
-
-    /* If TLS is set and it fails, continue or bail out as requested */
-    if (ctx->use_tls && (i=ldap_start_tls_s(cp->ld, NULL, NULL)) != LDAP_SUCCESS
-    	&& ctx->use_tls > 1) {
-    	sparams->utils->free(authzid);
-	return i;
-    }
-
-    i = ldap_sasl_interactive_bind_s(cp->ld, NULL, ctx->mech.bv_val, NULL,
-    	NULL, LDAP_SASL_QUIET, ldapdb_interact, ctx);
-    if (i != LDAP_SUCCESS) {
-    	sparams->utils->free(authzid);
-	return i;
-    }
-    
-    cp->ctrl[0] = &cp->c;
-    cp->ctrl[1] = NULL;
-    i = ldap_whoami_s(cp->ld, &cp->dn, cp->ctrl, NULL);
-    if (i == LDAP_SUCCESS && cp->dn) {
-    	if (!cp->dn->bv_val || strncmp(cp->dn->bv_val, "dn:", 3)) {
-	    ber_bvfree(cp->dn);
-	    cp->dn = NULL;
-	    i = LDAP_INVALID_SYNTAX;
-	} else {
-    	    cp->c.ldctl_value = *(cp->dn);
-	}
-    }
-    sparams->utils->free(authzid);
-    return i;
-}
-
-static void ldapdb_auxprop_lookup(void *glob_context,
-				  sasl_server_params_t *sparams,
-				  unsigned flags,
-				  const char *user,
-				  unsigned ulen)
-{
-    ldapctx *ctx = glob_context;
-    connparm cp;
-    int ret, i, n, *aindx;
-    const struct propval *pr;
-    struct berval **bvals;
-    LDAPMessage *msg, *res;
-    char **attrs = NULL;
-    
-    if(!ctx || !sparams || !user) return;
-
-    pr = sparams->utils->prop_get(sparams->propctx);
-    if(!pr) return;
-
-    /* count how many attrs to fetch */
-    for(i = 0, n = 0; pr[i].name; i++) {
-	if(pr[i].name[0] == '*' && (flags & SASL_AUXPROP_AUTHZID))
-	    continue;
-	if(pr[i].values && !(flags & SASL_AUXPROP_OVERRIDE))
-	    continue;
-	n++;
-    }
-    /* nothing to do, bail out */
-    if (!n) return;
-
-    /* alloc an array of attr names for search, and index to the props */
-    attrs = sparams->utils->malloc((n+1)*sizeof(char *)*2);
-    if (!attrs) return;
-
-    aindx = (int *)(attrs + n + 1);
-
-    /* copy attr list */
-    for (i=0, n=0; pr[i].name; i++) {
-	if(pr[i].name[0] == '*' && (flags & SASL_AUXPROP_AUTHZID))
-	    continue;
-	if(pr[i].values && !(flags & SASL_AUXPROP_OVERRIDE))
-	    continue;
-    	attrs[n] = (char *)pr[i].name;
-	if (pr[i].name[0] == '*') attrs[n]++;
-	aindx[n] = i;
-	n++;
-    }
-    attrs[n] = NULL;
-
-    if(ldapdb_connect(ctx, sparams, user, ulen, &cp)) {
-    	goto done;
-    }
-
-    ret = ldap_search_ext_s(cp.ld, cp.dn->bv_val+3, LDAP_SCOPE_BASE,
-    	"(objectclass=*)", attrs, 0, cp.ctrl, NULL, NULL, 1, &res);
-    ber_bvfree(cp.dn);
-
-    if (ret != LDAP_SUCCESS) goto done;
-
-    for(msg=ldap_first_message(cp.ld, res); msg; msg=ldap_next_message(cp.ld, msg))
-    {
-    	if (ldap_msgtype(msg) != LDAP_RES_SEARCH_ENTRY) continue;
-	for (i=0; i<n; i++)
-	{
-	    bvals = ldap_get_values_len(cp.ld, msg, attrs[i]);
-	    if (!bvals) continue;
-	    if (pr[aindx[i]].values)
-	    	sparams->utils->prop_erase(sparams->propctx, pr[aindx[i]].name);
-	    sparams->utils->prop_set(sparams->propctx, pr[aindx[i]].name,
-				 bvals[0]->bv_val, bvals[0]->bv_len);
-	    ber_bvecfree(bvals);
-	}
-    }
-    ldap_msgfree(res);
-
- done:
-    if(attrs) sparams->utils->free(attrs);
-    if(cp.ld) ldap_unbind(cp.ld);
-}
-
-#if SASL_VERSION_FULL >= 0x020110
-static int ldapdb_auxprop_store(void *glob_context,
-				  sasl_server_params_t *sparams,
-				  struct propctx *prctx,
-				  const char *user,
-				  unsigned ulen)
-{
-    ldapctx *ctx = glob_context;
-    connparm cp;
-    const struct propval *pr;
-    int i, n;
-    LDAPMod **mods;
-
-    /* just checking if we are enabled */
-    if (!prctx) return SASL_OK;
-
-    if (!sparams || !user) return SASL_BADPARAM;
-
-    pr = sparams->utils->prop_get(prctx);
-    if (!pr) return SASL_BADPARAM;
-
-    for (n=0; pr[n].name; n++);
-    if (!n) return SASL_BADPARAM;
-
-    mods = sparams->utils->malloc((n+1) * sizeof(LDAPMod*) + n * sizeof(LDAPMod));
-    if (!mods) return SASL_NOMEM;
-
-    if((i=ldapdb_connect(ctx, sparams, user, ulen, &cp)) == 0) {
-
-	for (i=0; i<n; i++) {
-	    mods[i] = (LDAPMod *)((char *)(mods+n+1) + i * sizeof(LDAPMod));
-	    mods[i]->mod_op = LDAP_MOD_REPLACE;
-	    mods[i]->mod_type = (char *)pr[i].name;
-	    mods[i]->mod_values = (char **)pr[i].values;
-	}
-	mods[i] = NULL;
-
-	i = ldap_modify_ext_s(cp.ld, cp.dn->bv_val+3, mods, cp.ctrl, NULL);
-	ber_bvfree(cp.dn);
-    }
-
-    sparams->utils->free(mods);
-
-    if (i) {
-    	sparams->utils->seterror(sparams->utils->conn, 0,
-	    ldap_err2string(i));
-	if (i == LDAP_NO_MEMORY) i = SASL_NOMEM;
-	else i = SASL_FAIL;
-    }
-    if (cp.ld) ldap_unbind(cp.ld);
-    return i;
-}
-#endif /* SASL_VERSION_FULL >= 2.1.16 */
-
-static void ldapdb_auxprop_free(void *glob_ctx, const sasl_utils_t *utils)
-{
-	utils->free(glob_ctx);
-}
-
-static sasl_auxprop_plug_t ldapdb_auxprop_plugin = {
-    0,           /* Features */
-    0,           /* spare */
-    NULL,        /* glob_context */
-    ldapdb_auxprop_free,	/* auxprop_free */
-    ldapdb_auxprop_lookup,	/* auxprop_lookup */
-    ldapdb,    /* name */
-#if SASL_VERSION_FULL >=0x020110
-    ldapdb_auxprop_store	/* spare if <2.1.16*/
-#else
-    NULL
-#endif
-};
-
-static int ldapdb_auxprop_plug_init(const sasl_utils_t *utils,
-                             int max_version,
-                             int *out_version,
-                             sasl_auxprop_plug_t **plug,
-                             const char *plugname __attribute__((unused))) 
-{
-    ldapctx tmp, *p;
-    const char *s;
-    unsigned len;
-
-    if(!out_version || !plug) return SASL_BADPARAM;
-
-    if(max_version < SASL_AUXPROP_PLUG_VERSION) return SASL_BADVERS;
-    
-    memset(&tmp, 0, sizeof(tmp));
-
-    utils->getopt(utils->getopt_context, ldapdb, "ldapdb_uri", &tmp.uri, NULL);
-    if(!tmp.uri) return SASL_BADPARAM;
-
-    utils->getopt(utils->getopt_context, ldapdb, "ldapdb_id",
-    	(const char **)&tmp.id.bv_val, &len);
-    tmp.id.bv_len = len;
-    utils->getopt(utils->getopt_context, ldapdb, "ldapdb_pw",
-    	(const char **)&tmp.pw.bv_val, &len);
-    tmp.pw.bv_len = len;
-    utils->getopt(utils->getopt_context, ldapdb, "ldapdb_mech",
-    	(const char **)&tmp.mech.bv_val, &len);
-    tmp.mech.bv_len = len;
-    utils->getopt(utils->getopt_context, ldapdb, "ldapdb_starttls", &s, NULL);
-    if (s)
-    {
-    	if (!strcasecmp(s, "demand")) tmp.use_tls = 2;
-	else if (!strcasecmp(s, "try")) tmp.use_tls = 1;
-    }
-    utils->getopt(utils->getopt_context, ldapdb, "ldapdb_rc", &s, &len);
-    if (s)
-    {
-    	char *str = utils->malloc(sizeof("LDAPRC=")+len);
-	if (!str) return SASL_NOMEM;
-	strcpy( str, "LDAPRC=" );
-	strcpy( str + sizeof("LDAPRC=")-1, s );
-	if (putenv(str))
-	{
-	    utils->free(str);
-	    return SASL_NOMEM;
-	}
-    }
-
-    p = utils->malloc(sizeof(ldapctx));
-    if (!p) return SASL_NOMEM;
-    *p = tmp;
-    ldapdb_auxprop_plugin.glob_context = p;
-
-    *out_version = SASL_AUXPROP_PLUG_VERSION;
-
-    *plug = &ldapdb_auxprop_plugin;
-
-    return SASL_OK;
-}
-
-SASL_AUXPROP_PLUG_INIT( ldapdb )
-