Misc notes

Howard Chu 2003-10-19 19:41:14 +00:00
parent 127c7a1381
commit e91b0435e2


@ -1,10 +1,15 @@
LDAP auxprop plugin for SASL-enabled servers. LDAP auxprop plugin for SASL-enabled servers.
Copyright (C) 2002 by Howard Chu, hyc@symas.com Copyright (C) 2002,2003 by Howard Chu, hyc@symas.com
This software is an experimental proof-of-concept and is not intended for This software is licensed under the terms of the OpenLDAP license.
general use. It is licensed under the terms ofthe OpenLDAP license.
The file ldapdb.c was written for Cyrus SASL 2.1.3 and OpenLDAP 2.1.3. The file ldapdb.c was written for Cyrus SASL 2.1.3 and OpenLDAP 2.1.3.
Due to various bugs in the Cyrus source you should use Cyrus SASL 2.1.15
or newer. The version of ldapdb bundled with OpenLDAP 2.1.22 and older
will work with all OpenLDAP releases 2.1.3 and up. The ldapdb in
OpenLDAP 2.1.23 uses a different LDAP request and requires the server
to be 2.1.23 or newer.
It can be compiled by copying into the Cyrus SASL source tree, in the It can be compiled by copying into the Cyrus SASL source tree, in the
plugins subdirectory. No configuration or build script is provided. plugins subdirectory. No configuration or build script is provided.
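Review bot: the new version-compatibility paragraph contradicts the sentence kept right above it. The text still opens with "The file ldapdb.c was written for Cyrus SASL 2.1.3 and OpenLDAP 2.1.3" and then immediately says Cyrus SASL 2.1.15 or newer is required; state the minimum supported versions once, up front, and drop or reword the historical "written for" sentence so an administrator does not read 2.1.3 as a supported target. "Due to various bugs in the Cyrus source" and "uses a different LDAP request" are both left unspecified; naming the Cyrus issue and the LDAP operation that 2.1.23 relies on would let operators verify that their slapd actually supports it before deploying the newer plugin against an older server.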
@ -12,21 +17,21 @@ To compile, type "make ldapdb.lo". To link, you'll have to copy the
link rule for one of the other plugins. Below is a sample on my Linux link rule for one of the other plugins. Below is a sample on my Linux
system: system:
/bin/sh ./libtool --mode=link gcc -Wall -W -g -O2 -L/usr/local/lib -Wl,-rpath,/usr/local/lib -module -export-dynamic -rpath /usr/lib/sasl2 -o libldapdb.la -version-info 2:4:0 ldapdb.lo -lldap -llber -lssl -lcrypto /bin/sh ../libtool --mode=link gcc -Wall -W -g -O2 -L/usr/local/lib -Wl,-rpath,/usr/local/lib -module -export-dynamic -rpath /usr/lib/sasl2 -o libldapdb.la -version-info 2:4:0 ldapdb.lo -lldap -llber -lssl -lcrypto
Once installed, you need to add some config items to the SASL server's Once installed, you need to add some config items to the SASL server's
config file in /usr/lib/sasl2. For example: config file in /usr/lib/sasl2. For example:
ldapdb_uri: ldapi:// ldapdb_uri: ldap://ldap.example.com
ldapdb_id: root ldapdb_id: root
ldapdb_pw: secret ldapdb_pw: secret
ldapdb_mech: PLAIN ldapdb_mech: DIGEST-MD5
This config assumes an LDAP server on the same machine as the server This config assumes an LDAP server on the same machine as the server
that is using SASL. The LDAP server must be configured to map the SASL that is using SASL. The LDAP server must be configured to map the SASL
authcId "root" into a DN that has proxy authorization privileges to authcId "root" into a DN that has proxy authorization privileges to
every account that is allowed to login to this server. (See the OpenLDAP every account that is allowed to login to this server. (See the OpenLDAP
Admin Guide for details.) Admin Guide section 10 for details.)
Unlike other LDAP-enabled plugins for other services that are common Unlike other LDAP-enabled plugins for other services that are common
on the web, this plugin does not require you to configure DN search on the web, this plugin does not require you to configure DN search
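Review bot: the example config was changed from `ldapdb_uri: ldapi://` to `ldapdb_uri: ldap://ldap.example.com`, but the sentence after it still reads "This config assumes an LDAP server on the same machine as the server that is using SASL." Either keep the ldapi:// example for the same-machine case or update the explanation to the remote-server case the new URI describes. Since the example keeps `ldapdb_id: root` and `ldapdb_pw: secret` in the SASL config file, it is worth adding one line noting that this file holds a cleartext credential for an identity with proxy-authorization rights over every account, so it must be readable only by the SASL server; the SASL/EXTERNAL option described further down avoids storing it at all. Switching the example mechanism from PLAIN to DIGEST-MD5 is the right direction for a network URI. "Admin Guide section 10" will go stale as the guide is renumbered; refer to the section by title instead.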
@ -35,7 +40,7 @@ mapping to be configured on the target slapd. This approach keeps the
LDAP-specific configuration details in one place, the slapd.conf, and LDAP-specific configuration details in one place, the slapd.conf, and
makes the configuration of remote services much simpler. makes the configuration of remote services much simpler.
One additional keyword "ldapdb_rc" may be specified in the config file. An additional keyword "ldapdb_rc" may be specified in the config file.
The filename specified here will be put into the server's LDAPRC The filename specified here will be put into the server's LDAPRC
environment variable, and libldap-specific config options may be set environment variable, and libldap-specific config options may be set
in that ldaprc file. The main purpose behind this option is to allow in that ldaprc file. The main purpose behind this option is to allow
@ -43,11 +48,11 @@ a client TLS certificate to be configured, so that SASL/EXTERNAL may
be used between the SASL server and the LDAP server. This is the most be used between the SASL server and the LDAP server. This is the most
optimal way to use this plugin when the servers are on separate machines. optimal way to use this plugin when the servers are on separate machines.
This plugin likely has very poor performance. You'll need something This plugin has been in use for over a year at many sites with good
better for a real production environment. Please send feedback via the results. If you have questions or problems, please send feedback via
openldap-software mailing list for now. the openldap-software mailing list.
-- Howard Chu, 2002-07-12 -- Howard Chu
Update... With OpenLDAP 2.1.13 you can use SASL/EXTERNAL on ldapi://. Update... With OpenLDAP 2.1.13 you can use SASL/EXTERNAL on ldapi://.
This is fast and secure, and needs no username or password to be stored. This is fast and secure, and needs no username or password to be stored.
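Review bot: dropping the date from the signature ("-- Howard Chu, 2002-07-12" becomes "-- Howard Chu") removes the only chronological anchor for the "Update..." paragraphs that follow, and the replacement claim "in use for over a year at many sites" is relative to an unstated date, so it will read as wrong within months. Keep the original date on the signature (or say "since 2002"), and consider dating each update paragraph the same way. Replacing the old "likely has very poor performance" warning with a positive claim is fine, but a sentence on what was measured or observed would make it more useful than "good results".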
@ -64,9 +69,9 @@ sasl-regexp uidNumber=(.*)\\+gidNumber=(.*),cn=peercred,cn=external,cn=auth
sasl-regexp uid=(.*),cn=external,cn=auth sasl-regexp uid=(.*),cn=external,cn=auth
ldap:///dc=example,dc=com??sub?(uid=$1) ldap:///dc=example,dc=com??sub?(uid=$1)
One more update: you can use the ldapdb_starttls keyword to use the Update... With OpenLDAP 2.1.23 you can use the ldapdb_starttls keyword
StartTLS extended operation on an LDAP session. This item may be set to use the StartTLS extended operation on an LDAP session. This item
to either "try" or "demand", e.g.: may be set to either "try" or "demand", e.g.:
ldapdb_uri: ldap://ldap.example.com ldapdb_uri: ldap://ldap.example.com
ldapdb_starttls: try ldapdb_starttls: try
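Review bot: the ldapdb_starttls paragraph lists the two allowed values, "try" and "demand", but never says how they differ, and the example uses "try". Readers need to know what happens when the StartTLS extended operation fails with each setting, in particular whether "try" lets the session continue without TLS, because in that case the ldapdb_pw credential configured above would travel over an unprotected connection. Suggest defining both values explicitly and using `ldapdb_starttls: demand` in the example unless the fallback behaviour is intended. The added "With OpenLDAP 2.1.23" qualifier is good; it matches the version requirement introduced at the top of the file.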