mirror of
https://git.openldap.org/openldap/openldap.git
synced 2025-01-06 10:46:21 +08:00
94 lines
4.0 KiB
Plaintext
94 lines
4.0 KiB
Plaintext
LDAP auxprop plugin for SASL-enabled servers.
|
|
Copyright (C) 2002,2003 by Howard Chu, hyc@symas.com
|
|
|
|
This software is licensed under the terms of the OpenLDAP license.
|
|
|
|
The file ldapdb.c was written for Cyrus SASL 2.1.3 and OpenLDAP 2.1.3.
|
|
Due to various bugs in the Cyrus source you should use Cyrus SASL 2.1.15
|
|
or newer. You need at least Cyrus SASL 2.1.16 to use the auxprop-store
|
|
functionality.
|
|
|
|
The version of ldapdb bundled with OpenLDAP 2.1.22 and older will work
|
|
with all OpenLDAP releases 2.1.3 and up. The ldapdb in OpenLDAP 2.1.23
|
|
uses a different LDAP request and requires the server to be 2.1.23 or newer.
|
|
|
|
It can be compiled by copying into the Cyrus SASL source tree, in the
|
|
plugins subdirectory. No configuration or build script is provided.
|
|
|
|
To compile, type "make ldapdb.lo". To link, you'll have to copy the
|
|
link rule for one of the other plugins. Below is a sample on my Linux
|
|
system:
|
|
|
|
/bin/sh ../libtool --mode=link gcc -Wall -W -g -O2 -L/usr/local/lib -Wl,-rpath,/usr/local/lib -module -export-dynamic -rpath /usr/lib/sasl2 -o libldapdb.la -version-info 2:4:0 ldapdb.lo -lldap -llber -lssl -lcrypto
|
|
|
|
Once installed, you need to add some config items to the SASL server's
|
|
config file in /usr/lib/sasl2. For example:
|
|
|
|
ldapdb_uri: ldap://ldap.example.com
|
|
ldapdb_id: root
|
|
ldapdb_pw: secret
|
|
ldapdb_mech: DIGEST-MD5
|
|
|
|
This config assumes an LDAP server on the same machine as the server
|
|
that is using SASL. The LDAP server must be configured to map the SASL
|
|
authcId "root" into a DN that has proxy authorization privileges to
|
|
every account that is allowed to login to this server. (See the OpenLDAP
|
|
Admin Guide section 10 for details.)
|
|
|
|
Unlike other LDAP-enabled plugins for other services that are common
|
|
on the web, this plugin does not require you to configure DN search
|
|
patterns to map usernames to LDAP DNs. This plugin requires SASL name
|
|
mapping to be configured on the target slapd. This approach keeps the
|
|
LDAP-specific configuration details in one place, the slapd.conf, and
|
|
makes the configuration of remote services much simpler.
|
|
|
|
An additional keyword "ldapdb_rc" may be specified in the config file.
|
|
The filename specified here will be put into the server's LDAPRC
|
|
environment variable, and libldap-specific config options may be set
|
|
in that ldaprc file. The main purpose behind this option is to allow
|
|
a client TLS certificate to be configured, so that SASL/EXTERNAL may
|
|
be used between the SASL server and the LDAP server. This is the most
|
|
optimal way to use this plugin when the servers are on separate machines.
|
|
|
|
Note: this plugin is not for use with slapd itself. When OpenLDAP is
|
|
built with SASL support, slapd uses its own internal auxprop module.
|
|
By default, without configuring anything else, slapd will fail to load
|
|
the ldapdb module when it's present. This is as it should be. If you
|
|
don't like the "auxpropfunc: error -7" message that is sent to syslog
|
|
by slapd, you can stop it by creating /usr/lib/sasl2/slapd.conf with:
|
|
|
|
auxprop_plugin: slapd
|
|
|
|
which will force the SASL library to ignore all other auxprop modules.
|
|
|
|
This plugin has been in use for over a year at many sites with good
|
|
results. If you have questions or problems, please send feedback via
|
|
the openldap-software mailing list.
|
|
|
|
-- Howard Chu
|
|
|
|
Update... With OpenLDAP 2.1.13 you can use SASL/EXTERNAL on ldapi://.
|
|
This is fast and secure, and needs no username or password to be stored.
|
|
The SASL config file is just
|
|
|
|
ldapdb_uri: ldapi://
|
|
ldapdb_mech: EXTERNAL
|
|
|
|
The slapd.conf will need to map these usernames to LDAP DNs:
|
|
|
|
sasl-regexp uidNumber=(.*)\\+gidNumber=(.*),cn=peercred,cn=external,cn=auth
|
|
ldap:///dc=example,dc=com??sub?(&(uidNumber=$1)(gidNumber=$2))
|
|
|
|
sasl-regexp uid=(.*),cn=external,cn=auth
|
|
ldap:///dc=example,dc=com??sub?(uid=$1)
|
|
|
|
Update... With OpenLDAP 2.1.23 you can use the ldapdb_starttls keyword
|
|
to use the StartTLS extended operation on an LDAP session. This item
|
|
may be set to either "try" or "demand", e.g.:
|
|
|
|
ldapdb_uri: ldap://ldap.example.com
|
|
ldapdb_starttls: try
|
|
|
|
When set to "try" any failure in StartTLS is ignored. When set to "demand"
|
|
then any failure aborts the connection.
|