mirror of
https://git.openldap.org/openldap/openldap.git
synced 2024-12-21 03:10:25 +08:00
76 lines
3.2 KiB
Plaintext
76 lines
3.2 KiB
Plaintext
LDAP auxprop plugin for SASL-enabled servers.
|
|
Copyright (C) 2002 by Howard Chu, hyc@symas.com
|
|
|
|
This software is an experimental proof-of-concept and is not intended for
|
|
general use. It is licensed under the terms ofthe OpenLDAP license.
|
|
|
|
The file ldapdb.c was written for Cyrus SASL 2.1.3 and OpenLDAP 2.1.3.
|
|
It can be compiled by copying into the Cyrus SASL source tree, in the
|
|
plugins subdirectory. No configuration or build script is provided.
|
|
|
|
To compile, type "make ldapdb.lo". To link, you'll have to copy the
|
|
link rule for one of the other plugins. Below is a sample on my Linux
|
|
system:
|
|
|
|
/bin/sh ./libtool --mode=link gcc -Wall -W -g -O2 -L/usr/local/lib -Wl,-rpath,/usr/local/lib -module -export-dynamic -rpath /usr/lib/sasl2 -o libldapdb.la -version-info 2:4:0 ldapdb.lo -lldap -llber -lssl -lcrypto
|
|
|
|
Once installed, you need to add some config items to the SASL server's
|
|
config file in /usr/lib/sasl2. For example:
|
|
|
|
ldapdb_uri: ldapi://
|
|
ldapdb_id: root
|
|
ldapdb_pw: secret
|
|
ldapdb_mech: PLAIN
|
|
|
|
This config assumes an LDAP server on the same machine as the server
|
|
that is using SASL. The LDAP server must be configured to map the SASL
|
|
authcId "root" into a DN that has proxy authorization privileges to
|
|
every account that is allowed to login to this server. (See the OpenLDAP
|
|
Admin Guide for details.)
|
|
|
|
Unlike other LDAP-enabled plugins for other services that are common
|
|
on the web, this plugin does not require you to configure DN search
|
|
patterns to map usernames to LDAP DNs. This plugin requires SASL name
|
|
mapping to be configured on the target slapd. This approach keeps the
|
|
LDAP-specific configuration details in one place, the slapd.conf, and
|
|
makes the configuration of remote services much simpler.
|
|
|
|
One additional keyword "ldapdb_rc" may be specified in the config file.
|
|
The filename specified here will be put into the server's LDAPRC
|
|
environment variable, and libldap-specific config options may be set
|
|
in that ldaprc file. The main purpose behind this option is to allow
|
|
a client TLS certificate to be configured, so that SASL/EXTERNAL may
|
|
be used between the SASL server and the LDAP server. This is the most
|
|
optimal way to use this plugin when the servers are on separate machines.
|
|
|
|
This plugin likely has very poor performance. You'll need something
|
|
better for a real production environment. Please send feedback via the
|
|
openldap-software mailing list for now.
|
|
|
|
-- Howard Chu, 2002-07-12
|
|
|
|
Update... With OpenLDAP 2.1.13 you can use SASL/EXTERNAL on ldapi://.
|
|
This is fast and secure, and needs no username or password to be stored.
|
|
The SASL config file is just
|
|
|
|
ldapdb_uri: ldapi://
|
|
ldapdb_mech: EXTERNAL
|
|
|
|
The slapd.conf will need to map these usernames to LDAP DNs:
|
|
|
|
sasl-regexp uidNumber=(.*)\\+gidNumber=(.*),cn=peercred,cn=external,cn=auth
|
|
ldap:///dc=example,dc=com??sub?(&(uidNumber=$1)(gidNumber=$2))
|
|
|
|
sasl-regexp uid=(.*),cn=external,cn=auth
|
|
ldap:///dc=example,dc=com??sub?(uid=$1)
|
|
|
|
One more update: you can use the ldapdb_starttls keyword to use the
|
|
StartTLS extended operation on an LDAP session. This item may be set
|
|
to either "try" or "demand", e.g.:
|
|
|
|
ldapdb_uri: ldap://ldap.example.com
|
|
ldapdb_starttls: try
|
|
|
|
When set to "try" any failure in StartTLS is ignored. When set to "demand"
|
|
then any failure aborts the connection.
|