mirror of
https://git.openldap.org/openldap/openldap.git
synced 2024-12-21 03:10:25 +08:00
.. | ||
ldapdb.c | ||
README |
LDAP auxprop plugin for SASL-enabled servers. Copyright (C) 2002 by Howard Chu, hyc@symas.com This software is an experimental proof-of-concept and is not intended for general use. It is licensed under the terms ofthe OpenLDAP license. The file ldapdb.c was written for Cyrus SASL 2.1.3 and OpenLDAP 2.1.3. It can be compiled by copying into the Cyrus SASL source tree, in the plugins subdirectory. No configuration or build script is provided. To compile, type "make ldapdb.lo". To link, you'll have to copy the link rule for one of the other plugins. Below is a sample on my Linux system: /bin/sh ./libtool --mode=link gcc -Wall -W -g -O2 -L/usr/local/lib -Wl,-rpath,/usr/local/lib -module -export-dynamic -rpath /usr/lib/sasl2 -o libldapdb.la -version-info 2:4:0 ldapdb.lo -lldap -llber -lssl -lcrypto Once installed, you need to add some config items to the SASL server's config file in /usr/lib/sasl2. For example: ldapdb_uri: ldapi:// ldapdb_id: root ldapdb_pw: secret ldapdb_mech: PLAIN This config assumes an LDAP server on the same machine as the server that is using SASL. The LDAP server must be configured to map the SASL authcId "root" into a DN that has proxy authorization privileges to every account that is allowed to login to this server. (See the OpenLDAP Admin Guide for details.) Unlike other LDAP-enabled plugins for other services that are common on the web, this plugin does not require you to configure DN search patterns to map usernames to LDAP DNs. This plugin requires SASL name mapping to be configured on the target slapd. This approach keeps the LDAP-specific configuration details in one place, the slapd.conf, and makes the configuration of remote services much simpler. One additional keyword "ldapdb_rc" may be specified in the config file. The filename specified here will be put into the server's LDAPRC environment variable, and libldap-specific config options may be set in that ldaprc file. The main purpose behind this option is to allow a client TLS certificate to be configured, so that SASL/EXTERNAL may be used between the SASL server and the LDAP server. This is the most optimal way to use this plugin when the servers are on separate machines. This plugin likely has very poor performance. You'll need something better for a real production environment. Please send feedback via the openldap-software mailing list for now. -- Howard Chu, 2002-07-12 Update... With OpenLDAP 2.1.13 you can use SASL/EXTERNAL on ldapi://. This is fast and secure, and needs no username or password to be stored. The SASL config file is just ldapdb_uri: ldapi:// ldapdb_mech: EXTERNAL The slapd.conf will need to map these usernames to LDAP DNs: sasl-regexp uidNumber=(.*)\\+gidNumber=(.*),cn=peercred,cn=external,cn=auth ldap:///dc=example,dc=com??sub?(&(uidNumber=$1)(gidNumber=$2)) sasl-regexp uid=(.*),cn=external,cn=auth ldap:///dc=example,dc=com??sub?(uid=$1) One more update: you can use the ldapdb_starttls keyword to use the StartTLS extended operation on an LDAP session. This item may be set to either "try" or "demand", e.g.: ldapdb_uri: ldap://ldap.example.com ldapdb_starttls: try When set to "try" any failure in StartTLS is ignored. When set to "demand" then any failure aborts the connection.