Skip to content
Snippets Groups Projects
Commit 340e56ed authored by Howard Chu's avatar Howard Chu
Browse files

LDAP auxprop plugin for external SASL-enabled servers

parent e5146851
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
contrib/ldapsasl/README 0 → 100644
+ 50
0
View file @ 340e56ed
LDAP auxprop plugin for SASL-enabled servers.
Copyright (C) 2002 by Howard Chu, hyc@symas.com
This software is an experimental proof-of-concept and is not intended for
general use. It is licensed under the terms ofthe OpenLDAP license.
The file ldapdb.c was written for Cyrus SASL 2.1.3 and OpenLDAP 2.1.3.
It can be compiled by copying into the Cyrus SASL source tree, in the
plugins subdirectory. No configuration or build script is provided.
To compile, type "make ldapdb.lo". To link, you'll have to copy the
link rule for one of the other plugins. Below is a sample on my Linux
system:
/bin/sh ./libtool --mode=link gcc -Wall -W -g -O2 -L/usr/local/lib -Wl,-rpath,/usr/local/lib -module -export-dynamic -rpath /usr/lib/sasl2 -o libldapdb.la -version-info 2:4:0 ldapdb.lo -lldap -llber -lssl -lcrypto
Once installed, you need to add some config items to the SASL server's
config file in /usr/lib/sasl2. For example:
ldapdb_uri: ldapi://
ldapdb_id: root
ldapdb_pw: secret
ldapdb_mech: PLAIN
This config assumes an LDAP server on the same machine as the server
that is using SASL. The LDAP server must be configured to map the SASL
authcId "root" into a DN that has proxy authorization privileges to
every account that is allowed to login to this server. (See the OpenLDAP
Admin Guide for details.)
Unlike other LDAP-enabled plugins for other services that are common
on the web, this plugin does not require you to configure DN search
patterns to map usernames to LDAP DNs. This plugin requires SASL name
mapping to be configured on the target slapd. This approach keeps the
LDAP-specific configuration details in one place, the slapd.conf, and
makes the configuration of remote services much simpler.
One additional keyword "ldapdb_rc" may be specified in the config file.
The filename specified here will be put into the server's LDAPRC
environment variable, and libldap-specific config options may be set
in that ldaprc file. The main purpose behind this option is to allow
a client TLS certificate to be configured, so that SASL/EXTERNAL may
be used between the SASL server and the LDAP server. This is the most
optimal way to use this plugin when the servers are on separate machines.
This plugin likely has very poor performance. You'll need something
better for a real production environment. Please send feedback via the
openldap-software mailing list for now.
-- Howard Chu, 2002-07-12
contrib/ldapsasl/ldapdb.c 0 → 100644
+ 220
0
View file @ 340e56ed
/* SASL LDAP auxprop implementation
* Copyright (C) 2002 Howard Chu, hyc@symas.com
*/
#include <config.h>
#include <stdio.h>
#include "sasl.h"
#include "saslutil.h"
#include "saslplug.h"
#include "plugin_common.h"
#include <ldap.h>
static char ldapdb[] = "ldapdb";
SASL_AUXPROP_PLUG_INIT( ldapdb )
typedef struct ldapctx {
const char *uri; /* URI of LDAP server */
const char *id; /* SASL authcid to bind as */
const char *pw; /* password for bind */
const char *mech; /* SASL mech */
} ldapctx;
typedef struct gluectx {
ldapctx *lc;
sasl_server_params_t *lp;
const char *user;
} gluectx;
static int ldapdb_interact(LDAP *ld, unsigned flags __attribute__((unused)),
void *def, void *inter)
{
sasl_interact_t *in = inter;
gluectx *gc = def;
const char *p;
for (;in->id != SASL_CB_LIST_END;in++)
{
p = NULL;
switch(in->id)
{
case SASL_CB_GETREALM:
ldap_get_option(ld, LDAP_OPT_X_SASL_REALM, &p);
break;
case SASL_CB_AUTHNAME:
p = gc->lc->id;
break;
case SASL_CB_PASS:
p = gc->lc->pw;
break;
case SASL_CB_USER:
p = gc->user;
break;
}
if (p)
{
int l = strlen(p);
in->result = gc->lp->utils->malloc(l+1);
if (!in->result)
return LDAP_NO_MEMORY;
strcpy((char *)in->result, p);
in->len = l;
}
}
return LDAP_SUCCESS;
}
static void ldapdb_auxprop_lookup(void *glob_context,
sasl_server_params_t *sparams,
unsigned flags,
const char *user,
unsigned ulen)
{
ldapctx *ctx = glob_context;
int ret, i, n, *aindx;
const struct propval *pr;
LDAP *ld = NULL;
gluectx gc = { ctx, sparams, NULL };
struct berval *dn = NULL, **bvals;
LDAPMessage *msg, *res;
char **attrs = NULL, *authzid = NULL;
if(!ctx || !sparams || !user) return;
pr = sparams->utils->prop_get(sparams->propctx);
if(!pr) return;
/* count how many attrs to fetch */
for(i = 0, n = 0; pr[i].name; i++) {
if(pr[i].name[0] == '*' && (flags & SASL_AUXPROP_AUTHZID))
continue;
if(pr[i].values && !(flags & SASL_AUXPROP_OVERRIDE))
continue;
n++;
}
/* nothing to do, bail out */
if (!n) return;
/* alloc an array of attr names for search, and index to the props */
attrs = sparams->utils->malloc((n+1)*sizeof(char *)*2);
if (!attrs) return;
aindx = (int *)(attrs + n + 1);
/* copy attr list */
for (i=0, n=0; pr[i].name; i++) {
if(pr[i].name[0] == '*' && (flags & SASL_AUXPROP_AUTHZID))
continue;
if(pr[i].values && !(flags & SASL_AUXPROP_OVERRIDE))
continue;
attrs[n] = (char *)pr[i].name;
if (pr[i].name[0] == '*') attrs[n]++;
aindx[n] = i;
n++;
}
attrs[n] = NULL;
if(ldap_initialize(&ld, ctx->uri)) {
sparams->utils->free(attrs);
return;
}
authzid = sparams->utils->malloc(ulen + sizeof("u:"));
if (!authzid) goto done;
strcpy(authzid, "u:");
strcpy(authzid+2, user);
gc.user = authzid;
i = LDAP_VERSION3;
ret = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &i);
ret = ldap_sasl_interactive_bind_s(ld, NULL, ctx->mech, NULL, NULL,
LDAP_SASL_QUIET, ldapdb_interact, &gc);
if (ret != LDAP_SUCCESS) goto done;
ret = ldap_extended_operation_s(ld, LDAP_EXOP_X_WHO_AM_I, NULL, NULL,
NULL, NULL, &dn);
if (ret != LDAP_SUCCESS || !dn) goto done;
if (dn->bv_val && !strncmp(dn->bv_val, "dn:", 3))
ret = ldap_search_s(ld, dn->bv_val+3, LDAP_SCOPE_BASE, "(objectclass=*)",
attrs, 0, &res);
ber_bvfree(dn);
if (ret != LDAP_SUCCESS) goto done;
for(msg=ldap_first_message(ld, res); msg; msg=ldap_next_message(ld, msg))
{
if (ldap_msgtype(msg) != LDAP_RES_SEARCH_ENTRY) continue;
for (i=0; i<n; i++)
{
bvals = ldap_get_values_len(ld, msg, attrs[i]);
if (!bvals) continue;
if (pr[aindx[i]].values)
sparams->utils->prop_erase(sparams->propctx, pr[aindx[i]].name);
sparams->utils->prop_set(sparams->propctx, pr[aindx[i]].name,
bvals[0]->bv_val, bvals[0]->bv_len);
ber_bvecfree(bvals);
}
}
ldap_msgfree(res);
done:
if(authzid) sparams->utils->free(authzid);
if(attrs) sparams->utils->free(attrs);
if(ld) ldap_unbind(ld);
}
static void ldapdb_auxprop_free(void *glob_ctx, const sasl_utils_t *utils)
{
utils->free(glob_ctx);
}
static sasl_auxprop_plug_t ldapdb_auxprop_plugin = {
0, /* Features */
0, /* spare */
NULL, /* glob_context */
ldapdb_auxprop_free, /* auxprop_free */
ldapdb_auxprop_lookup, /* auxprop_lookup */
ldapdb, /* name */
NULL /* spare */
};
int ldapdb_auxprop_plug_init(const sasl_utils_t *utils,
int max_version,
int *out_version,
sasl_auxprop_plug_t **plug,
const char *plugname __attribute__((unused)))
{
ldapctx tmp, *p;
const char *s;
if(!out_version || !plug) return SASL_BADPARAM;
if(max_version < SASL_AUXPROP_PLUG_VERSION) return SASL_BADVERS;
utils->getopt(utils->getopt_context, ldapdb, "ldapdb_uri", &tmp.uri, NULL);
if(!tmp.uri) return SASL_BADPARAM;
utils->getopt(utils->getopt_context, ldapdb, "ldapdb_id", &tmp.id, NULL);
utils->getopt(utils->getopt_context, ldapdb, "ldapdb_pw", &tmp.pw, NULL);
utils->getopt(utils->getopt_context, ldapdb, "ldapdb_mech", &tmp.mech, NULL);
utils->getopt(utils->getopt_context, ldapdb, "ldapdb_rc", &s, NULL);
if(s && setenv("LDAPRC", s, 1)) return SASL_BADPARAM;
p = utils->malloc(sizeof(ldapctx));
if (!p) return SASL_NOMEM;
*p = tmp;
ldapdb_auxprop_plugin.glob_context = p;
*out_version = SASL_AUXPROP_PLUG_VERSION;
*plug = &ldapdb_auxprop_plugin;
return SASL_OK;
}
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment