From owner-freebsd-ports Mon Sep 18 19:30:22 2000
Delivered-To: freebsd-ports@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id ADD4537B423 for ; Mon, 18 Sep 2000 19:30:00 -0700 (PDT)
Received: (from gnats@localhost) by freefall.freebsd.org (8.9.3/8.9.2) id TAA98062; Mon, 18 Sep 2000 19:30:00 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: from mail.westbend.net (ns1.westbend.net [209.224.254.131]) by hub.freebsd.org (Postfix) with ESMTP id C257137B422 for ; Mon, 18 Sep 2000 19:24:35 -0700 (PDT)
Received: (from root@localhost) by mail.westbend.net (8.9.3/8.9.3) id VAA10314; Mon, 18 Sep 2000 21:24:35 -0500 (CDT) (envelope-from admin)
Message-Id: <200009190224.VAA10314@mail.westbend.net>
Date: Mon, 18 Sep 2000 21:24:35 -0500 (CDT)
From: "Scot W. Hetzel"
Reply-To: "Scot W. Hetzel"
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: ports/21383: Update Cyrus-SASL (Maintainer)
Sender: owner-freebsd-ports@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number:         21383
>Category:       ports
>Synopsis:       Update Cyrus-SASL, Add MySQL & LDAP Authentication
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Mon Sep 18 19:30:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:     Scot W. Hetzel
>Release:        FreeBSD 4.1-STABLE i386
>Organization:   West Bend Internet
>Environment:
>Description:
Cyrus-SASL 1.5.24 sources changed on Aug 15th -- changed a hard coded value to a variable.

Kerberos IV detection fails due to double check on krb_mk_priv (with/without com_err), used cached value from first check for krb_mk_priv.

Added additional pwcheck methods (MySQL & LDAP Authentication).

Changed Files:        New Files:
Makefile              files/Sendmail.README
files/md5             patches/patch-ag
patches/patch-ab      patches/patch-ah
pkg/INSTALL           patches/patch-ai
pkg/MESSAGE           patches/patch-aj
pkg/PLIST             patches/patch-ak
                      scripts/configure.sasl

This PR also addresses the concerns for the following PRs:

PR 21266 - MD5 checksum out of date for cyrus-sasl
PR 20887 - LDAP support and fixes for cyrus-sasl [CLOSED]
PR 20623 - cyrus-sasl-1.5.24 does not build libkerberos4
>How-To-Repeat:
>Fix:
Apply the following:

diff -ruN cyrus-sasl.orig/Makefile cyrus-sasl/Makefile --- cyrus-sasl.orig/Makefile Sat Aug 19 03:56:57 2000 +++ cyrus-sasl/Makefile Mon Sep 18 20:07:41 2000 @@ -7,6 +7,7 @@ PORTNAME= cyrus-sasl PORTVERSION= 1.5.24 +PORTREVISION= 1 CATEGORIES= security MASTER_SITES= ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/ \ ${MASTER_SITE_LOCAL} \ 
@@ -19,8 +20,6 @@ INSTALLS_SHLIB= yes -.include - Y2K= http://asg.web.cmu.edu/cyrus/imapd/y2k.html MAN3= sasl.3 sasl_authorize_t.3 sasl_callbacks.3 sasl_checkpass.3 \ @@ -32,8 +31,11 @@ sasl_setprop.3 sasl_usererr.3 MAN8= sasldblistusers.8 saslpasswd.8 -USE_AUTOCONF= YES +USE_AUTOMAKE= YES USE_LIBTOOL= YES +AUTOHEADER= autoheader +AUTOMAKE= automake --add-missing --include-deps + CONFIGURE_ARGS= --sysconfdir=${PREFIX}/etc \ --with-plugindir=${PREFIX}/lib/sasl \ --with-dbpath=${PREFIX}/etc/sasldb \ @@ -43,7 +45,12 @@ --with-pwcheck=/var/pwcheck \ --with-rc4=openssl -# JavaSASL is currently Broken +SCRIPTS_ENV= WRKDIRPREFIX="${WRKDIRPREFIX}" \ + PREFIX="${PREFIX}" \ + TOUCH="${TOUCH}" \ + MKDIR="${MKDIR}" + +# JavaSASL needs someone to look at to get it to build #JAVADIR= jdk1.1.8 #JAVALIBDIR= ${PREFIX}/${JAVADIR}/lib/i386/green_threads/ @@ -93,12 +100,18 @@ EBONES=${EBONES} \ NOPORTDOCS=${NODOCS} +pre-fetch: + @${SETENV} ${SCRIPTS_ENV} ${SH} ${SCRIPTDIR}/configure.sasl + +pre-configure: + @(cd ${WRKSRC} && ${AUTOHEADER}) + # Create Cyrus user and group pre-install: @${SH} ${PKGDIR}/INSTALL ${PKGNAME} PRE-INSTALL post-install: - @${SED} -e "/%%PREFIX%%/s##${PREFIX}#g" ${FILESDIR}/pwcheck.sh \ + @${SED} -e "/%%PREFIX%%/s##${PREFIX}#g" ${FILESDIR}/pwcheck.sh \ > ${PREFIX}/etc/rc.d/pwcheck.sh @${CHMOD} 755 ${PREFIX}/etc/rc.d/pwcheck.sh ${INSTALL} -d -m 700 -o cyrus -g cyrus /var/pwcheck 
@@ -110,20 +123,19 @@ .for file in ${DOC2} @${INSTALL_DATA} ${WRKSRC}/doc/${file} ${PREFIX}/share/doc/SASL .endfor + @${INSTALL_DATA} ${FILESDIR}/Sendmail.README ${PREFIX}/share/doc .for file in ${HTDOCS} @${INSTALL_DATA} ${WRKSRC}/doc/${file}.html ${PREFIX}/share/doc/SASL/html .endfor .endif + @PKG_PREFIX=${PREFIX} BATCH=${BATCH} ${SH} ${PKGDIR}/INSTALL ${PKGNAME} POST-INSTALL + @${CAT} ${PKGMESSAGE} -.if exists(${WRKDIRPREFIX}${.CURDIR}/Makefile.inc) post-clean: @${RM} -f ${WRKDIRPREFIX}${.CURDIR}/Makefile.inc +.if exists(${WRKDIRPREFIX}${.CURDIR}/Makefile.inc) .include "${WRKDIRPREFIX}${.CURDIR}/Makefile.inc" -.elif ${PREFIX} != ${LOCALBASE} -# Save PREFIX so that it can be used during make install -.BEGIN: - @echo "PREFIX= ${PREFIX}" > ${WRKDIRPREFIX}${.CURDIR}/Makefile.inc .endif -.include +.include diff -ruN cyrus-sasl.orig/files/Sendmail.README cyrus-sasl/files/Sendmail.README --- cyrus-sasl.orig/files/Sendmail.README Wed Dec 31 18:00:00 1969 +++ cyrus-sasl/files/Sendmail.README Sat Sep 16 11:27:37 2000 @@ -0,0 +1,25 @@ +How to enable SMTP AUTH with FreeBSD default Sendmail 8.11 + +1. Edit /usr/src/usr.sbin/sendmail/Makefile, and change the line: + + LDADD= -lutil -lwrap +into + LDADD+= -lutil -lwrap + + NOTE: This change is in 5.0-CURRENT and will be MFC'd to + 4.1-STABLE later. + +2) Add the following to /etc/make.conf: + +# Add SMTP AUTH support to Sendmail +.if ${.CURDIR} == "/usr/src/usr.sbin/sendmail" +CFLAGS+=-DSASL -I/usr/local/include/sasl -L/usr/local/lib +LDADD+=-lsasl +.endif + +3) Rebuild FreeBSD (make buildworld, ...) + +4) Create /usr/local/lib/sasl/Sendmail.conf with the following. + + pwcheck_method: pwcheck + diff -ruN cyrus-sasl.orig/files/md5 cyrus-sasl/files/md5 --- cyrus-sasl.orig/files/md5 Sat Aug 19 03:56:57 2000 +++ cyrus-sasl/files/md5 Sat Sep 16 11:27:37 2000 
@@ -1 +1 @@ -MD5 (cyrus-sasl-1.5.24.tar.gz) = aedc0f8b594e2a13503b375ed78f62b7 +MD5 (cyrus-sasl-1.5.24.tar.gz) = ac3837c071c258b80021325936db2583 diff -ruN cyrus-sasl.orig/patches/patch-ab cyrus-sasl/patches/patch-ab --- cyrus-sasl.orig/patches/patch-ab Sat Aug 19 03:56:58 2000 +++ cyrus-sasl/patches/patch-ab Sat Sep 16 14:01:30 2000 @@ -1,5 +1,5 @@ ---- configure.in.orig Thu Aug 3 14:34:08 2000 -+++ configure.in Thu Aug 3 14:39:24 2000 +--- configure.in.orig Thu Jul 20 21:35:01 2000 ++++ configure.in Sat Sep 16 13:58:02 2000 @@ -66,8 +66,9 @@ dnl check for -R, etc. switch CMU_GUESS_RUNPATH_SWITCH 
@@ -12,3 +12,112 @@ AM_DISABLE_STATIC +@@ -310,6 +311,88 @@ + fi + AM_CONDITIONAL(PWCHECK, test "$with_pwcheck" != no) + ++dnl MySQL ++AC_ARG_WITH(mysql, [ --with-mysql=PATH enable authentication from MySQL database [no] ], ++ with_mysql=$withval, ++ with_mysql=no) ++ ++if test -z "$with_mysql"; then ++ for mysqlloc in lib/mysql lib ++ do ++ if test -f ${prefix}/${mysqlloc}/libmysqlclient.a; then ++ with_mysql="${prefix}" ++ break ++ elif test -f /usr/local/${mysqlloc}/libmysqlclient.a; then ++ with_mysql="/usr/local" ++ break ++ elif test -f /usr/${mysqlloc}/libmysqlclient.a; then ++ with_mysql="/usr" ++ break ++ fi ++ done ++fi ++ ++LIB_MYSQL="" ++case "$with_mysql" in ++ no) true;; ++ ""|yes) AC_CHECK_LIB(mysqlclient, mysql_select_db, ++ AC_DEFINE(HAVE_MYSQL) ++ LIB_MYSQL="-lmysqlclient", ++ with_mysql=no);; ++ *) if test -d ${with_mysql}/include/mysql; then ++ CPPFLAGS="$CPPFLAGS -I${with_mysql}/include/mysql" ++ else ++ CPPFLAGS="$CPPFLAGS -I${with_mysql}/include" ++ fi ++ if test -d ${with_mysql}/lib/mysql; then ++ LDFLAGS="$LDFLAGS -L${with_mysql}/lib/mysql" ++ fi ++ AC_DEFINE(HAVE_MYSQL) ++ LIB_MYSQL="-lmysqlclient";; ++esac ++AC_SUBST(LIB_MYSQL) ++ ++dnl LDAP ++AC_ARG_WITH(ldap, [ --with-ldap=PATH enable authentication from LDAP [no] ], ++ with_ldap=$withval, ++ with_ldap=no) ++ ++if test -z "$with_ldap"; then ++ for ldaploc in lib/ldap lib ++ do ++ if test -f ${prefix}/${ldaploc}/libldap.a; then ++ with_ldap="${prefix}" ++ break ++ elif test -f /usr/local/${ldaploc}/libldap.a; then ++ with_ldap="/usr/local" ++ break ++ elif test -f /usr/${ldaploc}/libldap.a; then ++ with_ldap="/usr" ++ break ++ fi ++ done ++fi ++ ++LIB_LDAP="" ++case "$with_ldap" in ++ no) true;; ++ ""|yes) AC_CHECK_LIB(ldap, ldap_open, ++ AC_DEFINE(HAVE_LDAP) ++ LIB_LDAP="-lldap -llber", ++ with_ldap=no);; ++ *) if test -d ${with_ldap}/include/ldap; then ++ CPPFLAGS="${CPPFLAGS} -I${with_ldap}/include/ldap" ++ else ++ CPPFLAGS="${CPPFLAGS} -I${with_ldap}/include" ++ fi ++ if test -d 
${with_ldap}/lib/ldap; then ++ LDFLAGS="$LDFLAGS -L${with_ldap}/lib/ldap" ++ fi ++ AC_DEFINE(HAVE_LDAP) ++ LIB_LDAP="-lldap -llber";; ++esac ++AC_SUBST(LIB_LDAP) ++ + dnl CRAM-MD5 + AC_ARG_ENABLE(cram, [ --enable-cram enable CRAM-MD5 authentication [yes] ], + cram=$enableval, +@@ -434,11 +517,15 @@ + fi + + if test "$with_des" != no; then ++ case "$host_os" in ++ freebsd*) ++ COM_ERR="-lcom_err" ++ ;; ++ esac + AC_CHECK_HEADER(krb.h, +- AC_CHECK_LIB(krb, krb_mk_priv, COM_ERR="", +- AC_CHECK_LIB(krb, krb_mk_priv, COM_ERR="-lcom_err", +- AC_WARN(No Kerberos V4 found); krb4=no, -ldes -lcom_err), +- -ldes), ++ AC_CHECK_LIB(krb, krb_mk_priv,:, ++ AC_WARN(No Kerberos V4 found); krb4=no, ++ -ldes $COM_ERR), + AC_WARN(No Kerberos V4 found); krb4=no) + else + AC_WARN(No DES library found for Kerberos V4 support) diff -ruN cyrus-sasl.orig/patches/patch-ag cyrus-sasl/patches/patch-ag --- cyrus-sasl.orig/patches/patch-ag Wed Dec 31 18:00:00 1969 +++ cyrus-sasl/patches/patch-ag Sat Sep 16 11:27:56 2000 @@ -0,0 +1,15 @@ +--- acconfig.h.orig Wed Jul 5 11:59:25 2000 ++++ acconfig.h Fri Sep 15 20:56:28 2000 +@@ -84,6 +84,12 @@ + /* do we have PAM for plaintext password checking? */ + #undef HAVE_PAM + ++/* do we have MySQL for plaintext password checking? */ ++#undef HAVE_MYSQL ++ ++/* do we have LDAP for plaintext password checking? */ ++#undef HAVE_LDAP ++ + /* what flavor of GSSAPI are we using? */ + #undef HAVE_GSS_C_NT_HOSTBASED_SERVICE + diff -ruN cyrus-sasl.orig/patches/patch-ah cyrus-sasl/patches/patch-ah --- cyrus-sasl.orig/patches/patch-ah Wed Dec 31 18:00:00 1969 +++ cyrus-sasl/patches/patch-ah Sat Sep 16 11:27:56 2000 
@@ -0,0 +1,9 @@ +--- lib/Makefile.am.orig Thu Jul 20 21:35:02 2000 ++++ lib/Makefile.am Fri Sep 15 20:56:28 2000 +@@ -53,5 +53,5 @@ + EXTRA_libsasl_la_SOURCES = db_none.c db_ndbm.c db_gdbm.c db_berkeley.c db_testw32.c + libsasl_la_LDFLAGS = -version-info $(sasl_version) + libsasl_la_DEPENDENCIES = $(SASL_DB_BACKEND) @LTLIBOBJS@ +-libsasl_la_LIBADD = @LTLIBOBJS@ $(SASL_DB_BACKEND) $(SASL_DB_LIB) $(SASL_DL_LIB) $(PLAIN_LIBS) ++libsasl_la_LIBADD = @LTLIBOBJS@ $(SASL_DB_BACKEND) $(SASL_DB_LIB) $(SASL_DL_LIB) $(PLAIN_LIBS) ${LIB_LDAP} ${LIB_MYSQL} + # PLAIN_LIBS are linked in for sasl_checkpass diff -ruN cyrus-sasl.orig/patches/patch-ai cyrus-sasl/patches/patch-ai --- cyrus-sasl.orig/patches/patch-ai Wed Dec 31 18:00:00 1969 +++ cyrus-sasl/patches/patch-ai Sat Sep 16 21:08:02 2000 
@@ -0,0 +1,357 @@ +--- lib/checkpw.c.orig Wed Jul 19 20:24:13 2000 ++++ lib/checkpw.c Sat Sep 16 21:07:33 2000 +@@ -95,10 +95,19 @@ + #include + #ifdef HAVE_UNISTD_H + #include +-#endif ++#endif /* HAVE_UNISTD_H */ + + extern int errno; +-#endif ++#endif /* HAVE_PWCHECK */ ++ ++#ifdef HAVE_MYSQL ++#include ++#endif /* HAVE_MYSQL */ ++ ++#ifdef HAVE_LDAP ++#include ++#include ++#endif /* HAVE_LDAP */ + + #ifdef HAVE_KRB + +@@ -170,12 +179,20 @@ + memcpy (&temp_key, "kerberos", 8); + des_fixup_key_parity (&temp_key); + des_key_sched (&temp_key, schedule); ++#ifdef __FreeBSD__ ++ des_cbc_cksum ((const unsigned char *)password, &ivec, passlen, schedule, &ivec); ++#else + des_cbc_cksum ((des_cblock *)password, &ivec, passlen, schedule, &ivec); ++#endif + + memcpy (&temp_key, &ivec, sizeof temp_key); + des_fixup_key_parity (&temp_key); + des_key_sched (&temp_key, schedule); ++#ifdef __FreeBSD__ ++ des_cbc_cksum ((const unsigned char *)password, key, passlen, schedule, &ivec); ++#else + des_cbc_cksum ((des_cblock *)password, key, passlen, schedule, &ivec); ++#endif + + des_fixup_key_parity (key); + +@@ -210,10 +227,17 @@ + return (str); + } + ++#ifdef __FreeBSD__ ++static int use_key(const char *user __attribute__((unused)), ++ char *instance __attribute__((unused)), ++ const char *realm __attribute__((unused)), ++ const void *key, des_cblock *returned_key) ++#else + static int use_key(char *user __attribute__((unused)), + char *instance __attribute__((unused)), + char *realm __attribute__((unused)), + void *key, des_cblock *returned_key) ++#endif + { + memcpy (returned_key, key, sizeof(des_cblock)); + return 0; +@@ -838,7 +862,7 @@ + + + /* pwcheck daemon-authenticated login */ +-static int pwcheck_verify_password(sasl_conn_t *conn, ++static int pwcheck_verify_password(sasl_conn_t *conn __attribute__((unused)), + const char *userid, + const char *passwd, + const char *service __attribute__((unused)), +@@ -853,8 +877,10 @@ + static char response[1024]; + int start, n; + 
char pwpath[1024]; ++#if 0 /* Not used */ + sasl_getopt_t *getopt; + void *context; ++#endif + + if (reply) { *reply = NULL; } + +@@ -902,6 +928,260 @@ + + #endif + ++#ifdef HAVE_MYSQL ++/* DMZ mysql auth 12/29/1999 ++ * Updated to 1.5.24 by SWH 09/12/2000 ++ */ ++#ifdef USE_CRYPT_PASSWORD ++#define QUERY_STRING "select %s from %s where %s = '%s' and %s = password('%s')" ++#else ++#define QUERY_STRING "select %s from %s where %s = '%s' and %s = '%s'" ++#endif ++ ++static int mysql_verify_password(sasl_conn_t *conn, ++ const char *userid, ++ const char *password, ++ const char *service __attribute__((unused)), ++ const char *user_realm __attribute__((unused)), ++ const char **reply) ++{ ++ unsigned int numrows; ++ MYSQL mysql,*sock; ++ MYSQL_RES *result; ++ char qbuf[300]; ++ char *db_user="", ++ *db_passwd="", ++ *db_host="", ++ *db_uidcol="", ++ *db_pwcol="", ++ *db_database="", ++ *db_table=""; ++ sasl_getopt_t *getopt; ++ void *context; ++ ++ if (!userid || !password) { ++ return SASL_BADPARAM; ++ } ++ if (reply) { *reply = NULL; } ++ ++ /* check to see if the user configured a mysqluser/passwd/host/etc */ ++ if (_sasl_getcallback(conn, SASL_CB_GETOPT, &getopt, &context) == SASL_OK) { ++ getopt(context, NULL, "mysql_user", (const char **) &db_user, NULL); ++ if (!db_user) db_user = ""; ++ getopt(context, NULL, "mysql_passwd", (const char **) &db_passwd, NULL); ++ if (!db_passwd) db_passwd = ""; ++ getopt(context, NULL, "mysql_host", (const char **) &db_host, NULL); ++ if (!db_host) db_host = ""; ++ getopt(context, NULL, "mysql_database", (const char **) &db_database, NULL); ++ if (!db_database) db_database = ""; ++ getopt(context, NULL, "mysql_table", (const char **) &db_table, NULL); ++ if (!db_table) db_table = ""; ++ getopt(context, NULL, "mysql_uidcol", (const char **) &db_uidcol, NULL); ++ if (!db_uidcol) db_uidcol = ""; ++ getopt(context, NULL, "mysql_pwdcol", (const char **) &db_pwcol, NULL); ++ if (!db_pwcol) db_pwcol = ""; ++ } ++ ++ if (!(sock = 
mysql_connect(&mysql,db_host,db_user,db_passwd))) ++ { ++ if (reply) { *reply = "cannot connect to MySQL server"; } ++ return SASL_FAIL; ++ } ++ ++ if (mysql_select_db(sock,db_database) < 0) ++ { ++ mysql_close(sock); ++ if (reply) { *reply = "cannot select MySQL database"; } ++ return SASL_FAIL; ++ } ++ /* select DB_UIDCOL from DB_TABLE where DB_UIDCOL = 'userid' AND DB_PWCOL = password('password') */ ++ sprintf(qbuf,QUERY_STRING,db_uidcol,db_table,db_uidcol,userid,db_pwcol,password); ++ if (mysql_query(sock,qbuf) < 0 || !(result=mysql_store_result(sock))) ++ { ++ mysql_close(sock); ++ return SASL_FAIL; ++ } ++ ++ if (result) //There were some rows found ++ { ++ if ((numrows = mysql_affected_rows(&mysql)) != 1) ++ { ++ mysql_free_result(result); ++ mysql_close(sock); ++ if ((numrows > 1) && (reply)) { *reply = "Detected duplicate entries for user"; } ++ return SASL_BADAUTH; ++ } else { ++ mysql_free_result(result); ++ mysql_close(sock); ++ return SASL_OK; ++ } ++ } ++ mysql_free_result(result); ++ mysql_close(sock); ++ return SASL_BADAUTH; ++} ++#endif /* HAVE_MYSQL */ ++ ++#ifdef HAVE_LDAP ++/* simon@surf.org.uk LDAP auth 07/11/2000 ++ * Updated to 1.5.24 by SWH 09/12/2000 ++ */ ++ ++#define LDAP_SERVER "localhost" ++#define LDAP_BASEDN "o=JOFA, c=UK" ++#define LDAP_UIDATTR "uid" ++ ++#ifndef TRUE ++# define TRUE 1 ++# define FALSE 0 ++#endif ++ ++static int ldap_isdigits(char *value) ++{ ++ char *ptr; ++ int num = TRUE; ++ ++ for (ptr = value; *ptr != '\0' && num != FALSE; ptr++) { ++ if (!isdigit(*ptr)) ++ num = FALSE; ++ } ++ ++ return num; ++} ++ ++static int ldap_verify_password(sasl_conn_t *conn, ++ const char *userid, ++ const char *password, ++ const char *service __attribute__((unused)), ++ const char *user_realm __attribute__((unused)), ++ const char **reply) ++{ ++ ++ LDAP *ld; ++ LDAPMessage *result; ++ LDAPMessage *entry; ++ char *attrs[2]; ++ char filter[200]; ++ char *dn, ++ *ldap_server="", ++ *ldap_basedn="", ++ *ldap_uidattr="", ++ *port_num=""; 
++ int ldap_port = LDAP_PORT; ++ int count; ++ sasl_getopt_t *getopt; ++ void *context; ++ ++ /* If the password is NULL, reject the login... ++ * Otherwise the bind will succed as a reference bind. Not good... ++ */ ++ if (strcmp(password,"") == 0) ++ { ++ return SASL_BADPARAM; ++ } ++ ++ if (reply) { *reply = NULL; } ++ ++ /* check to see if the user configured a mysqluser/passwd/host/etc */ ++ if (_sasl_getcallback(conn, SASL_CB_GETOPT, &getopt, &context) == SASL_OK) { ++ getopt(context, NULL, "ldap_server", (const char **) &ldap_server, NULL); ++ if (!ldap_server) ldap_server = LDAP_SERVER; ++ getopt(context, NULL, "ldap_basedn", (const char **) &ldap_basedn, NULL); ++ if (!ldap_basedn) { ++ if (reply) { *reply = "ldap_basedn not defined"; } ++ return SASL_BADPARAM; ++ } ++ getopt(context, NULL, "ldap_uidattr", (const char **) &ldap_uidattr, NULL); ++ if (!ldap_uidattr) ldap_uidattr = LDAP_UIDATTR; ++ getopt(context, NULL, "ldap_port", (const char **) &port_num, NULL); ++ if (!port_num) { ++ ldap_port = LDAP_PORT; ++ } else if (!ldap_isdigits(port_num)) { ++ if (reply) { *reply = "ldap_port - invalid value"; } ++ return SASL_BADPARAM; ++ } else { ++ ldap_port = atoi(port_num); ++ } ++ } ++ ++ /* Open the LDAP connection. */ ++ if ((ld = ldap_open(ldap_server, ldap_port)) == NULL) ++ { ++ if (reply) { *reply = "cannot connect to LDAP server"; } ++ return SASL_FAIL; ++ } ++ ++ /* Bind anonymously so that you can find the DN of the appropriate user. */ ++ if (ldap_simple_bind_s(ld,"","") != LDAP_SUCCESS) ++ { ++ ldap_unbind(ld); ++ if (reply) { *reply = "cannot bind to LDAP server"; } ++ return SASL_FAIL; ++ } ++ ++ /* Generate a filter that will return the entry with a matching UID */ ++ sprintf(filter,"(%s=%s)", ldap_uidattr,userid); ++ ++ /* Just return country...This doesn't actually matter, since we will ++ * not read the attributes and values, only the DN ++ */ ++ attrs[0] = "c"; ++ attrs[1] = NULL; ++ ++ /* Perform the search... 
*/ ++ if (ldap_search_s(ld,ldap_basedn,LDAP_SCOPE_SUBTREE,filter,attrs,1,&result) != LDAP_SUCCESS ) ++ { ++ ldap_unbind(ld); ++ return SASL_BADAUTH; ++ } ++ ++ /* If the entry count is not equal to one, either the UID was not unique or ++ * there was no match ++ */ ++ if ((count = ldap_count_entries(ld,result)) != 1) ++ { ++ ldap_msgfree(result); ++ ldap_unbind(ld); ++ if ((count > 1) && (reply)) { *reply = "Detected duplicate entries for user"; } ++ return SASL_BADAUTH; ++ } ++ ++ /* Get the first entry */ ++ if ((entry = ldap_first_entry(ld,result)) == NULL) ++ { ++ ldap_msgfree(result); ++ ldap_unbind(ld); ++ return SASL_BADAUTH; ++ } ++ ++ /* Get the DN of the entry */ ++ if ((dn = ldap_get_dn(ld,entry)) == NULL) ++ { ++ ldap_msgfree(entry); ++ ldap_unbind(ld); ++ return SASL_BADAUTH; ++ } ++ ++ /* Now bind as the DN with the password supplied earlier... ++ * Successful bind means the password was correct, otherwise the ++ * password is invalid. ++ */ ++ if (ldap_simple_bind_s(ld,dn,(char *)password) != LDAP_SUCCESS) ++ { ++ free(dn); ++ ldap_msgfree(entry); ++ ldap_unbind(ld); ++ return SASL_BADAUTH; ++ } ++ ++ free(dn); ++ ldap_msgfree(entry); ++ ldap_unbind(ld); ++ return SASL_OK; ++} ++ ++#endif /* HAVE_LDAP */ ++ + struct sasl_verify_password_s _sasl_verify_password[] = { + { "sasldb", &sasldb_verify_password }, + #ifdef HAVE_KRB +@@ -921,6 +1201,12 @@ + #endif + #ifdef HAVE_PWCHECK + { "pwcheck", &pwcheck_verify_password }, ++#endif ++#ifdef HAVE_MYSQL ++ { "mysql", &mysql_verify_password }, ++#endif ++#ifdef HAVE_LDAP ++ { "ldap", &ldap_verify_password }, + #endif + { NULL, NULL } + }; diff -ruN cyrus-sasl.orig/patches/patch-aj cyrus-sasl/patches/patch-aj --- cyrus-sasl.orig/patches/patch-aj Wed Dec 31 18:00:00 1969 +++ cyrus-sasl/patches/patch-aj Sat Sep 16 11:27:56 2000 @@ -0,0 +1,46 @@ +--- doc/sysadmin.html.orig Wed Jul 12 21:59:51 2000 ++++ doc/sysadmin.html Fri Sep 15 20:56:28 2000 +@@ -171,6 +171,43 @@ +
pwcheck
checks passwords with the use of a seperate, + helper daemon. needs to be documented.

+ ++

mysql
A MySQL database can be used for plaintext ++ password checking by setting "pwcheck_method" to "mysql".

++ ++

The following SASL options are used for MySQL Authentication:

++ ++

++
mysql_user: <user>
++
mysql_passwd: <cleartext pw>
++
mysql_host: <host>
++
mysql_database: <database>
++
mysql_table: <table>
++
mysql_uidcol: <username col>
++
mysql_pwdcol: <password col>
++
++ ++

MySQL pwcheck_method created by David Matthew Zendzian ++ the original patch may be found at http://www.dmzs.com/~dmz/projects/cyrus/.

++ ++

ldap
A LDAP server can be used for plaintext password ++ checking by setting "pwcheck_method" to "ldap".

++ ++

The following SASL options are used for LDAP Authentication:

++ ++

++
ldap_server: <LDAP Server [localhost]> ++
ldap_basedn: <LDAP base dn> ++
ldap_uidattr: <LDAP uid attribute [uid]> ++
ldap_port: <LDAP port [389]> ++
++ ++

It is a requirement that "ldap_basedn" be set to the appropriate ++ value for your site
++ (ex. ldap_basedn: o=surf, c=UK)

++ ++

LDAP pwcheck_method created by Simon@surf.org.uk ++ the original patch may be found at http://www.surf.org.uk/.

++ +

write your own
Last, but not least, the most flexible + method of authentication for PLAIN is to write your own. If you do + so, any application that calls the "sasl_checkpass()" diff -ruN cyrus-sasl.orig/patches/patch-ak cyrus-sasl/patches/patch-ak --- cyrus-sasl.orig/patches/patch-ak Wed Dec 31 18:00:00 1969 +++ cyrus-sasl/patches/patch-ak Sat Sep 16 18:50:20 2000 @@ -0,0 +1,30 @@ +--- plugins/kerberos4.c.orig Wed Apr 19 11:18:48 2000 ++++ plugins/kerberos4.c Sat Sep 16 18:49:20 2000 +@@ -696,8 +696,13 @@ + + /* decrypt; verify checksum */ + ++#ifdef __FreeBSD__ ++ des_pcbc_encrypt((const unsigned char *)in, ++ (unsigned char *)in, ++#else + des_pcbc_encrypt((des_cblock *)in, + (des_cblock *)in, ++#endif + clientinlen, + text->init_keysched, + &text->session, +@@ -1192,8 +1197,13 @@ + } + sout[len]=0; + ++#ifdef __FreeBSD__ ++ des_pcbc_encrypt((const unsigned char *)sout, ++ (unsigned char *)sout, ++#else + des_pcbc_encrypt((des_cblock *)sout, + (des_cblock *)sout, ++#endif + len, + text->init_keysched, + (des_cblock *)text->session, diff -ruN cyrus-sasl.orig/pkg/INSTALL cyrus-sasl/pkg/INSTALL --- cyrus-sasl.orig/pkg/INSTALL Sun Jan 23 23:22:21 2000 +++ cyrus-sasl/pkg/INSTALL Mon Sep 18 20:53:06 2000 @@ -7,11 +7,15 @@ #set -vx +PKG_BATCH=${BATCH:=NO} + +PKG_PREFIX=${PKG_PREFIX:=/usr/local} + # # create 'cyrus' user and group before installing # -create() { +create_user() { if [ ! -x /usr/sbin/pw ]; then echo "*** Please add a user and a group named \`cyrus' before installing this package." exit 69 
@@ -65,9 +69,31 @@ fi } +create_sasldb() { + if [ ! -f ${PGK_PREFIX}/etc/sasldb.db ]; then + touch ${PGK_PREFIX}/etc/sasldb.db + chown cyrus:mail ${PGK_PREFIX}/etc/sasldb.db + chmod 640 ${PGK_PREFIX}/etc/sasldb.db + fi +} + +# This should really be installed by Sendmail + +sendmail_conf() { + if [ ! -f ${PKG_PREFIX}/lib/sasl/Sendmail.conf ]; then + echo "pwcheck_method: pwcheck" > ${PKG_PREFIX}/lib/sasl/Sendmail.conf + fi +} + case $2 in PRE-INSTALL) - create + create_user + ;; + POST-INSTALL) + if [ "${PKG_BATCH}" = "NO" ]; then + create_sasldb + sendmail_conf + fi ;; esac diff -ruN cyrus-sasl.orig/pkg/MESSAGE cyrus-sasl/pkg/MESSAGE --- cyrus-sasl.orig/pkg/MESSAGE Sun Jan 23 23:22:21 2000 +++ cyrus-sasl/pkg/MESSAGE Sat Sep 16 11:27:56 2000 @@ -1,4 +1,15 @@ -Start the pwcheck program to have clients use the SASL libraries -as a non-root user: +PREFIX/etc/cyrusdb.db now needs to be created +before applications that depend on SASL are used. - /usr/local/etc/rc.d/pwcheck.sh [start|stop] + su cyrus + PREFIX/sbin/saslpasswd -c userid + +You will also need to start the pwcheck daemon: + + PREFIX/etc/rc.d/pwcheck.sh start + +Read the documentation in PREFIX/share/doc/SASL + +How to enable SMTP AUTH with system Sendmail 8.11 - Sendmail.README + +How to use LDAP or MySQL for passwords - see html/sysadmin.html diff -ruN cyrus-sasl.orig/pkg/PLIST cyrus-sasl/pkg/PLIST --- cyrus-sasl.orig/pkg/PLIST Sat Jun 17 03:56:22 2000 +++ cyrus-sasl/pkg/PLIST Mon Sep 18 20:51:56 2000 @@ -1,5 +1,7 @@ @unexec %D/etc/rc.d/pwcheck.sh stop ; echo "pwcheck stopped." etc/rc.d/pwcheck.sh +@comment remove ../etc/sasldb.db only if it exists and has a zero size. +@unexec [ -f %D/etc/sasldb.db -a ! -s %D/etc/sasldb.db ] && rm %D/etc/sasldb.db include/sasl/hmac-md5.h include/sasl/md5.h include/sasl/md5global.h 
@@ -31,7 +33,10 @@ lib/sasl/libplain.a lib/sasl/libplain.so lib/sasl/libplain.so.1 -@dirrm lib/sasl +@comment Sendmail.conf should be installed/uninstalled by Sendmail 8.11. +@comment We install it here because Sendmail 8.11 is in the base system. +@unexec echo "pwcheck_method: pwcheck" > %B/Sendmail.conf.tmp +@unexec if cmp -s %B/Sendmail.conf %B/Sendmail.conf.tmp; then rm -f %B/Sendmail.conf %B/Sendmail.conf.tmp; else rm -f %B/Sendmail.conf.tmp fi sbin/sasldblistusers sbin/saslpasswd sbin/pwcheck @@ -41,6 +46,7 @@ %%NOPORTDOCS%%share/doc/SASL/INSTALL %%NOPORTDOCS%%share/doc/SASL/NEWS %%NOPORTDOCS%%share/doc/SASL/README +%%NOPORTDOCS%%share/doc/SASL/Sendmail.README %%NOPORTDOCS%%share/doc/SASL/TODO %%NOPORTDOCS%%share/doc/SASL/draft-leach-digest-sasl-05.txt %%NOPORTDOCS%%share/doc/SASL/draft-newman-auth-scram-03.txt @@ -55,12 +61,13 @@ %%NOPORTDOCS%%share/doc/SASL/html/sysadmin.html %%NOPORTDOCS%%@dirrm share/doc/SASL/html %%NOPORTDOCS%%@dirrm share/doc/SASL +@dirrm lib/sasl @mode u=rwx,go= @cwd /var @exec mkdir pwcheck @exec chown cyrus:cyrus pwcheck @exec chmod go= pwcheck -@comment This file gets create by the pwcheck program -@unexec rm -f pwcheck/pwcheck +@comment This file gets created by the pwcheck program +@unexec rm -f /var/pwcheck/pwcheck @dirrm pwcheck @cwd %%PREFIX%% diff -ruN cyrus-sasl.orig/scripts/configure.sasl cyrus-sasl/scripts/configure.sasl --- cyrus-sasl.orig/scripts/configure.sasl Wed Dec 31 18:00:00 1969 +++ cyrus-sasl/scripts/configure.sasl Sat Sep 16 13:18:00 2000 
@@ -0,0 +1,59 @@ +#!/bin/sh +# $FreeBSD$ + +if [ -f ${WRKDIRPREFIX}${CURDIR}/Makefile.inc ]; then + exit +fi + +if [ "${BATCH}" ]; then + exit +else + /usr/bin/dialog --title "Additional pwcheck methods" --clear \ + --checklist "\n\ +Please select desired options:" -1 -1 16 \ +MySQL "MySQL password Authentication" OFF \ +OpenLDAP "OpenLDAP password Authentication" OFF \ +2> /tmp/checklist.tmp.$$ + + retval=$? + + if [ -s /tmp/checklist.tmp.$$ ]; then + set `cat /tmp/checklist.tmp.$$` + fi + rm -f /tmp/checklist.tmp.$$ + + case $retval in + 0) if [ -z "$*" ]; then + echo "Nothing selected" + fi + ;; + 1) echo "Cancel pressed." + exit 1 + ;; + esac +fi + +${MKDIR} ${WRKDIRPREFIX}${CURDIR} +exec > ${WRKDIRPREFIX}${CURDIR}/Makefile.inc + +echo "PREFIX= ${PREFIX}" + +while [ "$1" ]; do + case $1 in + \"MySQL\") + echo "LIB_DEPENDS+= mysqlclient.6:\${PORTSDIR}/databases/mysql322-client" + echo "CONFIGURE_ARGS+=--with-mysql=\${PREFIX}" + ;; + \"OpenLDAP\") + echo "LIB_DEPENDS+= ldap.1:\${PORTSDIR}/net/openldap" + echo "LIB_DEPENDS+= lber.1:\${PORTSDIR}/net/openldap" + echo "CONFIGURE_ARGS+=--with-ldap=\${PREFIX}" + ;; + *) + echo "Invalid option(s): $*" > /dev/stderr + rm -f ${WRKDIRPREFIX}${CURDIR}/Makefile.inc + exit 1 + ;; + esac + shift +done
>Release-Note:
>Audit-Trail:
>Unformatted:
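Review bot: in the Makefile hunk `@@ -110,20 +123,19 @@`, dropping the `.elif ${PREFIX} != ${LOCALBASE}` / `.BEGIN:` branch removes the only path that saved PREFIX into Makefile.inc for a non-interactive build: scripts/configure.sasl exits before it writes anything whenever BATCH is set, so a BATCH build with a non-default PREFIX no longer has the saved `PREFIX=` line the old comment says `make install` relies on. Either keep the `.BEGIN:` fallback or move the `echo "PREFIX= ${PREFIX}"` in configure.sasl ahead of the BATCH early exit.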
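Review bot: in files/Sendmail.README, step numbering mixes `1.` with `2)`, `3)`, `4)`, and `-L/usr/local/lib` is a linker flag placed in CFLAGS; it only works because bsd.prog.mk passes CFLAGS to the link step, so put it in LDFLAGS next to `LDADD+=-lsasl`. Step 4 also duplicates what pkg/INSTALL's sendmail_conf() already writes, so say it is only needed when the package was installed with BATCH set.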
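Review bot: in patch-ab's configure.in hunk `@@ -310,6 +311,88 @@`, the `if test -z "$with_mysql"` autodetection loop is effectively dead: AC_ARG_WITH defaults with_mysql to `no`, and a bare `--with-mysql` gives `yes`, so only the odd spelling `--with-mysql=` reaches the loop (same for the LDAP block). Either drop the loops or run them from the `""|yes)` case. In the `*)` branch, HAVE_MYSQL and HAVE_LDAP are AC_DEFINE'd without any AC_CHECK_LIB, so a wrong path is only discovered at link time; do the library check there as well.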
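Review bot: in patch-ai's hunk `@@ -902,6 +928,260 @@`, both new verifiers build their query from caller-supplied strings without quoting or length checks. mysql_verify_password() does `sprintf(qbuf,QUERY_STRING,...,userid,...,password)` into a 300-byte qbuf, so a quote character in either value changes the meaning of the SQL and an over-long value overruns the buffer; run both through mysql_escape_string() into separately sized buffers, build the query with snprintf, and return SASL_BADPARAM when it does not fit. ldap_verify_password() has the same shape with `sprintf(filter,"(%s=%s)", ldap_uidattr,userid)` into a 200-byte filter; escape the RFC 2254 filter metacharacters (`*`, `(`, `)`, `\`) and bound the write. Smaller points in the same hunk: mysql_query() and mysql_select_db() return non-zero, not negative, on error, so the `< 0` tests never fire; the row count should come from mysql_num_rows(result) rather than mysql_affected_rows(&mysql); the LDAP function calls `strcmp(password,"")` before checking for a NULL password (test `!userid || !password` first as the MySQL function does); the three `ldap_msgfree(entry)` calls should be ldap_msgfree(result) as in the count-mismatch branch; the `mysqluser/passwd/host` comment was copied from the MySQL block; and LDAP_BASEDN is defined but never used, while an ldap_basedn left at its `""` initialiser passes the `!ldap_basedn` check and searches with an empty base.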
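Review bot: in patch-aj's sysadmin.html hunk, the option list documents `mysql_passwd: <cleartext pw>` but says nothing about protecting the per-application config that holds it; add a sentence that this file must be readable only by the service user, since anyone who can read it can log in to the database directly. Also "A LDAP server" should read "An LDAP server".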
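Review bot: in pkg/INSTALL's hunk `@@ -65,9 +69,31 @@`, create_sasldb() uses `${PGK_PREFIX}` throughout where the rest of the script uses `${PKG_PREFIX}`; the misspelt variable is unset, so the test, touch, chown and chmod all act on /etc/sasldb.db instead of ${PKG_PREFIX}/etc/sasldb.db, and the PLIST `@unexec` for `%D/etc/sasldb.db` will never see the empty file it is meant to clean up. The file is also chowned `cyrus:mail` with mode 640 while the Makefile and PLIST use `cyrus:cyrus` for /var/pwcheck; choose one group deliberately, because 640 gives every member of that group read access to the SASL secrets database.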
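Review bot: in pkg/MESSAGE, the new text says `PREFIX/etc/cyrusdb.db now needs to be created`, but the file pkg/INSTALL creates and the PLIST removes is sasldb.db; fix the name so the instruction matches the `saslpasswd -c userid` step that follows it.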
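Review bot: in pkg/PLIST's hunk `@@ -31,7 +33,10 @@`, the line `@unexec if cmp -s %B/Sendmail.conf %B/Sendmail.conf.tmp; then rm -f %B/Sendmail.conf %B/Sendmail.conf.tmp; else rm -f %B/Sendmail.conf.tmp fi` is missing the `;` before `fi`, so the shell rejects it at pkg_delete time and the temp file (and a modified Sendmail.conf) are left behind; write `else rm -f %B/Sendmail.conf.tmp; fi`.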
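Review bot: in scripts/configure.sasl, the dialog output is written to `/tmp/checklist.tmp.$$`, a predictable name in a world-writable directory, and the script runs with the privileges of whoever runs `make` (normally root during a port build); create the file with `mktemp /tmp/checklist.XXXXXX` and fail if that does not succeed. The `case $retval` also only handles 0 and 1, so any other dialog exit status (for example Esc) falls through and writes a Makefile.inc with nothing selected; treat every non-zero status as a cancel.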