Date:      Sun, 27 Aug 2000 18:48:32 +0200 (CEST)
From:      Jimmy Olgeni <olgeni@uli.it>
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   ports/20887: [PATCH] LDAP support and fixes for cyrus-sasl
Message-ID:  <Pine.BSF.4.21.0008271847350.58985-100000@olgeni.localdomain.net>


>Number:         20887
>Category:       ports
>Synopsis:       [PATCH] LDAP support and fixes for cyrus-sasl
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-ports
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sun Aug 27 09:50:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:     Jimmy Olgeni
>Release:        FreeBSD 4.1-STABLE i386
>Organization:
Colby
>Environment:

Current cyrus-sasl port (1.5.24).

>Description:

NOTE: This PR supersedes PR 20623.

Changes:

* Enable support for LDAP in Makefile. It can be enabled by defining
the WITH_LDAP macro (make -DWITH_LDAP). Enabling LDAP will install the
pwcheck_ldap.conf.sample file in ${PREFIX}/etc. The pwcheck daemon
will then query the specified LDAP server to authenticate users.

The pwcheck_ldap.conf.sample file should be copied to
pwcheck_ldap.conf, and edited to reflect the site's LDAP
configuration. The "make deinstall" command will leave
pwcheck_ldap.conf alone.

pwcheck_ldap.conf contains 3 variables:

===
SASL_LDAP_SERVER="localhost"
SASL_LDAP_BASEDN="o=organization, c=US"
SASL_LDAP_UIDATTR="uid"
===

SASL_LDAP_SERVER: host name of the LDAP server.
SASL_LDAP_BASEDN: root of the LDAP tree in which the search is performed.
SASL_LDAP_UIDATTR: name of the UID field.

The pwcheck daemon will bind to the LDAP server using the user
identifier and password provided by the application requesting the
service. If the bind is successful the user is authenticated.

Reference binds (with empty passwords) are denied.
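The lookup step described above (a search filter built from SASL_LDAP_UIDATTR and the user id handed to pwcheck) is where the submitted pwcheck_ldap.c uses an unbounded sprintf() into a 200-byte buffer with no escaping. The following is an added example, not code from this PR or from pwcheck_ldap.c: a bounded filter builder that escapes the user id per RFC 2254 and refuses unset or malformed attribute names; the function names, the attribute-name character rule and the 64-byte check buffer are my own choices.

```c
/* Added example (not from the PR): build the pwcheck search filter
 * "(<uidattr>=<userid>)" with RFC 2254 escaping and a bounded buffer. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Escape the characters RFC 2254 reserves in a filter value into out[outlen].
 * Returns bytes written (without the NUL) or -1 if out is too small. */
static int ldap_escape_value(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    for (; *in != '\0'; in++) {
        const char *esc = NULL;
        switch (*in) {
        case '*':  esc = "\\2a"; break;
        case '(':  esc = "\\28"; break;
        case ')':  esc = "\\29"; break;
        case '\\': esc = "\\5c"; break;
        }
        if (n + (esc ? 3 : 1) >= outlen) return -1;   /* would overflow */
        if (esc) { memcpy(out + n, esc, 3); n += 3; } else out[n++] = *in;
    }
    out[n] = '\0';
    return (int)n;
}
/* Build "(attr=value)" into filter[filterlen]. attr is the operator-set
 * SASL_LDAP_UIDATTR value (NULL when unset); userid is untrusted input.
 * Returns 0 on success, -1 on missing/invalid input or overflow. */
int build_uid_filter(const char *attr, const char *userid,
                     char *filter, size_t filterlen)
{
    char escaped[256];
    if (attr == NULL || userid == NULL || *attr == '\0' || *userid == '\0')
        return -1;
    for (const char *p = attr; *p != '\0'; p++)   /* attribute names only */
        if (!isalnum((unsigned char)*p) && *p != '-' && *p != '.' && *p != ';')
            return -1;
    if (ldap_escape_value(userid, escaped, sizeof escaped) < 0) return -1;
    int len = snprintf(filter, filterlen, "(%s=%s)", attr, escaped);
    return (len < 0 || (size_t)len >= filterlen) ? -1 : 0;
}
/* Check helper: 1 if the filter builds into a 64-byte buffer and equals
 * expected; expected == NULL means the input must be rejected. */
int filter_is(const char *attr, const char *userid, const char *expected)
{
    char filter[64];
    int rc = build_uid_filter(attr, userid, filter, sizeof filter);
    return expected == NULL ? rc == -1 : (rc == 0 && strcmp(filter, expected) == 0);
}
```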

LDAP authentication is handled by a new file:

        pwcheck_ldap.c (version 1.01)
        Author: Clayton Donley <donley@cig.mot.com>
        http://www.wwa.com/~donley/

NOTE: I modified the file to support configuration via environment
variables in place of fixed #defines in the source.

patch-ag now changes Makefile.in in the pwcheck subdirectory to link
LDAP libraries, but only if LDAP is enabled.

Also, patches/patch-ab has been changed to integrate PR 20623 (fix for
Kerberos libraries detection).

The PLIST now includes pwcheck_ldap.conf.sample.

The last @unexec in the PLIST has been changed: the original version
didn't remove the file. A @comment typo has been fixed.

Changed files:

        Makefile (LDAP support: WITH_LDAP macro and pwcheck_ldap.conf.sample)

        files/pwcheck.sh (load and evaluate pwcheck_ldap.conf)

        patches/patch-ab (configure.in changes for Kerberos)

        pkg/PLIST (add pwcheck_ldap.conf.sample, @unexec and @comment fixes)

New files:

        pwcheck_ldap.conf.sample (sample pwcheck LDAP configuration)

        patches/patch-ac (pwcheck_ldap.c)

        patches/patch-ae (LDAP support: listed pwcheck_ldap.c in
                          EXTRA_pwcheck_SOURCES)

        patches/patch-af (configure.in: add --enable-ldap option)

        patches/patch-ag (LDAP support in Makefile.in)

Please note: patches/patch-ag adds a conditional to the Makefile, with
BSD make syntax.

>How-To-Repeat:

>Fix:

diff -rcN cyrus-sasl.orig/Makefile cyrus-sasl/Makefile
*** cyrus-sasl.orig/Makefile	Sat Aug 12 22:47:01 2000
--- cyrus-sasl/Makefile	Sun Aug 27 16:39:44 2000
***************
*** 34,39 ****
--- 34,40 ----
  
  USE_AUTOCONF=	YES
  USE_LIBTOOL=	YES
+ 
  CONFIGURE_ARGS=	--sysconfdir=${PREFIX}/etc \
  		--with-plugindir=${PREFIX}/lib/sasl \
  		--with-dbpath=${PREFIX}/etc/sasldb \
***************
*** 43,48 ****
--- 44,55 ----
  		--with-pwcheck=/var/pwcheck \
  		--with-rc4=openssl
  
+ .if defined(WITH_LDAP)
+ CONFIGURE_ARGS+= --enable-ldap
+ .else
+ LDAP_SUPPORT=	"@comment "
+ .endif
+ 
  # JavaSASL is currently Broken
  #JAVADIR=        jdk1.1.8
  #JAVALIBDIR=     ${PREFIX}/${JAVADIR}/lib/i386/green_threads/
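Review bot: the WITH_LDAP branch adds --enable-ldap but no LIB_DEPENDS on the LDAP client library, while patch-ag in this same submission links -llber -lldap from /usr/local; a WITH_LDAP build on a machine without the OpenLDAP port fails at link time, and the resulting package records no runtime dependency. Add a LIB_DEPENDS entry for the LDAP library port inside the `.if defined(WITH_LDAP)` block. Also set `LDAP_SUPPORT=` explicitly in that branch: it works today only because an undefined variable expands to nothing in PLIST_SUB.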
***************
*** 91,104 ****
  PLIST_SUB=	PREFIX=${PREFIX} \
  		GSSAPI=${GSSAPI} \
  		EBONES=${EBONES} \
! 		NOPORTDOCS=${NODOCS}
  
  # Create Cyrus user and group
  pre-install:
  	@${SH} ${PKGDIR}/INSTALL ${PKGNAME} PRE-INSTALL
  
  post-install:
! 	@${SED}  -e "/%%PREFIX%%/s##${PREFIX}#g" ${FILESDIR}/pwcheck.sh \
  		> ${PREFIX}/etc/rc.d/pwcheck.sh
  	@${CHMOD} 755 ${PREFIX}/etc/rc.d/pwcheck.sh
  	${INSTALL} -d -m 700 -o cyrus -g cyrus /var/pwcheck
--- 98,113 ----
  PLIST_SUB=	PREFIX=${PREFIX} \
  		GSSAPI=${GSSAPI} \
  		EBONES=${EBONES} \
! 		NOPORTDOCS=${NODOCS} \
! 		LDAP_SUPPORT=${LDAP_SUPPORT}
  
  # Create Cyrus user and group
  pre-install:
  	@${SH} ${PKGDIR}/INSTALL ${PKGNAME} PRE-INSTALL
  
  post-install:
! 	${INSTALL} ${COPY} -m600 -o root -g wheel ${FILESDIR}/pwcheck_ldap.conf.sample ${PREFIX}/etc
! 	@${SED} -e "/%%PREFIX%%/s##${PREFIX}#g" ${FILESDIR}/pwcheck.sh \
  		> ${PREFIX}/etc/rc.d/pwcheck.sh
  	@${CHMOD} 755 ${PREFIX}/etc/rc.d/pwcheck.sh
  	${INSTALL} -d -m 700 -o cyrus -g cyrus /var/pwcheck
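Review bot: the new post-install line installs pwcheck_ldap.conf.sample unconditionally, but the PLIST entry for it is prefixed with %%LDAP_SUPPORT%%, which the Makefile sets to "@comment " when WITH_LDAP is not defined; a non-LDAP build therefore installs a file the package never registers and leaves it behind on deinstall. Wrap the ${INSTALL} line in `.if defined(WITH_LDAP)` / `.endif` so the installed files and the PLIST agree. Installing the sample 0600 root:wheel is the right choice, since pwcheck.sh sources the live config as root.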
diff -rcN cyrus-sasl.orig/files/pwcheck.sh cyrus-sasl/files/pwcheck.sh
*** cyrus-sasl.orig/files/pwcheck.sh	Mon Jan 24 06:22:15 2000
--- cyrus-sasl/files/pwcheck.sh	Sun Aug 27 16:21:38 2000
***************
*** 5,10 ****
--- 5,17 ----
  
  PREFIX=%%PREFIX%%
  
+ if [ -r ${PREFIX}/etc/pwcheck_ldap.conf ]; then
+ 	. ${PREFIX}/etc/pwcheck_ldap.conf
+ 	export SASL_LDAP_SERVER
+ 	export SASL_LDAP_BASEDN
+ 	export SASL_LDAP_UIDATTR
+ fi
+ 
  case "$1" in
  
  start)
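Review bot: `. ${PREFIX}/etc/pwcheck_ldap.conf` executes the file as shell code with root privileges at boot, so its ownership and mode matter as much as its contents. The sample is installed 0600 root:wheel, but the admin-created pwcheck_ldap.conf gets whatever mode the admin gives it; have the script refuse (or at least warn) when the file is not owned by root or is group/world writable, and say in the PR description that the file is sourced, not parsed.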
diff -rcN cyrus-sasl.orig/files/pwcheck_ldap.conf.sample cyrus-sasl/files/pwcheck_ldap.conf.sample
*** cyrus-sasl.orig/files/pwcheck_ldap.conf.sample	Thu Jan  1 01:00:00 1970
--- cyrus-sasl/files/pwcheck_ldap.conf.sample	Sun Aug 27 16:21:38 2000
***************
*** 0 ****
--- 1,3 ----
+ SASL_LDAP_SERVER="localhost"
+ SASL_LDAP_BASEDN="o=organization, c=US"
+ SASL_LDAP_UIDATTR="uid"
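Review bot: a comment at the top of the sample would save the admin from two surprises: the file is sourced by /bin/sh, so values must stay quoted and must not contain `$`, backquotes or unbalanced quotes, and the server value is used with ldap_open() on the default port with a simple bind, so the user's password crosses the network in the clear and the server should be local or on a protected segment.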
diff -rcN cyrus-sasl.orig/patches/patch-ab cyrus-sasl/patches/patch-ab
*** cyrus-sasl.orig/patches/patch-ab	Sat Aug 12 22:47:01 2000
--- cyrus-sasl/patches/patch-ab	Fri Aug 18 16:31:39 2000
***************
*** 1,14 ****
! --- configure.in.orig	Thu Aug  3 14:34:08 2000
! +++ configure.in	Thu Aug  3 14:39:24 2000
! @@ -66,8 +66,9 @@
!  dnl check for -R, etc. switch
!  CMU_GUESS_RUNPATH_SWITCH
!  dnl let's just link against local.  otherwise we never find anything useful.
! -CPPFLAGS="-I/usr/local/include ${CPPFLAGS}"
! -CMU_ADD_LIBPATH("/usr/local/lib")
! +CPPFLAGS="-I${OPENSSLINC} -I${OPENSSLINC}/openssl ${CPPFLAGS}"
! +CMU_ADD_LIBPATH("${LOCALBASE}/lib")
! +CMU_ADD_LIBPATH("${OPENSSLLIB}")
!  
!  AM_DISABLE_STATIC
!  
--- 1,39 ----
! *** configure.in.orig	Fri Jul 21 04:35:01 2000
! --- configure.in	Fri Aug 18 16:31:21 2000
! ***************
! *** 66,73 ****
!   dnl check for -R, etc. switch
!   CMU_GUESS_RUNPATH_SWITCH
!   dnl let's just link against local.  otherwise we never find anything useful.
! ! CPPFLAGS="-I/usr/local/include ${CPPFLAGS}"
! ! CMU_ADD_LIBPATH("/usr/local/lib")
!   
!   AM_DISABLE_STATIC
!   
! --- 66,74 ----
!   dnl check for -R, etc. switch
!   CMU_GUESS_RUNPATH_SWITCH
!   dnl let's just link against local.  otherwise we never find anything useful.
! ! CPPFLAGS="-I${OPENSSLINC} -I${OPENSSLINC}/openssl ${CPPFLAGS}"
! ! CMU_ADD_LIBPATH("${LOCALBASE}/lib")
! ! CMU_ADD_LIBPATH("${OPENSSLLIB}")
!   
!   AM_DISABLE_STATIC
!   
! ***************
! *** 436,442 ****
!     if test "$with_des" != no; then
!       AC_CHECK_HEADER(krb.h,
!         AC_CHECK_LIB(krb, krb_mk_priv, COM_ERR="",
! ! 	AC_CHECK_LIB(krb, krb_mk_priv, COM_ERR="-lcom_err",
!                        AC_WARN(No Kerberos V4 found); krb4=no, -ldes -lcom_err),
!           -ldes),
!         AC_WARN(No Kerberos V4 found); krb4=no)
! --- 437,443 ----
!     if test "$with_des" != no; then
!       AC_CHECK_HEADER(krb.h,
!         AC_CHECK_LIB(krb, krb_mk_priv, COM_ERR="",
! ! 	AC_CHECK_LIB(krb, krb_mk_err, COM_ERR="-lcom_err",
!                        AC_WARN(No Kerberos V4 found); krb4=no, -ldes -lcom_err),
!           -ldes),
!         AC_WARN(No Kerberos V4 found); krb4=no)
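Review bot: the functional change here is a single token, krb_mk_priv to krb_mk_err in the fallback AC_CHECK_LIB, but the patch is also rewritten from unified to context format, so the whole file shows as replaced and the one-line fix is hard to spot; keep the original format and the hunk shrinks to two lines. The reason for the different symbol also deserves a comment in the patch or the PR: autoconf caches AC_CHECK_LIB results per library/function pair, so a second check of krb/krb_mk_priv reuses the cached failure and never retries with -lcom_err, which is the Kerberos V4 detection bug PR 20623 addressed.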
diff -rcN cyrus-sasl.orig/patches/patch-ac cyrus-sasl/patches/patch-ac
*** cyrus-sasl.orig/patches/patch-ac	Thu Jan  1 01:00:00 1970
--- cyrus-sasl/patches/patch-ac	Sun Aug 27 16:21:38 2000
***************
*** 0 ****
--- 1,138 ----
+ *** pwcheck/pwcheck_ldap.c.orig	Tue Aug  1 18:55:40 2000
+ --- pwcheck/pwcheck_ldap.c	Tue Aug  1 19:09:36 2000
+ ***************
+ *** 0 ****
+ --- 1,133 ----
+ + /* pwcheck_ldap.c -- check passwords using LDAP
+ +  *
+ +  * Author: Clayton Donley <donley@cig.mot.com>
+ +  *         http://www.wwa.com/~donley/
+ +  * Version: 1.01
+ +  *
+ +  * Note: This works by finding a DN that matches an entered UID and
+ +  * binding to the LDAP server using this UID.  This uses clear-text
+ +  * passwords.  A better approach with servers that support SSL and
+ +  * new LDAPv3 servers that support SASL bind methods like CRAM-MD5
+ +  * and TSL.
+ +  *
+ +  * This version should work with both University of Michigan and Netscape
+ +  * LDAP libraries.  It also gets rid of the requirement for userPassword
+ +  * attribute readability.
+ +  *
+ +  */
+ + 
+ + #include <stdio.h>
+ + #include <stdlib.h>
+ + #include <lber.h>
+ + #include <ldap.h>
+ + 
+ + /*
+ + 
+ + The old #defines have been removed. This version uses 3 environment variables:
+ + 
+ + SASL_LDAP_SERVER (ex: "localhost")
+ + SASL_LDAP_BASEDN (ex: "o=organization, c=US")
+ + SASL_LDAP_UIDATTR (ex: "uid")
+ + 
+ + */
+ + 
+ + char *pwcheck(userid, password)
+ + char *userid;
+ + char *password;
+ + {
+ +     LDAP *ld;
+ +     LDAPMessage *result;
+ +     LDAPMessage *entry;
+ +     char *attrs[2];
+ +     char filter[200]; 
+ +     char *dn;
+ + 
+ + /* If the password is NULL, reject the login...Otherwise the bind will
+ +    succeed as a reference bind.  Not good... */
+ + 
+ +     if (strcmp(password,"") == 0)
+ +     {
+ +        return "Null Password";
+ +     }
+ + 
+ + /* Open the LDAP connection.  Change the second argument if your LDAP
+ +    server is not on port 389. */
+ + 
+ +     if ((ld = ldap_open(getenv("SASL_LDAP_SERVER"),LDAP_PORT)) == NULL)
+ +     {
+ +        return "Init Failed";
+ +     }
+ + 
+ + /* Bind anonymously so that you can find the DN of the appropriate user. */
+ + 
+ +     if (ldap_simple_bind_s(ld,"","") != LDAP_SUCCESS)
+ +     {
+ +         ldap_unbind(ld);
+ +         return "Bind Failed";
+ +     }
+ + 
+ + /* Generate a filter that will return the entry with a matching UID */
+ + 
+ +     sprintf(filter,"(%s=%s)",getenv("SASL_LDAP_UIDATTR"),userid);
+ + 
+ + /* Just return country...This doesn't actually matter, since we will
+ +    not read the attributes and values, only the DN */
+ + 
+ +     attrs[0] = "c";
+ +     attrs[1] = NULL;
+ + 
+ + /* Perform the search... */
+ + 
+ +     if (ldap_search_s(ld,getenv("SASL_LDAP_BASEDN"),LDAP_SCOPE_SUBTREE,filter,attrs,1,&result) != LDAP_SUCCESS)
+ +     {
+ +        ldap_unbind(ld);
+ +        return "Search Failed";
+ +     }
+ + 
+ + /* If the entry count is not equal to one, either the UID was not unique or
+ +    there was no match */
+ + 
+ +     if (ldap_count_entries(ld,result) != 1)
+ +     {
+ +        ldap_msgfree(result);
+ +        ldap_unbind(ld);
+ +        return "UserID Unknown";
+ +     }
+ + 
+ + /* Get the first entry */
+ + 
+ +     if ((entry = ldap_first_entry(ld,result)) == NULL)
+ +     {
+ +        ldap_msgfree(result);
+ +        ldap_unbind(ld);
+ +        return "UserID Unknown";
+ +     }
+ + 
+ + /* Get the DN of the entry */
+ + 
+ +     if ((dn = ldap_get_dn(ld,entry)) == NULL)
+ +     {
+ +        ldap_msgfree(entry);
+ +        ldap_unbind(ld);
+ +        return "DN Not Found";
+ +     }
+ + 
+ + /* Now bind as the DN with the password supplied earlier...
+ +    Successful bind means the password was correct, otherwise the
+ +    password is invalid. */
+ + 
+ + /* FIXME: This does not work with "{encryption-type}password" entries... */
+ + 
+ +     if (ldap_simple_bind_s(ld,dn,password) != LDAP_SUCCESS)
+ +     {
+ +        free(dn);
+ +        ldap_msgfree(entry);
+ +        ldap_unbind(ld);
+ +        return "Invalid Login or Password";
+ +     }
+ + 
+ +     free(dn);
+ +     ldap_msgfree(entry);
+ +     ldap_unbind(ld);
+ +     return "OK";
+ + }
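Review bot: `sprintf(filter,"(%s=%s)",getenv("SASL_LDAP_UIDATTR"),userid);` writes the caller-supplied userid into `char filter[200]` with no length check and no escaping, so an over-long user id overflows a stack buffer and filter metacharacters in the user id change the query the daemon runs; use snprintf() with a length check and escape `*`, `(`, `)` and `\` per RFC 2254 before the value goes into the filter. Further points in the same file: all three getenv() results are used without a NULL check, so an unset variable becomes a NULL argument to ldap_open(), sprintf() or ldap_search_s(); strcmp() is called without `#include <string.h>`, and a NULL password would crash it; `ldap_msgfree(entry)` should be `ldap_msgfree(result)`, since the entry is part of the result chain; and `free(dn)` should be ldap_memfree() if the file really aims to work with the Netscape SDK named in its header. The header comment's sentence starting "A better approach with servers that support SSL" is also cut off.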
diff -rcN cyrus-sasl.orig/patches/patch-ae cyrus-sasl/patches/patch-ae
*** cyrus-sasl.orig/patches/patch-ae	Thu Jan  1 01:00:00 1970
--- cyrus-sasl/patches/patch-ae	Sun Aug 27 16:21:38 2000
***************
*** 0 ****
--- 1,17 ----
+ *** pwcheck/Makefile.am.orig	Thu Apr  6 16:50:24 2000
+ --- pwcheck/Makefile.am	Sat Jul 15 18:33:03 2000
+ ***************
+ *** 25,30 ****
+   sbin_PROGRAMS = pwcheck
+   
+   pwcheck_SOURCES = pwcheck.c
+ ! EXTRA_pwcheck_SOURCES = pwcheck_getpwnam.c pwcheck_getspnam.c
+   pwcheck_DEPENDECIES = pwcheck_@PWCHECKMETH@.lo
+   pwcheck_LDADD = pwcheck_@PWCHECKMETH@.lo @LIB_CRYPT@ @LIB_SOCKET@
+ --- 25,30 ----
+   sbin_PROGRAMS = pwcheck
+   
+   pwcheck_SOURCES = pwcheck.c
+ ! EXTRA_pwcheck_SOURCES = pwcheck_getpwnam.c pwcheck_getspnam.c pwcheck_ldap.c
+   pwcheck_DEPENDECIES = pwcheck_@PWCHECKMETH@.lo
+   pwcheck_LDADD = pwcheck_@PWCHECKMETH@.lo @LIB_CRYPT@ @LIB_SOCKET@
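Review bot: this edits Makefile.am, but the port only sets USE_AUTOCONF, so automake never reruns and the change has no effect on the build; the file the build actually reads is pwcheck/Makefile.in, which patch-ag edits. Keeping this for consistency is fine, but say so in the PR so a committer does not expect it to add the source by itself.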
diff -rcN cyrus-sasl.orig/patches/patch-af cyrus-sasl/patches/patch-af
*** cyrus-sasl.orig/patches/patch-af	Thu Jan  1 01:00:00 1970
--- cyrus-sasl/patches/patch-af	Sun Aug 27 16:21:38 2000
***************
*** 0 ****
--- 1,36 ----
+ *** configure.in.orig	Sat Jul 15 19:21:44 2000
+ --- configure.in	Sat Jul 15 19:23:34 2000
+ ***************
+ *** 275,280 ****
+ --- 275,284 ----
+   fi
+   AC_SUBST(LIB_PAM)
+   
+ + AC_ARG_ENABLE(ldap, [  --enable-ldap           enable ldap authentication [no] ],
+ +   ldap=$enableval,
+ +   ldap=no)
+ + 
+   AC_ARG_WITH(pwcheck,[  --with-pwcheck=DIR      enable use of the pwcheck daemonusing statedir DIR ],
+   	with_pwcheck=$withval,
+   	with_pwcheck=no)
+ ***************
+ *** 284,290 ****
+      fi
+      AC_DEFINE(HAVE_PWCHECK)
+      AC_DEFINE_UNQUOTED(PWCHECKDIR, "$with_pwcheck")
+ !    AC_CHECK_FUNC(getspnam,PWCHECKMETH="getspnam",PWCHECKMETH="getpwnam")
+      AC_SUBST(PWCHECKMETH)
+   fi
+   AM_CONDITIONAL(PWCHECK, test "$with_pwcheck" != no)
+ --- 288,298 ----
+      fi
+      AC_DEFINE(HAVE_PWCHECK)
+      AC_DEFINE_UNQUOTED(PWCHECKDIR, "$with_pwcheck")
+ !    if test "$ldap" = yes; then
+ !      PWCHECKMETH=ldap
+ !    else
+ !      AC_CHECK_FUNC(getspnam,PWCHECKMETH="getspnam",PWCHECKMETH="getpwnam")
+ !    fi
+      AC_SUBST(PWCHECKMETH)
+   fi
+   AM_CONDITIONAL(PWCHECK, test "$with_pwcheck" != no)
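Review bot: `if test "$ldap" = yes; then PWCHECKMETH=ldap` selects the LDAP backend without checking that ldap.h and the ldap/lber libraries are present, so a misconfigured host fails deep in the link step instead of at configure time; add AC_CHECK_HEADER(ldap.h) and AC_CHECK_LIB(ldap, ldap_open, ...) under that branch, error out clearly if they fail, and AC_SUBST the resulting link flags so the Makefile can pick them up. Also, the nested `[no]` in the AC_ARG_ENABLE help string is inside an already bracketed argument, so m4 strips the inner brackets and the help text prints as "enable ldap authentication no"; write it as "(default: no)" or follow the existing --with-pwcheck line.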
diff -rcN cyrus-sasl.orig/patches/patch-ag cyrus-sasl/patches/patch-ag
*** cyrus-sasl.orig/patches/patch-ag	Thu Jan  1 01:00:00 1970
--- cyrus-sasl/patches/patch-ag	Sun Aug 27 18:02:03 2000
***************
*** 0 ****
--- 1,27 ----
+ *** pwcheck/Makefile.in.orig	Fri Jul 21 04:36:07 2000
+ --- pwcheck/Makefile.in	Sun Aug 27 18:01:44 2000
+ ***************
+ *** 144,151 ****
+   LIBS = @LIBS@
+   pwcheck_OBJECTS =  pwcheck.o
+   pwcheck_DEPENDENCIES =  pwcheck_@PWCHECKMETH@.lo
+ ! pwcheck_LDFLAGS = 
+   CFLAGS = @CFLAGS@
+   COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+   LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+   CCLD = $(CC)
+ --- 144,157 ----
+   LIBS = @LIBS@
+   pwcheck_OBJECTS =  pwcheck.o
+   pwcheck_DEPENDENCIES =  pwcheck_@PWCHECKMETH@.lo
+ ! PWCHECKMETH=@PWCHECKMETH@
+ ! .if ${PWCHECKMETH} == "ldap"
+ ! pwcheck_LDFLAGS = -llber -lldap
+ ! CFLAGS = @CFLAGS@ -I/usr/local/include
+ ! .else
+ ! pwcheck_LDFLAGS =
+   CFLAGS = @CFLAGS@
+ + .endif
+   COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+   LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+   CCLD = $(CC)
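Review bot: `.if ${PWCHECKMETH} == "ldap"` puts BSD make conditionals into a generated automake Makefile.in, which ties the build to BSD make and, with `-I/usr/local/include`, hardcodes a path the rest of the port expresses as ${LOCALBASE}; the portable form is to have configure substitute the LDAP libraries and include path (for example an @LDAP_LIBS@ set under --enable-ldap) and reference them here unconditionally. Separately, `pwcheck_LDFLAGS = -llber -lldap` puts libraries into LDFLAGS, which automake places before the object files on the link line; libraries belong in pwcheck_LDADD so they follow the objects that need them.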
diff -rcN cyrus-sasl.orig/pkg/PLIST cyrus-sasl/pkg/PLIST
*** cyrus-sasl.orig/pkg/PLIST	Fri Jun 16 21:46:22 2000
--- cyrus-sasl/pkg/PLIST	Sun Aug 27 16:39:44 2000
***************
*** 1,4 ****
--- 1,5 ----
  @unexec %D/etc/rc.d/pwcheck.sh stop ; echo "pwcheck stopped."
+ %%LDAP_SUPPORT%%etc/pwcheck_ldap.conf.sample
  etc/rc.d/pwcheck.sh
  include/sasl/hmac-md5.h
  include/sasl/md5.h
***************
*** 60,66 ****
  @exec mkdir pwcheck
  @exec chown cyrus:cyrus pwcheck
  @exec chmod go= pwcheck
! @comment This file gets create by the pwcheck program
! @unexec rm -f pwcheck/pwcheck
  @dirrm pwcheck
  @cwd %%PREFIX%%
--- 61,67 ----
  @exec mkdir pwcheck
  @exec chown cyrus:cyrus pwcheck
  @exec chmod go= pwcheck
! @comment This file gets created by the pwcheck program
! @unexec rm -f /var/pwcheck/pwcheck
  @dirrm pwcheck
  @cwd %%PREFIX%%


>Release-Note:
>Audit-Trail:
>Unformatted:

