Date:      Mon, 28 Aug 2000 18:00:04 -0700 (PDT)
From:      "Scot W. Hetzel" <hetzels@westbend.net>
To:        freebsd-ports@FreeBSD.org
Subject:   Re: ports/20887: [PATCH] LDAP support and fixes for cyrus-sasl
Message-ID:  <200008290100.SAA52785@freefall.freebsd.org>

The following reply was made to PR ports/20887; it has been noted by GNATS.

From: "Scot W. Hetzel" <hetzels@westbend.net>
To: FreeBSD-gnats-submit@FreeBSD.ORG
Cc: Jimmy Olgeni <olgeni@uli.it>
Subject: Re: ports/20887: [PATCH] LDAP support and fixes for cyrus-sasl
Date: Mon, 28 Aug 2000 19:58:51 -0500 (CDT)

 Jimmy, 
 
 Thank you for taking the time to fix your patches.  I did find one
 problem with LIB_DEPENDS: it should have been defined within a
 ".if defined(WITH_LDAP) .. .endif".  This way it becomes an optional
 dependency.
 
 I also changed the patches back to unified diffs instead of context diffs.
 
 Ports committers:
 
 	Please apply the below patches to the security/cyrus-sasl port.
 
 Thanks,
 
 Scot W. Hetzel
 cyrus-sasl maintainer
 
 diff -ruN cyrus-sasl.orig/Makefile cyrus-sasl/Makefile
 --- cyrus-sasl.orig/Makefile	Sat Aug 19 03:56:57 2000
 +++ cyrus-sasl/Makefile	Mon Aug 28 19:39:22 2000
 @@ -15,6 +15,10 @@
  
  MAINTAINER=	hetzels@westbend.net
  
 +.if defined(WITH_LDAP)
 +LIB_DEPENDS=	ldap.1:${PORTSDIR}/net/openldap
 +.endif
 +
  USE_OPENSSL=	RSA
  
  INSTALLS_SHLIB=	yes
 @@ -34,6 +38,7 @@
  
  USE_AUTOCONF=	YES
  USE_LIBTOOL=	YES
 +
  CONFIGURE_ARGS=	--sysconfdir=${PREFIX}/etc \
  		--with-plugindir=${PREFIX}/lib/sasl \
  		--with-dbpath=${PREFIX}/etc/sasldb \
 @@ -43,6 +48,13 @@
  		--with-pwcheck=/var/pwcheck \
  		--with-rc4=openssl
  
 +.if defined(WITH_LDAP)
 +PKGMESSAGE=	${PKGDIR}/MESSAGE.ldap
 +CONFIGURE_ARGS+=	--enable-ldap
 +.else
 +LDAP_SUPPORT=	"@comment "
 +.endif
 +
  # JavaSASL is currently Broken
  #JAVADIR=        jdk1.1.8
  #JAVALIBDIR=     ${PREFIX}/${JAVADIR}/lib/i386/green_threads/
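Review bot: The `.if defined(WITH_LDAP)` branch sets PKGMESSAGE and CONFIGURE_ARGS but never assigns LDAP_SUPPORT, so the `LDAP_SUPPORT=${LDAP_SUPPORT}` entry this commit adds to PLIST_SUB relies on an undefined variable expanding to empty to enable the `%%LDAP_SUPPORT%%` PLIST lines. That works, but it is invisible to the next reader; an explicit `LDAP_SUPPORT=` in the `.if` branch states the intent and keeps the two branches symmetrical with the `.else` that sets `"@comment "`.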
 @@ -91,14 +103,24 @@
  PLIST_SUB=	PREFIX=${PREFIX} \
  		GSSAPI=${GSSAPI} \
  		EBONES=${EBONES} \
 -		NOPORTDOCS=${NODOCS}
 +		NOPORTDOCS=${NODOCS} \
 +		LDAP_SUPPORT=${LDAP_SUPPORT}
 +
 +post-extract:
 +	${CP} ${FILESDIR}/pwcheck_ldap.c ${WRKSRC}/pwcheck
  
  # Create Cyrus user and group
  pre-install:
  	@${SH} ${PKGDIR}/INSTALL ${PKGNAME} PRE-INSTALL
  
  post-install:
 -	@${SED}  -e "/%%PREFIX%%/s##${PREFIX}#g" ${FILESDIR}/pwcheck.sh \
 +	${INSTALL} ${COPY} -m600 -o root -g wheel ${FILESDIR}/pwcheck_ldap.conf.sample ${PREFIX}/etc
 +.if defined(WITH_LDAP)
 +	if [ ! -e ${PREFIX}/etc/pwcheck_ldap.conf ]; then \
 +		${CP} ${PREFIX}/etc/pwcheck_ldap.conf.sample ${PREFIX}/etc/pwcheck_ldap.conf ; \
 +	fi
 +.endif
 +	@${SED} -e "/%%PREFIX%%/s##${PREFIX}#g" ${FILESDIR}/pwcheck.sh \
  		> ${PREFIX}/etc/rc.d/pwcheck.sh
  	@${CHMOD} 755 ${PREFIX}/etc/rc.d/pwcheck.sh
  	${INSTALL} -d -m 700 -o cyrus -g cyrus /var/pwcheck
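Review bot: `${INSTALL} ${COPY} -m600 -o root -g wheel ${FILESDIR}/pwcheck_ldap.conf.sample ${PREFIX}/etc` sits before the `.if defined(WITH_LDAP)` and so runs for every build, while PLIST records `etc/pwcheck_ldap.conf.sample` only under `%%LDAP_SUPPORT%%`; a non-LDAP package therefore installs a file it does not list and leaves it behind on deinstall. Moving that line inside the `.if defined(WITH_LDAP)` block directly below it fixes the mismatch. The sample-to-conf copy inside the same block duplicates the `@exec` this commit adds to PLIST, so one of the two can be dropped. The post-install target continues past the end of the hunk.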
 @@ -114,6 +136,7 @@
  	@${INSTALL_DATA} ${WRKSRC}/doc/${file}.html ${PREFIX}/share/doc/SASL/html
  .endfor
  .endif
 +	@${CAT} ${PKGMESSAGE}
  
  .if exists(${WRKDIRPREFIX}${.CURDIR}/Makefile.inc)
  post-clean:
 diff -ruN cyrus-sasl.orig/files/pwcheck.sh cyrus-sasl/files/pwcheck.sh
 --- cyrus-sasl.orig/files/pwcheck.sh	Sat Jan 29 03:53:36 2000
 +++ cyrus-sasl/files/pwcheck.sh	Mon Aug 28 19:13:05 2000
 @@ -5,6 +5,13 @@
  
  PREFIX=%%PREFIX%%
  
 +if [ -r ${PREFIX}/etc/pwcheck_ldap.conf ]; then
 +	. ${PREFIX}/etc/pwcheck_ldap.conf
 +	export SASL_LDAP_SERVER
 +	export SASL_LDAP_BASEDN
 +	export SASL_LDAP_UIDATTR
 +fi
 +
  case "$1" in
  
  start)
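Review bot: `. ${PREFIX}/etc/pwcheck_ldap.conf` executes the config file as shell, which is acceptable only because the sample is installed root:wheel mode 600 and this rc script runs as root; the three `export` lines, however, do not check that the variables were actually set, so an incomplete config starts the daemon with `SASL_LDAP_SERVER` unset and the patched pwcheck_ldap.c then passes a NULL from getenv into ldap_open. A guard after the exports, `[ -n "$SASL_LDAP_SERVER" -a -n "$SASL_LDAP_BASEDN" -a -n "$SASL_LDAP_UIDATTR" ] || { echo "pwcheck: pwcheck_ldap.conf is incomplete"; exit 1; }`, fails fast instead. The `case "$1"` that consumes these values continues outside the hunk.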
 diff -ruN cyrus-sasl.orig/files/pwcheck_ldap.c cyrus-sasl/files/pwcheck_ldap.c
 --- cyrus-sasl.orig/files/pwcheck_ldap.c	Wed Dec 31 18:00:00 1969
 +++ cyrus-sasl/files/pwcheck_ldap.c	Mon Aug 28 19:13:05 2000
 @@ -0,0 +1,129 @@
 +/* pwcheck_ldap.c -- check passwords using LDAP
 + *
 + * Author: Clayton Donley <donley@cig.mot.com>
 + *         http://www.wwa.com/~donley/
 + * Version: 1.01
 + *
 + * Note: This works by finding a DN that matches an entered UID and
 + * binding to the LDAP server using this UID.  This uses clear-text
 + * passwords.  A better approach with servers that support SSL and
 + * new LDAPv3 servers that support SASL bind methods like CRAM-MD5
 + * and TSL.
 + *
 + * This version should work with both University of Michigan and Netscape
 + * LDAP libraries.  It also gets rid of the requirement for userPassword
 + * attribute readability.
 + *
 + */
 +
 +#include <stdio.h>
 +#include <lber.h>
 +#include <ldap.h>
 +
 +/* Set These to your Local Environment */
 +
 +#define MY_LDAP_SERVER	"localhost"
 +#define MY_LDAP_BASEDN	"o=JOFA, c=UK"
 +#define MY_LDAP_UIDATTR	"uid"
 +
 +char *pwcheck(userid, password)
 +char *userid;
 +char *password;
 +{
 +    LDAP *ld;
 +    LDAPMessage *result;
 +    LDAPMessage *entry;
 +    char *attrs[2];
 +    char filter[200]; 
 +    char *dn;
 +    int ldbind_res;
 +    char **vals;
 +
 +/* If the password is NULL, reject the login...Otherwise the bind will
 +   succeed as a reference bind.  Not good... */
 +
 +    if (strcmp(password,"") == 0)
 +    {
 +       return "Null Password";
 +    }
 +
 +/* Open the LDAP connection.  Change the second argument if your LDAP
 +   server is not on port 389. */
 +
 +    if ((ld = ldap_open(MY_LDAP_SERVER,LDAP_PORT)) == NULL)
 +    {
 +       return "Init Failed";
 +    }
 +
 +/* Bind anonymously so that you can find the DN of the appropriate user. */
 +
 +    if (ldap_simple_bind_s(ld,"","") != LDAP_SUCCESS)
 +    {
 +        ldap_unbind(ld);
 +        return "Bind Failed";
 +    }
 +
 +/* Generate a filter that will return the entry with a matching UID */
 +
 +    sprintf(filter,"(%s=%s)",MY_LDAP_UIDATTR,userid);
 +
 +/* Just return country...This doesn't actually matter, since we will
 +   not read the attributes and values, only the DN */
 +
 +    attrs[0] = "c";
 +    attrs[1] = NULL;
 +
 +/* Perform the search... */
 +
 +    if (ldap_search_s(ld,MY_LDAP_BASEDN,LDAP_SCOPE_SUBTREE,filter,attrs,1,&result) != LDAP_SUCCESS)
 +    {
 +       ldap_unbind(ld);
 +       return "Search Failed";
 +    }
 +
 +/* If the entry count is not equal to one, either the UID was not unique or
 +   there was no match */
 +
 +    if (ldap_count_entries(ld,result) != 1)
 +    {
 +	ldap_msgfree(result);
 +       ldap_unbind(ld);
 +       return "UserID Unknown";
 +    }
 +
 +/* Get the first entry */
 +
 +    if ((entry = ldap_first_entry(ld,result)) == NULL)
 +    {
 +	ldap_msgfree(result);
 +       ldap_unbind(ld);
 +       return "UserID Unknown";
 +    }
 +
 +/* Get the DN of the entry */
 +
 +    if ((dn = ldap_get_dn(ld,entry)) == NULL)
 +    {
 +	ldap_msgfree(entry);
 +       ldap_unbind(ld);
 +       return "DN Not Found";
 +    }
 +
 +/* Now bind as the DN with the password supplied earlier...
 +   Successful bind means the password was correct, otherwise the
 +   password is invalid. */
 +
 +    if (ldap_simple_bind_s(ld,dn,password) != LDAP_SUCCESS)
 +    {
 +	free(dn);
 +	ldap_msgfree(entry);
 +       ldap_unbind(ld);
 +       return "Invalid Login or Password";
 +    }
 +
 +    free(dn);
 +    ldap_msgfree(entry);
 +    ldap_unbind(ld);
 +    return "OK";
 +}
 +
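Review bot: `sprintf(filter,"(%s=%s)",MY_LDAP_UIDATTR,userid)` copies the caller-supplied userid into the fixed `char filter[200]` with no length bound and no escaping, so an over-long userid overruns the stack buffer and one containing filter metacharacters (`*`, `(`, `)`, `\`) alters the search instead of matching a literal uid; the value needs RFC 2254 escaping and an `snprintf` with the lookup refused when it does not fit. The `ldap_msgfree(entry)` calls after `ldap_first_entry` should free `result`, the chain head returned by `ldap_search_s`, as the two earlier error paths already do. `strcmp` and `free` are used without `<string.h>` and `<stdlib.h>`, so both are implicitly declared. The anonymous bind and the cleartext simple bind are acknowledged in the header comment and are not addressed here.
```c
/* Escape RFC 2254 filter metacharacters from in into out (NUL-terminated);
   returns -1 when the escaped value does not fit in outlen bytes. */
static int escape_filter_value(in, out, outlen)
char *in;
char *out;
size_t outlen;
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;

    for (; *in != '\0'; in++) {
        unsigned char c = (unsigned char)*in;

        if (c == '*' || c == '(' || c == ')' || c == '\\') {
            if (o + 3 >= outlen)
                return -1;
            out[o++] = '\\';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
        } else {
            if (o + 1 >= outlen)
                return -1;
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return 0;
}

char *pwcheck(userid, password)
char *userid;
char *password;
{
    /* … unchanged: existing declarations … */
    char safe_uid[200];

    /* … unchanged: empty-password check, ldap_open, anonymous bind … */

    /* Build the uid filter from the escaped, length-checked userid; refuse
       the lookup rather than truncating the filter. */
    if (escape_filter_value(userid, safe_uid, sizeof(safe_uid)) != 0 ||
        snprintf(filter, sizeof(filter), "(%s=%s)",
                 MY_LDAP_UIDATTR, safe_uid) >= (int)sizeof(filter))
    {
        ldap_unbind(ld);
        return "UserID Unknown";
    }

    /* … unchanged: attrs, ldap_search_s, entry count, ldap_first_entry … */

    if ((dn = ldap_get_dn(ld,entry)) == NULL)
    {
        ldap_msgfree(result);   /* free the chain head, not the entry */
        ldap_unbind(ld);
        return "DN Not Found";
    }

    /* … unchanged: user bind and cleanup, with ldap_msgfree(result) in place of ldap_msgfree(entry) … */
}
```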
 diff -ruN cyrus-sasl.orig/files/pwcheck_ldap.conf.sample cyrus-sasl/files/pwcheck_ldap.conf.sample
 --- cyrus-sasl.orig/files/pwcheck_ldap.conf.sample	Wed Dec 31 18:00:00 1969
 +++ cyrus-sasl/files/pwcheck_ldap.conf.sample	Mon Aug 28 19:13:05 2000
 @@ -0,0 +1,3 @@
 +SASL_LDAP_SERVER="localhost"
 +SASL_LDAP_BASEDN="o=organization, c=US"
 +SASL_LDAP_UIDATTR="uid"
 diff -ruN cyrus-sasl.orig/patches/new.patch-ab cyrus-sasl/patches/new.patch-ab
 --- cyrus-sasl.orig/patches/new.patch-ab	Mon May 22 10:19:05 2000
 +++ cyrus-sasl/patches/new.patch-ab	Wed Dec 31 18:00:00 1969
 @@ -1,14 +0,0 @@
 ---- configure.in.orig	Mon May  8 12:51:13 2000
 -+++ configure.in	Mon May 22 09:55:01 2000
 -@@ -66,8 +66,9 @@
 - dnl check for -R, etc. switch
 - CMU_GUESS_RUNPATH_SWITCH
 - dnl let's just link against local.  otherwise we never find anything useful.
 --CPPFLAGS="-I/usr/local/include ${CPPFLAGS}"
 --CMU_ADD_LIBPATH("/usr/local/lib")
 -+CPPFLAGS="-I${OPENSSLINC} -I${OPENSSLINC}/openssl ${CPPFLAGS}"
 -+CMU_ADD_LIBPATH("${LOCALBASE}/lib")
 -+CMU_ADD_LIBPATH("${OPENSSLLIB}")
 - 
 - AM_DISABLE_STATIC
 - 
 diff -ruN cyrus-sasl.orig/patches/patch-ab cyrus-sasl/patches/patch-ab
 --- cyrus-sasl.orig/patches/patch-ab	Sat Aug 19 03:56:58 2000
 +++ cyrus-sasl/patches/patch-ab	Mon Aug 28 19:26:14 2000
 @@ -1,5 +1,5 @@
 ---- configure.in.orig	Thu Aug  3 14:34:08 2000
 -+++ configure.in	Thu Aug  3 14:39:24 2000
 +--- configure.in.orig	Thu Jul 20 21:35:01 2000
 ++++ configure.in	Mon Aug 28 19:26:00 2000
  @@ -66,8 +66,9 @@
   dnl check for -R, etc. switch
   CMU_GUESS_RUNPATH_SWITCH
 @@ -12,3 +12,36 @@
   
   AM_DISABLE_STATIC
   
 +@@ -296,6 +297,10 @@
 + fi
 + AC_SUBST(LIB_PAM)
 + 
 ++AC_ARG_ENABLE(ldap, [  --enable-ldap           enable ldap authentication [no] ],
 ++  ldap=$enableval,
 ++  ldap=no)
 ++
 + AC_ARG_WITH(pwcheck,[  --with-pwcheck=DIR      enable use of the pwcheck daemonusing statedir DIR ],
 + 	with_pwcheck=$withval,
 + 	with_pwcheck=no)
 +@@ -305,7 +310,11 @@
 +    fi
 +    AC_DEFINE(HAVE_PWCHECK)
 +    AC_DEFINE_UNQUOTED(PWCHECKDIR, "$with_pwcheck")
 +-   AC_CHECK_FUNC(getspnam,PWCHECKMETH="getspnam",PWCHECKMETH="getpwnam")
 ++   if test "$ldap" = yes; then
 ++      PWCHECKMETH=ldap
 ++   else
 ++     AC_CHECK_FUNC(getspnam,PWCHECKMETH="getspnam",PWCHECKMETH="getpwnam")
 ++   fi
 +    AC_SUBST(PWCHECKMETH)
 + fi
 + AM_CONDITIONAL(PWCHECK, test "$with_pwcheck" != no)
 +@@ -436,7 +445,7 @@
 +   if test "$with_des" != no; then
 +     AC_CHECK_HEADER(krb.h,
 +       AC_CHECK_LIB(krb, krb_mk_priv, COM_ERR="",
 +-	AC_CHECK_LIB(krb, krb_mk_priv, COM_ERR="-lcom_err",
 ++	AC_CHECK_LIB(krb, krb_mk_err, COM_ERR="-lcom_err",
 +                      AC_WARN(No Kerberos V4 found); krb4=no, -ldes -lcom_err),
 +         -ldes),
 +       AC_WARN(No Kerberos V4 found); krb4=no)
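Review bot: `PWCHECKMETH=ldap` is chosen purely from `--enable-ldap`; nothing in the hunk verifies that `ldap.h` and `-lldap` are present, so a build that passes the option without OpenLDAP installed fails at link time inside pwcheck instead of at configure. An `AC_CHECK_LIB(ldap, ldap_open, , AC_MSG_ERROR(--enable-ldap requires the LDAP libraries))` inside the `if test "$ldap" = yes; then` branch reports it early. The `krb_mk_err` change corrects the duplicated `krb_mk_priv` probe and looks right. The surrounding configure.in sections begin and end outside the hunk.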
 diff -ruN cyrus-sasl.orig/patches/patch-ae cyrus-sasl/patches/patch-ae
 --- cyrus-sasl.orig/patches/patch-ae	Wed Dec 31 18:00:00 1969
 +++ cyrus-sasl/patches/patch-ae	Mon Aug 28 19:34:14 2000
 @@ -0,0 +1,17 @@
 +--- pwcheck/Makefile.in.orig	Thu Jul 20 21:36:07 2000
 ++++ pwcheck/Makefile.in	Mon Aug 28 19:31:59 2000
 +@@ -144,8 +144,13 @@
 + LIBS = @LIBS@
 + pwcheck_OBJECTS =  pwcheck.o
 + pwcheck_DEPENDENCIES =  pwcheck_@PWCHECKMETH@.lo
 +-pwcheck_LDFLAGS = 
 ++.if ${PWCHECKMETH} == "ldap"
 ++pwcheck_LDFLAGS = -llber -lldap
 ++CFLAGS = @CFLAGS@ -I/usr/local/include
 ++.else
 ++pwcheck_LDFLAGS =
 + CFLAGS = @CFLAGS@
 ++.endif
 + COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 + LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 + CCLD = $(CC)
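Review bot: `.if ${PWCHECKMETH} == "ldap"` tests a make variable that nothing in pwcheck/Makefile.in defines — PWCHECKMETH reaches this file only as the autoconf substitution `@PWCHECKMETH@` on the `pwcheck_DEPENDENCIES` line — so the conditional never selects the ldap branch, and BSD make may reject the comparison against an empty expansion outright. Comparing the substituted text, `.if "@PWCHECKMETH@" == "ldap"`, works; cleaner still is to have configure substitute the flags themselves and write `pwcheck_LDFLAGS = @PWCHECK_LDFLAGS@` (constructed name) with no conditional at all, which also keeps the generated Makefile usable by a non-BSD make. `-I/usr/local/include` should come from LOCALBASE rather than being hard-coded, as the removed new.patch-ab did for the library path.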
 diff -ruN cyrus-sasl.orig/patches/patch-ba cyrus-sasl/patches/patch-ba
 --- cyrus-sasl.orig/patches/patch-ba	Wed Dec 31 18:00:00 1969
 +++ cyrus-sasl/patches/patch-ba	Mon Aug 28 19:36:37 2000
 @@ -0,0 +1,76 @@
 +--- pwcheck/pwcheck_ldap.c.orig	Mon Aug 28 19:29:52 2000
 ++++ pwcheck/pwcheck_ldap.c	Mon Aug 28 19:29:54 2000
 +@@ -14,17 +14,24 @@
 +  * LDAP libraries.  It also gets rid of the requirement for userPassword
 +  * attribute readability.
 +  *
 ++ * changed-by: Mon Aug 28 2000 olgeni@uli.it - environment support
 ++ *
 +  */
 + 
 + #include <stdio.h>
 ++#include <stdlib.h>
 + #include <lber.h>
 + #include <ldap.h>
 + 
 +-/* Set These to your Local Environment */
 ++/*
 + 
 +-#define MY_LDAP_SERVER	"localhost"
 +-#define MY_LDAP_BASEDN	"o=JOFA, c=UK"
 +-#define MY_LDAP_UIDATTR	"uid"
 ++The old #defines have been removed. This version uses 3 environment variables:
 ++
 ++SASL_LDAP_SERVER (ex: "localhost")
 ++SASL_LDAP_BASEDN (ex: "o=organization, c=US")
 ++SASL_LDAP_UIDATTR (ex: "uid")
 ++
 ++*/
 + 
 + char *pwcheck(userid, password)
 + char *userid;
 +@@ -36,8 +43,6 @@
 +     char *attrs[2];
 +     char filter[200]; 
 +     char *dn;
 +-    int ldbind_res;
 +-    char **vals;
 + 
 + /* If the password is NULL, reject the login...Otherwise the bind will
 +    succeed as a reference bind.  Not good... */
 +@@ -50,7 +55,7 @@
 + /* Open the LDAP connection.  Change the second argument if your LDAP
 +    server is not on port 389. */
 + 
 +-    if ((ld = ldap_open(MY_LDAP_SERVER,LDAP_PORT)) == NULL)
 ++    if ((ld = ldap_open(getenv("SASL_LDAP_SERVER"),LDAP_PORT)) == NULL)
 +     {
 +        return "Init Failed";
 +     }
 +@@ -65,7 +70,7 @@
 + 
 + /* Generate a filter that will return the entry with a matching UID */
 + 
 +-    sprintf(filter,"(%s=%s)",MY_LDAP_UIDATTR,userid);
 ++    sprintf(filter,"(%s=%s)",getenv("SASL_LDAP_UIDATTR"),userid);
 + 
 + /* Just return country...This doesn't actually matter, since we will
 +    not read the attributes and values, only the DN */
 +@@ -75,7 +80,7 @@
 + 
 + /* Perform the search... */
 + 
 +-    if (ldap_search_s(ld,MY_LDAP_BASEDN,LDAP_SCOPE_SUBTREE,filter,attrs,1,&result) != LDAP_SUCCESS)
 ++    if (ldap_search_s(ld,getenv("SASL_LDAP_BASEDN"),LDAP_SCOPE_SUBTREE,filter,attrs,1,&result) != LDAP_SUCCESS)
 +     {
 +        ldap_unbind(ld);
 +        return "Search Failed";
 +@@ -112,6 +117,8 @@
 + /* Now bind as the DN with the password supplied earlier...
 +    Successful bind means the password was correct, otherwise the
 +    password is invalid. */
 ++
 ++/* FIXME: This does not work with "{encryption-type}password" entries... */
 + 
 +     if (ldap_simple_bind_s(ld,dn,password) != LDAP_SUCCESS)
 +     {
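Review bot: `getenv("SASL_LDAP_SERVER")`, `getenv("SASL_LDAP_UIDATTR")` and `getenv("SASL_LDAP_BASEDN")` are handed straight to `ldap_open`, `sprintf` and `ldap_search_s`; when pwcheck is started without the rc script having sourced pwcheck_ldap.conf they are NULL, and the `%s` format and the search then dereference a null pointer. Read the three values into locals at the top of pwcheck and bail out on any missing one, `if (server == NULL || basedn == NULL || uidattr == NULL) return "LDAP Not Configured";`. The `sprintf` into `filter[200]` also keeps the unbounded, unescaped userid copy from the original file, so the same length and RFC 2254 concerns apply to the getenv-based line. Since post-extract copies files/pwcheck_ldap.c into ${WRKSRC}/pwcheck and this patch then rewrites that same file, the environment-variable version could be shipped in files/ directly and this patch dropped.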
 diff -ruN cyrus-sasl.orig/pkg/MESSAGE cyrus-sasl/pkg/MESSAGE
 --- cyrus-sasl.orig/pkg/MESSAGE	Sun Jan 23 23:22:21 2000
 +++ cyrus-sasl/pkg/MESSAGE	Mon Aug 28 19:14:48 2000
 @@ -1,4 +1,9 @@
 -Start the pwcheck program to have clients use the SASL libraries
 -as a non-root user:
 +PREFIX/etc/cyrusdb.db now needs to be created
 +before applications that depend on SASL are used.
  
 -	/usr/local/etc/rc.d/pwcheck.sh [start|stop]
 +	su cyrus
 +	PREFIX/sbin/saslpasswd -c userid
 +
 +You will also need to start the pwcheck daemon:
 +
 +	PREFIX/etc/rc.d/pwcheck.sh start
 diff -ruN cyrus-sasl.orig/pkg/MESSAGE.ldap cyrus-sasl/pkg/MESSAGE.ldap
 --- cyrus-sasl.orig/pkg/MESSAGE.ldap	Wed Dec 31 18:00:00 1969
 +++ cyrus-sasl/pkg/MESSAGE.ldap	Mon Aug 28 19:15:45 2000
 @@ -0,0 +1,16 @@
 +PREFIX/etc/cyrusdb.db now needs to be created
 +before applications that depend on SASL are used.
 +
 +        su cyrus
 +        PREFIX/sbin/saslpasswd -c userid
 +
 +PREFIX/etc/pwcheck_ldap.conf needs to be configured
 +to point to a LDAP server.
 +
 +	SASL_LDAP_SERVER: host name of the LDAP server. 
 +	SASL_LDAP_BASEDN: root of LDAP tree to perform the search on.
 +	SASL_LDAP_UIDATTR: name of the UID field in your tree.
 +
 +You will also need to start the pwcheck daemon:
 +
 +	PREFIX/etc/rc.d/pwcheck.sh start
 diff -ruN cyrus-sasl.orig/pkg/PLIST cyrus-sasl/pkg/PLIST
 --- cyrus-sasl.orig/pkg/PLIST	Sat Jun 17 03:56:22 2000
 +++ cyrus-sasl/pkg/PLIST	Mon Aug 28 19:13:06 2000
 @@ -1,4 +1,7 @@
  @unexec %D/etc/rc.d/pwcheck.sh stop ; echo "pwcheck stopped."
 +%%LDAP_SUPPORT%%@unexec if cmp -s %D/etc/pwcheck_ldap.conf %D/etc/pwcheck_ldap.conf.sample; then rm -f %D/etc/pwcheck_ldap.conf; fi
 +%%LDAP_SUPPORT%%etc/pwcheck_ldap.conf.sample
 +%%LDAP_SUPPORT%%@exec [ ! -f %B/pwcheck_ldap.conf ] && cp %B/%f %B/pwcheck_ldap.conf
  etc/rc.d/pwcheck.sh
  include/sasl/hmac-md5.h
  include/sasl/md5.h
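Review bot: `@exec [ ! -f %B/pwcheck_ldap.conf ] && cp %B/%f %B/pwcheck_ldap.conf` exits non-zero whenever the config already exists, because `&&` short-circuits on the failed test, so reinstalling the package over a configured host may have pkg_add report a failed @exec; the usual form is `@exec [ -f %B/pwcheck_ldap.conf ] || cp %B/%f %B/pwcheck_ldap.conf`. The same copy is also done by the Makefile's post-install under WITH_LDAP, so one of the two is redundant. The `@unexec` that removes an unmodified config via `cmp -s` is a good touch and correctly leaves an edited file alone.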
 @@ -60,7 +63,7 @@
  @exec mkdir pwcheck
  @exec chown cyrus:cyrus pwcheck
  @exec chmod go= pwcheck
 -@comment This file gets create by the pwcheck program
 -@unexec rm -f pwcheck/pwcheck
 -@dirrm pwcheck
 +@comment This file gets created by the pwcheck program
 +@unexec rm -f /var/pwcheck/pwcheck
 +@unexec rmdir /var/pwcheck 2>/dev/null || true
  @cwd %%PREFIX%%
 





