Date: Mon, 28 Aug 2000 18:00:04 -0700 (PDT) From: "Scot W. Hetzel" <hetzels@westbend.net> To: freebsd-ports@FreeBSD.org Subject: Re: ports/20887: [PATCH] LDAP support and fixes for cyrus-sasl Message-ID: <200008290100.SAA52785@freefall.freebsd.org>
The following reply was made to PR ports/20887; it has been noted by GNATS. From: "Scot W. Hetzel" <hetzels@westbend.net> To: FreeBSD-gnats-submit@FreeBSD.ORG Cc: Jimmy Olgeni <olgeni@uli.it> Subject: Re: ports/20887: [PATCH] LDAP support and fixes for cyrus-sasl Date: Mon, 28 Aug 2000 19:58:51 -0500 (CDT) Jimmy, Thank you for taking the time to fix your patches. I did find one problem with LIB_DEPENDS: it should have been defined within a ".if defined(WITH_LDAP) .. .endif". This way it becomes an optional dependency. I also changed the patches back to unified diffs instead of context diffs. Ports committers: Please apply the below patches to the security/cyrus-sasl port. Thanks, Scot W. Hetzel cyrus-sasl maintainer diff -ruN cyrus-sasl.orig/Makefile cyrus-sasl/Makefile --- cyrus-sasl.orig/Makefile Sat Aug 19 03:56:57 2000 +++ cyrus-sasl/Makefile Mon Aug 28 19:39:22 2000 @@ -15,6 +15,10 @@ MAINTAINER= hetzels@westbend.net +.if defined(WITH_LDAP) +LIB_DEPENDS= ldap.1:${PORTSDIR}/net/openldap +.endif + USE_OPENSSL= RSA INSTALLS_SHLIB= yes @@ -34,6 +38,7 @@ USE_AUTOCONF= YES USE_LIBTOOL= YES + CONFIGURE_ARGS= --sysconfdir=${PREFIX}/etc \ --with-plugindir=${PREFIX}/lib/sasl \ --with-dbpath=${PREFIX}/etc/sasldb \ @@ -43,6 +48,13 @@ --with-pwcheck=/var/pwcheck \ --with-rc4=openssl +.if defined(WITH_LDAP) +PKGMESSAGE= ${PKGDIR}/MESSAGE.ldap +CONFIGURE_ARGS+= --enable-ldap +.else +LDAP_SUPPORT= "@comment " +.endif + # JavaSASL is currently Broken #JAVADIR= jdk1.1.8 #JAVALIBDIR= ${PREFIX}/${JAVADIR}/lib/i386/green_threads/ 
@@ -91,14 +103,24 @@ PLIST_SUB= PREFIX=${PREFIX} \ GSSAPI=${GSSAPI} \ EBONES=${EBONES} \ - NOPORTDOCS=${NODOCS} + NOPORTDOCS=${NODOCS} \ + LDAP_SUPPORT=${LDAP_SUPPORT} + +post-extract: + ${CP} ${FILESDIR}/pwcheck_ldap.c ${WRKSRC}/pwcheck # Create Cyrus user and group pre-install: @${SH} ${PKGDIR}/INSTALL ${PKGNAME} PRE-INSTALL post-install: - @${SED} -e "/%%PREFIX%%/s##${PREFIX}#g" ${FILESDIR}/pwcheck.sh \ + ${INSTALL} ${COPY} -m600 -o root -g wheel ${FILESDIR}/pwcheck_ldap.conf.sample ${PREFIX}/etc +.if defined(WITH_LDAP) + if [ ! -e ${PREFIX}/etc/pwcheck_ldap.conf ]; then \ + ${CP} ${PREFIX}/etc/pwcheck_ldap.conf.sample ${PREFIX}/etc/pwcheck_ldap.conf ; \ + fi +.endif + @${SED} -e "/%%PREFIX%%/s##${PREFIX}#g" ${FILESDIR}/pwcheck.sh \ > ${PREFIX}/etc/rc.d/pwcheck.sh @${CHMOD} 755 ${PREFIX}/etc/rc.d/pwcheck.sh ${INSTALL} -d -m 700 -o cyrus -g cyrus /var/pwcheck @@ -114,6 +136,7 @@ @${INSTALL_DATA} ${WRKSRC}/doc/${file}.html ${PREFIX}/share/doc/SASL/html .endfor .endif + @${CAT} ${PKGMESSAGE} .if exists(${WRKDIRPREFIX}${.CURDIR}/Makefile.inc) post-clean: diff -ruN cyrus-sasl.orig/files/pwcheck.sh cyrus-sasl/files/pwcheck.sh --- cyrus-sasl.orig/files/pwcheck.sh Sat Jan 29 03:53:36 2000 +++ cyrus-sasl/files/pwcheck.sh Mon Aug 28 19:13:05 2000 @@ -5,6 +5,13 @@ PREFIX=%%PREFIX%% +if [ -r ${PREFIX}/etc/pwcheck_ldap.conf ]; then + . ${PREFIX}/etc/pwcheck_ldap.conf + export SASL_LDAP_SERVER + export SASL_LDAP_BASEDN + export SASL_LDAP_UIDATTR +fi + case "$1" in start) diff -ruN cyrus-sasl.orig/files/pwcheck_ldap.c cyrus-sasl/files/pwcheck_ldap.c --- cyrus-sasl.orig/files/pwcheck_ldap.c Wed Dec 31 18:00:00 1969 +++ cyrus-sasl/files/pwcheck_ldap.c Mon Aug 28 19:13:05 2000 
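Review bot: The `${INSTALL} ${COPY} -m600 -o root -g wheel ${FILESDIR}/pwcheck_ldap.conf.sample ${PREFIX}/etc` line in post-install sits before the `.if defined(WITH_LDAP)` guard, so a build without WITH_LDAP still installs the sample while PLIST records it only under `%%LDAP_SUPPORT%%`, which leaves an unregistered file behind on deinstall. Move that line inside the `.if defined(WITH_LDAP)` block, next to the `cp` that seeds pwcheck_ldap.conf, so install and PLIST agree. The 0600 root:wheel mode is worth keeping, because pwcheck.sh sources this file as shell. The post-extract rule likewise copies pwcheck_ldap.c into WRKSRC unconditionally; harmless, but it could live under the same guard.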
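Review bot: `. ${PREFIX}/etc/pwcheck_ldap.conf` executes the configuration file as shell inside an rc.d script, so anyone who can write that file runs commands as root at boot; the only protection is the 0600 root:wheel mode the Makefile gives the sample, and the script does not check ownership or mode before sourcing. Add a comment above the `if [ -r ... ]` block such as `# Sourced as shell by root at boot: keep this file root-owned, mode 0600, and limit it to SASL_LDAP_* assignments`, and consider an ownership/mode test before the dot. The three `export` lines also run when the file left a variable unset, and pwcheck_ldap.c (patch-ba) passes `getenv()` results straight to `ldap_open()` and `sprintf()`, so an incomplete file surfaces as a crash at the first password check rather than as a startup error.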
@@ -0,0 +1,129 @@
+/* pwcheck_ldap.c -- check passwords using LDAP
+ *
+ * Author: Clayton Donley <donley@cig.mot.com>
+ * http://www.wwa.com/~donley/
+ * Version: 1.01
+ *
+ * Note: This works by finding a DN that matches an entered UID and
+ * binding to the LDAP server using this UID. This uses clear-text
+ * passwords. A better approach with servers that support SSL and
+ * new LDAPv3 servers that support SASL bind methods like CRAM-MD5
+ * and TSL.
+ *
+ * This version should work with both University of Michigan and Netscape
+ * LDAP libraries. It also gets rid of the requirement for userPassword
+ * attribute readability.
+ *
+ */
+
+#include <stdio.h>
+#include <lber.h>
+#include <ldap.h>
+
+/* Set These to your Local Environment */
+
+#define MY_LDAP_SERVER "localhost"
+#define MY_LDAP_BASEDN "o=JOFA, c=UK"
+#define MY_LDAP_UIDATTR "uid"
+
+char *pwcheck(userid, password)
+char *userid;
+char *password;
+{
+ LDAP *ld;
+ LDAPMessage *result;
+ LDAPMessage *entry;
+ char *attrs[2];
+ char filter[200];
+ char *dn;
+ int ldbind_res;
+ char **vals;
+
+/* If the password is NULL, reject the login...Otherwise the bind will
+ succeed as a reference bind. Not good... */
+
+ if (strcmp(password,"") == 0)
+ {
+ return "Null Password";
+ }
+
+/* Open the LDAP connection. Change the second argument if your LDAP
+ server is not on port 389. */
+
+ if ((ld = ldap_open(MY_LDAP_SERVER,LDAP_PORT)) == NULL)
+ {
+ return "Init Failed";
+ }
+
+/* Bind anonymously so that you can find the DN of the appropriate user. */
+
+ if (ldap_simple_bind_s(ld,"","") != LDAP_SUCCESS)
+ {
+ ldap_unbind(ld);
+ return "Bind Failed";
+ }
+
+/* Generate a filter that will return the entry with a matching UID */
+
+ sprintf(filter,"(%s=%s)",MY_LDAP_UIDATTR,userid);
+
+/* Just return country...This doesn't actually matter, since we will
+ not read the attributes and values, only the DN */
+
+ attrs[0] = "c";
+ attrs[1] = NULL;
+
+/* Perform the search... */
+
+ if (ldap_search_s(ld,MY_LDAP_BASEDN,LDAP_SCOPE_SUBTREE,filter,attrs,1,&result) != LDAP_SUCCESS)
+ {
+ ldap_unbind(ld);
+ return "Search Failed";
+ }
+
+/* If the entry count is not equal to one, either the UID was not unique or
+ there was no match */
+
+ if (ldap_count_entries(ld,result) != 1)
+ {
+ ldap_msgfree(result);
+ ldap_unbind(ld);
+ return "UserID Unknown";
+ }
+
+/* Get the first entry */
+
+ if ((entry = ldap_first_entry(ld,result)) == NULL)
+ {
+ ldap_msgfree(result);
+ ldap_unbind(ld);
+ return "UserID Unknown";
+ }
+
+/* Get the DN of the entry */
+
+ if ((dn = ldap_get_dn(ld,entry)) == NULL)
+ {
+ ldap_msgfree(entry);
+ ldap_unbind(ld);
+ return "DN Not Found";
+ }
+
+/* Now bind as the DN with the password supplied earlier...
+ Successful bind means the password was correct, otherwise the
+ password is invalid. */
+
+ if (ldap_simple_bind_s(ld,dn,password) != LDAP_SUCCESS)
+ {
+ free(dn);
+ ldap_msgfree(entry);
+ ldap_unbind(ld);
+ return "Invalid Login or Password";
+ }
+
+ free(dn);
+ ldap_msgfree(entry);
+ ldap_unbind(ld);
+ return "OK";
+}
+
diff -ruN cyrus-sasl.orig/files/pwcheck_ldap.conf.sample cyrus-sasl/files/pwcheck_ldap.conf.sample
--- cyrus-sasl.orig/files/pwcheck_ldap.conf.sample Wed Dec 31 18:00:00 1969
+++ cyrus-sasl/files/pwcheck_ldap.conf.sample Mon Aug 28 19:13:05 2000
@@ -0,0 +1,3 @@
+SASL_LDAP_SERVER="localhost"
+SASL_LDAP_BASEDN="o=organization, c=US"
+SASL_LDAP_UIDATTR="uid"
diff -ruN cyrus-sasl.orig/patches/new.patch-ab cyrus-sasl/patches/new.patch-ab
--- cyrus-sasl.orig/patches/new.patch-ab Mon May 22 10:19:05 2000
+++ cyrus-sasl/patches/new.patch-ab Wed Dec 31 18:00:00 1969
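Review bot: `sprintf(filter,"(%s=%s)",MY_LDAP_UIDATTR,userid)` writes the client-supplied `userid` into the fixed `char filter[200]` with no length check and no escaping, so an over-long name overflows the stack of the password-checking daemon, and a name containing `*`, `(`, `)` or `\` is parsed as LDAP filter syntax (a wildcard `userid` can select an entry other than the one the client typed). Bound the write with `snprintf()` and reject filter metacharacters before the search, unbinding on the way out; this wants `#include <string.h>` for `strpbrk()`, which also declares the `strcmp()` the file already calls without a prototype. Separately, the later error paths hand `ldap_msgfree()` the `entry` pointer while the earlier ones free `result`, the chain returned by `ldap_search_s()`; making them all free `result` is the safe, consistent choice.
```c
/* Generate a filter that will return the entry with a matching UID.
 * userid comes from the client: refuse RFC 2254 filter metacharacters
 * and anything that does not fit, instead of sprintf()ing it in. */

 if (strpbrk(userid, "*()\\") != NULL ||
     snprintf(filter, sizeof filter, "(%s=%s)", MY_LDAP_UIDATTR, userid) >= (int) sizeof filter)
 {
 ldap_unbind(ld);
 return "UserID Unknown";
 }
/* … unchanged: attrs setup, search, entry/DN lookup, bind … */
```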
@@ -1,14 +0,0 @@
---- configure.in.orig Mon May 8 12:51:13 2000
-+++ configure.in Mon May 22 09:55:01 2000
-@@ -66,8 +66,9 @@
- dnl check for -R, etc. switch
- CMU_GUESS_RUNPATH_SWITCH
- dnl let's just link against local. otherwise we never find anything useful.
--CPPFLAGS="-I/usr/local/include ${CPPFLAGS}"
--CMU_ADD_LIBPATH("/usr/local/lib")
-+CPPFLAGS="-I${OPENSSLINC} -I${OPENSSLINC}/openssl ${CPPFLAGS}"
-+CMU_ADD_LIBPATH("${LOCALBASE}/lib")
-+CMU_ADD_LIBPATH("${OPENSSLLIB}")
-
- AM_DISABLE_STATIC
-
diff -ruN cyrus-sasl.orig/patches/patch-ab cyrus-sasl/patches/patch-ab
--- cyrus-sasl.orig/patches/patch-ab Sat Aug 19 03:56:58 2000
+++ cyrus-sasl/patches/patch-ab Mon Aug 28 19:26:14 2000
@@ -1,5 +1,5 @@
---- configure.in.orig Thu Aug 3 14:34:08 2000
-+++ configure.in Thu Aug 3 14:39:24 2000
+--- configure.in.orig Thu Jul 20 21:35:01 2000
++++ configure.in Mon Aug 28 19:26:00 2000
 @@ -66,8 +66,9 @@
 dnl check for -R, etc. switch
 CMU_GUESS_RUNPATH_SWITCH
@@ -12,3 +12,36 @@ AM_DISABLE_STATIC +@@ -296,6 +297,10 @@ + fi + AC_SUBST(LIB_PAM) + ++AC_ARG_ENABLE(ldap, [ --enable-ldap enable ldap authentication [no] ], ++ ldap=$enableval, ++ ldap=no) ++ + AC_ARG_WITH(pwcheck,[ --with-pwcheck=DIR enable use of the pwcheck daemonusing statedir DIR ], + with_pwcheck=$withval, + with_pwcheck=no) +@@ -305,7 +310,11 @@ + fi + AC_DEFINE(HAVE_PWCHECK) + AC_DEFINE_UNQUOTED(PWCHECKDIR, "$with_pwcheck") +- AC_CHECK_FUNC(getspnam,PWCHECKMETH="getspnam",PWCHECKMETH="getpwnam") ++ if test "$ldap" = yes; then ++ PWCHECKMETH=ldap ++ else ++ AC_CHECK_FUNC(getspnam,PWCHECKMETH="getspnam",PWCHECKMETH="getpwnam") ++ fi + AC_SUBST(PWCHECKMETH) + fi + AM_CONDITIONAL(PWCHECK, test "$with_pwcheck" != no) +@@ -436,7 +445,7 @@ + if test "$with_des" != no; then + AC_CHECK_HEADER(krb.h, + AC_CHECK_LIB(krb, krb_mk_priv, COM_ERR="", +- AC_CHECK_LIB(krb, krb_mk_priv, COM_ERR="-lcom_err", ++ AC_CHECK_LIB(krb, krb_mk_err, COM_ERR="-lcom_err", + AC_WARN(No Kerberos V4 found); krb4=no, -ldes -lcom_err), + -ldes), + AC_WARN(No Kerberos V4 found); krb4=no) diff -ruN cyrus-sasl.orig/patches/patch-ae cyrus-sasl/patches/patch-ae --- cyrus-sasl.orig/patches/patch-ae Wed Dec 31 18:00:00 1969 +++ cyrus-sasl/patches/patch-ae Mon Aug 28 19:34:14 2000 
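Review bot: With `--enable-ldap` the new block sets `PWCHECKMETH=ldap` without checking that libldap/liblber and `<ldap.h>` exist, so a missing OpenLDAP only shows up as a link error inside pwcheck/ (the port's LIB_DEPENDS covers the ports build, not a hand-run configure). A guard such as `AC_CHECK_LIB(ldap, ldap_open, , AC_MSG_ERROR([--enable-ldap requires OpenLDAP]), -llber)` inside the `if test "$ldap" = yes` branch fails early with a usable message. The `krb_mk_priv` → `krb_mk_err` change in the Kerberos V4 probe is unexplained; if its purpose is to keep autoconf from reusing the cached result of the identical `AC_CHECK_LIB(krb, krb_mk_priv, …)` two lines above, a one-line `dnl` comment saying so would spare the next reader the puzzle.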
@@ -0,0 +1,17 @@
+--- pwcheck/Makefile.in.orig Thu Jul 20 21:36:07 2000
++++ pwcheck/Makefile.in Mon Aug 28 19:31:59 2000
+@@ -144,8 +144,13 @@
+ LIBS = @LIBS@
+ pwcheck_OBJECTS = pwcheck.o
+ pwcheck_DEPENDENCIES = pwcheck_@PWCHECKMETH@.lo
+-pwcheck_LDFLAGS =
++.if ${PWCHECKMETH} == "ldap"
++pwcheck_LDFLAGS = -llber -lldap
++CFLAGS = @CFLAGS@ -I/usr/local/include
++.else
++pwcheck_LDFLAGS =
+ CFLAGS = @CFLAGS@
++.endif
+ COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+ LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+ CCLD = $(CC)
diff -ruN cyrus-sasl.orig/patches/patch-ba cyrus-sasl/patches/patch-ba
--- cyrus-sasl.orig/patches/patch-ba Wed Dec 31 18:00:00 1969
+++ cyrus-sasl/patches/patch-ba Mon Aug 28 19:36:37 2000
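Review bot: `CFLAGS = @CFLAGS@ -I/usr/local/include` hard-codes the very prefix that patch-ab in this same submission replaces with `${LOCALBASE}`/`${OPENSSLINC}` in configure.in, so a non-default LOCALBASE compiles pwcheck_ldap.c against the wrong (or no) ldap.h. Prefer the substitution route already used for the libpath — let configure.in export the LDAP include path and reference it as an `@…@` value here — or at least take it from the ports `CPPFLAGS` rather than a literal. Note too that `.if`/`.else`/`.endif` is BSD make syntax inside an automake-generated Makefile.in: it works because FreeBSD's make reads it, but GNU make on the same tree will not, and `${PWCHECKMETH}` only has a value if the Makefile.in also carries a `PWCHECKMETH = @PWCHECKMETH@` assignment, which is outside this hunk.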
@@ -0,0 +1,76 @@
+--- pwcheck/pwcheck_ldap.c.orig Mon Aug 28 19:29:52 2000
++++ pwcheck/pwcheck_ldap.c Mon Aug 28 19:29:54 2000
+@@ -14,17 +14,24 @@
+ * LDAP libraries. It also gets rid of the requirement for userPassword
+ * attribute readability.
+ *
++ * changed-by: Mon Aug 28 2000 olgeni@uli.it - environment support
++ *
+ */
+
+ #include <stdio.h>
++#include <stdlib.h>
+ #include <lber.h>
+ #include <ldap.h>
+
+-/* Set These to your Local Environment */
++/*
+
+-#define MY_LDAP_SERVER "localhost"
+-#define MY_LDAP_BASEDN "o=JOFA, c=UK"
+-#define MY_LDAP_UIDATTR "uid"
++The old #defines have been removed. This version uses 3 environment variables:
++
++SASL_LDAP_SERVER (ex: "localhost")
++SASL_LDAP_BASEDN (ex: "o=organization, c=US")
++SASL_LDAP_UIDATTR (ex: "uid")
++
++*/
+
+ char *pwcheck(userid, password)
+ char *userid;
+@@ -36,8 +43,6 @@
+ char *attrs[2];
+ char filter[200];
+ char *dn;
+- int ldbind_res;
+- char **vals;
+
+ /* If the password is NULL, reject the login...Otherwise the bind will
+ succeed as a reference bind. Not good... */
+@@ -50,7 +55,7 @@
+ /* Open the LDAP connection. Change the second argument if your LDAP
+ server is not on port 389. */
+
+- if ((ld = ldap_open(MY_LDAP_SERVER,LDAP_PORT)) == NULL)
++ if ((ld = ldap_open(getenv("SASL_LDAP_SERVER"),LDAP_PORT)) == NULL)
+ {
+ return "Init Failed";
+ }
+@@ -65,7 +70,7 @@
+
+ /* Generate a filter that will return the entry with a matching UID */
+
+- sprintf(filter,"(%s=%s)",MY_LDAP_UIDATTR,userid);
++ sprintf(filter,"(%s=%s)",getenv("SASL_LDAP_UIDATTR"),userid);
+
+ /* Just return country...This doesn't actually matter, since we will
+ not read the attributes and values, only the DN */
+@@ -75,7 +80,7 @@
+
+ /* Perform the search... 
*/ + +- if (ldap_search_s(ld,MY_LDAP_BASEDN,LDAP_SCOPE_SUBTREE,filter,attrs,1,&result) != LDAP_SUCCESS) ++ if (ldap_search_s(ld,getenv("SASL_LDAP_BASEDN"),LDAP_SCOPE_SUBTREE,filter,attrs,1,&result) != LDAP_SUCCESS) + { + ldap_unbind(ld); + return "Search Failed"; +@@ -112,6 +117,8 @@ + /* Now bind as the DN with the password supplied earlier... + Successful bind means the password was correct, otherwise the + password is invalid. */ ++ ++/* FIXME: This does not work with "{encryption-type}password" entries... */ + + if (ldap_simple_bind_s(ld,dn,password) != LDAP_SUCCESS) + { diff -ruN cyrus-sasl.orig/pkg/MESSAGE cyrus-sasl/pkg/MESSAGE --- cyrus-sasl.orig/pkg/MESSAGE Sun Jan 23 23:22:21 2000 +++ cyrus-sasl/pkg/MESSAGE Mon Aug 28 19:14:48 2000 @@ -1,4 +1,9 @@ -Start the pwcheck program to have clients use the SASL libraries -as a non-root user: +PREFIX/etc/cyrusdb.db now needs to be created +before applications that depend on SASL are used. - /usr/local/etc/rc.d/pwcheck.sh [start|stop] + su cyrus + PREFIX/sbin/saslpasswd -c userid + +You will also need to start the pwcheck daemon: + + PREFIX/etc/rc.d/pwcheck.sh start diff -ruN cyrus-sasl.orig/pkg/MESSAGE.ldap cyrus-sasl/pkg/MESSAGE.ldap --- cyrus-sasl.orig/pkg/MESSAGE.ldap Wed Dec 31 18:00:00 1969 +++ cyrus-sasl/pkg/MESSAGE.ldap Mon Aug 28 19:15:45 2000 @@ -0,0 +1,16 @@ +PREFIX/etc/cyrusdb.db now needs to be created +before applications that depend on SASL are used. + + su cyrus + PREFIX/sbin/saslpasswd -c userid + +PREFIX/etc/pwcheck_ldap.conf needs to be configured +to point to a LDAP server. + + SASL_LDAP_SERVER: host name of the LDAP server. + SASL_LDAP_BASEDN: root of LDAP tree to perform the search on. + SASL_LDAP_UIDATTR: name of the UID field in your tree. + +You will also need to start the pwcheck daemon: + + PREFIX/etc/rc.d/pwcheck.sh start diff -ruN cyrus-sasl.orig/pkg/PLIST cyrus-sasl/pkg/PLIST --- cyrus-sasl.orig/pkg/PLIST Sat Jun 17 03:56:22 2000 +++ cyrus-sasl/pkg/PLIST Mon Aug 28 19:13:06 2000 
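Review bot: The three `getenv("SASL_LDAP_…")` calls feed their results directly into `ldap_open()`, `sprintf("%s")` and `ldap_search_s()`; when pwcheck_ldap.conf is absent (pwcheck.sh sources it only if readable) or one variable is unset, each of those receives a NULL pointer and the daemon crashes or misbehaves on the first password check instead of failing closed. Read the three variables once at the top of pwcheck() and return an error before touching LDAP, then use the locals in place of the inline `getenv()` calls. The unbounded `sprintf` into `filter[200]` and the unescaped `userid` from the original file are left as they were and still apply here. The FIXME about `{encryption-type}password` entries may be misleading: a simple bind is verified by the server against whatever form it stores, so if the remark is about one particular server it should say which, otherwise it is better dropped.
```c
char *pwcheck(userid, password)
char *userid;
char *password;
{
 /* … unchanged: local declarations … */
 const char *server = getenv("SASL_LDAP_SERVER");
 const char *basedn = getenv("SASL_LDAP_BASEDN");
 const char *uidattr = getenv("SASL_LDAP_UIDATTR");

/* Refuse to run unconfigured: a NULL here would otherwise reach
 ldap_open()/sprintf()/ldap_search_s() as a NULL pointer. */
 if (server == NULL || basedn == NULL || uidattr == NULL
 || *server == '\0' || *basedn == '\0' || *uidattr == '\0')
 {
 return "LDAP Not Configured";
 }
 /* … unchanged: null-password check, then server/uidattr/basedn replace the getenv() calls … */
```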
@@ -1,4 +1,7 @@
 @unexec %D/etc/rc.d/pwcheck.sh stop ; echo "pwcheck stopped."
+%%LDAP_SUPPORT%%@unexec if cmp -s %D/etc/pwcheck_ldap.conf %D/etc/pwcheck_ldap.conf.sample; then rm -f %D/etc/pwcheck_ldap.conf; fi
+%%LDAP_SUPPORT%%etc/pwcheck_ldap.conf.sample
+%%LDAP_SUPPORT%%@exec [ ! -f %B/pwcheck_ldap.conf ] && cp %B/%f %B/pwcheck_ldap.conf
 etc/rc.d/pwcheck.sh
 include/sasl/hmac-md5.h
 include/sasl/md5.h
@@ -60,7 +63,7 @@
 @exec mkdir pwcheck
 @exec chown cyrus:cyrus pwcheck
 @exec chmod go= pwcheck
-@comment This file gets create by the pwcheck program
-@unexec rm -f pwcheck/pwcheck
-@dirrm pwcheck
+@comment This file gets created by the pwcheck program
+@unexec rm -f /var/pwcheck/pwcheck
+@unexec rmdir /var/pwcheck 2>/dev/null || true
 @cwd %%PREFIX%%
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ports" in the body of the message
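Review bot: `%%LDAP_SUPPORT%%@exec [ ! -f %B/pwcheck_ldap.conf ] && cp %B/%f %B/pwcheck_ldap.conf` exits non-zero whenever the config already exists (the normal upgrade case), because the `[ ! -f ]` test fails and nothing follows the `&&`, and pkg_add treats that as a failed @exec. Append `|| true`, as the new `@unexec rmdir /var/pwcheck 2>/dev/null || true` in the second hunk already does: `%%LDAP_SUPPORT%%@exec [ ! -f %B/pwcheck_ldap.conf ] && cp %B/%f %B/pwcheck_ldap.conf || true`. The sample is installed 0600 root:wheel by the Makefile and `cp` without `-p` preserves that mode only as far as umask allows, which is fine while pkg_add runs as root but deserves an `@comment` so the intent survives.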