SASL authentication, authorization and data encryption support (ITS#501)
Full_Name: Gábor Gombás
Version: 2.0-devel
OS: Debian Linux 2.2
URL: http://valerie.inf.elte.hu/~gombasg/ldap/openldap-sasl.patch
Submission from: (NULL) (157.181.161.14)
Hello,
I've managed to get SASL authentication, authorization and data encryption working for OpenLDAP 2.0-devel. It was inspired by (and contains code from) the patch created by Mark Adamson. The patch contains:

- SASL support for the programs in the clients/tools directory. New command line flags: '-C' to use Cyrus SASL authentication (the small letter 'c' was already used for other purposes in some of the programs), '-m mech' to specify the SASL mechanism and '-Z authzid' to specify an authorization ID (see below)
- Security layer support changes in liblber
- 3 new config. options for slapd: SASLMinSSF, SASLMaxSSF and SASLDefaultDb. The first two enable the setting of the minimal/maximal SSF. SASLDefaultDb marks a database definition to be used when the client does not provide a DN for SASL bind and the DN needs to be determined from the authentication ID
- I've added a new mutex to the Connection structure to block all input between sending the final result of the SASL bind and installing the security layer functions on the socket. Without it ber_get_next() tries to interpret encrypted data and fails, which causes the connection to be dropped just after the bind
- The ldbm backend supports SASL authentication and two forms of authorization. If the client did not specify a DN to bind to, it's determined from the given authorization ID using the "externalAuthName" attribute. The authorization ID can be specified either as "dn:<dn>" or as "u:<userid>" as the authmech draft says. The permissions for the authorization can be stored in either the authenticated entry's "allowAuthorizeAs" attribute or in the target entry's "allowAuthorizationTo" attribute. Both are regular expressions which the authorized/authenticated DN must match

What's missing:

- Client-side configuration of the desired data integrity and encryption level
Gabor
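The authorization model the report describes (an authzid of the form "dn:<dn>" or "u:<userid>", the identity-to-DN mapping through "externalAuthName", and the two regular-expression attributes "allowAuthorizeAs" on the authenticating entry and "allowAuthorizationTo" on the target entry) is sketched below as a stand-alone Python model. This is an added illustration, not code from the patch or from OpenLDAP; the directory contents are constructed, the mapping of a "u:" authzid through externalAuthName mirrors what the report says for the authentication ID, and the choice of anchored matching (re.fullmatch) and the exact-match-of-self shortcut are assumptions about semantics the report does not state.

```python
import re

# Constructed toy directory (DN -> attributes); example data, not from the patch.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "externalAuthName": ["alice"],
        # alice may authorize as any entry under ou=service
        "allowAuthorizeAs": [r"uid=[^,]+,ou=service,dc=example,dc=com"],
    },
    "uid=bob,ou=people,dc=example,dc=com": {
        "externalAuthName": ["bob"],
    },
    "uid=backup,ou=service,dc=example,dc=com": {
        # the target itself says who may act as it: only bob
        "allowAuthorizationTo": [r"uid=bob,ou=people,dc=example,dc=com"],
    },
}


def resolve_id(identity):
    """Map 'dn:<dn>' or 'u:<userid>' to a DN in the directory, or None.

    A 'u:' identity is looked up through the externalAuthName attribute and
    must resolve to exactly one entry (assumption: an ambiguous mapping is refused).
    """
    if identity.startswith("dn:"):
        dn = identity[3:]
        return dn if dn in DIRECTORY else None
    if identity.startswith("u:"):
        userid = identity[2:]
        hits = [dn for dn, attrs in DIRECTORY.items()
                if userid in attrs.get("externalAuthName", [])]
        return hits[0] if len(hits) == 1 else None
    return None  # unknown form; the authmech draft only defines dn: and u:


def _any_fullmatch(patterns, dn):
    # Anchored match (assumption): an unanchored search would let a pattern
    # such as 'ou=service' grant far more than the administrator intended.
    return any(re.fullmatch(p, dn) for p in patterns)


def may_authorize(auth_dn, target_dn):
    """Either side may grant the proxy authorization:

    - the authenticated entry's allowAuthorizeAs regexes, matched against the target DN
    - the target entry's allowAuthorizationTo regexes, matched against the authenticated DN
    """
    if auth_dn == target_dn:
        return True
    auth_attrs = DIRECTORY.get(auth_dn, {})
    target_attrs = DIRECTORY.get(target_dn, {})
    if _any_fullmatch(auth_attrs.get("allowAuthorizeAs", []), target_dn):
        return True
    if _any_fullmatch(target_attrs.get("allowAuthorizationTo", []), auth_dn):
        return True
    return False


def sasl_bind_authz(authcid, authzid=None):
    """Effective DN of a SASL bind with authentication ID authcid and optional
    authorization ID authzid (the '-Z' value), or None if the bind is refused."""
    auth_dn = resolve_id("u:" + authcid)
    if auth_dn is None:
        return None  # no entry carries that externalAuthName
    if authzid is None:
        return auth_dn  # no proxy authorization requested
    target_dn = resolve_id(authzid)
    if target_dn is None:
        return None  # unknown or malformed authzid
    return target_dn if may_authorize(auth_dn, target_dn) else None


if __name__ == "__main__":
    print(sasl_bind_authz("alice"))
    print(sasl_bind_authz("alice", "dn:uid=backup,ou=service,dc=example,dc=com"))
    print(sasl_bind_authz("bob", "dn:uid=backup,ou=service,dc=example,dc=com"))
    print(sasl_bind_authz("alice", "u:bob"))
```

The point worth checking in any implementation of this scheme is the anchoring: since both attributes are regular expressions, a value like "ou=people,dc=example,dc=com" under a search-style match would let the holder authorize as every entry under that subtree. DN case-insensitivity and attribute-value normalization are ignored here for brevity.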