
SASL authentication, authorization and data encryption support (ITS#501)



Full_Name: Gábor Gombás
Version: 2.0-devel
OS: Debian Linux 2.2
URL: http://valerie.inf.elte.hu/~gombasg/ldap/openldap-sasl.patch
Submission from: (NULL) (157.181.161.14)


Hello,

I've managed to get SASL authentication, authorization and data encryption
working for OpenLDAP 2.0-devel. It was inspired by (and contains code from) the
patch created by Mark Adamson. The patch contains:

- SASL support for the programs in the clients/tools directory. New command line
  flags: '-C' to use Cyrus SASL authentication (the small letter 'c' was already
  used for other purposes in some of the programs), '-m mech' to specify the SASL
  mechanism and '-Z authzid' to specify an authorization ID (see below)
- Security layer support changes in liblber
- 3 new config. options for slapd: SASLMinSSF, SASLMaxSSF and SASLDefaultDb. The
  first two enable the setting of the minimal/maximal SSF. SASLDefaultDb marks a
  database definition to be used when the client does not provide a DN for SASL
  bind and the DN needs to be determined from the authentication ID
- I've added a new mutex to the Connection structure to block all input between
  sending the final result of the SASL bind and installing the security layer
  functions to the socket. Without it ber_get_next() tries to interpret encrypted
  data and fails, which causes the connection to be dropped just after the bind
- The ldbm backend supports SASL authentication and two forms of authorization.
  If the client did not specify a DN to bind to, it's determined from the given
  authorization ID using the "externalAuthName" attribute. The authorization ID
  can be specified either as "dn:<dn>" or as "u:<userid>" as the authmech draft
  says. The permissions for the authorization can be stored in either the
  authenticated entry's "allowAuthorizeAs" attribute or in the target entry's
  "allowAuthorizationTo" attribute. Both are regular expressions which the
  authorized/authenticated DN must match

What's missing:
- Client-side configuration of the desired data integrity and encryption level

Gabor
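The authorization logic described in the message (mapping the authentication ID to a DN via externalAuthName, parsing "dn:" and "u:" authorization IDs, and matching the target or authenticated DN against the allowAuthorizeAs / allowAuthorizationTo regular expressions) as an added illustration; this is not code from the patch or from OpenLDAP. The static directory array, its DNs and the lookup helpers are constructed stand-ins for entries the ldbm backend would read from the database.

```c
#include <regex.h>
#include <string.h>
/* Constructed directory entries for illustration; not slapd's real data structures. */
struct entry {
    const char *dn;
    const char *externalAuthName;     /* SASL authentication ID mapped to this DN */
    const char *allowAuthorizeAs;     /* regex: DNs this (authenticated) entry may become */
    const char *allowAuthorizationTo; /* regex: authenticated DNs allowed to become this entry */
};
static const struct entry directory[] = {
    { "uid=gombasg,ou=People,dc=example,dc=com", "gombasg",
      "^uid=test[0-9]+,ou=People,dc=example,dc=com$", NULL },
    { "uid=test1,ou=People,dc=example,dc=com", "test1", NULL, NULL },
    { "uid=admin,ou=People,dc=example,dc=com", "admin", NULL,
      "^uid=gombasg,ou=People,dc=example,dc=com$" },
};
#define NENTRIES (sizeof directory / sizeof directory[0])
/* Lookup by DN, and by externalAuthName (used when the client gives no bind DN). */
static const struct entry *find_by_dn(const char *dn) {
    for (size_t i = 0; i < NENTRIES; i++)
        if (strcmp(directory[i].dn, dn) == 0) return &directory[i];
    return NULL;
}
static const struct entry *find_by_authname(const char *name) {
    for (size_t i = 0; i < NENTRIES; i++)
        if (strcmp(directory[i].externalAuthName, name) == 0) return &directory[i];
    return NULL;
}
/* Extended-regex match of a DN against an attribute; an absent attribute grants nothing. */
static int dn_matches(const char *pattern, const char *dn) {
    regex_t re; int ok;
    if (pattern == NULL || regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0) return 0;
    ok = regexec(&re, dn, 0, NULL, 0) == 0;
    regfree(&re);
    return ok;
}
/* Map the SASL authentication ID to a DN, then check whether it may act as authzid
 * ("dn:<dn>" or "u:<userid>"). Returns the effective DN, or NULL if authorization is denied. */
const char *sasl_authorize(const char *authname, const char *authzid) {
    const struct entry *authn = find_by_authname(authname), *target;
    if (authn == NULL) return NULL;
    if (authzid == NULL || *authzid == '\0') return authn->dn;  /* no authzid: act as yourself */
    if (strncmp(authzid, "dn:", 3) == 0)     target = find_by_dn(authzid + 3);
    else if (strncmp(authzid, "u:", 2) == 0) target = find_by_authname(authzid + 2);
    else return NULL;                                            /* unknown authzid form */
    if (target == NULL || target == authn) return target ? target->dn : NULL;
    if (dn_matches(authn->allowAuthorizeAs, target->dn) ||
        dn_matches(target->allowAuthorizationTo, authn->dn)) return target->dn;
    return NULL;
}
```

Either attribute alone is sufficient to grant the proxy authorization, so a pattern in allowAuthorizeAs that is broader than intended (an unanchored regex, for instance) widens what that entry can become.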