RE: SASL EXTERNAL
> -----Original Message-----
> From: Norbert Klasen [mailto:norbert.klasen@daasi.de]
> Thanks Howard, this works now. Some new issues:
>
> - I need to clear the 'noanonymous' flag from ldapsearch's sasl secprops.
> Otherwise ldap_sasl_interactive_bind_s returns 'Unknown authentication
> method'.
In Cyrus 1.5.27 the EXTERNAL mech's flags are set to NOPLAINTEXT and
NODICTIONARY, but omit NOANONYMOUS. This is a bug in Cyrus SASL 1.5; the
mechanism itself always requires an identity so it is never actually
anonymous but the mech's security flags don't reflect this fact. (In Cyrus
2.1 the flags are correct.) I suggest you patch your Cyrus 1.5.27 source in
lib/client.c around line 189 and add the flag yourself. I've submitted a
number of patches to CMU but I don't have any idea if there will be another
1.5.x release.
> - In slap_sasl_regexp_config a ber_str2bv is attempted on the replace
> pattern. This fails if the replace pattern is a URI:
> >>> dnNormalize: <ldap://localhost/c=de??sub?cn=$1>
> => ldap_bv2dn(ldap://localhost/c=de??sub?cn=$1,0)
> <= ldap_bv2dn(ldap://localhost/c=de??sub?cn=$1,0)=84
> SASL replace pattern ldap://localhost/c=de??sub?cn=$1 could not be
> normalized.
> ber_str2bv and the subsequent dnNormalize2 should probably be called only
> on the DN part of the URI.
This is now fixed.
> - Then there is an issue with non-ascii chars and sasl-regex:
This looks like it ought to work. There are issues with UTF-8 and regexps;
I don't know enough to go into detail.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
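
Added example, not part of the original message and not Cyrus SASL's or OpenLDAP's code: a simplified C model of how a client's required security properties filter out a mechanism whose advertised flags lack one of them, which is the behaviour the first item describes for EXTERNAL. The bit values, the struct and the function names are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed bit values for this model; not copied from sasl.h. */
enum { SEC_NOPLAINTEXT = 1, SEC_NODICTIONARY = 2, SEC_NOANONYMOUS = 4 };

struct mech {
    const char *name;
    unsigned    flags;  /* security properties the mechanism advertises */
};

/* EXTERNAL with the flags the message reports for Cyrus SASL 1.5.27. */
static const struct mech external_1_5_27 = {
    "EXTERNAL", SEC_NOPLAINTEXT | SEC_NODICTIONARY
};
/* EXTERNAL with NOANONYMOUS added, as the message suggests patching. */
static const struct mech external_patched = {
    "EXTERNAL", SEC_NOPLAINTEXT | SEC_NODICTIONARY | SEC_NOANONYMOUS
};

/* Required properties the mechanism does not advertise; 0 means usable. */
unsigned missing_props(const struct mech *m, unsigned required)
{
    return required & ~m->flags;
}

/* First offered mechanism meeting the required properties, or NULL. */
const char *select_mech(const struct mech *const *offered, size_t n,
                        unsigned required)
{
    for (size_t i = 0; i < n; i++)
        if (missing_props(offered[i], required) == 0)
            return offered[i]->name;
    return NULL;
}

int main(void)
{
    const struct mech *const before[] = { &external_1_5_27 };
    const struct mech *const after[]  = { &external_patched };
    unsigned props = SEC_NOPLAINTEXT | SEC_NOANONYMOUS; /* constructed */
    const char *a = select_mech(before, 1, props);
    const char *b = select_mech(after, 1, props);
    printf("1.5.27 flags:  %s\n", a ? a : "no acceptable mechanism");
    printf("patched flags: %s\n", b ? b : "no acceptable mechanism");
    return 0;
}
```

In this model, dropping the noanonymous requirement on the client and adding the flag to the mechanism both make EXTERNAL selectable; only the second keeps the client's policy intact.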