Re: Has anyone found a workaround? SASL/LDAP

[Tony Earnshaw <tonni@billy.demon.nl>]

Steven J. Sobol wrote:

> Was wondering if anyone has found a workaround for the SASL reentrancy
> problem that occurs when... well, this is the situation I ran into the
> first time I tried this. (about a year ago, and I wasn't using a SASL
> version that shipped with saslauthd)
>
> I want to use LDAP as a centralized user database. Trouble is, OpenLDAP 2
> uses the CMU SASL Library and so does my IMAP/POP server of choice, CMU's
> Cyrus. So the user goes to log in, gets authenticated against the LDAP
> database using SASL, the SASL library gets called again by OpenLDAP,
> and... well... it's just messy.

Interesting. My experience is parallel to yours (I use Courier imapd and 
Postfix), but perhaps relevant.

Postfix sometimes goes into the same sort of spin when Openldap is 
compiled against SASL. This is not constant, it can happen on the one 
compile but not on the other - my experience is from Red Hat 7.2 and 
9.0, Openldap 2.1.22, Postfix 2.0.16 snapshot and Cyrus SASL 2.1.3.

Postfix has its own SASL implementation for SMTP AUTH (I use SASL 
auxprop libs rather than saslauthd). Two very LDAP-savvy developers on 
the Postfix mailing list recommend not including SASL support into 
Openldap for use with Postfix, presumably because of the double action 
you describe. I'm going to try a recompile of Openldap without SASL 
support on a customer RH 9.0 machine next week (on which Postfix SASL 
barfs) to try this out. I don't use any client that expects SASL support 
in Openldap (Samba 3 can use KerberosV in a Windows 2000+ environment, 
but AFAIK that is Samba-specific).

Unless you need SASL support in Openldap, you might try this instead of 
PAM. If any others on the list see problems with this approach, it'd be 
interesting to read of them.

--Tonni

--
Tony Earnshaw

http://www.billy.demon.nl
Mail: billy-at-billy.demon.nl