Re: Has anyone found a workaround? SASL/LDAP
On 4 October 2003, Howard Chu <hyc@highlandsun.com> wrote:
> > -----Original Message-----
> > From: owner-openldap-software@OpenLDAP.org
> > [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Tony Earnshaw
>
> > Howard Chu wrote:
> >
> > [...]
> >
> > > if you're using the LDAP auxprop module that I wrote (in
> > > OpenLDAP's contrib directory), this invokes the SASL client API.
> > > this talks to the LDAP server, and the chain of processing in this
> > > context ends there.
> >
> > Although this wasn't addressed to me, I appreciate the explanation.
> > however, two top Postfix LDAP (Openldap) and Cyrus SASL experts have
> > given warnings about combining Openldap SASL support with Postfix
> > SASL support. At all.
>
> Those experts are giving you outdated information, with no
> understanding of the actual issues.
[...]
I don't consider myself an "expert" in either Postfix, OpenLDAP,
or Cyrus SASL, but since I'm one of the guys that made the claim about
Postfix Tony was referring to, I suppose I should step forward.
The way I see it:
(1) The pre-jail code of the smtp daemon in Postfix calls
sasl_client_init();
(2) The LDAP dictionary in Postfix calls ldap_init(), which in turn
calls sasl_client_init() again;
(3) In cyrus-sasl-2.1.15/lib/client.c we have:
    static sasl_global_callbacks_t global_callbacks;

    static int _sasl_client_active = 0;
    [...]
    int sasl_client_init(const sasl_callback_t *callbacks)
    {
      int ret;
      const add_plugin_list_t ep_list[] = {
        { "sasl_client_plug_init", (add_plugin_t *)sasl_client_add_plugin },
        { "sasl_canonuser_init", (add_plugin_t *)sasl_canonuser_add_plugin },
        { NULL, NULL }
      };

      if(_sasl_client_active) {
        /* We're already active, just increase our refcount */
        /* xxx do something with the callback structure? */
        _sasl_client_active++;
        return SASL_OK;
      }

      global_callbacks.callbacks = callbacks;
      global_callbacks.appname = NULL;
(4) If both Postfix and OpenLDAP are linked dynamically against SASL,
you have a re-entrancy problem.
FWIW, Postfix also calls sasl_server_init() in the smtpd daemon, but
that's not really relevant here.
If you can prove that any of (1)-(4) contain outdated information,
or if you can enlighten me with a better understanding of the "actual
issues", please do.
Also please note that I said nothing about either SASL auxprop,
Simon Loader's patch, or the initial topic of this thread.
On 4 October 2003, Tony Earnshaw <tonni@billy.demon.nl> wrote:
[...]
> Postfix has its own SASL implementation for SMTP AUTH (I use SASL
> auxprop libs rather than saslauthd).
[...]
No, Tony. As I pointed out on the postfix-users list, Courier has
its own SASL implementation, Postfix doesn't (although some people
believe that it should).
Regards,
Liviu Daia
--
Dr. Liviu Daia e-mail: Liviu.Daia@imar.ro
Institute of Mathematics web page: http://www.imar.ro/~daia
of the Romanian Academy PGP key: http://www.imar.ro/~daia/daia.asc
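To make the consequence of steps (1)-(4) above concrete, here is a small C model of the refcount logic in the quoted sasl_client_init(), added to this archived post as an illustration (example code, not Cyrus SASL's, Postfix's or OpenLDAP's): two callers in one process each pass their own callbacks, and the second caller's set is silently discarded. The callback struct, owner tags and function names are constructed for the model.

```c
#include <stddef.h>

/* Constructed model of the refcount logic in the quoted sasl_client_init();
 * this is example code, not Cyrus SASL's. A callback id and a function,
 * like sasl_callback_t, except the function just returns an owner tag. */
#define OWNER_NONE 0
#define OWNER_SMTP 1
#define OWNER_LDAP 2

typedef int (*owner_cb_t)(void);
typedef struct { unsigned long id; owner_cb_t proc; } model_callback_t;

/* Process-wide state, as in lib/client.c: one callback set for all callers. */
static const model_callback_t *global_callbacks = NULL;
static int client_active = 0;

/* Same control flow as the quoted function: once active, a later caller only
 * bumps the refcount and its callbacks argument is never looked at. */
int model_client_init(const model_callback_t *callbacks)
{
    if (client_active) {
        client_active++;
        return 0;            /* SASL_OK */
    }
    global_callbacks = callbacks;
    client_active = 1;
    return 0;
}

static int smtp_cb(void) { return OWNER_SMTP; }
static int ldap_cb(void) { return OWNER_LDAP; }
static const model_callback_t smtp_callbacks[] = { { 1, smtp_cb }, { 0, NULL } };
static const model_callback_t ldap_callbacks[] = { { 1, ldap_cb }, { 0, NULL } };

/* Reproduces steps (1) and (2) from the post and reports whose callbacks the
 * library will actually consult afterwards: the first caller's, never the
 * LDAP dictionary's. */
int owner_after_double_init(void)
{
    global_callbacks = NULL;
    client_active = 0;
    model_client_init(smtp_callbacks);   /* (1) smtpd pre-jail code */
    model_client_init(ldap_callbacks);   /* (2) ldap_init() via the LDAP dictionary */
    return global_callbacks ? global_callbacks[0].proc() : OWNER_NONE;
}

/* Refcount after the two calls above: 2, yet only one callback set exists. */
int model_refcount(void) { return client_active; }
```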