
Re: Has anyone found a workaround? SASL/LDAP
On 4 October 2003, Howard Chu <hyc@highlandsun.com> wrote:
> > -----Original Message-----
> > From: owner-openldap-software@OpenLDAP.org
> > [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Tony Earnshaw
> 
> > Howard Chu wrote:
> >
> > [...]
> >
> > >     if you're using the LDAP auxprop module that I wrote (in
> > > OpenLDAP's contrib directory), this invokes the SASL client API.
> > > this talks to the LDAP server, and the chain of processing in this
> > > context ends there.
> >
> > Although this wasn't addressed to me, I appreciate the explanation.
> > however, two top Postfix LDAP (Openldap) and Cyrus SASL experts have
> > given warnings about combining Openldap SASL support with Postfix
> > SASL support. At all.
>
> Those experts are giving you outdated information, with no
> understanding of the actual issues.
[...]

    I don't consider myself an "expert" in either Postfix, OpenLDAP,
or Cyrus SASL, but since I'm one of the guys that made the claim about
Postfix Tony was referring to, I suppose I should step forward.

    The way I see it:

(1) The pre-jail code of the smtp daemon in Postfix calls
    sasl_client_init();
(2) The LDAP dictionary in Postfix calls ldap_init(), which in turn
    calls sasl_client_init() again;
(3) In cyrus-sasl-2.1.15/lib/client.c we have:

     64 static sasl_global_callbacks_t global_callbacks;
     65
     66 static int _sasl_client_active = 0;
[...]
    198 int sasl_client_init(const sasl_callback_t *callbacks)
    199 {
    200   int ret;
    201   const add_plugin_list_t ep_list[] = {
    202       { "sasl_client_plug_init", (add_plugin_t *)sasl_client_add_plugin },
    203       { "sasl_canonuser_init", (add_plugin_t *)sasl_canonuser_add_plugin },
    204       { NULL, NULL }
    205   };
    206
    207   if(_sasl_client_active) {
    208       /* We're already active, just increase our refcount */
    209       /* xxx do something with the callback structure? */
    210       _sasl_client_active++;
    211       return SASL_OK;
    212   }
    213
    214   global_callbacks.callbacks = callbacks;
    215   global_callbacks.appname = NULL;

(4) If both Postfix and OpenLDAP are linked dynamically against SASL,
    you have a re-entrancy problem.

    FWIW, Postfix also calls sasl_server_init() in the smtpd daemon, but
that's not really relevant here.

    If you can prove that any of (1)-(4) contain outdated information,
or if you can enlighten me with a better understanding of the "actual
issues", please do.

    Also please note that I said nothing about either SASL auxprop,
Simon Loader's patch, or the initial topic of this thread.

On 4 October 2003, Tony Earnshaw <tonni@billy.demon.nl> wrote:
[...]
> Postfix has its own SASL implementation for SMTP AUTH (I use SASL
> auxprop libs rather than saslauthd).
[...]

    No, Tony.  As I pointed out on the postfix-users list, Courier has
its own SASL implementation, Postfix doesn't (although some people
believe that it should).

    Regards,

    Liviu Daia

-- 
Dr. Liviu Daia               e-mail:   Liviu.Daia@imar.ro
Institute of Mathematics     web page: http://www.imar.ro/~daia
of the Romanian Academy      PGP key:  http://www.imar.ro/~daia/daia.asc
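The double-initialisation sequence described in steps (1)-(4) above, modelled as an added example in C. This is constructed for illustration and is not code from cyrus-sasl, Postfix or OpenLDAP; the callback struct, the owner names "postfix-smtp" and "openldap-client", and every function name below are assumptions. It reproduces only the refcount branch quoted from lib/client.c: once the library is marked active, a second caller's callback table is never installed, so whichever component initialised first owns the callbacks for the whole process.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for sasl_callback_t: an owner label and one callback slot.
   Constructed for this example; not the cyrus-sasl type. */
typedef int (*cb_fn)(void);
typedef struct {
    const char *owner;
    cb_fn fn;
} callbacks_t;

/* Process-wide state, mirroring global_callbacks / _sasl_client_active. */
static const callbacks_t *global_callbacks = NULL;
static int client_active = 0;

/* Models the refcount branch of sasl_client_init(): when already active,
   only the counter is bumped and the new callbacks are silently dropped. */
int model_client_init(const callbacks_t *callbacks)
{
    if (client_active) {
        client_active++;          /* second caller's callbacks ignored here */
        return 0;
    }
    global_callbacks = callbacks; /* only the first caller reaches this */
    client_active = 1;
    return 0;
}

/* Helpers a test or an operator-side check can use to see who actually owns
   the installed callbacks after both components have initialised. */
int model_refcount(void)
{
    return client_active;
}

int model_callbacks_owned_by(const char *owner)
{
    return global_callbacks != NULL && strcmp(global_callbacks->owner, owner) == 0;
}

void model_reset(void)
{
    global_callbacks = NULL;
    client_active = 0;
}

/* Simulates the order from the mail: the smtp daemon's pre-jail code
   initialises first, then the LDAP dictionary (via ldap_init) initialises
   again with its own callback table.  Returns the owner label in force. */
const char *simulate_double_init(void)
{
    static const callbacks_t postfix_cbs = { "postfix-smtp", NULL };
    static const callbacks_t ldap_cbs    = { "openldap-client", NULL };

    model_reset();
    model_client_init(&postfix_cbs);
    model_client_init(&ldap_cbs);
    return global_callbacks ? global_callbacks->owner : "(none)";
}

int main(void)
{
    const char *owner = simulate_double_init();
    printf("callbacks in force belong to: %s (refcount %d)\n",
           owner, model_refcount());
    return 0;
}
```

Reversing the two init calls in simulate_double_init() shows the mirror image: the LDAP client's callbacks would then be the ones in force for the smtp daemon's own SASL use. Either way the refcount reaches 2 while exactly one callback table is installed, which is the re-entrancy problem step (4) refers to.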