
Re: Authorization on UIDs without bind





--On Monday, March 06, 2006 9:34 PM +0100 Geert Jansen <geert@boskant.nl> wrote:

> Kurt D. Zeilenga wrote:
>> At 09:42 AM 3/5/2006, Geert Jansen wrote:
>>>
>>> The attached patch implements UID based authorization for anonymous
>>> connections. It adds a keyword "uid=xxx" to the access control syntax,
>>> much like the "ssf=xxx" keyword that is already there (in fact the
>>> implementation is largely copied from that). This feature is useful for
>>> granting local processes access to protected attributes without the
>>> requirement of adding clear-text passwords to configuration files.
>>
>> Or you could just use SASL/EXTERNAL bind (assuming your client supports it, of course. If not, well, I'd work with its developer to add it.)
>
> I will try that as well. However, current support for this is very poor
> amongst LDAP clients. My email server (postfix), IMAP server (dovecot)
> and web server (apache) all do not support SASL binds.

Of course, fixing postfix is trivial. I was able to write a patch for it to support SASL binds in about 20 minutes.


See:

<http://www.stanford.edu/services/directory/openldap/integration/postfix.html>

for that patch.

You should be able to patch anything you have source to fairly easily.

Stanford already wrote a module (mod_webauth) that does SASL binds to our directory servers.

We also already have an updated version of Shibboleth that supports SASL binds via JNDI, too.

As for your 'dovecot' IMAP server, if you have access to the source and it has even basic LDAP support, you should be able to patch it fairly simply. The solution here really is to fix the clients, not break the server.

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
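Added illustration, not code from this thread or from OpenLDAP: what a SASL/EXTERNAL bind over ldapi:// gives the server that an anonymous "uid=xxx" ACL would have to trust blindly. The client connects over a Unix socket; the accepting side reads the kernel-supplied SO_PEERCRED (Linux only), forms the authentication DN that slapd uses for peer credentials, and maps it to a directory DN the way an authz-regexp rule would. The mapping target under dc=example,dc=com is a hypothetical value chosen for this example; no password is sent anywhere.

```python
import os
import re
import socket
import struct
import tempfile
import threading

# Hypothetical authz-regexp style rule (slapd.conf would write $2 where Python's
# re.sub uses \2): peer-credential identity -> directory DN for the service.
AUTHZ_RULE = (
    r"^gidNumber=([0-9]+)\+uidNumber=([0-9]+),cn=peercred,cn=external,cn=auth$",
    r"cn=local-uid-\2,ou=services,dc=example,dc=com",
)

def peercred_dn(conn):
    """Build the authentication DN slapd forms for an ldapi:// EXTERNAL bind
    from SO_PEERCRED (struct ucred: pid, uid, gid) of the connected peer."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    _pid, uid, gid = struct.unpack("3i", raw)
    return f"gidNumber={gid}+uidNumber={uid},cn=peercred,cn=external,cn=auth"

def authz_map(auth_dn, rule=AUTHZ_RULE):
    """Apply the authz-regexp style rule; None means the identity is not mapped
    and the bind would stay unmapped (no ACL privileges granted)."""
    pattern, replacement = rule
    if re.fullmatch(pattern, auth_dn) is None:
        return None
    return re.sub(pattern, replacement, auth_dn)

def expected_auth_dn():
    """What the server should see for a client running as this process."""
    return f"gidNumber={os.getgid()}+uidNumber={os.getuid()},cn=peercred,cn=external,cn=auth"

def whoami_over_unix_socket():
    """Constructed demo: a local client connects; the server identifies it from
    peer credentials alone, which is the identity SASL/EXTERNAL binds carry."""
    path = os.path.join(tempfile.mkdtemp(), "ldapi")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)
    result = {}
    def serve():
        conn, _ = srv.accept()
        with conn:
            result["auth_dn"] = peercred_dn(conn)
            result["authz_dn"] = authz_map(result["auth_dn"])
    worker = threading.Thread(target=serve)
    worker.start()
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as cli:
        cli.connect(path)
    worker.join()
    srv.close()
    return result
```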