Re: Sponsoring a canon_user plugin for LDAP lookup

From: Dan White (no email)
Date: Thu Mar 08 2007 - 11:05:27 EST

  • Next message: Torsten Schlabach: "Re: Sponsoring a canon_user plugin for LDAP lookup"

    Hi Torsten,

    Thanks for the info, I'll check into this shortly. I just joined the
    list last night. I'm CCing.

    I have been using perdition with an OpenLDAP directory for a couple of
    years to solve exactly this problem (we're an ISP). I'm trying to move
    away from it for various minor reasons. As far as I'm aware you can't do
    IPv6 with perdition, nor can you proxy sieve connections, nor can it do
    any kind of authentication other than PLAIN. I'm wanting to move to a
    murder setup, but this canonicalization is one of the holdups for me.

    As I stumbled across this discussion via google last night, I had
    actually been working on a canon plugin of my own, but it's a bit of a
    struggle since my C is rusty. My approach is to duplicate the code of the
    internal plugin into a new one, and insert a getpwnam call to find the
    'real' account name to use. This would require use of libnss-ldap (or
    another libnss module) that can query on a given name and return another.

    For instance, libnss-ldap could be configured to search for some
    alternate attribute (say, altuid) and return uid:

    uid:
    altuid: dwhite
    altuid: dwhite-olp
    altuid:
    altuid:

    I've compiled it and verified that it doesn't crash when using
    /etc/passwd, but I haven't tried it against libnss-ldap yet.

    I would prefer to use Howard's solution since it should be more
    efficient, and, well, he's a lot better coder. I only saw the first patch
    in the discussion. Do you have the second one?

    Thanks!
    - Dan

    Torsten Schlabach wrote:
    > Hi Dan!
    >
    >
    >> Is the patch that
    >> was provided by Howard on the mailing list working?
    >>
    >
    > I was unable to make it work, but that might very well have been my own inability.
    >
    > There are actually two patches. Do you have both of them?
    >
    > I had been implementing the first one and tried it, but it had some problems with segfaults and proper string termination. So I communicated this back to Howard and he came up with a second patch. He said he had tested that himself with that 2nd patch and it worked for him, but I kept getting "no user found in database" problems on the LDAP level. (Not even on the IMAPd level).
    >
    > I am not sure how skilled you are with OpenLDAP SASL and proxy authorization and the like. Basically all the stuff described here:
    >
    > http://www.openldap.org/doc/admin23/sasl.html
    >
    > The first gotcha is that the names of some parameters have changed between OpenLDAP 2.2 and 2.3. But a lot of existing Linux systems still have 2.2, so if you are on 2.2, make sure you use
    >
    > http://www.openldap.org/doc/admin22/sasl.html
    >
    > In other words: I (and others) would very much appreciate if you took the time to try again and in case you will be successful, maybe come back with a little howto.
    >
    > We are currently investigating http://www.vergenet.net/linux/perdition/ as an alternative to what we planned originally (Cyrus Murder together with that patch we're discussing here). But for smaller setups with one server it would definitely make so much sense to have this canon_user functionality up and running.
    >
    > Let me know if you get stuck anywhere; I will try to help with the experience I have gained with this.
    >
    > Regards,
    > Torsten
    >
    > P.S.: Do we have this discussion off-list by purpose or did you just fall victim to the missing reply-to header on this mailinglist?
    >
    > -------- Original Message --------
    > Date: Wed, 07 Mar 2007 23:27:43 -0600
    > From: Dan White <>
    > To:
    > CC:
    > Subject: Re: Sponsoring a canon_user plugin for LDAP lookup
    >
    >
    >> Hi Torsten,
    >>
    >> I just found the discussion of your sponsored patch for an LDAP SASL
    >> canon plugin and was curious how it all turned out. Is the patch that
    >> was provided by Howard on the mailing list working?
    >>
    >> I'm very interested in a similar solution.
    >>
    >> Thanks,
    >> - Dan White
    >>

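    Dan's plan above (copy the internal canon_user plugin and insert a getpwnam call that maps the name the client logged in with to the 'real' account name) comes down to one lookup step, and Torsten's report of segfaults and string-termination problems in the first patch shows where that step usually goes wrong. The following is an added example, not code from this thread, from Cyrus SASL, or from any of the patches discussed here. It assumes plain NSS via getpwnam, so against /etc/passwd a name maps to itself and with libnss-ldap the result is whatever that module is configured to return as pw_name; the status enum, function name and buffer sizes are hypothetical.

```c
/* Added example: NSS-backed user canonicalisation with a bounded,
 * always-terminated result buffer. Not from the thread or any SASL plugin. */
#include <errno.h>
#include <pwd.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical status codes for the canonicalisation step. */
enum canon_status {
    CANON_OK = 0,
    CANON_NOUSER = 1,   /* lookup worked, but the name is unknown to NSS   */
    CANON_TOOLONG = 2,  /* caller's buffer cannot hold the real name       */
    CANON_ERROR = 3     /* bad arguments or an NSS backend failure (errno) */
};

/* Resolve the login name to the account name that should be used from now
 * on. Which attribute is matched and which one comes back as pw_name is
 * decided by the configured libnss module (libnss-ldap, files, ...).
 * The output buffer is NUL-terminated on every return path and the copy
 * never exceeds outlen. */
enum canon_status canon_user_via_nss(const char *login, char *out, size_t outlen)
{
    if (login == NULL || out == NULL || outlen == 0)
        return CANON_ERROR;

    out[0] = '\0';  /* never hand an unterminated buffer back to the caller */

    /* getpwnam() is not reentrant; a threaded daemon would use getpwnam_r(). */
    errno = 0;
    struct passwd *pw = getpwnam(login);
    if (pw == NULL) {
        /* glibc reports "not found" with errno left at 0, ENOENT or ESRCH;
         * anything else means the backend lookup itself failed. */
        if (errno == 0 || errno == ENOENT || errno == ESRCH)
            return CANON_NOUSER;
        return CANON_ERROR;
    }

    /* snprintf bounds the copy and terminates it; a return value >= outlen
     * means the real name did not fit, which is an error, not a silently
     * truncated (and therefore wrong) account name. */
    int n = snprintf(out, outlen, "%s", pw->pw_name);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return CANON_TOOLONG;
    }
    return CANON_OK;
}

int main(void)
{
    /* Constructed probe names: "root" exists on any Unix system, the other
     * does not. With libnss-ldap the first could be an altuid value. */
    const char *probes[] = { "root", "no-such-account-xyz" };
    char real[64];

    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        enum canon_status st = canon_user_via_nss(probes[i], real, sizeof real);
        printf("%-22s -> status %d, canonical '%s'\n", probes[i], (int)st, real);
    }
    return 0;
}
```

    The point of the three non-OK statuses is that a canon_user plugin must not let a failed or truncated lookup fall through as a valid (and possibly different) account name; against an LDAP directory the same code path is exercised, only the NSS module behind getpwnam changes.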