Forwarding SASL to an LDAP server

From: Stef (no email)
Date: Thu Jul 03 2008 - 21:19:05 EDT

  • Next message: Alain Spineux: "Re: changing namespace on a running server"

    I've put together a cyrus-sasl plugin which forwards all authentication
    directly to an LDAP SASL-capable server.

    This is designed so that the authenticated server (e.g. mail server)
    doesn't need to have access to the entire user database and all the
    passwords.

    Tarball here:

    http://memberwebs.com/stef/software/sasl-delegateldap/snmp-delegateldap-0.0.2.tar.gz

    However for this to work with DIGEST-MD5 authentication, the LDAP server
    must skip the validation of the uri portion of the MD5 auth. Already as
    implemented, only the first 'service' part is compared with the SASL
    service type. The remainder of the uri is not checked.

    The attached patch adds a 'validate_uri' configuration option, so that
    the validation of the DIGEST-MD5 uri can be turned off altogether,
    which allows forwarding of SASL authentication to an LDAP server to work.

    How would I go about getting this added to cyrus-sasl? I'm certainly
    also open to suggestions of better ways to accomplish this, if this
    patch is not acceptable as is.

    Cheers,

    Stef Walter


    --- plugins/digestmd5.c.orig 2008-06-02 15:36:43.000000000 -0500
    +++ plugins/digestmd5.c 2008-06-02 15:46:54.000000000 -0500
    @@ -212,6 +212,7 @@
     /* global context for reauth use */
     typedef struct digest_glob_context {
        reauth_cache_t *reauth;
    + bool validate_service;
     } digest_glob_context_t;
     
     /* context that stores info */
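Review bot: The new `validate_service` field changes a security check, so it should carry a short comment saying where it is set (only in the server plugin's init, from the `DIGEST-MD5` `validate_service` option) and what false means (the digest-uri service comparison is skipped). The existing `reauth` field has no comment, but a flag that relaxes authentication is worth one.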
    @@ -220,6 +221,7 @@
         enum Context_type i_am; /* are we the client or server? */
         
         reauth_cache_t *reauth;
    + bool validate_service;
     
         char *authid;
         char *realm;
    @@ -1809,7 +1811,8 @@
         text->state = 1;
         text->i_am = SERVER;
         text->reauth = ((digest_glob_context_t *) glob_context)->reauth;
    -
    + text->validate_service = ((digest_glob_context_t *) glob_context)->validate_service;
    +
         *conn_context = text;
         return SASL_OK;
     }
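Review bot: The per-connection copy made here (`text->validate_service = ... ->validate_service;`) is never read: the check later in this patch tests `server_glob_context.validate_service` instead of `text->validate_service`. Either drop the per-connection field and this assignment, or make the check read `text->validate_service`, which is the pattern the surrounding code follows for `reauth`. As written the field in the connection context is dead state.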
    @@ -2136,8 +2139,9 @@
     
                 /* make sure it's the service that we're expecting */
                 service_len = strlen(sparams->service);
    - if (strncasecmp(digesturi, sparams->service, service_len) ||
    - digesturi[service_len] != '/') {
    + if (server_glob_context.validate_service &&
    + (strncasecmp(digesturi, sparams->service, service_len) ||
    + digesturi[service_len] != '/')) {
                     result = SASL_BADAUTH;
                     SETERROR(sparams->utils,
                              "bad digest-uri: doesn't match service");
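Review bot: This is the security-relevant hunk and needs an in-code comment plus an entry in the plugin option documentation: with `validate_service` false, a response whose digest-uri names a different service, or none at all, is accepted, so the server loses the assurance that the client computed its response for this service. Since `sparams->service` and `digesturi` are both in scope here, consider logging the mismatch at debug level when the check is skipped, so an operator can see the relaxation in effect rather than have it silently pass. Also consider reading `text->validate_service` here rather than `server_glob_context.validate_service`, to match the per-connection copy made in the server mech_new above.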
    @@ -2745,7 +2749,9 @@
     {
         reauth_cache_t *reauth_cache;
         const char *timeout = NULL;
    + const char *option = NULL;
         unsigned int len;
    + bool validate_service;
     
         if (maxversion < SASL_SERVER_PLUG_VERSION)
             return SASL_BADVERS;
    @@ -2782,6 +2788,12 @@
     
         ((digest_glob_context_t *) digestmd5_server_plugins[0].glob_context)->reauth = reauth_cache;
     
    + validate_service = TRUE;
    + utils->getopt(utils->getopt_context, "DIGEST-MD5", "validate_service", &option, &len);
    + if (option && strcasecmp (option, "no") == 0)
    + validate_service = FALSE;
    + ((digest_glob_context_t *) digestmd5_server_plugins[0].glob_context)->validate_service = validate_service;
    +
         *out_version = SASL_SERVER_PLUG_VERSION;
         *pluglist = digestmd5_server_plugins;
         *plugcount = 1;
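Review bot: The option name read here (`validate_service`) does not match the `validate_uri` named in the covering mail; pick one and document it next to `reauth_timeout` in the DIGEST-MD5 options documentation, including the fact that only the value `no` (compared case-insensitively) disables the check and that the default is to validate. Minor style point: `strcasecmp (option, "no")` has a space before the parenthesis, unlike `strncasecmp(` elsewhere in this file. Ignoring the return value of `utils->getopt` is consistent with the `reauth_timeout` lookup above it, and `option` is initialised to NULL, so the NULL test is sound.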

