Subject: pkg/22184: Adding support for LDAP backend to security/cyrus-sasl
To: None <gnats-bugs@gnats.netbsd.org>
From: None <eggert@macvaerk.dtu.dk>
List: netbsd-bugs
Date: 07/18/2003 19:06:40
>Number:         22184
>Category:       pkg
>Synopsis:       Adding support for LDAP backend to security/cyrus-sasl
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Fri Jul 18 19:07:00 UTC 2003
>Closed-Date:
>Last-Modified:
>Originator:     Daniel Eggert
>Release:        NetBSD 1.6.1
>Organization:
Macvaerk
>Environment:
System: NetBSD kelvin.macvaerk.dtu.dk 1.6.1 NetBSD 1.6.1 (ANS700MLX) #1: Tue May 6 10:49:47 UTC 2003 eggert@macvaerk.dtu.dk:/usr/src/sys/arch/macppc/compile/ANS700MLX macppc
Architecture: powerpc
Machine: macppc
>Description:
There's a patch out for Cyrus-Sasl that adds support for an LDAP backend. MySQL
support is done in (almost) the same way. This is _very_ handy for email (Postfix)
with an account database inside an LDAP directory.

>How-To-Repeat:
n/a
>Fix:
I've patched Cyrus SASL myself to allow SMTP_AUTH with TLS support. Works like a
charm.

Here's how it's done. Hopefully someone with the needed know-how will add this to
the security/cyrus-sasl package.

The security/cyrus-sasl/Makefile needs to be changed maybe something like this:

*** /usr/pkgsrc/security/cyrus-sasl/Makefile.org        Fri Jul 18 17:57:54 2003
--- /usr/pkgsrc/security/cyrus-sasl/Makefile    Fri Jul 18 18:01:46 2003
***************
*** 28,33 ****
--- 28,39 ----
  PLIST_SRC+=           ${.CURDIR}/PLIST.krb5
  .endif
  
+ .if defined(SASL_USE_LDAP) && ${SASL_USE_LDAP} == "YES"
+ .include "../../databases/openldap/buildlink2.mk"
+ CONFIGURE_ARGS+=        --with-ldap=${PREFIX}/lib
+ BUILD_DEFS+=          SASL_USE_LDAP
+ .endif
+ 
  PLIST_SRC+=           ${.CURDIR}/PLIST.plugins
  
  USE_PKGINSTALL=               YES
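Review bot: the new `.if` block enables the backend but does not tie any documentation to the option, so a user building with SASL_USE_LDAP=YES gets no hint about `pwcheck_method: ldap` or the `ldap_*` settings; since the PR proposes a MESSAGE.ldap further down, add `MESSAGE_SRC+= ${.CURDIR}/MESSAGE.ldap` inside the same `.if`, mirroring the `PLIST_SRC+= ${.CURDIR}/PLIST.krb5` pattern in the preceding context. Also worth checking against the patch's configure.in whether `--with-ldap=${PREFIX}/lib` is meant to receive a library directory or the OpenLDAP install prefix, given that the openldap buildlink2 include already supplies the include and library search paths.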


This will set up some of the stuff, but _not_ everything. With this fix you still
need to manually download the patch from
   http://www.surf.org.uk/downloads/sasl-1.5.27-ldap-ssl-filter-mysql-patch4.tgz
extract the patch and run the following instead of make:

cd /usr/pkgsrc/security/cyrus-sasl/
make clean
make extract
cd work/cyrus-sasl-1.5.27/
patch -b -p1 < INSERT_PATH_TO_PATCH/ldap-mysql_sasl-1.5.27/sasl-ldap+mysql.patch
autoheader-2.13
autoconf-2.13
automake-1.4 -i
cd ../..
make SASL_USE_LDAP=YES

and finally 'make install'.

Notes:
All of the above needs to be put into the Makefile. I know it can be done,
but don't know exactly how. You'll need dependencies on autoheader-2.13,
autoconf-2.13, and automake-1.4 for this to work.

It will most likely go inside some sort of 'pre-patch:'. Perhaps something like
this inside the '.if' (I'm pretty sure there are some errors in the below, but the
overall idea should be clear):

+DISTFILES+=       sasl-1.5.27-ldap-ssl-filter-mysql-patch4.tgz
+SITES_sasl-1.5.27-ldap-ssl-filter-mysql-patch4.tgz=http://www.surf.org.uk/downloads/
+BUILD_DEPENDS+=   autoconf-2.13*:../../devel/autoconf213
+BUILD_DEPENDS+=   automake-1.4*:../../devel/automake14
+
+pre-patch
+    ${GUNZIP} ${DISTDIR} | ${GTAR} -x sasl-ldap+mysql.patch > ${WRKDIR}/sasl-ldap+mysql.patch
+    cd ${WRKSRC}
+    patch -b -p1 < ${WRKDIR}/sasl-ldap+mysql.patch
+    autoheader-2.13
+    autoconf-2.13
+    automake-1.4 -i
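Review bot: several of these lines will not work as written. `pre-patch` needs a trailing colon to be a make target, and because each recipe line runs in its own shell, `cd ${WRKSRC}` on its own line has no effect on the `patch`, `autoheader-2.13`, `autoconf-2.13` and `automake-1.4 -i` lines after it; join them on one line with `&&`, or prefix each with `cd ${WRKSRC} &&`. The extraction line `${GUNZIP} ${DISTDIR} | ${GTAR} -x sasl-ldap+mysql.patch > ${WRKDIR}/sasl-ldap+mysql.patch` passes a directory to gunzip and expects `tar -x` to write to stdout, which it does not without `-O`; but once the tarball is listed in DISTFILES the default extract step unpacks it into ${WRKDIR} anyway, so the patch is already available as `${WRKDIR}/ldap-mysql_sasl-1.5.27/sasl-ldap+mysql.patch` (the path shown in the manual steps above) and the gunzip/tar line can be dropped. Two more packaging points: `DISTFILES+=` in the package Makefile defines the variable before bsd.pkg.mk's `DISTFILES?=` default, so the main cyrus-sasl distfile must be listed explicitly alongside the patch tarball, and the tarball's checksum has to be added to the package's distinfo.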


Have a look at:
    http://www.surf.org.uk/src/cyrussasl.html

This might do as a MESSAGE.ldap (copy from above html-page):

+An LDAP server can be used for plaintext password checking by setting
+"pwcheck_method" to "ldap".
+
+The following SASL options are used for LDAP Authentication:
+
+ldap_server: <LDAP Servers separated by , [localhost]>
+ldap_basedn: <LDAP base dn>
+ldap_uidattr: <LDAP uid attribute [uid]>
+ldap_port: <LDAP port [389]>
+ldap_ssl: <yes/no/true/false> Use ssl (untested)
+ldap_filter_mode: <yes/no/true/false> Use the filter below
+ldap_filter: <Additional search filter [(objectClass=posixAccount)]>
+ldap_bind_dn: <DN to bind with [NULL]>
+ldap_bind_pw: <Password for DN to bind with [NULL]>
+ldap_alias_deref: <n|s|f|a> n is default
+It is a requirement that "ldap_basedn" be set to the appropriate value for
+your site (ex. ldap_basedn: o=surf, c=UK)
+
+ldap_alias_deref: n = LDAP_DEREF_NEVER
+s = LDAP_DEREF_SEARCHING
+f = LDAP_DEREF_FINDING
+a = LDAP_DEREF_ALWAYS
+If you don't know what ldap alias is just leave this alone.
+
+NULL values for ldap_dn and ldap_passwd mean do an anonymous bind and search.


Comments are very welcome, and I'll gladly help if I can.


Kind regards,
Daniel
eggert@macvaerk.dtu.dk
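The ldap_* option list in the proposed MESSAGE.ldap above describes how the patched SASL locates a user (ldap_uidattr, ldap_filter_mode, ldap_filter) and binds to the directory (ldap_bind_dn, ldap_bind_pw, ldap_ssl). The block below is an added example, not code from this PR or from the surf.org.uk patch: it parses a small constructed set of those options in sasl "key: value" style, escapes the login name per RFC 4515 before placing it in the search filter, composes the filter as the option descriptions suggest (uid match ANDed with the additional filter when filter mode is on), and lists the settings a reviewer would want changed before deployment. The filter composition and the default values are assumptions taken from the option descriptions; how the real patch builds its query is not shown on this page.

```python
# Added example (not part of the PR or the cyrus-sasl LDAP patch).
# Parses sasl-style ldap_* options, builds a safely escaped LDAP search
# filter for a login name, and reviews the settings from a defender's view.

# Constructed sample config; assumed to mirror the option names in MESSAGE.ldap.
SAMPLE_CONFIG = """\
pwcheck_method: ldap
ldap_server: ldap1.example.org, ldap2.example.org
ldap_basedn: o=surf, c=UK
ldap_uidattr: uid
ldap_port: 389
ldap_ssl: no
ldap_filter_mode: yes
ldap_filter: (objectClass=posixAccount)
ldap_bind_dn: cn=sasl,o=surf,c=UK
ldap_bind_pw: example-bind-secret
ldap_alias_deref: n
"""

# Defaults as stated in the bracketed values of the option list (assumption).
DEFAULTS = {
    "ldap_server": "localhost",
    "ldap_basedn": None,
    "ldap_uidattr": "uid",
    "ldap_port": "389",
    "ldap_ssl": "no",
    "ldap_filter_mode": "no",
    "ldap_filter": "(objectClass=posixAccount)",
    "ldap_bind_dn": None,
    "ldap_bind_pw": None,
    "ldap_alias_deref": "n",
}

TRUE_WORDS = {"yes", "true"}
DEREF_MODES = {"n", "s", "f", "a"}  # never / searching / finding / always


def parse_options(text):
    """Parse 'key: value' lines (blank lines and # comments ignored) over DEFAULTS."""
    opts = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            opts[key.strip()] = value.strip()
    return opts


def escape_filter_value(value):
    """RFC 4515 escaping: '*', '(', ')', '\\' and NUL become \\XX hex escapes.

    Without this, a login name could alter the meaning of the search filter."""
    out = []
    for ch in value:
        if ch in "*()\\" or ch == "\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_search_filter(opts, username):
    """(uidattr=user), ANDed with ldap_filter when ldap_filter_mode is on (assumed)."""
    base = "(%s=%s)" % (opts["ldap_uidattr"], escape_filter_value(username))
    if opts["ldap_filter_mode"].lower() in TRUE_WORDS and opts["ldap_filter"]:
        return "(&%s%s)" % (base, opts["ldap_filter"])
    return base


def servers(opts):
    """Split the comma-separated ldap_server value into a list of hosts."""
    return [s.strip() for s in opts["ldap_server"].split(",") if s.strip()]


def review_options(opts):
    """Return reviewer findings; an empty list means nothing to raise."""
    findings = []
    if not opts.get("ldap_basedn"):
        findings.append("ldap_basedn is required and not set")
    if opts["ldap_ssl"].lower() not in TRUE_WORDS:
        findings.append("ldap_ssl is off: the connection used for password checking is unencrypted")
    if opts["ldap_bind_pw"] and not opts["ldap_bind_dn"]:
        findings.append("ldap_bind_pw set without ldap_bind_dn: bind will be anonymous")
    if opts["ldap_bind_pw"]:
        findings.append("ldap_bind_pw is stored in the config: keep the file readable by the SASL service only")
    if not opts["ldap_port"].isdigit():
        findings.append("ldap_port must be numeric")
    if opts["ldap_alias_deref"] not in DEREF_MODES:
        findings.append("ldap_alias_deref must be one of n, s, f, a")
    return findings


if __name__ == "__main__":
    opts = parse_options(SAMPLE_CONFIG)
    print("servers:", servers(opts))
    print("filter:", build_search_filter(opts, "alice"))
    for f in review_options(opts):
        print("finding:", f)
```

The escaping step is the part worth keeping even if the rest of the layout differs: whatever builds the search filter must treat the login name as data, and a config review should at least confirm ldap_basedn is set and that the LDAP session is protected when the bind password or checked passwords travel over it.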



>Release-Note:
>Audit-Trail:
>Unformatted: