Subject: pkg/22184: Adding support for LDAP backend to security/cyrus-sasl
To: None <gnats-bugs@gnats.netbsd.org>
From: None <eggert@macvaerk.dtu.dk>
List: netbsd-bugs
Date: 07/18/2003 19:06:40
>Number: 22184
>Category: pkg
>Synopsis: Adding support for LDAP backend to security/cyrus-sasl
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: pkg-manager
>State: open
>Class: change-request
>Submitter-Id: net
>Arrival-Date: Fri Jul 18 19:07:00 UTC 2003
>Closed-Date:
>Last-Modified:
>Originator: Daniel Eggert
>Release: NetBSD 1.6.1
>Organization:
Macvaerk
>Environment:
System: NetBSD kelvin.macvaerk.dtu.dk 1.6.1 NetBSD 1.6.1 (ANS700MLX) #1: Tue May 6 10:49:47 UTC 2003 eggert@macvaerk.dtu.dk:/usr/src/sys/arch/macppc/compile/ANS700MLX macppc
Architecture: powerpc
Machine: macppc
>Description:
There's a patch out for Cyrus-Sasl that adds support for an LDAP backend. MySQL
support is done in (almost) the same way. This is _very_ handy for email (Postfix)
with an account database inside an LDAP directory.
>How-To-Repeat:
n/a
>Fix:
I've patched Cyrus SASL myself to allow SMTP_AUTH with TLS support. Works like a
charm.
Here's how it's done. Hopefully someone with the needed know-how will add this to
the security/cyrus-sasl package.
The security/cyrus-sasl/Makefile needs to be changed, maybe something like this:
*** /usr/pkgsrc/security/cyrus-sasl/Makefile.org Fri Jul 18 17:57:54 2003
--- /usr/pkgsrc/security/cyrus-sasl/Makefile Fri Jul 18 18:01:46 2003
***************
*** 28,33 ****
--- 28,39 ----
PLIST_SRC+= ${.CURDIR}/PLIST.krb5
.endif
+ .if defined(SASL_USE_LDAP) && ${SASL_USE_LDAP} == "YES"
+ .include "../../databases/openldap/buildlink2.mk"
+ CONFIGURE_ARGS+= --with-ldap=${PREFIX}/lib
+ BUILD_DEFS+= SASL_USE_LDAP
+ .endif
+
PLIST_SRC+= ${.CURDIR}/PLIST.plugins
USE_PKGINSTALL= YES
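Review bot: With only this hunk applied, SASL_USE_LDAP=YES can build a package that has no LDAP support and reports no error. The new .if block passes --with-ldap to a configure script that only knows the option once the third-party patch is applied and configure is regenerated, and autoconf-generated scripts accept unknown --with-* options without failing. The block should apply the patch itself or stop the build when it is missing. The krb5 block just above appends a PLIST fragment; if the LDAP build installs extra files, this block needs a matching PLIST_SRC line. It is also worth confirming that --with-ldap expects ${PREFIX}/lib rather than the OpenLDAP installation prefix.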
This will set up some of the stuff, but _not_ everything. With this fix you still
manually need to download the patch from
http://www.surf.org.uk/downloads/sasl-1.5.27-ldap-ssl-filter-mysql-patch4.tgz
extract the patch and run the following instead of make:
cd /usr/pkgsrc/security/cyrus-sasl/
make clean
make extract
cd work/cyrus-sasl-1.5.27/
patch -b -p1 < INSERT_PATH_TO_PATCH/ldap-mysql_sasl-1.5.27/sasl-ldap+mysql.patch
autoheader-2.13
autoconf-2.13
automake-1.4 -i
cd ../..
make SASL_USE_LDAP=YES
and finally 'make install'.
Notes:
All of the above needs to be put into the Makefile. I know it can be done,
but don't know exactly how. You'll need dependencies on autoheader-2.13,
autoconf-2.13, and automake-1.4 for this to work.
It will most likely go inside some sort of 'pre-patch:'. Perhaps something like
this inside the '.if' (I'm pretty sure there are some errors in the below, but the
overall idea should be clear):
+DISTFILES+= sasl-1.5.27-ldap-ssl-filter-mysql-patch4.tgz
+SITES_sasl-1.5.27-ldap-ssl-filter-mysql-patch4.tgz=http://www.surf.org.uk/downloads/
+BUILD_DEPENDS+= autoconf-2.13*:../../devel/autoconf213
+BUILD_DEPENDS+= automake-1.4*:../../devel/automake14
+
+pre-patch
+ ${GUNZIP} ${DISTDIR} | ${GTAR} -x sasl-ldap+mysql.patch > ${WRKDIR}/sasl-ldap+mysql.patch
+ cd ${WRKSRC}
+ patch -b -p1 < ${WRKDIR}/sasl-ldap+mysql.patch
+ autoheader-2.13
+ autoconf-2.13
+ automake-1.4 -i
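Review bot: The added distfile patches an authentication library and is fetched over plain HTTP from a third-party site, so the DISTFILES line needs a matching checksum entry in the package's distinfo, and the extraction line should name that tarball instead of running ${GUNZIP} on ${DISTDIR}, which is a directory. In the target, pre-patch is missing its colon, and cd ${WRKSRC} on a line of its own has no effect on the following commands because make runs each recipe line in a separate shell. Chain them, for example cd ${WRKSRC} && patch -b -p1 < ${WRKDIR}/sasl-ldap+mysql.patch, and do the same for the autoheader, autoconf and automake calls.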
Have a look at:
http://www.surf.org.uk/src/cyrussasl.html
This might do as a MESSAGE.ldap (copy from above html-page):
+A LDAP server can be used for plaintext password checking by setting
+"pwcheck_method" to "ldap".
+
+The following SASL options are used for LDAP Authentication:
+
+ldap_server: <LDAP Servers spearted by , [localhost]>
+ldap_basedn: <LDAP base dn>
+ldap_uidattr: <LDAP uid attribute [uid]>
+ldap_port: <LDAP port [389]>
+ldap_ssl: <yes/no/true/fasle> Use ssl (untested)
+ldap_filter_mode: <yes/no/true/fasle> Use the filter below
+ldap_filter: <Additional search filter [(objectClass=posixAccount)]>
+ldap_bind_dn: <DN to bind with [NULL]>
+ldap_bind_pw: <Password for DN to bind with [NULL]>
+ldap_alias_deref: <n|s|f|a> n is default
+It is a requirement that "ldap_basedn" be set to the appropriate value for
+your site (ex. ldap_basedn: o=surf, c=UK)
+
+ldap_alias_deref: n = LDAP_DEREF_NEVER
+s = LDAP_DEREF_SEARCHING
+f = LDAP_DEREF_FINDING
+a = LDAP_DEREF_ALWAYS
+If you dont know what ldap alias is just leave this alone.
+
+NULL values for ldap_dn and ldap_passwd mean do an anonymous bind and search.
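Review bot: The last line refers to ldap_dn and ldap_passwd, but the options listed above are ldap_bind_dn and ldap_bind_pw; use the listed names so the text matches the option list. Since ldap_ssl is marked untested and the default port is 389, the message should also state that the LDAP connection is unencrypted in that configuration, and that a configuration file containing ldap_bind_pw must not be world-readable.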
Comments are very welcome, and I'll gladly help, if I can.
Kind regards,
Daniel
eggert@macvaerk.dtu.dk
>Release-Note:
>Audit-Trail:
>Unformatted:
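A small checker for the SASL options listed in the proposed MESSAGE.ldap, as an added example that is not part of the original report or of the LDAP patch. It assumes the options sit in a plain "key: value" file as shown above; the function names and the sample values are hypothetical.

```python
import re

# Option names and defaults are taken from the MESSAGE.ldap text in the report.
DEFAULTS = {"ldap_server": "localhost", "ldap_port": "389", "ldap_uidattr": "uid",
            "ldap_ssl": "no", "ldap_bind_dn": None, "ldap_bind_pw": None}
TRUE_VALUES = {"yes", "true"}

def parse_sasl_conf(text):
    """Parse 'key: value' lines; blank lines and '#' comments are skipped."""
    opts = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z_]+)\s*:\s*(.*)$", line)
        if m:
            opts[m.group(1).lower()] = m.group(2).strip()
    return opts

def audit(text):
    """Return a list of findings for an LDAP-backed SASL configuration."""
    o = parse_sasl_conf(text)
    findings = []
    if o.get("pwcheck_method") != "ldap":
        return findings  # the LDAP options are not in effect
    if not o.get("ldap_basedn"):
        findings.append("ldap_basedn is required but not set")
    if (o["ldap_ssl"] or "").lower() not in TRUE_VALUES:
        findings.append("ldap_ssl is off: traffic to the LDAP server is not encrypted")
    if not o["ldap_bind_dn"] or not o["ldap_bind_pw"]:
        findings.append("no bind DN/password: the search uses an anonymous bind")
    else:
        findings.append("ldap_bind_pw is stored in this file: restrict its permissions")
    return findings

# Constructed sample configuration (all values are made up for illustration).
SAMPLE = """\
pwcheck_method: ldap
ldap_server: ldap.example.org
ldap_basedn: o=example, c=UK
ldap_bind_dn: cn=sasl,o=example,c=UK
ldap_bind_pw: not-a-real-password
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("-", finding)
```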