Hello,

I made some more tests with PLAIN and LOGIN:

- they require sasl_secprops with one of the following:
  * none
  * noanonymous
- slapd does not disable them when there is no TLS, as I read
- slapd uses saslauthd (with *-MD5, it uses /etc/sasldb2 directly)
- PLAIN asks for an optional authzid, LOGIN does not
Here is my final (for now ;-)) patch. I added some requirement information (minssf and secprops) for some mechanisms but do not set them automatically when selecting a mechanism.

Thanks.

-- 
Daniel Dehennin
Retrieve my GPG key: gpg --keyserver pgp.mit.edu --recv-keys 0x6A2540D1
=== modified file 'debian/nslcd.config' --- debian/nslcd.config 2010-05-03 19:29:36 +0000 +++ debian/nslcd.config 2010-06-22 20:11:26 +0000 @@ -136,6 +136,38 @@ reqcert=`echo "$reqcert" | tr 'A-Z' 'a-z' | sed 's/^no$/never/;s/^yes$/demand/'` [ -n "$reqcert" ] && db_set nslcd/ldap-reqcert "$reqcert" fi + # check SASL option + db_get nslcd/ldap-sasl + if [ -z "$RET" ] + then + if grep -qi '^SASL_MECH[[:space:]]*GSSAPI' "$cfgfile" + then + db_set nslcd/ldap-sasl "true" + else + db_set nslcd/ldap-sasl "false" + fi + fi + # check SASL mechanism + db_get nslcd/ldap-sasl-mech + if [ -z "$RET" ] + then + saslmech=`sed -n 's/^SASL_MECH[[:space:]]*\(GSSAPI\)[[:space:]]*$/\1/ip' "$cfgfile"` + [ -n "$saslmech" ] && db_set nslcd/ldap-sasl-mech "$saslmech" + fi + # check SASL realm + db_get nslcd/ldap-sasl-realm + if [ -z "$RET" ] + then + saslrealm=`sed -n 's/^SASL_REALM[[:space:]]*\([^[:space:]]*\)[[:space:]]*$/\1/ip' "$cfgfile"` + [ -n "$saslrealm" ] && db_set nslcd/ldap-sasl-realm "$saslrealm" + fi + # check SASL security properties + db_get nslcd/ldap-sasl-secprops + if [ -z "$RET" ] + then + saslsecprops=`sed -n 's/^SASL_SECPROPS[[:space:]]*\([^[:space:]]*\)[[:space:]]*$/\1/ip' "$cfgfile"` + [ -n "$saslsecprops" ] && db_set nslcd/ldap-sasl-secprops "$saslsecprops" + fi # we're done return 0 } @@ -150,6 +182,12 @@ db_set nslcd/ldap-binddn "" db_set nslcd/ldap-bindpw "" db_set nslcd/ldap-starttls "" + db_set nslcd/ldap-sasl "" + db_set nslcd/ldap-sasl-mech "" + db_set nslcd/ldap-sasl-realm "" + db_set nslcd/ldap-sasl-authcid "" + db_set nslcd/ldap-sasl-authzid "" + db_set nslcd/ldap-sasl-secprops "" # parse current configuration parsecfg "$CONFFILE" else 
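Review bot: the SASL detection added to parsecfg (hunk @@ -136) only recognises GSSAPI: both `grep -qi '^SASL_MECH[[:space:]]*GSSAPI'` and the sed capture `\(GSSAPI\)` ignore every other value, so an existing file with DIGEST-MD5, PLAIN or any other mechanism the new template offers ends up with nslcd/ldap-sasl set to "false" and its mechanism dropped. Capture any non-empty value the way the realm and secprops lines do, e.g. `\([^[:space:]]*\)`, and set nslcd/ldap-sasl to "true" whenever SASL_MECH is present. SASL_AUTHCID and SASL_AUTHZID are not parsed at all, although the matching debconf values are cleared in the next hunk.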
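Review bot: the reset block (hunk @@ -150) clears nslcd/ldap-sasl-authcid and nslcd/ldap-sasl-authzid, but parsecfg never repopulates them, so every re-run of the config script silently loses the identities the administrator entered; either parse sasl_authcid/sasl_authzid in parsecfg or leave those two values alone. The list is also missing nslcd/ldap-sasl-krb5-ccname, the one SASL value that is reset nowhere, which makes the later fallback to /var/run/nslcd/nslcd.tkt apply only on a first install.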
@@ -170,6 +208,10 @@ db_get nslcd/ldap-starttls [ -z "$RET" ] && db_set nslcd/ldap-starttls "false" +# fallback for krb5_ccname +db_get nslcd/ldap-sasl-krb5-ccname +[ -z "$RET" ] && db_set nslcd/ldap-sasl-krb5-ccname "/var/run/nslcd/nslcd.tkt" + # # This is the second part of the script. In this part the configurable # settings will be presented to the user for approval. The postinst @@ -197,16 +239,8 @@ db_go || state="server" ;; bindpw) - # only ask question if we have a binddn - db_get nslcd/ldap-binddn - if [ -n "$RET" ] - then - # ask for login information - db_input medium nslcd/ldap-bindpw || true - else - # clear password - db_set nslcd/ldap-bindpw "" - fi + # ask for login information + db_input medium nslcd/ldap-bindpw || true # ask the question, go to the next question or back state="starttls" db_go || state="binddn" 
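Review bot: dropping the binddn condition in the bindpw state (hunk @@ -197) makes nslcd/ldap-bindpw a question asked on every install, before the user has said whether SASL is wanted at all (the sasl states only come after starttls and reqcert), and it removes the branch that cleared a stale password from the debconf database. Keep the condition and extend it instead: ask when binddn is set, or move the question after the SASL states and ask when the chosen mechanism is LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5 or NTLM; in every other case keep `db_set nslcd/ldap-bindpw ""` so no password lingers in debconf.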
@@ -240,8 +274,112 @@ db_input high nslcd/ldap-reqcert || true fi # ask the question, go to the next question or back + state="sasl" + db_go || state="bindpw" + ;; + sasl) + db_input medium nslcd/ldap-sasl || true + # ask the question, go to the next question or back + state="saslmech" + db_go || state="reqcert" + ;; + saslmech) + # check if SASL is enabled + db_get nslcd/ldap-sasl + if [ "$RET" = "true" ] + then + db_input medium nslcd/ldap-sasl-mech || true + else + db_set nslcd/ldap-sasl-mech "" + fi + # ask the question, go to the next question or back + state="saslrealm" + db_go || state="sasl" + ;; + saslrealm) + # check if SASL is enabled + db_get nslcd/ldap-sasl + sasl="$RET" + # check if SASL mechanism is not ANONYMOUS + db_get nslcd/ldap-sasl-mech + saslmech="$RET" + if [ "$sasl" = "true" ] && [ "$saslmech" != "ANONYMOUS" ] + then + db_input medium nslcd/ldap-sasl-realm || true + else + db_set nslcd/ldap-sasl-realm "" + fi + # ask the question, go to the next question or back + state="saslauthcid" + db_go || state="saslmech" + ;; + saslauthcid) + # check if SASL is enabled + db_get nslcd/ldap-sasl + sasl="$RET" + # check if SASL mechanism is not ANONYMOUS + db_get nslcd/ldap-sasl-mech + saslmech="$RET" + if [ "$sasl" = "true" ] && [ "$saslmech" != "ANONYMOUS" ] + then + db_input medium nslcd/ldap-sasl-authcid || true + else + db_set nslcd/ldap-sasl-authcid "" + fi + # ask the question, go to the next question or back + state="saslauthzid" + db_go || state="saslrealm" + ;; + saslauthzid) + # check if SASL is enabled + db_get nslcd/ldap-sasl + sasl="$RET" + # check if SASL mechanism is not ANONYMOUS + db_get nslcd/ldap-sasl-mech + saslmech="$RET" + if [ "$sasl" = "true" ] && [ "$saslmech" != "ANONYMOUS" ] + then + db_input medium nslcd/ldap-sasl-authzid || true + else + db_set nslcd/ldap-sasl-authzid "" + fi + # ask the question, go to the next question or back + state="saslsecprops" + db_go || state="saslauthcid" + ;; + saslsecprops) + # check if SASL is 
enabled + db_get nslcd/ldap-sasl + sasl="$RET" + # check if SASL mechanism is not ANONYMOUS + db_get nslcd/ldap-sasl-mech + saslmech="$RET" + if [ "$sasl" = "true" ] && [ "$saslmech" != "ANONYMOUS" ] + then + db_input medium nslcd/ldap-sasl-secprops || true + else + db_set nslcd/ldap-sasl-secprops "" + fi + # ask the question, go to the next question or back + state="krb5ccname" + db_go || state="saslauthzid" + ;; + krb5ccname) + # check if SASL mech is GSSAPI + db_get nslcd/ldap-sasl + sasl="$RET" + # check if SASL mechanism is GSSAPI + db_get nslcd/ldap-sasl-mech + saslmech="$RET" + if [ "$sasl" = "true" ] && [ "$saslmech" = "GSSAPI" ] + then + db_input low nslcd/ldap-sasl-krb5-ccname || true + else + db_set nslcd/ldap-sasl-krb5-ccname "" + fi + # ask the question, go to the next question or back state="done" - db_go || state="bindpw" + db_go || state="saslsecprops" ;; esac done === modified file 'debian/nslcd.postinst' --- debian/nslcd.postinst 2010-05-09 09:39:45 +0000 +++ debian/nslcd.postinst 2010-06-22 20:25:13 +0000 @@ -199,8 +199,6 @@ cfg_disable bindpw fi fi - # remove password from database - db_set nslcd/ldap-bindpw "" # set ssl option db_get nslcd/ldap-starttls if [ "$RET" = "true" ] 
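Review bot: in the state machine (hunk @@ -240) the saslrealm, saslauthcid, saslauthzid and saslsecprops states all ask their question for every mechanism except ANONYMOUS, including GSSAPI, where the authentication identity comes from the Kerberos cache and the realm template itself says the cache is used when the realm is empty. Ask nslcd/ldap-sasl-authcid only for the password mechanisms and make the other three conditional on the mechanism that actually uses them, otherwise a GSSAPI user is walked through four questions whose answers postinst either ignores or writes into a config that does not need them. The five states also repeat the same `db_get nslcd/ldap-sasl` / `db_get nslcd/ldap-sasl-mech` preamble; a small helper that exports sasl and saslmech once would cut the hunk by half. In the krb5ccname state the comment `# check if SASL mech is GSSAPI` above `db_get nslcd/ldap-sasl` is a copy-paste leftover of the comment two lines below.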
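Review bot: moving `db_set nslcd/ldap-bindpw ""` out of the simple-bind block (postinst hunk @@ -199) is needed so the password is still available for the SASL branch, but the password now stays in the debconf database across the whole SASL section, and if the script stops anywhere in that section the clear never runs. Read the password into a shell variable here, clear the debconf value immediately as the old code did, and use the variable in the SASL block.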
@@ -221,6 +219,96 @@ # clear debconf value so that this option is only set if the question is asked db_set nslcd/ldap-reqcert "" fi + # set SASL options + db_get nslcd/ldap-sasl + if [ -n "$RET" ] + then + db_get nslcd/ldap-sasl-mech + if [ -n "$RET" ] && [ "$RET" != "ANONYMOUS" ] + then + saslmech="$RET" + cfg_set sasl_mech "$RET" + if [ "$saslmech" = "GSSAPI" ] + then + # Set kerberos credential cache name + db_get nslcd/ldap-sasl-krb5-ccname + if [ -n "$RET" ] + then + cfg_set krb5_ccname "$RET" + else + # default value + cfg_set krb5_ccname "/var/run/nslcd/nslcd.tkt" + fi + elif [ "$saslmech" = "LOGIN" ] || [ "$saslmech" = "PLAIN" ] || [ "$saslmech" = "CRAM-MD5" ] || [ "$saslmech" = "DIGEST-MD5" ] + then + # authcid must be set + db_get nslcd/ldap-sasl-authcid + saslauthcid="$RET" + if [ -n "$saslauthcid" ] + then + # bindpw must be set + db_get nslcd/ldap-bindpw + bindpw="$RET" + if [ -n "$bindpw" ] + then + cfg_set sasl_authcid "$saslauthcid" + cfg_set bindpw "$bindpw" + else + cfg_disable sasl_authcid "$saslauthcid" + cfg_disable bindpw "$bindpw" + fi + fi + fi + else + if grep -qi '^sasl_mech' $CONFFILE + then + cfg_disable sasl_mech + fi + if grep -qi '^krb5_ccname' $CONFFILE + then + cfg_disable krb5_ccname + fi + fi + db_get nslcd/ldap-sasl-realm + if [ -n "$RET" ] + then + cfg_set sasl_realm "$RET" + else + cfg_disable sasl_realm + fi + db_get nslcd/ldap-sasl-authcid + if [ -n "$RET" ] + then + cfg_set sasl_authcid "$RET" + else + cfg_disable sasl_authcid + fi + db_get nslcd/ldap-sasl-authzid + if [ -n "$RET" ] + then + cfg_set sasl_authzid "$RET" + else + cfg_disable sasl_authzid + fi + db_get nslcd/ldap-sasl-secprops + if [ -n "$RET" ] + then + cfg_set sasl_secprops "$RET" + else + cfg_disable sasl_secprops + fi + else + # Disable all SASL options + for saslitem in sasl_mech sasl_realm sasl_authcid sasl_authzid sasl_secprops krb5_ccname + do + if grep -qi "^saslitem" $CONFFILE + then + cfg_disable $saslitem + fi + done + fi + # remove password from 
database + db_set nslcd/ldap-bindpw "" # we're done db_stop # rename reconnect_maxsleeptime to reconnect_retrytime === modified file 'debian/nslcd.templates' --- debian/nslcd.templates 2009-08-31 20:46:01 +0000 +++ debian/nslcd.templates 2010-06-25 19:34:00 +0000 @@ -29,7 +29,8 @@ Template: nslcd/ldap-bindpw Type: password _Description: LDAP user password: - Enter the password that will be used to log in to the LDAP database. + Enter the password that will be used to log in to the LDAP database + or to use SASL authentication. Template: nslcd/ldap-starttls Type: boolean 
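Review bot: `if [ -n "$RET" ]` on nslcd/ldap-sasl (postinst hunk @@ -221) tests for a non-empty answer, but the config script stores "false" when SASL is not wanted, so the SASL branch is taken on every install and the `# Disable all SASL options` fallback is unreachable; use `[ "$RET" = "true" ]`. Inside that fallback, `grep -qi "^saslitem" $CONFFILE` is missing the `$` and never matches anything. The LOGIN/PLAIN/CRAM-MD5/DIGEST-MD5 branch writes sasl_authcid and bindpw, then the generic block below sets or disables sasl_authcid a second time, and `cfg_disable sasl_authcid "$saslauthcid"` / `cfg_disable bindpw "$bindpw"` pass a value argument that no other cfg_disable call in the file uses; drop the mechanism-specific authcid handling, keep the generic block, and write bindpw only when the mechanism is password-based. NTLM and OTP are offered in the template but match no branch here, so for them neither sasl_authcid nor bindpw is written.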
@@ -52,3 +53,115 @@ * demand: a certificate will be requested, required, and checked. If certificate checking is enabled, at least one of the tls_cacertdir or tls_cacertfile options must be put in /etc/nslcd.conf. + +Template: nslcd/ldap-sasl +Type: boolean +Default: false +_Description: Configure LDAP SASL authentication? + LDAP binding can be performed with the Simple Authentication and + Security Layer. + . + For the moment, only GSSAPI/Kerberos authentication mechanism is + tested and configurable via debconf. It needs the suggested package + kstart to acquire and maintain the kerberos credential cache. + . + You can try other mechanisms by editing /etc/nslcd.conf configuration file + directly and report any successful configuration. + +Template: nslcd/ldap-sasl-mech +Type: select +__Choices: ANONYMOUS, LOGIN, PLAIN, NTLM, CRAM-MD5, DIGEST-MD5, GSSAPI, OTP +Default: none +_Description: SASL mechanism to configure: + Simple Authentication and Security Layer mechanism to use for LDAP + authentication. + . + You can choose in the following list: + * ANONYMOUS: for unauthenticated guest access (no SASL). + * LOGIN: a simple cleartext password mechanism (need SASL SECPROPS + none or noanonymous). + * PLAIN: a simple cleartext password mechanism. PLAIN obsoleted the + LOGIN mechanism (need SASL SECPROPS none or noanonymous). + * NTLM: an NT LAN Manager authentication mechanism. + * CRAM-MD5: a simple challenge-response scheme based on HMAC-MD5 + (need SASL SECPROPS minssf=0). + * DIGEST-MD5: HTTP Digest compatible challenge-response scheme based + upon MD5. DIGEST-MD5 offers a data security layer. + * GSSAPI: Generic Security Services Application Program Interface + (Kerberos, needs libsasl2-modules-gssapi-mit or + libsasl2-modules-gssapi-heimdal) + * OTP: a One Time Password mechanism. OTP obsoleted the SKEY + mechanism (untested, needs libsasl2-modules-otp). + . + With OpenLDAP, weak mechanisms need TLS (LOGIN and PLAIN) or + sasl-secprops minssf=0 (CRAM-MD5). 
+ +Template: nslcd/ldap-sasl-realm +Type: string +_Description: SASL realm: + Simple Authentication and Security Layer realm to use for LDAP + authentication. + . + If empty, the GSSAPI mechanism will use informations from the kerberos + credential cache. Others may need @<REALM> suffixing sasl_authcid and + sasl_authzid. + . + The realm is appended to authentication and authorisation identities. + +Template: nslcd/ldap-sasl-authcid +Type: string +_Description: SASL authentication identity: + Simple Authentication and Security Layer identity. + . + This is the login used in LOGIN, PLAIN, CRAM-MD5 and DIGEST-MD5 mechanisms. + +Template: nslcd/ldap-sasl-authzid +Type: string +_Description: SASL proxy authorisation identity: + Simple Authentication and Security Layer proxy authorisation + identity. + . + This is the object in the name of witch the LDAP request are + done. They should have a DN syntax. + +Template: nslcd/ldap-sasl-secprops +Type: string +_Description: Cyrus SASL security properties: + The Cyrus Simple Authentication and Security Layer library provides + the following security properties: + * none: (without any other properties) causes the properties + defaults ("noanonymous,noplain") to be cleared. + Use it to enable ANONYMOUS and LOGIN and PLAIN. + * noplain: disables mechanisms susceptible to simple passive + attacks. Use it to enable ANONYMOUS. + * noactive: disables mechanisms susceptible to active attacks. + * nodict: disables mechanisms susceptible to passive dictionary + attacks. + * noanonymous: disables mechanisms which support anonymous login, + can be used to enable LOGIN and PLAIN. + * forwardsec: requires forward secrecy between sessions. + * passcred: requires mechanisms which pass client credentials (and + allows mechanisms which can pass credentials to do so). + * minssf=<factor>: specifies the minimum acceptable security strength + factor as an integer approximating the effective + key length used for encryption. 
0 (zero) implies + no protection, 1 implies integrity protection + only, 56 allows DES or other weak ciphers, 112 + allows triple DES and other strong ciphers, 128 + allows RC4, Blowfish and other modern strong + ciphers. The default is 0. + * maxssf=<factor>: specifies the maximum acceptable security + strength factor as an integer (see minssf + description). The default is INT_MAX. + * maxbufsize=<factor>: specifies the maximum security layer receive + buffer size allowed. 0 disables security + layers. The default is 65536. + +Template: nslcd/ldap-sasl-krb5-ccname +Type: string +Default: /var/run/nslcd/nslcd.tkt +_Description: Kerberos credential cache file path: + The GSSAPI/Kerberos authentication mechanism needs a credential cache + file. + . + The cache file is initialised and maintained by k5start.
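Review bot: `Default: none` on the nslcd/ldap-sasl-mech select template (templates hunk @@ -52) is not one of the __Choices, so debconf has no valid default; use GSSAPI, the only mechanism the text calls tested, or add a "none" choice. ANONYMOUS is described as "no SASL" and both scripts treat it that way, yet it is a real SASL mechanism (RFC 4505) that nslcd would use if sasl_mech were set to it; since the nslcd/ldap-sasl boolean already means "no SASL", either drop ANONYMOUS from the list or let it configure `sasl_mech ANONYMOUS`. The mechanism text says LOGIN and PLAIN "need TLS", while the covering mail reports that slapd does not disable them without TLS; say what the scripts enforce (nothing) and state plainly that these two mechanisms send the password in clear unless starttls or an ldaps:// URI is configured. The CRAM-MD5 entry asks for `minssf=0`, but the secprops template two screens down says 0 is the default, so either explain why it must be set explicitly or drop the remark. The nslcd/ldap-sasl description says only GSSAPI is tested, which the mail's PLAIN and LOGIN tests contradict. Typos: "informations" (realm template), "witch" and "the LDAP request are done" (authzid template) should read "information", "which" and "the LDAP requests are made".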
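As an added example, not part of the submitted patch or of nss-pam-ldapd, here is a consistency check over the SASL keys that the patched nslcd.postinst writes to /etc/nslcd.conf. It encodes the rules the patch's templates and the covering mail state: LOGIN and PLAIN carry a cleartext password, so they want TLS and a sasl_secprops that clears "noplain"; the password mechanisms need sasl_authcid and bindpw; GSSAPI needs a krb5_ccname. The key names are the real nslcd.conf ones; the checker, its rule set and the sample configurations in the usage note are assumptions.

```shell
#!/bin/sh
# Added example (not from the patch or from nss-pam-ldapd): check the SASL
# settings of an nslcd.conf-style file for the requirements the patch's
# templates describe. Key names are nslcd.conf's; the rules are an assumption.

# cfg_value KEY FILE: print the value of KEY (case-insensitive key, first
# match, comment lines skipped) or nothing if the key is absent.
cfg_value() {
    awk -v key="$1" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")   # drop the key, keep the whole value
            print
            exit
        }' "$2"
}

# nslcd_sasl_check FILE: print one line per problem found and return the
# number of problems (0 means the SASL settings are consistent).
nslcd_sasl_check() {
    f="$1"
    n=0
    needs_pw=0
    needs_tls=0
    mech=$(cfg_value sasl_mech "$f" | tr 'a-z' 'A-Z')
    case "$mech" in
        "")
            # no SASL at all: leftover SASL keys usually mean a stale config
            for k in sasl_realm sasl_authcid sasl_authzid sasl_secprops krb5_ccname; do
                if [ -n "$(cfg_value "$k" "$f")" ]; then
                    echo "$k is set but sasl_mech is not"
                    n=$((n + 1))
                fi
            done
            ;;
        LOGIN|PLAIN)
            needs_pw=1
            needs_tls=1
            # the default secprops carry noplain, which disables these two
            # mechanisms; the mail reports "none" or "noanonymous" is required
            case "$(cfg_value sasl_secprops "$f")" in
                *noplain*|"")
                    echo "$mech needs sasl_secprops none or noanonymous (noplain disables it)"
                    n=$((n + 1)) ;;
            esac
            ;;
        CRAM-MD5|DIGEST-MD5|NTLM)
            needs_pw=1
            ;;
        GSSAPI)
            if [ -z "$(cfg_value krb5_ccname "$f")" ]; then
                echo "GSSAPI needs krb5_ccname (the cache k5start maintains)"
                n=$((n + 1))
            fi
            ;;
        *)
            echo "sasl_mech $mech is not handled by this checker"
            n=$((n + 1))
            ;;
    esac
    if [ "$needs_pw" = 1 ]; then
        for k in sasl_authcid bindpw; do
            if [ -z "$(cfg_value "$k" "$f")" ]; then
                echo "$mech needs $k"
                n=$((n + 1))
            fi
        done
    fi
    if [ "$needs_tls" = 1 ]; then
        ssl=$(cfg_value ssl "$f" | tr 'A-Z' 'a-z')
        uri=$(cfg_value uri "$f")
        case "$ssl" in
            start_tls|on) ;;
            *)
                case "$uri" in
                    ldaps://*) ;;
                    *)
                        echo "$mech sends the password in clear: set ssl start_tls or use an ldaps:// uri"
                        n=$((n + 1)) ;;
                esac ;;
        esac
    fi
    return "$n"
}
```

Run it as `nslcd_sasl_check /etc/nslcd.conf` from a shell that has sourced the file; the exit status is the number of findings, so a constructed file containing `sasl_mech plain` with `uri ldap://...` and no sasl_secprops yields two findings (no TLS, noplain still active), while `sasl_mech DIGEST-MD5` with `ssl start_tls`, sasl_authcid and bindpw yields none.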