SASL EXTERNAL in smbldap.c

Alexey Lobanov a.lobanov at cro-rct.ru
Thu Oct 20 06:27:34 GMT 2005


Hello all.

On 20/10/05 01:46, Andrew Bartlett wrote:

>>/* removed the sasl_bind_s "EXTERNAL" stuff, as my testsuite
>>(OpenLDAP) doesnt' seem to support it */
>>
>>
>>The questions are: who and when wrote it? 
> 
> 
> A very, very long time ago.
> 
> 
>>And how to see this stuff
>>again? SASL EXTERNAL works fine in modern Linux-based systems, both
>>through Unix sockets (ldapi://) and through SSL (ldaps://).
>>
>>The aim is obvious: to remove plaintext administrative passwords from
>>any files...
> 
> 
> I would be happy to see this work.  Even other SASL mechs if it were
> fairly easy to support. 

Actually, this "EXTERNAL" means "Do nothing; the underlying socket level
will authenticate you". That is why it is worth implementing even without
other SASL mechs.

SASL EXTERNAL through local Unix sockets seems to work out of the box in
stable Debian with its OpenLDAP 2.2.23. Will check SuSE today.

aal at fileserver:~$  ldapwhoami -Y EXTERNAL -H ldapi://
SASL/EXTERNAL authentication started
SASL username: uidNumber=1000+gidNumber=100,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn:uidnumber=1000+gidnumber=100,cn=peercred,cn=external,cn=auth

root at fileserver:~# ldapwhoami -Y EXTERNAL -H ldapi:///
SASL/EXTERNAL authentication started
SASL username: uidNumber=0+gidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn:uidnumber=0+gidnumber=0,cn=peercred,cn=external,cn=auth

Yes, the LDAP server knows (from the Unix socket) that the client is The
Local Root, and grants permissions. And (imho) it is enough to get rid of
this ugly "smbpasswd -w topsecret" in a single-server environment.


Of course, we need the standard dance with our own Certificate Authority if
we want to obtain the same through the network. After proper cert generation:

root at admrover:~# ldapwhoami -Y EXTERNAL -H ldaps://ldap.office.rct-int
SASL/EXTERNAL authentication started
SASL username: emailAddress=postmaster at cro-rct.ru,CN=admrover,OU=Head Office,O=RCT Global,ST=.,C=RU
SASL SSF: 0
dn:email=postmaster at cro-rct.ru,cn=admrover,ou=head office,o=rct global,st=.,c=ru

Yes, the LDAP server knows (from the Secure Socket Layer) that I am someone
having access to the secret SSL key for the "admrover" machine. I believe it
is still better than a plaintext admin dn password, isn't it?

--
Alexey Lobanov
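The question the two transcripts above settle is "which identity does slapd actually hand to an EXTERNAL bind?", and an administrator has to answer it for every server before the plaintext bind password is removed from Samba. The following is an added example, not code from the post or from Samba or OpenLDAP: it parses the text that `ldapwhoami -Y EXTERNAL` prints (the samples below are constructed copies modelled on the post's transcripts, with placeholder names) and classifies the resulting identity as a local-socket peercred identity or a TLS client-certificate subject, so a script can refuse to switch a configuration over unless the bind really yields the expected identity. The function and field names are this example's own.

```python
"""Classify the identity OpenLDAP derives from a SASL EXTERNAL bind.

Added example for this thread, not code from the post, Samba or OpenLDAP.
"""
from dataclasses import dataclass
from typing import Optional

# Suffix slapd appends to identities taken from Unix-socket peer credentials.
PEERCRED_SUFFIX = ",cn=peercred,cn=external,cn=auth"

# Constructed samples (modelled on the post's transcripts; names are placeholders).
LDAPI_AS_USER = """\
SASL/EXTERNAL authentication started
SASL username: uidNumber=1000+gidNumber=100,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn:uidnumber=1000+gidnumber=100,cn=peercred,cn=external,cn=auth
"""
LDAPI_AS_ROOT = """\
SASL/EXTERNAL authentication started
SASL username: uidNumber=0+gidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn:uidnumber=0+gidnumber=0,cn=peercred,cn=external,cn=auth
"""
LDAPS_WITH_CERT = """\
SASL/EXTERNAL authentication started
SASL username: emailAddress=postmaster@example.org,CN=admrover,OU=Head Office,O=Example,C=RU
SASL SSF: 0
dn:email=postmaster@example.org,cn=admrover,ou=head office,o=example,c=ru
"""


@dataclass(frozen=True)
class ExternalIdentity:
    authzid: str                        # the "dn:" line exactly as slapd reported it
    uid: Optional[int] = None           # uidNumber, only for a peercred (ldapi://) identity
    gid: Optional[int] = None           # gidNumber, likewise
    cert_subject: Optional[str] = None  # subject DN when the identity came from a client cert
    sasl_ssf: Optional[int] = None      # protection SASL itself adds (EXTERNAL: always 0)


def parse_whoami(output: str) -> ExternalIdentity:
    """Parse ldapwhoami output; raise if the bind produced no identity at all."""
    authzid, ssf = None, None
    for raw in output.splitlines():
        line = raw.strip()
        if line.lower().startswith("dn:"):
            authzid = line[3:].strip()
        elif line.startswith("SASL SSF:"):
            ssf = int(line.split(":", 1)[1])
    if not authzid:
        raise ValueError("no 'dn:' line: the bind produced no authorization identity")

    if authzid.lower().endswith(PEERCRED_SUFFIX):
        # Multi-valued RDN such as "uidnumber=0+gidnumber=0". The order of the
        # two AVAs is not guaranteed across OpenLDAP releases, so look both up
        # by attribute name instead of by position.
        rdn = authzid[: -len(PEERCRED_SUFFIX)]
        avas = {k.lower(): int(v) for k, v in
                (ava.split("=", 1) for ava in rdn.split("+"))}
        return ExternalIdentity(authzid, uid=avas["uidnumber"],
                                gid=avas["gidnumber"], sasl_ssf=ssf)

    # Anything else EXTERNAL can hand back is the verified client-certificate subject.
    return ExternalIdentity(authzid, cert_subject=authzid, sasl_ssf=ssf)


def identity_source(ident: ExternalIdentity) -> str:
    """What vouched for this identity: the kernel (socket peer credentials)
    or slapd's TLS layer (a client certificate chained to its CA)."""
    return "peercred" if ident.uid is not None else "tls-client-cert"


def is_local_root(ident: ExternalIdentity) -> bool:
    """True only for the peercred identity of uid 0 / gid 0 on the local socket."""
    return ident.uid == 0 and ident.gid == 0


if __name__ == "__main__":
    for label, sample in (("ldapi as user", LDAPI_AS_USER),
                          ("ldapi as root", LDAPI_AS_ROOT),
                          ("ldaps with cert", LDAPS_WITH_CERT)):
        ident = parse_whoami(sample)
        print(f"{label}: source={identity_source(ident)} "
              f"local_root={is_local_root(ident)} dn={ident.authzid}")
```

Note that `SASL SSF: 0` is the normal reading for EXTERNAL: the mechanism adds no protection of its own, the Unix socket or the TLS session does. A check script should therefore decide on the identity source and the resulting DN, not on the SSF line, and the `dn:` string it sees is the one to grant rights to in slapd's access rules.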

