SASL EXTERNAL in smbldap.c
Alexey Lobanov
a.lobanov at cro-rct.ru
Thu Oct 20 06:27:34 GMT 2005
Hello all.
On 20/10/05 01:46, Andrew Bartlett wrote:
>>/* removed the sasl_bind_s "EXTERNAL" stuff, as my testsuite
>>(OpenLDAP) doesnt' seem to support it */
>>
>>
>>The questions are: who and when wrote it?
>
>
> A very, very long time ago.
>
>
>>And how to see this stuff
>>again? SASL EXTERNAL works fine in modern Linux-based systems, both
>>through Unix sockets (ldapi://) and through SSL (ldaps://).
>>
>>The aim is obvious: to remove plaintext administrative passwords from
>>any files...
>
>
> I would be happy to see this work. Even other SASL mechs if it were
> fairly easy to support.
Actually, this "EXTERNAL" means "Do nothing; the underlying socket level
will authenticate you". So it is worth implementing even without
other SASL mechs.
SASL EXTERNAL through local Unix sockets seems to work out of the box in
stable Debian with its OpenLDAP 2.2.23. Will check SuSE today.
aal at fileserver:~$ ldapwhoami -Y EXTERNAL -H ldapi://
SASL/EXTERNAL authentication started
SASL username: uidNumber=1000+gidNumber=100,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn:uidnumber=1000+gidnumber=100,cn=peercred,cn=external,cn=auth
root at fileserver:~# ldapwhoami -Y EXTERNAL -H ldapi:///
SASL/EXTERNAL authentication started
SASL username: uidNumber=0+gidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn:uidnumber=0+gidnumber=0,cn=peercred,cn=external,cn=auth
Yes, the LDAP server knows (from the Unix socket) that the client is The Local
Root, and grants permissions. And (imho) it is enough to get rid of this
ugly "smbpasswd -w topsecret" in a single-server environment.
Of course, we need the standard dance with our own Certificate Authority if
we want to obtain the same over the network. After proper cert generation:
root at admrover:~# ldapwhoami -Y EXTERNAL -H ldaps://ldap.office.rct-int
SASL/EXTERNAL authentication started
SASL username: emailAddress=postmaster at cro-rct.ru,CN=admrover,OU=Head Office,O=RCT Global,ST=.,C=RU
SASL SSF: 0
dn:email=postmaster at cro-rct.ru,cn=admrover,ou=head office,o=rct global,st=.,c=ru
Yes, the LDAP server knows (from the Secure Socket Layer) that I am someone
having access to the secret SSL key for the "admrover" machine. I believe it is
still better than a plaintext admin DN password, isn't it?
--
Alexey Lobanov
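As an added example (not from this thread or from Samba/OpenLDAP itself), the slapd.conf fragments that turn the two binds shown above into something usable: they map the SASL EXTERNAL identity slapd derives from the Unix socket peer credentials, or from a verified client certificate, onto an admin DN that the ACLs grant write access, so no administrative password needs to live in a file. The suffix dc=example,dc=com, the cn=admin DN, the certificate paths and the certificate subject are assumed placeholders; the peercred attribute order follows the ldapwhoami output above, and later OpenLDAP releases normalise it as gidNumber=0+uidNumber=0, so match whatever your own server prints.

```conf
# slapd.conf fragment (assumed file; OpenLDAP 2.2/2.3 syntax)

# --- Unix-socket clients (ldapi://) ---
# slapd takes uid/gid from the socket peer, so only a process running as
# root on this host can obtain the cn=admin mapping below. No password is
# involved; the identity is whatever the kernel reports for the peer.
# Match the attribute order your server prints (older releases, as in the
# output above, use uidNumber first; newer ones gidNumber=0\+uidNumber=0).
authz-regexp
  uidNumber=0\+gidNumber=0,cn=peercred,cn=external,cn=auth
  "cn=admin,dc=example,dc=com"
# Other local users stay unmapped, e.g. uid 1000 remains
# uidNumber=1000+gidNumber=100,cn=peercred,cn=external,cn=auth
# and gets only what the ACLs grant to "* read".

# --- TLS clients (ldaps://) ---
# Certificates must chain to our own CA. "demand" rejects every TLS client
# without a valid certificate; use "try" if other TLS clients have none
# (EXTERNAL still needs a verified certificate either way).
TLSCACertificateFile  /etc/ldap/ssl/ca.crt
TLSCertificateFile    /etc/ldap/ssl/ldap.crt
TLSCertificateKeyFile /etc/ldap/ssl/ldap.key
TLSVerifyClient demand

# Map exactly one certificate subject to the admin DN. The match is against
# the normalised (lower-cased) subject, as the second ldapwhoami shows;
# "[.]" matches the literal "." in st=. without a backslash inside quotes.
authz-regexp
  "^email=postmaster@example.com,cn=admrover,ou=head office,o=example,st=[.],c=ru$"
  "cn=admin,dc=example,dc=com"

# --- ACLs: only the mapped identity may write password attributes ---
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
  by dn.exact="cn=admin,dc=example,dc=com" write
  by self write
  by anonymous auth
  by * none
access to *
  by dn.exact="cn=admin,dc=example,dc=com" write
  by * read
```

Re-run the ldapwhoami commands from the post after reloading slapd: the root and certificate binds should now answer dn:cn=admin,dc=example,dc=com, while the uid 1000 bind still reports its peercred identity.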