From olgeni@uli.it  Sun Aug 27 09:48:44 2000
Return-Path: <olgeni@uli.it>
Received: from vega.uli.it (vega.uli.it [62.212.0.2])
	by hub.freebsd.org (Postfix) with ESMTP id 6855537B440
	for <FreeBSD-gnats-submit@freebsd.org>; Sun, 27 Aug 2000 09:48:43 -0700 (PDT)
Received: from olgeni.uli.it (olgeni.uli.it [62.212.0.22])
	by vega.uli.it (Postfix) with ESMTP id 36F4E3B00C
	for <FreeBSD-gnats-submit@freebsd.org>; Sun, 27 Aug 2000 18:48:34 +0200 (CEST)
Message-Id: <Pine.BSF.4.21.0008271847350.58985-100000@olgeni.localdomain.net>
Date: Sun, 27 Aug 2000 18:48:32 +0200 (CEST)
From: Jimmy Olgeni <olgeni@uli.it>
To: FreeBSD-gnats-submit@freebsd.org
Subject: [PATCH] LDAP support and fixes for cyrus-sasl

>Number:         20887
>Category:       ports
>Synopsis:       [PATCH] LDAP support and fixes for cyrus-sasl
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-ports
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sun Aug 27 09:50:00 PDT 2000
>Closed-Date:    Mon Sep 18 08:55:58 PDT 2000
>Last-Modified:  Mon Sep 18 08:57:15 PDT 2000
>Originator:     Jimmy Olgeni
>Release:        FreeBSD 4.1-STABLE i386
>Organization:
Colby
>Environment:

Current cyrus-sasl port (1.5.24).

>Description:

NOTE: This PR supersedes PR 20623.

Changes:

* Enable support for LDAP in Makefile. It can be enabled by defining
the WITH_LDAP macro (make -DWITH_LDAP). Enabling LDAP will install the
pwcheck_ldap.conf.sample file in ${PREFIX}/etc. The pwcheck daemon
will then query the specified LDAP server to authenticate users.

The pwcheck_ldap.conf.sample file should be copied to
pwcheck_ldap.conf, and edited to reflect the site's LDAP
configuration. The "make deinstall" command will leave
pwcheck_ldap.conf alone.

pwcheck_ldap.conf contains 3 variables:

===
SASL_LDAP_SERVER="localhost"
SASL_LDAP_BASEDN="o=organization, c=US"
SASL_LDAP_UIDATTR="uid"
===

SASL_LDAP_SERVER: host name of the LDAP server.
SASL_LDAP_BASEDN: root of the LDAP tree in which to perform the search.
SASL_LDAP_UIDATTR: name of the UID attribute.

The pwcheck daemon will bind to the LDAP server using the user
identifier and password provided by the application requesting the
service. If the bind is successful the user is
authenticated. 

Reference binds (with empty passwords) are denied.

LDAP authentication is handled by a new file:

        pwcheck_ldap.c (version 1.01)
        Author: Clayton Donley <donley@cig.mot.com>
        http://www.wwa.com/~donley/

NOTE: I modified the file to support configuration via environment
variables in place of fixed #defines in the source.

patch-ag now changes Makefile.in in the pwcheck subdirectory to link
LDAP libraries, but only if LDAP is enabled.

Also, patches/patch-ab has been changed to integrate PR 20623 (fix for
Kerberos libraries detection).

The PLIST now includes pwcheck_ldap.conf.sample.

The last @unexec in the PLIST has been changed: the original version
didn't remove the file. A @comment typo has been fixed.

Changed files:

        Makefile (LDAP support: WITH_LDAP macro and pwcheck_ldap.conf.sample)

        files/pwcheck.sh (load and evaluate pwcheck_ldap.conf)

        patches/patch-ab (configure.in changes for Kerberos)

        pkg/PLIST (add pwcheck_ldap.conf.sample, @unexec and @comment fixes)

New files:

        pwcheck_ldap.conf.sample (sample pwcheck LDAP configuration)

        patches/patch-ac (pwcheck_ldap.c)

        patches/patch-ae (LDAP support: listed pwcheck_ldap.c in
                          EXTRA_pwcheck_SOURCES)

        patches/patch-af (configure.in: add --enable-ldap option)

        patches/patch-ag (LDAP support in Makefile.in)

Please note: patches/patch-ag adds a conditional to the Makefile, with
BSD make syntax.

>How-To-Repeat:

>Fix:

diff -rcN cyrus-sasl.orig/Makefile cyrus-sasl/Makefile
*** cyrus-sasl.orig/Makefile	Sat Aug 12 22:47:01 2000
--- cyrus-sasl/Makefile	Sun Aug 27 16:39:44 2000
***************
*** 34,39 ****
--- 34,40 ----
  
  USE_AUTOCONF=	YES
  USE_LIBTOOL=	YES
+ 
  CONFIGURE_ARGS=	--sysconfdir=${PREFIX}/etc \
  		--with-plugindir=${PREFIX}/lib/sasl \
  		--with-dbpath=${PREFIX}/etc/sasldb \
***************
*** 43,48 ****
--- 44,55 ----
  		--with-pwcheck=/var/pwcheck \
  		--with-rc4=openssl
  
+ .if defined(WITH_LDAP)
+ CONFIGURE_ARGS+= --enable-ldap
+ .else
+ LDAP_SUPPORT=	"@comment "
+ .endif
+ 
  # JavaSASL is currently Broken
  #JAVADIR=        jdk1.1.8
  #JAVALIBDIR=     ${PREFIX}/${JAVADIR}/lib/i386/green_threads/
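Review bot: the `.if defined(WITH_LDAP)` branch adds `--enable-ldap` but declares no LIB_DEPENDS (or BUILD_DEPENDS) on an LDAP port, so the `-llber -lldap` that patch-ag adds will fail at link time on a host without the OpenLDAP libraries; put a dependency inside the same conditional. Also, when WITH_LDAP is defined LDAP_SUPPORT is never assigned and the PLIST_SUB below relies on it substituting an empty string; an explicit `LDAP_SUPPORT=` in the `.if` branch makes that intent visible.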
***************
*** 91,104 ****
  PLIST_SUB=	PREFIX=${PREFIX} \
  		GSSAPI=${GSSAPI} \
  		EBONES=${EBONES} \
! 		NOPORTDOCS=${NODOCS}
  
  # Create Cyrus user and group
  pre-install:
  	@${SH} ${PKGDIR}/INSTALL ${PKGNAME} PRE-INSTALL
  
  post-install:
! 	@${SED}  -e "/%%PREFIX%%/s##${PREFIX}#g" ${FILESDIR}/pwcheck.sh \
  		> ${PREFIX}/etc/rc.d/pwcheck.sh
  	@${CHMOD} 755 ${PREFIX}/etc/rc.d/pwcheck.sh
  	${INSTALL} -d -m 700 -o cyrus -g cyrus /var/pwcheck
--- 98,113 ----
  PLIST_SUB=	PREFIX=${PREFIX} \
  		GSSAPI=${GSSAPI} \
  		EBONES=${EBONES} \
! 		NOPORTDOCS=${NODOCS} \
! 		LDAP_SUPPORT=${LDAP_SUPPORT}
  
  # Create Cyrus user and group
  pre-install:
  	@${SH} ${PKGDIR}/INSTALL ${PKGNAME} PRE-INSTALL
  
  post-install:
! 	${INSTALL} ${COPY} -m600 -o root -g wheel ${FILESDIR}/pwcheck_ldap.conf.sample ${PREFIX}/etc
! 	@${SED} -e "/%%PREFIX%%/s##${PREFIX}#g" ${FILESDIR}/pwcheck.sh \
  		> ${PREFIX}/etc/rc.d/pwcheck.sh
  	@${CHMOD} 755 ${PREFIX}/etc/rc.d/pwcheck.sh
  	${INSTALL} -d -m 700 -o cyrus -g cyrus /var/pwcheck
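Review bot: the new post-install line installs pwcheck_ldap.conf.sample unconditionally, while the PLIST lists it only behind `%%LDAP_SUPPORT%%`; a build without WITH_LDAP therefore installs a file that pkg_delete never removes. Wrap the `${INSTALL} ${COPY} -m600 ...` line in `.if defined(WITH_LDAP)`. The 600 root:wheel mode itself is right: pwcheck.sh sources this file as root at boot, so it must not be writable by anyone else.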
diff -rcN cyrus-sasl.orig/files/pwcheck.sh cyrus-sasl/files/pwcheck.sh
*** cyrus-sasl.orig/files/pwcheck.sh	Mon Jan 24 06:22:15 2000
--- cyrus-sasl/files/pwcheck.sh	Sun Aug 27 16:21:38 2000
***************
*** 5,10 ****
--- 5,17 ----
  
  PREFIX=%%PREFIX%%
  
+ if [ -r ${PREFIX}/etc/pwcheck_ldap.conf ]; then
+ 	. ${PREFIX}/etc/pwcheck_ldap.conf
+ 	export SASL_LDAP_SERVER
+ 	export SASL_LDAP_BASEDN
+ 	export SASL_LDAP_UIDATTR
+ fi
+ 
  case "$1" in
  
  start)
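Review bot: `. ${PREFIX}/etc/pwcheck_ldap.conf` executes the file as shell inside the rc script, so whatever is in it runs as root; the Makefile installing the sample 600 root:wheel is what makes that acceptable, but the working copy the admin creates by hand (the description says to copy the sample) gets whatever mode their umask yields. Either check ownership and mode before sourcing, or state the required permissions in the sample file. Exporting the three variables when LDAP is not compiled in is harmless, since the getpwnam/getspnam pwcheck methods ignore them.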
diff -rcN cyrus-sasl.orig/files/pwcheck_ldap.conf.sample cyrus-sasl/files/pwcheck_ldap.conf.sample
*** cyrus-sasl.orig/files/pwcheck_ldap.conf.sample	Thu Jan  1 01:00:00 1970
--- cyrus-sasl/files/pwcheck_ldap.conf.sample	Sun Aug 27 16:21:38 2000
***************
*** 0 ****
--- 1,3 ----
+ SASL_LDAP_SERVER="localhost"
+ SASL_LDAP_BASEDN="o=organization, c=US"
+ SASL_LDAP_UIDATTR="uid"
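Review bot: the sample carries no comments, so the meaning of the three variables (server host name, search base, UID attribute) and the fact that the file is sourced as root by pwcheck.sh live only in this PR; put that explanation into the sample as `#` comments, which the shell will skip when sourcing.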
diff -rcN cyrus-sasl.orig/patches/patch-ab cyrus-sasl/patches/patch-ab
*** cyrus-sasl.orig/patches/patch-ab	Sat Aug 12 22:47:01 2000
--- cyrus-sasl/patches/patch-ab	Fri Aug 18 16:31:39 2000
***************
*** 1,14 ****
! --- configure.in.orig	Thu Aug  3 14:34:08 2000
! +++ configure.in	Thu Aug  3 14:39:24 2000
! @@ -66,8 +66,9 @@
!  dnl check for -R, etc. switch
!  CMU_GUESS_RUNPATH_SWITCH
!  dnl let's just link against local.  otherwise we never find anything useful.
! -CPPFLAGS="-I/usr/local/include ${CPPFLAGS}"
! -CMU_ADD_LIBPATH("/usr/local/lib")
! +CPPFLAGS="-I${OPENSSLINC} -I${OPENSSLINC}/openssl ${CPPFLAGS}"
! +CMU_ADD_LIBPATH("${LOCALBASE}/lib")
! +CMU_ADD_LIBPATH("${OPENSSLLIB}")
!  
!  AM_DISABLE_STATIC
!  
--- 1,39 ----
! *** configure.in.orig	Fri Jul 21 04:35:01 2000
! --- configure.in	Fri Aug 18 16:31:21 2000
! ***************
! *** 66,73 ****
!   dnl check for -R, etc. switch
!   CMU_GUESS_RUNPATH_SWITCH
!   dnl let's just link against local.  otherwise we never find anything useful.
! ! CPPFLAGS="-I/usr/local/include ${CPPFLAGS}"
! ! CMU_ADD_LIBPATH("/usr/local/lib")
!   
!   AM_DISABLE_STATIC
!   
! --- 66,74 ----
!   dnl check for -R, etc. switch
!   CMU_GUESS_RUNPATH_SWITCH
!   dnl let's just link against local.  otherwise we never find anything useful.
! ! CPPFLAGS="-I${OPENSSLINC} -I${OPENSSLINC}/openssl ${CPPFLAGS}"
! ! CMU_ADD_LIBPATH("${LOCALBASE}/lib")
! ! CMU_ADD_LIBPATH("${OPENSSLLIB}")
!   
!   AM_DISABLE_STATIC
!   
! ***************
! *** 436,442 ****
!     if test "$with_des" != no; then
!       AC_CHECK_HEADER(krb.h,
!         AC_CHECK_LIB(krb, krb_mk_priv, COM_ERR="",
! ! 	AC_CHECK_LIB(krb, krb_mk_priv, COM_ERR="-lcom_err",
!                        AC_WARN(No Kerberos V4 found); krb4=no, -ldes -lcom_err),
!           -ldes),
!         AC_WARN(No Kerberos V4 found); krb4=no)
! --- 437,443 ----
!     if test "$with_des" != no; then
!       AC_CHECK_HEADER(krb.h,
!         AC_CHECK_LIB(krb, krb_mk_priv, COM_ERR="",
! ! 	AC_CHECK_LIB(krb, krb_mk_err, COM_ERR="-lcom_err",
!                        AC_WARN(No Kerberos V4 found); krb4=no, -ldes -lcom_err),
!           -ldes),
!         AC_WARN(No Kerberos V4 found); krb4=no)
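Review bot: in the 436,442 region the second `AC_CHECK_LIB(krb, krb_mk_priv, ...)` becomes `AC_CHECK_LIB(krb, krb_mk_err, ...)`; that is the right fix, because autoconf caches AC_CHECK_LIB results per library/function pair, so re-probing krb_mk_priv with `-lcom_err` added reused the first (failed) result and the com_err fallback never ran. Probing a different symbol avoids the cache hit; say so in a comment at the top of the patch so it is not reverted later. This patch and patch-af both modify configure.in, and the ports convention is one patch per file, so patch-af's hunks belong in here.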
diff -rcN cyrus-sasl.orig/patches/patch-ac cyrus-sasl/patches/patch-ac
*** cyrus-sasl.orig/patches/patch-ac	Thu Jan  1 01:00:00 1970
--- cyrus-sasl/patches/patch-ac	Sun Aug 27 16:21:38 2000
***************
*** 0 ****
--- 1,138 ----
+ *** pwcheck/pwcheck_ldap.c.orig	Tue Aug  1 18:55:40 2000
+ --- pwcheck/pwcheck_ldap.c	Tue Aug  1 19:09:36 2000
+ ***************
+ *** 0 ****
+ --- 1,133 ----
+ + /* pwcheck_ldap.c -- check passwords using LDAP
+ +  *
+ +  * Author: Clayton Donley <donley@cig.mot.com>
+ +  *         http://www.wwa.com/~donley/
+ +  * Version: 1.01
+ +  *
+ +  * Note: This works by finding a DN that matches an entered UID and
+ +  * binding to the LDAP server using this UID.  This uses clear-text
+ +  * passwords.  A better approach with servers that support SSL and
+ +  * new LDAPv3 servers that support SASL bind methods like CRAM-MD5
+ +  * and TSL.
+ +  *
+ +  * This version should work with both University of Michigan and Netscape
+ +  * LDAP libraries.  It also gets rid of the requirement for userPassword
+ +  * attribute readability.
+ +  *
+ +  */
+ + 
+ + #include <stdio.h>
+ + #include <stdlib.h>
+ + #include <lber.h>
+ + #include <ldap.h>
+ + 
+ + /*
+ + 
+ + The old #defines have been removed. This version uses 3 environment variables:
+ + 
+ + SASL_LDAP_SERVER (ex: "localhost")
+ + SASL_LDAP_BASEDN (ex: "o=organization, c=US")
+ + SASL_LDAP_UIDATTR (ex: "uid")
+ + 
+ + */
+ + 
+ + char *pwcheck(userid, password)
+ + char *userid;
+ + char *password;
+ + {
+ +     LDAP *ld;
+ +     LDAPMessage *result;
+ +     LDAPMessage *entry;
+ +     char *attrs[2];
+ +     char filter[200]; 
+ +     char *dn;
+ + 
+ + /* If the password is NULL, reject the login...Otherwise the bind will
+ +    succeed as a reference bind.  Not good... */
+ + 
+ +     if (strcmp(password,"") == 0)
+ +     {
+ +        return "Null Password";
+ +     }
+ + 
+ + /* Open the LDAP connection.  Change the second argument if your LDAP
+ +    server is not on port 389. */
+ + 
+ +     if ((ld = ldap_open(getenv("SASL_LDAP_SERVER"),LDAP_PORT)) == NULL)
+ +     {
+ +        return "Init Failed";
+ +     }
+ + 
+ + /* Bind anonymously so that you can find the DN of the appropriate user. */
+ + 
+ +     if (ldap_simple_bind_s(ld,"","") != LDAP_SUCCESS)
+ +     {
+ +         ldap_unbind(ld);
+ +         return "Bind Failed";
+ +     }
+ + 
+ + /* Generate a filter that will return the entry with a matching UID */
+ + 
+ +     sprintf(filter,"(%s=%s)",getenv("SASL_LDAP_UIDATTR"),userid);
+ + 
+ + /* Just return country...This doesn't actually matter, since we will
+ +    not read the attributes and values, only the DN */
+ + 
+ +     attrs[0] = "c";
+ +     attrs[1] = NULL;
+ + 
+ + /* Perform the search... */
+ + 
+ +     if (ldap_search_s(ld,getenv("SASL_LDAP_BASEDN"),LDAP_SCOPE_SUBTREE,filter,attrs,1,&result) != LDAP_SUCCESS)
+ +     {
+ +        ldap_unbind(ld);
+ +        return "Search Failed";
+ +     }
+ + 
+ + /* If the entry count is not equal to one, either the UID was not unique or
+ +    there was no match */
+ + 
+ +     if (ldap_count_entries(ld,result) != 1)
+ +     {
+ +        ldap_msgfree(result);
+ +        ldap_unbind(ld);
+ +        return "UserID Unknown";
+ +     }
+ + 
+ + /* Get the first entry */
+ + 
+ +     if ((entry = ldap_first_entry(ld,result)) == NULL)
+ +     {
+ +        ldap_msgfree(result);
+ +        ldap_unbind(ld);
+ +        return "UserID Unknown";
+ +     }
+ + 
+ + /* Get the DN of the entry */
+ + 
+ +     if ((dn = ldap_get_dn(ld,entry)) == NULL)
+ +     {
+ +        ldap_msgfree(entry);
+ +        ldap_unbind(ld);
+ +        return "DN Not Found";
+ +     }
+ + 
+ + /* Now bind as the DN with the password supplied earlier...
+ +    Successful bind means the password was correct, otherwise the
+ +    password is invalid. */
+ + 
+ + /* FIXME: This does not work with "{encryption-type}password" entries... */
+ + 
+ +     if (ldap_simple_bind_s(ld,dn,password) != LDAP_SUCCESS)
+ +     {
+ +        free(dn);
+ +        ldap_msgfree(entry);
+ +        ldap_unbind(ld);
+ +        return "Invalid Login or Password";
+ +     }
+ + 
+ +     free(dn);
+ +     ldap_msgfree(entry);
+ +     ldap_unbind(ld);
+ +     return "OK";
+ + }
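Review bot: `sprintf(filter,"(%s=%s)",getenv("SASL_LDAP_UIDATTR"),userid)` writes into `char filter[200]` with a userid that comes from the client and is never length-checked, so a long userid overruns the stack buffer inside a daemon that runs as root; use snprintf and treat truncation as a failed check. The userid is also interpolated unescaped, so `*`, `(`, `)` and `\` in it change the filter's meaning (RFC 2254 requires them as `\2a`, `\28`, `\29`, `\5c`); the `ldap_count_entries != 1` test narrows but does not remove that, so escape the value. `getenv()` returns NULL when pwcheck is started without pwcheck.sh, and `ldap_open(NULL, ...)` or `"%s"` with NULL will then crash the daemon; check all three variables once at startup. `strcmp` needs `<string.h>`, and the comment says "If the password is NULL" while the code only rejects an empty string, so a NULL pointer would fault in strcmp. Finally, the error paths after `ldap_first_entry` call `ldap_msgfree(entry)` where the earlier paths free `result`; free the result chain consistently.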
diff -rcN cyrus-sasl.orig/patches/patch-ae cyrus-sasl/patches/patch-ae
*** cyrus-sasl.orig/patches/patch-ae	Thu Jan  1 01:00:00 1970
--- cyrus-sasl/patches/patch-ae	Sun Aug 27 16:21:38 2000
***************
*** 0 ****
--- 1,17 ----
+ *** pwcheck/Makefile.am.orig	Thu Apr  6 16:50:24 2000
+ --- pwcheck/Makefile.am	Sat Jul 15 18:33:03 2000
+ ***************
+ *** 25,30 ****
+   sbin_PROGRAMS = pwcheck
+   
+   pwcheck_SOURCES = pwcheck.c
+ ! EXTRA_pwcheck_SOURCES = pwcheck_getpwnam.c pwcheck_getspnam.c
+   pwcheck_DEPENDECIES = pwcheck_@PWCHECKMETH@.lo
+   pwcheck_LDADD = pwcheck_@PWCHECKMETH@.lo @LIB_CRYPT@ @LIB_SOCKET@
+ --- 25,30 ----
+   sbin_PROGRAMS = pwcheck
+   
+   pwcheck_SOURCES = pwcheck.c
+ ! EXTRA_pwcheck_SOURCES = pwcheck_getpwnam.c pwcheck_getspnam.c pwcheck_ldap.c
+   pwcheck_DEPENDECIES = pwcheck_@PWCHECKMETH@.lo
+   pwcheck_LDADD = pwcheck_@PWCHECKMETH@.lo @LIB_CRYPT@ @LIB_SOCKET@
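Review bot: this change only takes effect if automake is re-run; the port uses `USE_AUTOCONF=YES` and patch-ag edits the generated pwcheck/Makefile.in directly, so for the build this patch is redundant. Keep it only if you intend to regenerate Makefile.in, otherwise drop it so the two copies cannot drift. (The `pwcheck_DEPENDECIES` spelling in the context lines is upstream's, not introduced here.)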
diff -rcN cyrus-sasl.orig/patches/patch-af cyrus-sasl/patches/patch-af
*** cyrus-sasl.orig/patches/patch-af	Thu Jan  1 01:00:00 1970
--- cyrus-sasl/patches/patch-af	Sun Aug 27 16:21:38 2000
***************
*** 0 ****
--- 1,36 ----
+ *** configure.in.orig	Sat Jul 15 19:21:44 2000
+ --- configure.in	Sat Jul 15 19:23:34 2000
+ ***************
+ *** 275,280 ****
+ --- 275,284 ----
+   fi
+   AC_SUBST(LIB_PAM)
+   
+ + AC_ARG_ENABLE(ldap, [  --enable-ldap           enable ldap authentication [no] ],
+ +   ldap=$enableval,
+ +   ldap=no)
+ + 
+   AC_ARG_WITH(pwcheck,[  --with-pwcheck=DIR      enable use of the pwcheck daemonusing statedir DIR ],
+   	with_pwcheck=$withval,
+   	with_pwcheck=no)
+ ***************
+ *** 284,290 ****
+      fi
+      AC_DEFINE(HAVE_PWCHECK)
+      AC_DEFINE_UNQUOTED(PWCHECKDIR, "$with_pwcheck")
+ !    AC_CHECK_FUNC(getspnam,PWCHECKMETH="getspnam",PWCHECKMETH="getpwnam")
+      AC_SUBST(PWCHECKMETH)
+   fi
+   AM_CONDITIONAL(PWCHECK, test "$with_pwcheck" != no)
+ --- 288,298 ----
+      fi
+      AC_DEFINE(HAVE_PWCHECK)
+      AC_DEFINE_UNQUOTED(PWCHECKDIR, "$with_pwcheck")
+ !    if test "$ldap" = yes; then
+ !      PWCHECKMETH=ldap
+ !    else
+ !      AC_CHECK_FUNC(getspnam,PWCHECKMETH="getspnam",PWCHECKMETH="getpwnam")
+ !    fi
+      AC_SUBST(PWCHECKMETH)
+   fi
+   AM_CONDITIONAL(PWCHECK, test "$with_pwcheck" != no)
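Review bot: `--enable-ldap` sets `PWCHECKMETH=ldap` without probing for `ldap.h` or libldap (no AC_CHECK_HEADER/AC_CHECK_LIB), so a host without the library fails only when pwcheck_ldap.c is compiled or linked, with no useful message; add a check with an AC_MSG_ERROR. This patch also modifies configure.in, which patch-ab already patches; merge the two. The "daemonusing" in the --with-pwcheck help string is upstream's text in the context lines.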
diff -rcN cyrus-sasl.orig/patches/patch-ag cyrus-sasl/patches/patch-ag
*** cyrus-sasl.orig/patches/patch-ag	Thu Jan  1 01:00:00 1970
--- cyrus-sasl/patches/patch-ag	Sun Aug 27 18:02:03 2000
***************
*** 0 ****
--- 1,27 ----
+ *** pwcheck/Makefile.in.orig	Fri Jul 21 04:36:07 2000
+ --- pwcheck/Makefile.in	Sun Aug 27 18:01:44 2000
+ ***************
+ *** 144,151 ****
+   LIBS = @LIBS@
+   pwcheck_OBJECTS =  pwcheck.o
+   pwcheck_DEPENDENCIES =  pwcheck_@PWCHECKMETH@.lo
+ ! pwcheck_LDFLAGS = 
+   CFLAGS = @CFLAGS@
+   COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+   LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+   CCLD = $(CC)
+ --- 144,157 ----
+   LIBS = @LIBS@
+   pwcheck_OBJECTS =  pwcheck.o
+   pwcheck_DEPENDENCIES =  pwcheck_@PWCHECKMETH@.lo
+ ! PWCHECKMETH=@PWCHECKMETH@
+ ! .if ${PWCHECKMETH} == "ldap"
+ ! pwcheck_LDFLAGS = -llber -lldap
+ ! CFLAGS = @CFLAGS@ -I/usr/local/include
+ ! .else
+ ! pwcheck_LDFLAGS =
+   CFLAGS = @CFLAGS@
+ + .endif
+   COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+   LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+   CCLD = $(CC)
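Review bot: the `.if ${PWCHECKMETH} == "ldap"` block hard-codes `-I/usr/local/include` and bare `-llber -lldap` with no library path; use `${LOCALBASE}` (patch-ab already feeds it into configure.in via CMU_ADD_LIBPATH), or better have configure substitute an @LDAP_LIBS@/@LDAP_CFLAGS@ pair so the Makefile.in needs no make-time conditional. As written, the BSD make `.if` syntax means this Makefile.in no longer works with GNU make; acceptable for a FreeBSD port, as the description notes, but worth a one-line comment in the patch.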
diff -rcN cyrus-sasl.orig/pkg/PLIST cyrus-sasl/pkg/PLIST
*** cyrus-sasl.orig/pkg/PLIST	Fri Jun 16 21:46:22 2000
--- cyrus-sasl/pkg/PLIST	Sun Aug 27 16:39:44 2000
***************
*** 1,4 ****
--- 1,5 ----
  @unexec %D/etc/rc.d/pwcheck.sh stop ; echo "pwcheck stopped."
+ %%LDAP_SUPPORT%%etc/pwcheck_ldap.conf.sample
  etc/rc.d/pwcheck.sh
  include/sasl/hmac-md5.h
  include/sasl/md5.h
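Review bot: the new `%%LDAP_SUPPORT%%` line registers only the .sample; nothing creates pwcheck_ldap.conf at install time or removes an untouched copy at deinstall, so the admin has to copy it by hand and a stale copy survives pkg_delete. The usual ports idiom is an `@exec` that copies the sample when no conf exists and an `@unexec` that removes the conf only while it is still identical to the sample (`cmp -s`), both behind `%%LDAP_SUPPORT%%`.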
***************
*** 60,66 ****
  @exec mkdir pwcheck
  @exec chown cyrus:cyrus pwcheck
  @exec chmod go= pwcheck
! @comment This file gets create by the pwcheck program
! @unexec rm -f pwcheck/pwcheck
  @dirrm pwcheck
  @cwd %%PREFIX%%
--- 61,67 ----
  @exec mkdir pwcheck
  @exec chown cyrus:cyrus pwcheck
  @exec chmod go= pwcheck
! @comment This file gets created by the pwcheck program
! @unexec rm -f /var/pwcheck/pwcheck
  @dirrm pwcheck
  @cwd %%PREFIX%%
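Review bot: `@unexec rm -f /var/pwcheck/pwcheck` now hard-codes an absolute path while the neighbouring `@exec` lines use `pwcheck` relative to the current `@cwd`; if the absolute path is what made removal work, add a short `@comment` saying so, or the next maintainer will "fix" it back. /var/pwcheck is also the value given to `--with-pwcheck` in the Makefile, so a PLIST_SUB would keep the two in sync.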


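The filter construction is the weakest point of pwcheck_ldap.c above (an unbounded `sprintf` of a client-supplied userid into `filter[200]`, with no escaping of LDAP filter metacharacters). The following is an added example, not part of this PR or of Clayton Donley's file: it builds the same `(uidattr=userid)` filter with a length bound and RFC 2254 escaping, and wraps the configuration and empty-password checks that precede the LDAP calls. The function names `build_uid_filter` and `pwcheck_precheck` are the example's own; it deliberately stops before `ldap_open`, so it runs without libldap.

```c
/* Added example: defensive pre-checks for an LDAP pwcheck method.
 * Not part of the cyrus-sasl port or of pwcheck_ldap.c. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define FILTER_MAX 200   /* same size as filter[200] in pwcheck_ldap.c */

/* Append src to dst[len..], escaping '*', '(', ')' and '\' as \XX
 * (RFC 2254). Returns the new length, or -1 if it would not fit in
 * cap bytes including the terminating NUL. */
static int append_escaped(char *dst, size_t cap, size_t len, const char *src)
{
    static const char hex[] = "0123456789abcdef";

    for (; *src != '\0'; src++) {
        unsigned char c = (unsigned char)*src;
        if (c == '*' || c == '(' || c == ')' || c == '\\') {
            if (len + 3 >= cap)
                return -1;
            dst[len++] = '\\';
            dst[len++] = hex[c >> 4];
            dst[len++] = hex[c & 0x0f];
        } else {
            if (len + 1 >= cap)
                return -1;
            dst[len++] = (char)c;
        }
    }
    dst[len] = '\0';
    return (int)len;
}

/* Build "(attr=userid)" into out (cap bytes). Returns 0 on success,
 * -1 if an input is missing/empty or the filter does not fit. */
int build_uid_filter(char *out, size_t cap, const char *attr, const char *userid)
{
    size_t alen, len = 0;
    int r;

    if (out == NULL || attr == NULL || userid == NULL ||
        *attr == '\0' || *userid == '\0')
        return -1;
    alen = strlen(attr);                /* attr comes from the admin's config */
    if (alen + 3 > cap)                 /* '(' attr '=' NUL */
        return -1;
    out[len++] = '(';
    memcpy(out + len, attr, alen);
    len += alen;
    out[len++] = '=';
    out[len] = '\0';
    r = append_escaped(out, cap, len, userid);   /* userid is untrusted */
    if (r < 0)
        return -1;
    len = (size_t)r;
    if (len + 2 > cap)                  /* ')' NUL */
        return -1;
    out[len++] = ')';
    out[len] = '\0';
    return 0;
}

/* Gate that should run before any ldap_* call. The three config values
 * are the SASL_LDAP_* variables (pass getenv() results in). Returns NULL
 * when it is safe to connect, else the pwcheck-style error string.
 * The empty-password refusal mirrors pwcheck_ldap.c: a simple bind with
 * an empty password is an anonymous bind and would "succeed" for any DN. */
const char *pwcheck_precheck(const char *server, const char *basedn,
                             const char *uidattr, const char *userid,
                             const char *password, char *filter, size_t cap)
{
    if (server == NULL || basedn == NULL || uidattr == NULL ||
        *server == '\0' || *basedn == '\0' || *uidattr == '\0')
        return "LDAP Not Configured";
    if (password == NULL || *password == '\0')
        return "Null Password";
    if (userid == NULL || build_uid_filter(filter, cap, uidattr, userid) != 0)
        return "Bad UserID";
    return NULL;
}

int main(void)
{
    /* constructed sample userids: a normal one and one carrying filter
     * metacharacters that sprintf would have pasted in verbatim */
    const char *ids[] = { "alice", "a*)(uid=*", NULL };
    char filter[FILTER_MAX];
    int i;

    for (i = 0; ids[i] != NULL; i++) {
        if (build_uid_filter(filter, sizeof filter, "uid", ids[i]) == 0)
            printf("%-12s -> %s\n", ids[i], filter);
        else
            printf("%-12s -> rejected\n", ids[i]);
    }
    return 0;
}
```

A 194-byte userid still fits the 200-byte buffer; anything longer, or anything that would not fit once escaped, is rejected instead of being truncated or written past the buffer.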
>Release-Note:
>Audit-Trail:

From: "Scot W. Hetzel" <hetzels@westbend.net>
To: "Jimmy Olgeni" <olgeni@uli.it>,
	<FreeBSD-gnats-submit@FreeBSD.ORG>
Cc:  
Subject: Re: ports/20887: [PATCH] LDAP support and fixes for cyrus-sasl
Date: Sun, 27 Aug 2000 15:21:20 -0500

 From: "Jimmy Olgeni" <olgeni@uli.it>
 >
 > LDAP authentication is handled by a new file:
 >
 >         pwcheck_ldap.c (version 1.01)
 >         Author: Clayton Donley <donley@cig.mot.com>
 >         http://www.wwa.com/~donley/
 >
 
 >
 > Changed files:
 >
 >         Makefile (LDAP support: WITH_LDAP macro and pwcheck_ldap.conf.sample)
 >
 >         files/pwcheck.sh (load and evaluate pwcheck_ldap.conf)
 >
 >         patches/patch-ab (configure.in changes for Kerberos)
 >
 >         pkg/PLIST (add pwcheck_ldap.conf.sample, @unexec and @comment fixes)
 >
 > New files:
 >
 >         pwcheck_ldap.conf.sample (sample pwcheck LDAP configuration)
 >
 >         patches/patch-ac (pwcheck_ldap.c)
 >
 >         patches/patch-ae (LDAP support: listed pwcheck_ldap.c in
 >                           EXTRA_pwcheck_SOURCES)
 >
 >         patches/patch-af (configure.in: add --enable-ldap option)
 >
 >         patches/patch-ag (LDAP support in Makefile.in)
 >
 Just a few changes that need to be made before this gets committed:
 
 pkg/PLIST should contain the following for the install/deinstall of pwcheck_ldap.conf:
 
 %%LDAP_SUPPORT%%@unexec if cmp -s %D/etc/pwcheck_ldap.conf %D/etc/pwcheck_ldap.conf.sample; then rm -f %D/etc/pwcheck_ldap.conf; fi
 %%LDAP_SUPPORT%%etc/pwcheck_ldap.conf.sample
 %%LDAP_SUPPORT%%@exec [ ! -f %B/pwcheck_ldap.conf ] && cp %B/%f %B/pwcheck_ldap.conf
 
 Also, the ports Makefile (post-install) should check for the existence of pwcheck_ldap.conf and install it, if it doesn't exist.
 
 patch-ab & patch-af (configure.in) need to be combined (one patch per file rule).
 
 patch-ae (pwcheck/Makefile.am) not needed unless you run automake to rebuild pwcheck/Makefile.in (port only uses autoconf).
 
 patch-ag (pwcheck/Makefile.in) should be renamed to patch-ae (previous patch in attic)
 
 NOTE: patch-aa to patch-af (all in CVS attic except patch-ab) were used previously by the SASL port, they should only be re-used if
 patching the same file.
 
 patch-ac should be extracted and pwcheck_ldap.c placed in files.  It can then be installed via the ports Makefile into the
 ${WRKSRC}/pwcheck directory (post-[extract|patch]).
 
 Missing BUILD/RUN dependency on LDAP port when USE_LDAP is specified.
 
 The port also needs pkg/MESSAGE[.ldap] added with the following contents:
 
     PREFIX/etc/cyrusdb.db now needs to be created
     before applications that depend on SASL are used.
 
     su cyrus
     PREFIX/sbin/saslpasswd -c userid
 
     You will also need to start the pwcheck daemon:
 
     PREFIX/etc/rc.d/pwcheck.sh start
 
 NOTE: MESSAGE.ldap has the same contents as above, but advising them to edit PREFIX/etc/pwcheck_ldap.conf before starting
 pwcheck.sh.
 
 PKGMESSAGE will need to be set to MESSAGE.ldap in the ports Makefile:
 
     .if defined(WITH_LDAP)
     PKGMESSAGE=    ${PKGDIR}/MESSAGE.ldap
     :
     .endif
 
 Then add to post-install:
 
     @${CAT} ${PKGMESSAGE}
 
 Scot
 
 
 

From: Jimmy Olgeni <olgeni@uli.it>
To: freebsd-gnats-submit@FreeBSD.org, olgeni@uli.it
Cc:  
Subject: Re: ports/20887: [PATCH] LDAP support and fixes for cyrus-sasl
Date: Mon, 28 Aug 2000 00:08:00 +0200

 I'm going to make these corrections and resubmit the patch tomorrow.
 
 Thanks for the advice!
 

From: Jimmy Olgeni <olgeni@uli.it>
To: freebsd-gnats-submit@FreeBSD.org, olgeni@uli.it
Cc:  
Subject: Re: ports/20887: [PATCH] LDAP support and fixes for cyrus-sasl
Date: Tue, 29 Aug 2000 00:42:58 +0200

 New patch version.
 
 Changes:
 
 file pkg/PLIST:
 
      if WITH_LDAP is defined, add conditional install/deinstall of
      ${PREFIX}/etc/pwcheck_ldap.conf
 
      remove /var/pwcheck without giving an error message if the
      directory does not exist (if pwcheck.sh has never been run).
 
 file Makefile:
 
      target post-install:
 
          if WITH_LDAP is defined: in ${PREFIX}/etc, check if
          pwcheck_ldap.conf does not exist. If so, copy
          pwcheck_ldap.conf.sample over pwcheck_ldap.conf.
 
          added @${CAT} ${PKGMESSAGE}
 
      target post-extract:
 
          move files/pwcheck_ldap.c to the right place in the
          source. If WITH_LDAP is not used, it won't be compiled.
 
      LIB_DEPENDS should handle all required dependencies (openldap)
 
      added a conditional PKGMESSAGE to point to the right MESSAGE file
      if WITH_LDAP is enabled.
 
      NOTE: the -DWITH_LDAP is required with "make package" too.
 
 file patch-ab:
 
      combined with patch-af
 
 file patch-ac:
 
      removed (see patch-ba)
 
 file patch-af:
 
      removed
 
 file patch-ae (was: patch-ag):
 
      conditional support for LDAP in Makefile.in
 
 file patch-ba:
 
      patches to customize files/pwcheck_ldap.c
 
 file files/pwcheck_ldap.c
 
      the original file has been included, and the port specific
      changes were stored in patch-ba. It should be easier to track
      changes in the original file.
 
 file pkg/MESSAGE:
 
      changed: suggests running saslpasswd to add users
 
 file pkg/MESSAGE.ldap:
 
      new file, suggests to edit PREFIX/etc/pwcheck_ldap.conf.
 
 
 
 
 diff -rcN cyrus-sasl.orig/Makefile cyrus-sasl/Makefile
 *** cyrus-sasl.orig/Makefile	Sat Aug 12 22:47:01 2000
 --- cyrus-sasl/Makefile	Tue Aug 29 00:16:54 2000
 ***************
 *** 15,20 ****
 --- 15,22 ----
   
   MAINTAINER=	hetzels@westbend.net
   
 + LIB_DEPENDS=	ldap.1:${PORTSDIR}/net/openldap
 + 
   USE_OPENSSL=	RSA
   
   INSTALLS_SHLIB=	yes
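Review bot: `LIB_DEPENDS= ldap.1:${PORTSDIR}/net/openldap` is unconditional, so every cyrus-sasl build now pulls in net/openldap even when WITH_LDAP is not defined and libldap is never linked; move the line into the `.if defined(WITH_LDAP)` block further down, next to `--enable-ldap`.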
 ***************
 *** 34,39 ****
 --- 36,42 ----
   
   USE_AUTOCONF=	YES
   USE_LIBTOOL=	YES
 + 
   CONFIGURE_ARGS=	--sysconfdir=${PREFIX}/etc \
   		--with-plugindir=${PREFIX}/lib/sasl \
   		--with-dbpath=${PREFIX}/etc/sasldb \
 ***************
 *** 43,48 ****
 --- 46,58 ----
   		--with-pwcheck=/var/pwcheck \
   		--with-rc4=openssl
   
 + .if defined(WITH_LDAP)
 + PKGMESSAGE=	${PKGDIR}/MESSAGE.ldap
 + CONFIGURE_ARGS+=	--enable-ldap
 + .else
 + LDAP_SUPPORT=	"@comment "
 + .endif
 + 
   # JavaSASL is currently Broken
   #JAVADIR=        jdk1.1.8
   #JAVALIBDIR=     ${PREFIX}/${JAVADIR}/lib/i386/green_threads/
 ***************
 *** 91,104 ****
   PLIST_SUB=	PREFIX=${PREFIX} \
   		GSSAPI=${GSSAPI} \
   		EBONES=${EBONES} \
 ! 		NOPORTDOCS=${NODOCS}
   
   # Create Cyrus user and group
   pre-install:
   	@${SH} ${PKGDIR}/INSTALL ${PKGNAME} PRE-INSTALL
   
   post-install:
 ! 	@${SED}  -e "/%%PREFIX%%/s##${PREFIX}#g" ${FILESDIR}/pwcheck.sh \
   		> ${PREFIX}/etc/rc.d/pwcheck.sh
   	@${CHMOD} 755 ${PREFIX}/etc/rc.d/pwcheck.sh
   	${INSTALL} -d -m 700 -o cyrus -g cyrus /var/pwcheck
 --- 101,124 ----
   PLIST_SUB=	PREFIX=${PREFIX} \
   		GSSAPI=${GSSAPI} \
   		EBONES=${EBONES} \
 ! 		NOPORTDOCS=${NODOCS} \
 ! 		LDAP_SUPPORT=${LDAP_SUPPORT}
 ! 
 ! post-extract:
 ! 	${CP} ${FILESDIR}/pwcheck_ldap.c ${WRKSRC}/pwcheck
   
   # Create Cyrus user and group
   pre-install:
   	@${SH} ${PKGDIR}/INSTALL ${PKGNAME} PRE-INSTALL
   
   post-install:
 ! 	${INSTALL} ${COPY} -m600 -o root -g wheel
 ${FILESDIR}/pwcheck_ldap.conf.sample ${PREFIX}/etc
 ! .if defined(WITH_LDAP)
 ! 	if [ ! -e ${PREFIX}/etc/pwcheck_ldap.conf ]; then \
 ! 		${CP} ${PREFIX}/etc/pwcheck_ldap.conf.sample
 ${PREFIX}/etc/pwcheck_ldap.conf ; \
 ! 	fi
 ! .endif
 ! 	@${SED} -e "/%%PREFIX%%/s##${PREFIX}#g" ${FILESDIR}/pwcheck.sh \
   		> ${PREFIX}/etc/rc.d/pwcheck.sh
   	@${CHMOD} 755 ${PREFIX}/etc/rc.d/pwcheck.sh
   	${INSTALL} -d -m 700 -o cyrus -g cyrus /var/pwcheck
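Review bot: the `${INSTALL} ${COPY} -m600 -o root -g wheel ... pwcheck_ldap.conf.sample` line still sits above the `.if defined(WITH_LDAP)`, so the sample is installed for every build while its PLIST entry remains behind `%%LDAP_SUPPORT%%`; move it inside the conditional together with the `${CP}`. The `post-extract` copy of pwcheck_ldap.c is fine as is, since PWCHECKMETH decides whether it is compiled.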
 ***************
 *** 114,119 ****
 --- 134,140 ----
   	@${INSTALL_DATA} ${WRKSRC}/doc/${file}.html
 ${PREFIX}/share/doc/SASL/html
   .endfor
   .endif
 + 	@${CAT} ${PKGMESSAGE}
   
   .if exists(${WRKDIRPREFIX}${.CURDIR}/Makefile.inc)
   post-clean:
 diff -rcN cyrus-sasl.orig/files/pwcheck.sh cyrus-sasl/files/pwcheck.sh
 *** cyrus-sasl.orig/files/pwcheck.sh	Mon Jan 24 06:22:15 2000
 --- cyrus-sasl/files/pwcheck.sh	Sun Aug 27 16:21:38 2000
 ***************
 *** 5,10 ****
 --- 5,17 ----
   
   PREFIX=%%PREFIX%%
   
 + if [ -r ${PREFIX}/etc/pwcheck_ldap.conf ]; then
 + 	. ${PREFIX}/etc/pwcheck_ldap.conf
 + 	export SASL_LDAP_SERVER
 + 	export SASL_LDAP_BASEDN
 + 	export SASL_LDAP_UIDATTR
 + fi
 + 
   case "$1" in
   
   start)
 diff -rcN cyrus-sasl.orig/files/pwcheck_ldap.c
 cyrus-sasl/files/pwcheck_ldap.c
 *** cyrus-sasl.orig/files/pwcheck_ldap.c	Thu Jan  1 01:00:00 1970
 --- cyrus-sasl/files/pwcheck_ldap.c	Mon Aug 28 20:38:30 2000
 ***************
 *** 0 ****
 --- 1,129 ----
 + /* pwcheck_ldap.c -- check passwords using LDAP
 +  *
 +  * Author: Clayton Donley <donley@cig.mot.com>
 +  *         http://www.wwa.com/~donley/
 +  * Version: 1.01
 +  *
 +  * Note: This works by finding a DN that matches an entered UID and
 +  * binding to the LDAP server using this UID.  This uses clear-text
 +  * passwords.  A better approach with servers that support SSL and
 +  * new LDAPv3 servers that support SASL bind methods like CRAM-MD5
 +  * and TSL.
 +  *
 +  * This version should work with both University of Michigan and
 Netscape
 +  * LDAP libraries.  It also gets rid of the requirement for
 userPassword
 +  * attribute readability.
 +  *
 +  */
 + 
 + #include <stdio.h>
 + #include <lber.h>
 + #include <ldap.h>
 + 
 + /* Set These to your Local Environment */
 + 
 + #define MY_LDAP_SERVER	"localhost"
 + #define MY_LDAP_BASEDN	"o=JOFA, c=UK"
 + #define MY_LDAP_UIDATTR	"uid"
 + 
 + char *pwcheck(userid, password)
 + char *userid;
 + char *password;
 + {
 +     LDAP *ld;
 +     LDAPMessage *result;
 +     LDAPMessage *entry;
 +     char *attrs[2];
 +     char filter[200]; 
 +     char *dn;
 +     int ldbind_res;
 +     char **vals;
 + 
 + /* If the password is NULL, reject the login...Otherwise the bind will
 +    succeed as a reference bind.  Not good... */
 + 
 +     if (strcmp(password,"") == 0)
 +     {
 +        return "Null Password";
 +     }
 + 
 + /* Open the LDAP connection.  Change the second argument if your LDAP
 +    server is not on port 389. */
 + 
 +     if ((ld = ldap_open(MY_LDAP_SERVER,LDAP_PORT)) == NULL)
 +     {
 +        return "Init Failed";
 +     }
 + 
 + /* Bind anonymously so that you can find the DN of the appropriate
 user. */
 + 
 +     if (ldap_simple_bind_s(ld,"","") != LDAP_SUCCESS)
 +     {
 +         ldap_unbind(ld);
 +         return "Bind Failed";
 +     }
 + 
 + /* Generate a filter that will return the entry with a matching UID */
 + 
 +     sprintf(filter,"(%s=%s)",MY_LDAP_UIDATTR,userid);
 + 
 + /* Just return country...This doesn't actually matter, since we will
 +    not read the attributes and values, only the DN */
 + 
 +     attrs[0] = "c";
 +     attrs[1] = NULL;
 + 
 + /* Perform the search... */
 + 
 +     if
 (ldap_search_s(ld,MY_LDAP_BASEDN,LDAP_SCOPE_SUBTREE,filter,attrs,1,&result)
 != LDAP_SUCCESS)
 +     {
 +        ldap_unbind(ld);
 +        return "Search Failed";
 +     }
 + 
 + /* If the entry count is not equal to one, either the UID was not
 unique or
 +    there was no match */
 + 
 +     if (ldap_count_entries(ld,result) != 1)
 +     {
 + 	ldap_msgfree(result);
 +        ldap_unbind(ld);
 +        return "UserID Unknown";
 +     }
 + 
 + /* Get the first entry */
 + 
 +     if ((entry = ldap_first_entry(ld,result)) == NULL)
 +     {
 + 	ldap_msgfree(result);
 +        ldap_unbind(ld);
 +        return "UserID Unknown";
 +     }
 + 
 + /* Get the DN of the entry */
 + 
 +     if ((dn = ldap_get_dn(ld,entry)) == NULL)
 +     {
 + 	ldap_msgfree(entry);
 +        ldap_unbind(ld);
 +        return "DN Not Found";
 +     }
 + 
 + /* Now bind as the DN with the password supplied earlier...
 +    Successful bind means the password was correct, otherwise the
 +    password is invalid. */
 + 
 +     if (ldap_simple_bind_s(ld,dn,password) != LDAP_SUCCESS)
 +     {
 + 	free(dn);
 + 	ldap_msgfree(entry);
 +        ldap_unbind(ld);
 +        return "Invalid Login or Password";
 +     }
 + 
 +     free(dn);
 +     ldap_msgfree(entry);
 +     ldap_unbind(ld);
 +     return "OK";
 + }
 + 
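Review bot: this is the unmodified upstream file, with `MY_LDAP_BASEDN "o=JOFA, c=UK"` placeholders and the unused `ldbind_res`/`vals` locals; the port-specific switch to the SASL_LDAP_* environment variables is said to live in patch-ba, which is not included in this message, so the result cannot be reviewed here. Whatever patch-ba does, the same defects as in the previous round remain in this base: `sprintf` of an unbounded, unescaped client userid into `filter[200]`, `strcmp` without `<string.h>`, and `ldap_msgfree(entry)` where the earlier error paths free `result`; since the file now lives in files/ and is patched by the port, these are cheap to fix in patch-ba.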
 diff -rcN cyrus-sasl.orig/files/pwcheck_ldap.conf.sample
 cyrus-sasl/files/pwcheck_ldap.conf.sample
 *** cyrus-sasl.orig/files/pwcheck_ldap.conf.sample	Thu Jan  1 01:00:00
 1970
 --- cyrus-sasl/files/pwcheck_ldap.conf.sample	Sun Aug 27 16:21:38 2000
 ***************
 *** 0 ****
 --- 1,3 ----
 + SASL_LDAP_SERVER="localhost"
 + SASL_LDAP_BASEDN="o=organization, c=US"
 + SASL_LDAP_UIDATTR="uid"
 diff -rcN cyrus-sasl.orig/patches/patch-ab cyrus-sasl/patches/patch-ab
 *** cyrus-sasl.orig/patches/patch-ab	Sat Aug 12 22:47:01 2000
 --- cyrus-sasl/patches/patch-ab	Mon Aug 28 21:36:25 2000
 ***************
 *** 1,14 ****
 ! --- configure.in.orig	Thu Aug  3 14:34:08 2000
 ! +++ configure.in	Thu Aug  3 14:39:24 2000
 ! @@ -66,8 +66,9 @@
 !  dnl check for -R, etc. switch
 !  CMU_GUESS_RUNPATH_SWITCH
 !  dnl let's just link against local.  otherwise we never find anything
 useful.
 ! -CPPFLAGS="-I/usr/local/include ${CPPFLAGS}"
 ! -CMU_ADD_LIBPATH("/usr/local/lib")
 ! +CPPFLAGS="-I${OPENSSLINC} -I${OPENSSLINC}/openssl ${CPPFLAGS}"
 ! +CMU_ADD_LIBPATH("${LOCALBASE}/lib")
 ! +CMU_ADD_LIBPATH("${OPENSSLLIB}")
 !  
 !  AM_DISABLE_STATIC
 !  
 --- 1,73 ----
 ! *** configure.in.orig	Mon Aug 28 21:36:06 2000
 ! --- configure.in	Mon Aug 28 21:36:11 2000
 ! ***************
 ! *** 66,73 ****
 !   dnl check for -R, etc. switch
 !   CMU_GUESS_RUNPATH_SWITCH
 !   dnl let's just link against local.  otherwise we never find anything
 useful.
 ! ! CPPFLAGS="-I/usr/local/include ${CPPFLAGS}"
 ! ! CMU_ADD_LIBPATH("/usr/local/lib")
 !   
 !   AM_DISABLE_STATIC
 !   
 ! --- 66,74 ----
 !   dnl check for -R, etc. switch
 !   CMU_GUESS_RUNPATH_SWITCH
 !   dnl let's just link against local.  otherwise we never find anything
 useful.
 ! ! CPPFLAGS="-I${OPENSSLINC} -I${OPENSSLINC}/openssl ${CPPFLAGS}"
 ! ! CMU_ADD_LIBPATH("${LOCALBASE}/lib")
 ! ! CMU_ADD_LIBPATH("${OPENSSLLIB}")
 !   
 !   AM_DISABLE_STATIC
 !   
 ! ***************
 ! *** 296,301 ****
 ! --- 297,306 ----
 !   fi
 !   AC_SUBST(LIB_PAM)
 !   
 ! + AC_ARG_ENABLE(ldap, [  --enable-ldap           enable ldap
 authentication [no] ],
 ! +   ldap=$enableval,
 ! +   ldap=no)
 ! + 
 !   AC_ARG_WITH(pwcheck,[  --with-pwcheck=DIR      enable use of the
 pwcheck daemonusing statedir DIR ],
 !   	with_pwcheck=$withval,
 !   	with_pwcheck=no)
 ! ***************
 ! *** 305,311 ****
 !      fi
 !      AC_DEFINE(HAVE_PWCHECK)
 !      AC_DEFINE_UNQUOTED(PWCHECKDIR, "$with_pwcheck")
 ! !   
 AC_CHECK_FUNC(getspnam,PWCHECKMETH="getspnam",PWCHECKMETH="getpwnam")
 !      AC_SUBST(PWCHECKMETH)
 !   fi
 !   AM_CONDITIONAL(PWCHECK, test "$with_pwcheck" != no)
 ! --- 310,320 ----
 !      fi
 !      AC_DEFINE(HAVE_PWCHECK)
 !      AC_DEFINE_UNQUOTED(PWCHECKDIR, "$with_pwcheck")
 ! !    if test "$ldap" = yes; then
 ! !      PWCHECKMETH=ldap
 ! !    else
 ! !     
 AC_CHECK_FUNC(getspnam,PWCHECKMETH="getspnam",PWCHECKMETH="getpwnam")
 ! !    fi
 !      AC_SUBST(PWCHECKMETH)
 !   fi
 !   AM_CONDITIONAL(PWCHECK, test "$with_pwcheck" != no)
 ! ***************
 ! *** 436,442 ****
 !     if test "$with_des" != no; then
 !       AC_CHECK_HEADER(krb.h,
 !         AC_CHECK_LIB(krb, krb_mk_priv, COM_ERR="",
 ! ! 	AC_CHECK_LIB(krb, krb_mk_priv, COM_ERR="-lcom_err",
 !                        AC_WARN(No Kerberos V4 found); krb4=no, -ldes
 -lcom_err),
 !           -ldes),
 !         AC_WARN(No Kerberos V4 found); krb4=no)
 ! --- 445,451 ----
 !     if test "$with_des" != no; then
 !       AC_CHECK_HEADER(krb.h,
 !         AC_CHECK_LIB(krb, krb_mk_priv, COM_ERR="",
 ! ! 	AC_CHECK_LIB(krb, krb_mk_err, COM_ERR="-lcom_err",
 !                        AC_WARN(No Kerberos V4 found); krb4=no, -ldes
 -lcom_err),
 !           -ldes),
 !         AC_WARN(No Kerberos V4 found); krb4=no)
 diff -rcN cyrus-sasl.orig/patches/patch-ae cyrus-sasl/patches/patch-ae
 *** cyrus-sasl.orig/patches/patch-ae	Thu Jan  1 01:00:00 1970
 --- cyrus-sasl/patches/patch-ae	Sun Aug 27 18:02:03 2000
 ***************
 *** 0 ****
 --- 1,27 ----
 + *** pwcheck/Makefile.in.orig	Fri Jul 21 04:36:07 2000
 + --- pwcheck/Makefile.in	Sun Aug 27 18:01:44 2000
 + ***************
 + *** 144,151 ****
 +   LIBS = @LIBS@
 +   pwcheck_OBJECTS =  pwcheck.o
 +   pwcheck_DEPENDENCIES =  pwcheck_@PWCHECKMETH@.lo
 + ! pwcheck_LDFLAGS = 
 +   CFLAGS = @CFLAGS@
 +   COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS)
 $(AM_CFLAGS) $(CFLAGS)
 +   LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES)
 $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 +   CCLD = $(CC)
 + --- 144,157 ----
 +   LIBS = @LIBS@
 +   pwcheck_OBJECTS =  pwcheck.o
 +   pwcheck_DEPENDENCIES =  pwcheck_@PWCHECKMETH@.lo
 + ! PWCHECKMETH=@PWCHECKMETH@
 + ! .if ${PWCHECKMETH} == "ldap"
 + ! pwcheck_LDFLAGS = -llber -lldap
 + ! CFLAGS = @CFLAGS@ -I/usr/local/include
 + ! .else
 + ! pwcheck_LDFLAGS =
 +   CFLAGS = @CFLAGS@
 + + .endif
 +   COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS)
 $(AM_CFLAGS) $(CFLAGS)
 +   LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES)
 $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 +   CCLD = $(CC)
 diff -rcN cyrus-sasl.orig/patches/patch-ba cyrus-sasl/patches/patch-ba
 *** cyrus-sasl.orig/patches/patch-ba	Thu Jan  1 01:00:00 1970
 --- cyrus-sasl/patches/patch-ba	Tue Aug 29 00:40:31 2000
 ***************
 *** 0 ****
 --- 1,119 ----
 + *** pwcheck/pwcheck_ldap.c.orig	Mon Aug 28 20:46:45 2000
 + --- pwcheck/pwcheck_ldap.c	Mon Aug 28 20:48:31 2000
 + ***************
 + *** 14,30 ****
 +    * LDAP libraries.  It also gets rid of the requirement for
 userPassword
 +    * attribute readability.
 +    *
 +    */
 +   
 +   #include <stdio.h>
 +   #include <lber.h>
 +   #include <ldap.h>
 +   
 + ! /* Set These to your Local Environment */
 +   
 + ! #define MY_LDAP_SERVER	"localhost"
 + ! #define MY_LDAP_BASEDN	"o=JOFA, c=UK"
 + ! #define MY_LDAP_UIDATTR	"uid"
 +   
 +   char *pwcheck(userid, password)
 +   char *userid;
 + --- 14,37 ----
 +    * LDAP libraries.  It also gets rid of the requirement for
 userPassword
 +    * attribute readability.
 +    *
 + +  * changed-by: Mon Aug 28 2000 olgeni@uli.it - environment support
 + +  *
 +    */
 +   
 +   #include <stdio.h>
 + + #include <stdlib.h>
 +   #include <lber.h>
 +   #include <ldap.h>
 +   
 + ! /*
 +   
 + ! The old #defines have been removed. This version uses 3 environment
 variables:
 + ! 
 + ! SASL_LDAP_SERVER (ex: "localhost")
 + ! SASL_LDAP_BASEDN (ex: "o=organization, c=US")
 + ! SASL_LDAP_UIDATTR (ex: "uid")
 + ! 
 + ! */
 +   
 +   char *pwcheck(userid, password)
 +   char *userid;
 + ***************
 + *** 36,43 ****
 +       char *attrs[2];
 +       char filter[200]; 
 +       char *dn;
 + -     int ldbind_res;
 + -     char **vals;
 +   
 +   /* If the password is NULL, reject the login...Otherwise the bind
 will
 +      succeed as a reference bind.  Not good... */
 + --- 43,48 ----
 + ***************
 + *** 50,56 ****
 +   /* Open the LDAP connection.  Change the second argument if your
 LDAP
 +      server is not on port 389. */
 +   
 + !     if ((ld = ldap_open(MY_LDAP_SERVER,LDAP_PORT)) == NULL)
 +       {
 +          return "Init Failed";
 +       }
 + --- 55,61 ----
 +   /* Open the LDAP connection.  Change the second argument if your
 LDAP
 +      server is not on port 389. */
 +   
 + !     if ((ld = ldap_open(getenv("SASL_LDAP_SERVER"),LDAP_PORT)) ==
 NULL)
 +       {
 +          return "Init Failed";
 +       }
 + ***************
 + *** 65,71 ****
 +   
 +   /* Generate a filter that will return the entry with a matching UID
 */
 +   
 + !     sprintf(filter,"(%s=%s)",MY_LDAP_UIDATTR,userid);
 +   
 +   /* Just return country...This doesn't actually matter, since we will
 +      not read the attributes and values, only the DN */
 + --- 70,76 ----
 +   
 +   /* Generate a filter that will return the entry with a matching UID
 */
 +   
 + !     sprintf(filter,"(%s=%s)",getenv("SASL_LDAP_UIDATTR"),userid);
 +   
 +   /* Just return country...This doesn't actually matter, since we will
 +      not read the attributes and values, only the DN */
 + ***************
 + *** 75,81 ****
 +   
 +   /* Perform the search... */
 +   
 + !     if
 (ldap_search_s(ld,MY_LDAP_BASEDN,LDAP_SCOPE_SUBTREE,filter,attrs,1,&result)
 != LDAP_SUCCESS)
 +       {
 +          ldap_unbind(ld);
 +          return "Search Failed";
 + --- 80,86 ----
 +   
 +   /* Perform the search... */
 +   
 + !     if
 (ldap_search_s(ld,getenv("SASL_LDAP_BASEDN"),LDAP_SCOPE_SUBTREE,filter,attrs,1,&result)
 != LDAP_SUCCESS)
 +       {
 +          ldap_unbind(ld);
 +          return "Search Failed";
 + ***************
 + *** 112,117 ****
 + --- 117,124 ----
 +   /* Now bind as the DN with the password supplied earlier...
 +      Successful bind means the password was correct, otherwise the
 +      password is invalid. */
 + + 
 + + /* FIXME: This does not work with "{encryption-type}password"
 entries... */
 +   
 +       if (ldap_simple_bind_s(ld,dn,password) != LDAP_SUCCESS)
 +       {
 diff -rcN cyrus-sasl.orig/pkg/MESSAGE cyrus-sasl/pkg/MESSAGE
 *** cyrus-sasl.orig/pkg/MESSAGE	Mon Jan 24 06:22:21 2000
 --- cyrus-sasl/pkg/MESSAGE	Tue Aug 29 00:23:04 2000
 ***************
 *** 1,4 ****
 ! Start the pwcheck program to have clients use the SASL libraries
 ! as a non-root user:
   
 ! 	/usr/local/etc/rc.d/pwcheck.sh [start|stop]
 --- 1,9 ----
 ! PREFIX/etc/cyrusdb.db now needs to be created
 ! before applications that depend on SASL are used.
   
 ! 	su cyrus
 ! 	PREFIX/sbin/saslpasswd -c userid
 ! 
 ! You will also need to start the pwcheck daemon:
 ! 
 ! 	PREFIX/etc/rc.d/pwcheck.sh start
 diff -rcN cyrus-sasl.orig/pkg/MESSAGE.ldap cyrus-sasl/pkg/MESSAGE.ldap
 *** cyrus-sasl.orig/pkg/MESSAGE.ldap	Thu Jan  1 01:00:00 1970
 --- cyrus-sasl/pkg/MESSAGE.ldap	Tue Aug 29 00:11:19 2000
 ***************
 *** 0 ****
 --- 1,10 ----
 + PREFIX/etc/pwcheck_ldap.conf needs to be configured
 + to point to a LDAP server.
 + 
 + SASL_LDAP_SERVER: host name of the LDAP server. 
 + SASL_LDAP_BASEDN: root of LDAP tree to perform the search on.
 + SASL_LDAP_UIDATTR: name of the UID field in your tree.
 + 
 + You will also need to start the pwcheck daemon:
 + 
 + 	PREFIX/etc/rc.d/pwcheck.sh start
 diff -rcN cyrus-sasl.orig/pkg/PLIST cyrus-sasl/pkg/PLIST
 *** cyrus-sasl.orig/pkg/PLIST	Fri Jun 16 21:46:22 2000
 --- cyrus-sasl/pkg/PLIST	Mon Aug 28 21:50:37 2000
 ***************
 *** 1,4 ****
 --- 1,7 ----
   @unexec %D/etc/rc.d/pwcheck.sh stop ; echo "pwcheck stopped."
 + %%LDAP_SUPPORT%%@unexec if cmp -s %D/etc/pwcheck_ldap.conf
 %D/etc/pwcheck_ldap.conf.sample; then rm -f %D/etc/pwcheck_ldap.conf; fi
 + %%LDAP_SUPPORT%%etc/pwcheck_ldap.conf.sample
 + %%LDAP_SUPPORT%%@exec [ ! -f %B/pwcheck_ldap.conf ] && cp %B/%f
 %B/pwcheck_ldap.conf
   etc/rc.d/pwcheck.sh
   include/sasl/hmac-md5.h
   include/sasl/md5.h
 ***************
 *** 60,66 ****
   @exec mkdir pwcheck
   @exec chown cyrus:cyrus pwcheck
   @exec chmod go= pwcheck
 ! @comment This file gets create by the pwcheck program
 ! @unexec rm -f pwcheck/pwcheck
 ! @dirrm pwcheck
   @cwd %%PREFIX%%
 --- 63,69 ----
   @exec mkdir pwcheck
   @exec chown cyrus:cyrus pwcheck
   @exec chmod go= pwcheck
 ! @comment This file gets created by the pwcheck program
 ! @unexec rm -f /var/pwcheck/pwcheck
 ! @unexec rmdir /var/pwcheck 2>/dev/null || true
   @cwd %%PREFIX%%
 

From: "Scot W. Hetzel" <hetzels@westbend.net>
To: FreeBSD-gnats-submit@FreeBSD.ORG
Cc: Jimmy Olgeni <olgeni@uli.it>
Subject: Re: ports/20887: [PATCH] LDAP support and fixes for cyrus-sasl
Date: Mon, 28 Aug 2000 19:58:51 -0500 (CDT)

 Jimmy, 
 
 Thank you for taking the time to fix your patches.  I did find one
 problem with LIB_DEPENDS, it should have been defined within a
 ".if defined(WITH_LDAP) .. .endif".  This way it becomes an optional
 dependency.
 
 I also changed the patches back to unified diffs instead of context diffs.
 
 Ports committers:
 
 	Please apply the below patches to the security/cyrus-sasl port.
 
 Thanks,
 
 Scot W. Hetzel
 cyrus-sasl maintainer
 
 diff -ruN cyrus-sasl.orig/Makefile cyrus-sasl/Makefile
 --- cyrus-sasl.orig/Makefile	Sat Aug 19 03:56:57 2000
 +++ cyrus-sasl/Makefile	Mon Aug 28 19:39:22 2000
 @@ -15,6 +15,10 @@
  
  MAINTAINER=	hetzels@westbend.net
  
 +.if defined(WITH_LDAP)
 +LIB_DEPENDS=	ldap.1:${PORTSDIR}/net/openldap
 +.endif
 +
  USE_OPENSSL=	RSA
  
  INSTALLS_SHLIB=	yes
 @@ -34,6 +38,7 @@
  
  USE_AUTOCONF=	YES
  USE_LIBTOOL=	YES
 +
  CONFIGURE_ARGS=	--sysconfdir=${PREFIX}/etc \
  		--with-plugindir=${PREFIX}/lib/sasl \
  		--with-dbpath=${PREFIX}/etc/sasldb \
 @@ -43,6 +48,13 @@
  		--with-pwcheck=/var/pwcheck \
  		--with-rc4=openssl
  
 +.if defined(WITH_LDAP)
 +PKGMESSAGE=	${PKGDIR}/MESSAGE.ldap
 +CONFIGURE_ARGS+=	--enable-ldap
 +.else
 +LDAP_SUPPORT=	"@comment "
 +.endif
 +
  # JavaSASL is currently Broken
  #JAVADIR=        jdk1.1.8
  #JAVALIBDIR=     ${PREFIX}/${JAVADIR}/lib/i386/green_threads/
 @@ -91,14 +103,24 @@
  PLIST_SUB=	PREFIX=${PREFIX} \
  		GSSAPI=${GSSAPI} \
  		EBONES=${EBONES} \
 -		NOPORTDOCS=${NODOCS}
 +		NOPORTDOCS=${NODOCS} \
 +		LDAP_SUPPORT=${LDAP_SUPPORT}
 +
 +post-extract:
 +	${CP} ${FILESDIR}/pwcheck_ldap.c ${WRKSRC}/pwcheck
  
  # Create Cyrus user and group
  pre-install:
  	@${SH} ${PKGDIR}/INSTALL ${PKGNAME} PRE-INSTALL
  
  post-install:
 -	@${SED}  -e "/%%PREFIX%%/s##${PREFIX}#g" ${FILESDIR}/pwcheck.sh \
 +	${INSTALL} ${COPY} -m600 -o root -g wheel ${FILESDIR}/pwcheck_ldap.conf.sample ${PREFIX}/etc
 +.if defined(WITH_LDAP)
 +	if [ ! -e ${PREFIX}/etc/pwcheck_ldap.conf ]; then \
 +		${CP} ${PREFIX}/etc/pwcheck_ldap.conf.sample ${PREFIX}/etc/pwcheck_ldap.conf ; \
 +	fi
 +.endif
 +	@${SED} -e "/%%PREFIX%%/s##${PREFIX}#g" ${FILESDIR}/pwcheck.sh \
  		> ${PREFIX}/etc/rc.d/pwcheck.sh
  	@${CHMOD} 755 ${PREFIX}/etc/rc.d/pwcheck.sh
  	${INSTALL} -d -m 700 -o cyrus -g cyrus /var/pwcheck
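
Review bot: the `${INSTALL} ${COPY} -m600 -o root -g wheel ${FILESDIR}/pwcheck_ldap.conf.sample ${PREFIX}/etc` line sits outside the `.if defined(WITH_LDAP)` block, so a non-LDAP build installs a file that PLIST lists only under `%%LDAP_SUPPORT%%`; pkg_delete and `make deinstall` then leave it behind. Move the install line inside the `.if`, next to the conditional `cp`. On the mode: the file holds no secrets (server, base DN, attribute name), so `-m600 -o root -g wheel` is about keeping it unwritable by `cyrus`, which matters because pwcheck.sh sources it as shell; keep it root-owned for that reason rather than for secrecy.
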
 @@ -114,6 +136,7 @@
  	@${INSTALL_DATA} ${WRKSRC}/doc/${file}.html ${PREFIX}/share/doc/SASL/html
  .endfor
  .endif
 +	@${CAT} ${PKGMESSAGE}
  
  .if exists(${WRKDIRPREFIX}${.CURDIR}/Makefile.inc)
  post-clean:
 diff -ruN cyrus-sasl.orig/files/pwcheck.sh cyrus-sasl/files/pwcheck.sh
 --- cyrus-sasl.orig/files/pwcheck.sh	Sat Jan 29 03:53:36 2000
 +++ cyrus-sasl/files/pwcheck.sh	Mon Aug 28 19:13:05 2000
 @@ -5,6 +5,13 @@
  
  PREFIX=%%PREFIX%%
  
 +if [ -r ${PREFIX}/etc/pwcheck_ldap.conf ]; then
 +	. ${PREFIX}/etc/pwcheck_ldap.conf
 +	export SASL_LDAP_SERVER
 +	export SASL_LDAP_BASEDN
 +	export SASL_LDAP_UIDATTR
 +fi
 +
  case "$1" in
  
  start)
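
Review bot: `. ${PREFIX}/etc/pwcheck_ldap.conf` executes the file as shell code with the privileges of the rc script, which is root at boot, so the root:wheel 600 mode from the Makefile is what keeps this safe; anything that later makes the file writable by `cyrus` turns a config edit into root code execution. Consider also refusing to `start` when the file exists but leaves any of the three variables empty, because pwcheck_ldap.c hands the `getenv()` results straight to `ldap_open()`, `sprintf()` and `ldap_search_s()`; an unset variable there is a NULL pointer, not a default.
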
 diff -ruN cyrus-sasl.orig/files/pwcheck_ldap.c cyrus-sasl/files/pwcheck_ldap.c
 --- cyrus-sasl.orig/files/pwcheck_ldap.c	Wed Dec 31 18:00:00 1969
 +++ cyrus-sasl/files/pwcheck_ldap.c	Mon Aug 28 19:13:05 2000
 @@ -0,0 +1,129 @@
 +/* pwcheck_ldap.c -- check passwords using LDAP
 + *
 + * Author: Clayton Donley <donley@cig.mot.com>
 + *         http://www.wwa.com/~donley/
 + * Version: 1.01
 + *
 + * Note: This works by finding a DN that matches an entered UID and
 + * binding to the LDAP server using this UID.  This uses clear-text
 + * passwords.  A better approach with servers that support SSL and
 + * new LDAPv3 servers that support SASL bind methods like CRAM-MD5
 + * and TSL.
 + *
 + * This version should work with both University of Michigan and Netscape
 + * LDAP libraries.  It also gets rid of the requirement for userPassword
 + * attribute readability.
 + *
 + */
 +
 +#include <stdio.h>
 +#include <lber.h>
 +#include <ldap.h>
 +
 +/* Set These to your Local Environment */
 +
 +#define MY_LDAP_SERVER	"localhost"
 +#define MY_LDAP_BASEDN	"o=JOFA, c=UK"
 +#define MY_LDAP_UIDATTR	"uid"
 +
 +char *pwcheck(userid, password)
 +char *userid;
 +char *password;
 +{
 +    LDAP *ld;
 +    LDAPMessage *result;
 +    LDAPMessage *entry;
 +    char *attrs[2];
 +    char filter[200]; 
 +    char *dn;
 +    int ldbind_res;
 +    char **vals;
 +
 +/* If the password is NULL, reject the login...Otherwise the bind will
 +   succeed as a reference bind.  Not good... */
 +
 +    if (strcmp(password,"") == 0)
 +    {
 +       return "Null Password";
 +    }
 +
 +/* Open the LDAP connection.  Change the second argument if your LDAP
 +   server is not on port 389. */
 +
 +    if ((ld = ldap_open(MY_LDAP_SERVER,LDAP_PORT)) == NULL)
 +    {
 +       return "Init Failed";
 +    }
 +
 +/* Bind anonymously so that you can find the DN of the appropriate user. */
 +
 +    if (ldap_simple_bind_s(ld,"","") != LDAP_SUCCESS)
 +    {
 +        ldap_unbind(ld);
 +        return "Bind Failed";
 +    }
 +
 +/* Generate a filter that will return the entry with a matching UID */
 +
 +    sprintf(filter,"(%s=%s)",MY_LDAP_UIDATTR,userid);
 +
 +/* Just return country...This doesn't actually matter, since we will
 +   not read the attributes and values, only the DN */
 +
 +    attrs[0] = "c";
 +    attrs[1] = NULL;
 +
 +/* Perform the search... */
 +
 +    if (ldap_search_s(ld,MY_LDAP_BASEDN,LDAP_SCOPE_SUBTREE,filter,attrs,1,&result) != LDAP_SUCCESS)
 +    {
 +       ldap_unbind(ld);
 +       return "Search Failed";
 +    }
 +
 +/* If the entry count is not equal to one, either the UID was not unique or
 +   there was no match */
 +
 +    if (ldap_count_entries(ld,result) != 1)
 +    {
 +	ldap_msgfree(result);
 +       ldap_unbind(ld);
 +       return "UserID Unknown";
 +    }
 +
 +/* Get the first entry */
 +
 +    if ((entry = ldap_first_entry(ld,result)) == NULL)
 +    {
 +	ldap_msgfree(result);
 +       ldap_unbind(ld);
 +       return "UserID Unknown";
 +    }
 +
 +/* Get the DN of the entry */
 +
 +    if ((dn = ldap_get_dn(ld,entry)) == NULL)
 +    {
 +	ldap_msgfree(entry);
 +       ldap_unbind(ld);
 +       return "DN Not Found";
 +    }
 +
 +/* Now bind as the DN with the password supplied earlier...
 +   Successful bind means the password was correct, otherwise the
 +   password is invalid. */
 +
 +    if (ldap_simple_bind_s(ld,dn,password) != LDAP_SUCCESS)
 +    {
 +	free(dn);
 +	ldap_msgfree(entry);
 +       ldap_unbind(ld);
 +       return "Invalid Login or Password";
 +    }
 +
 +    free(dn);
 +    ldap_msgfree(entry);
 +    ldap_unbind(ld);
 +    return "OK";
 +}
 +
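
Review bot: `sprintf(filter,"(%s=%s)",MY_LDAP_UIDATTR,userid)` writes a caller-supplied name into `char filter[200]` with neither a length bound nor LDAP filter escaping, and `userid` is whatever name the remote mail client presented to the SASL-enabled server: a long name overruns the stack buffer, and one containing `*`, `(`, `)` or `\` changes the filter (`*` alone matches every entry, which the `ldap_count_entries(...) != 1` check then happens to reject, but that is luck rather than design). Use `snprintf()` and escape those characters per RFC 2254 (`\2a`, `\28`, `\29`, `\5c`, `\00`) before building the filter, or reject names outside a safe character set. Two smaller points in the same file: the comment says a NULL password is rejected, but `strcmp(password,"")` dereferences a NULL pointer, so test `password == NULL` first; and the cleanup paths call `ldap_msgfree(entry)` in three places but `ldap_msgfree(result)` in two, while `entry` is a pointer obtained from `ldap_first_entry(ld,result)`, so `result` is the object to free in all of them.
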
 diff -ruN cyrus-sasl.orig/files/pwcheck_ldap.conf.sample cyrus-sasl/files/pwcheck_ldap.conf.sample
 --- cyrus-sasl.orig/files/pwcheck_ldap.conf.sample	Wed Dec 31 18:00:00 1969
 +++ cyrus-sasl/files/pwcheck_ldap.conf.sample	Mon Aug 28 19:13:05 2000
 @@ -0,0 +1,3 @@
 +SASL_LDAP_SERVER="localhost"
 +SASL_LDAP_BASEDN="o=organization, c=US"
 +SASL_LDAP_UIDATTR="uid"
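
Review bot: add a comment line to the sample saying that pwcheck.sh sources this file as Bourne shell, so values must stay double-quoted (the sample base DN contains a space and a comma), and that it is read as root at boot; the three bare assignments tell an administrator neither thing. There is also no variable for the port, since pwcheck_ldap.c hardcodes `LDAP_PORT`; if that is intended, say so here.
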
 diff -ruN cyrus-sasl.orig/patches/new.patch-ab cyrus-sasl/patches/new.patch-ab
 --- cyrus-sasl.orig/patches/new.patch-ab	Mon May 22 10:19:05 2000
 +++ cyrus-sasl/patches/new.patch-ab	Wed Dec 31 18:00:00 1969
 @@ -1,14 +0,0 @@
 ---- configure.in.orig	Mon May  8 12:51:13 2000
 -+++ configure.in	Mon May 22 09:55:01 2000
 -@@ -66,8 +66,9 @@
 - dnl check for -R, etc. switch
 - CMU_GUESS_RUNPATH_SWITCH
 - dnl let's just link against local.  otherwise we never find anything useful.
 --CPPFLAGS="-I/usr/local/include ${CPPFLAGS}"
 --CMU_ADD_LIBPATH("/usr/local/lib")
 -+CPPFLAGS="-I${OPENSSLINC} -I${OPENSSLINC}/openssl ${CPPFLAGS}"
 -+CMU_ADD_LIBPATH("${LOCALBASE}/lib")
 -+CMU_ADD_LIBPATH("${OPENSSLLIB}")
 - 
 - AM_DISABLE_STATIC
 - 
 diff -ruN cyrus-sasl.orig/patches/patch-ab cyrus-sasl/patches/patch-ab
 --- cyrus-sasl.orig/patches/patch-ab	Sat Aug 19 03:56:58 2000
 +++ cyrus-sasl/patches/patch-ab	Mon Aug 28 19:26:14 2000
 @@ -1,5 +1,5 @@
 ---- configure.in.orig	Thu Aug  3 14:34:08 2000
 -+++ configure.in	Thu Aug  3 14:39:24 2000
 +--- configure.in.orig	Thu Jul 20 21:35:01 2000
 ++++ configure.in	Mon Aug 28 19:26:00 2000
  @@ -66,8 +66,9 @@
   dnl check for -R, etc. switch
   CMU_GUESS_RUNPATH_SWITCH
 @@ -12,3 +12,36 @@
   
   AM_DISABLE_STATIC
   
 +@@ -296,6 +297,10 @@
 + fi
 + AC_SUBST(LIB_PAM)
 + 
 ++AC_ARG_ENABLE(ldap, [  --enable-ldap           enable ldap authentication [no] ],
 ++  ldap=$enableval,
 ++  ldap=no)
 ++
 + AC_ARG_WITH(pwcheck,[  --with-pwcheck=DIR      enable use of the pwcheck daemonusing statedir DIR ],
 + 	with_pwcheck=$withval,
 + 	with_pwcheck=no)
 +@@ -305,7 +310,11 @@
 +    fi
 +    AC_DEFINE(HAVE_PWCHECK)
 +    AC_DEFINE_UNQUOTED(PWCHECKDIR, "$with_pwcheck")
 +-   AC_CHECK_FUNC(getspnam,PWCHECKMETH="getspnam",PWCHECKMETH="getpwnam")
 ++   if test "$ldap" = yes; then
 ++      PWCHECKMETH=ldap
 ++   else
 ++     AC_CHECK_FUNC(getspnam,PWCHECKMETH="getspnam",PWCHECKMETH="getpwnam")
 ++   fi
 +    AC_SUBST(PWCHECKMETH)
 + fi
 + AM_CONDITIONAL(PWCHECK, test "$with_pwcheck" != no)
 +@@ -436,7 +445,7 @@
 +   if test "$with_des" != no; then
 +     AC_CHECK_HEADER(krb.h,
 +       AC_CHECK_LIB(krb, krb_mk_priv, COM_ERR="",
 +-	AC_CHECK_LIB(krb, krb_mk_priv, COM_ERR="-lcom_err",
 ++	AC_CHECK_LIB(krb, krb_mk_err, COM_ERR="-lcom_err",
 +                      AC_WARN(No Kerberos V4 found); krb4=no, -ldes -lcom_err),
 +         -ldes),
 +       AC_WARN(No Kerberos V4 found); krb4=no)
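
Review bot: `--enable-ldap` sets `PWCHECKMETH=ldap` without checking that `ldap.h` and `-lldap` are usable, so a configure run with the flag succeeds and the failure only shows up when pwcheck is linked. An `AC_CHECK_HEADER(ldap.h, ..., AC_MSG_ERROR(...))` and `AC_CHECK_LIB(ldap, ldap_open, ..., ..., -llber)` inside the `if test "$ldap" = yes` branch would fail early and could also supply the `-llber -lldap` that patch-ae currently hardcodes. The `krb_mk_priv` to `krb_mk_err` change in the last hunk is a real fix: the two nested `AC_CHECK_LIB(krb, krb_mk_priv, ...)` calls tested the same symbol, and since autoconf caches the answer per library and function, the inner check could only repeat the outer one's result and never reach the `-lcom_err` branch.
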
 diff -ruN cyrus-sasl.orig/patches/patch-ae cyrus-sasl/patches/patch-ae
 --- cyrus-sasl.orig/patches/patch-ae	Wed Dec 31 18:00:00 1969
 +++ cyrus-sasl/patches/patch-ae	Mon Aug 28 19:34:14 2000
 @@ -0,0 +1,17 @@
 +--- pwcheck/Makefile.in.orig	Thu Jul 20 21:36:07 2000
 ++++ pwcheck/Makefile.in	Mon Aug 28 19:31:59 2000
 +@@ -144,8 +144,13 @@
 + LIBS = @LIBS@
 + pwcheck_OBJECTS =  pwcheck.o
 + pwcheck_DEPENDENCIES =  pwcheck_@PWCHECKMETH@.lo
 +-pwcheck_LDFLAGS = 
 ++.if ${PWCHECKMETH} == "ldap"
 ++pwcheck_LDFLAGS = -llber -lldap
 ++CFLAGS = @CFLAGS@ -I/usr/local/include
 ++.else
 ++pwcheck_LDFLAGS =
 + CFLAGS = @CFLAGS@
 ++.endif
 + COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 + LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 + CCLD = $(CC)
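
Review bot: `.if ${PWCHECKMETH} == "ldap"` compares a make variable that nothing in this hunk defines; the `@PWCHECKMETH@` on the `pwcheck_DEPENDENCIES` line is a configure substitution and does not create a make variable. Jimmy's context-diff version of patch-ae above has `PWCHECKMETH=@PWCHECKMETH@` immediately before the `.if`; that line was lost in the conversion to a unified diff, and without it the conditional cannot be true and `-llber -lldap` is never added. Two smaller points: `-I/usr/local/include` hardcodes what patch-ab expresses as `${LOCALBASE}`, and `.if/.else/.endif` is BSD make syntax inside an automake-generated Makefile.in, so the patch is FreeBSD-only, which is acceptable for a port but deserves a comment.
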
 diff -ruN cyrus-sasl.orig/patches/patch-ba cyrus-sasl/patches/patch-ba
 --- cyrus-sasl.orig/patches/patch-ba	Wed Dec 31 18:00:00 1969
 +++ cyrus-sasl/patches/patch-ba	Mon Aug 28 19:36:37 2000
 @@ -0,0 +1,76 @@
 +--- pwcheck/pwcheck_ldap.c.orig	Mon Aug 28 19:29:52 2000
 ++++ pwcheck/pwcheck_ldap.c	Mon Aug 28 19:29:54 2000
 +@@ -14,17 +14,24 @@
 +  * LDAP libraries.  It also gets rid of the requirement for userPassword
 +  * attribute readability.
 +  *
 ++ * changed-by: Mon Aug 28 2000 olgeni@uli.it - environment support
 ++ *
 +  */
 + 
 + #include <stdio.h>
 ++#include <stdlib.h>
 + #include <lber.h>
 + #include <ldap.h>
 + 
 +-/* Set These to your Local Environment */
 ++/*
 + 
 +-#define MY_LDAP_SERVER	"localhost"
 +-#define MY_LDAP_BASEDN	"o=JOFA, c=UK"
 +-#define MY_LDAP_UIDATTR	"uid"
 ++The old #defines have been removed. This version uses 3 environment variables:
 ++
 ++SASL_LDAP_SERVER (ex: "localhost")
 ++SASL_LDAP_BASEDN (ex: "o=organization, c=US")
 ++SASL_LDAP_UIDATTR (ex: "uid")
 ++
 ++*/
 + 
 + char *pwcheck(userid, password)
 + char *userid;
 +@@ -36,8 +43,6 @@
 +     char *attrs[2];
 +     char filter[200]; 
 +     char *dn;
 +-    int ldbind_res;
 +-    char **vals;
 + 
 + /* If the password is NULL, reject the login...Otherwise the bind will
 +    succeed as a reference bind.  Not good... */
 +@@ -50,7 +55,7 @@
 + /* Open the LDAP connection.  Change the second argument if your LDAP
 +    server is not on port 389. */
 + 
 +-    if ((ld = ldap_open(MY_LDAP_SERVER,LDAP_PORT)) == NULL)
 ++    if ((ld = ldap_open(getenv("SASL_LDAP_SERVER"),LDAP_PORT)) == NULL)
 +     {
 +        return "Init Failed";
 +     }
 +@@ -65,7 +70,7 @@
 + 
 + /* Generate a filter that will return the entry with a matching UID */
 + 
 +-    sprintf(filter,"(%s=%s)",MY_LDAP_UIDATTR,userid);
 ++    sprintf(filter,"(%s=%s)",getenv("SASL_LDAP_UIDATTR"),userid);
 + 
 + /* Just return country...This doesn't actually matter, since we will
 +    not read the attributes and values, only the DN */
 +@@ -75,7 +80,7 @@
 + 
 + /* Perform the search... */
 + 
 +-    if (ldap_search_s(ld,MY_LDAP_BASEDN,LDAP_SCOPE_SUBTREE,filter,attrs,1,&result) != LDAP_SUCCESS)
 ++    if (ldap_search_s(ld,getenv("SASL_LDAP_BASEDN"),LDAP_SCOPE_SUBTREE,filter,attrs,1,&result) != LDAP_SUCCESS)
 +     {
 +        ldap_unbind(ld);
 +        return "Search Failed";
 +@@ -112,6 +117,8 @@
 + /* Now bind as the DN with the password supplied earlier...
 +    Successful bind means the password was correct, otherwise the
 +    password is invalid. */
 ++
 ++/* FIXME: This does not work with "{encryption-type}password" entries... */
 + 
 +     if (ldap_simple_bind_s(ld,dn,password) != LDAP_SUCCESS)
 +     {
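
Review bot: the three `getenv()` calls replace compile-time constants with values that may be NULL at run time, and none is checked: `ldap_open(NULL,LDAP_PORT)`, `sprintf(filter,"(%s=%s)",NULL,userid)` and `ldap_search_s(ld,NULL,...)` are all undefined behaviour, and because pwcheck.sh only exports the variables when the config file is readable, a missing file takes the daemon down on the first authentication attempt instead of at startup. Read the three values once at the top of `pwcheck()` and return an error string such as "LDAP Not Configured" if any is NULL or empty. The new FIXME about `{encryption-type}password` entries is worth a question back to the submitter: with `ldap_simple_bind_s()` the comparison is done by the LDAP server, which is what allows hashed `userPassword` values to work at all, so whatever failed looks like a server-side configuration problem rather than something this code can address.
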
 diff -ruN cyrus-sasl.orig/pkg/MESSAGE cyrus-sasl/pkg/MESSAGE
 --- cyrus-sasl.orig/pkg/MESSAGE	Sun Jan 23 23:22:21 2000
 +++ cyrus-sasl/pkg/MESSAGE	Mon Aug 28 19:14:48 2000
 @@ -1,4 +1,9 @@
 -Start the pwcheck program to have clients use the SASL libraries
 -as a non-root user:
 +PREFIX/etc/cyrusdb.db now needs to be created
 +before applications that depend on SASL are used.
  
 -	/usr/local/etc/rc.d/pwcheck.sh [start|stop]
 +	su cyrus
 +	PREFIX/sbin/saslpasswd -c userid
 +
 +You will also need to start the pwcheck daemon:
 +
 +	PREFIX/etc/rc.d/pwcheck.sh start
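
Review bot: `PREFIX/etc/cyrusdb.db` does not match the port's own configure arguments: `--with-dbpath=${PREFIX}/etc/sasldb` in the Makefile hunk above names the database sasldb, so the message points the administrator at a file that will not exist. Use the same path in both places. It would also read better if `%%PREFIX%%` were substituted here the way it is for pwcheck.sh, instead of printing the literal word PREFIX.
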
 diff -ruN cyrus-sasl.orig/pkg/MESSAGE.ldap cyrus-sasl/pkg/MESSAGE.ldap
 --- cyrus-sasl.orig/pkg/MESSAGE.ldap	Wed Dec 31 18:00:00 1969
 +++ cyrus-sasl/pkg/MESSAGE.ldap	Mon Aug 28 19:15:45 2000
 @@ -0,0 +1,16 @@
 +PREFIX/etc/cyrusdb.db now needs to be created
 +before applications that depend on SASL are used.
 +
 +        su cyrus
 +        PREFIX/sbin/saslpasswd -c userid
 +
 +PREFIX/etc/pwcheck_ldap.conf needs to be configured
 +to point to a LDAP server.
 +
 +	SASL_LDAP_SERVER: host name of the LDAP server. 
 +	SASL_LDAP_BASEDN: root of LDAP tree to perform the search on.
 +	SASL_LDAP_UIDATTR: name of the UID field in your tree.
 +
 +You will also need to start the pwcheck daemon:
 +
 +	PREFIX/etc/rc.d/pwcheck.sh start
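
Review bot: this message is all an administrator of an LDAP build sees, and it says nothing about what the header of pwcheck_ldap.c itself admits: the user's password is sent to the LDAP server in the clear over a plain port 389 connection with `ldap_simple_bind_s()`. Add a line telling them to keep the server on localhost or a protected network. The first five lines also duplicate MESSAGE, including the `cyrusdb.db` path that disagrees with `--with-dbpath=${PREFIX}/etc/sasldb`, and "to point to a LDAP server" should read "an LDAP server".
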
 diff -ruN cyrus-sasl.orig/pkg/PLIST cyrus-sasl/pkg/PLIST
 --- cyrus-sasl.orig/pkg/PLIST	Sat Jun 17 03:56:22 2000
 +++ cyrus-sasl/pkg/PLIST	Mon Aug 28 19:13:06 2000
 @@ -1,4 +1,7 @@
  @unexec %D/etc/rc.d/pwcheck.sh stop ; echo "pwcheck stopped."
 +%%LDAP_SUPPORT%%@unexec if cmp -s %D/etc/pwcheck_ldap.conf %D/etc/pwcheck_ldap.conf.sample; then rm -f %D/etc/pwcheck_ldap.conf; fi
 +%%LDAP_SUPPORT%%etc/pwcheck_ldap.conf.sample
 +%%LDAP_SUPPORT%%@exec [ ! -f %B/pwcheck_ldap.conf ] && cp %B/%f %B/pwcheck_ldap.conf
  etc/rc.d/pwcheck.sh
  include/sasl/hmac-md5.h
  include/sasl/md5.h
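
Review bot: `@exec [ ! -f %B/pwcheck_ldap.conf ] && cp %B/%f %B/pwcheck_ldap.conf` exits non-zero whenever the config already exists, which is the common case on reinstall, and pkg_add reports a failed @exec for it. Write it as `if [ ! -f %B/pwcheck_ldap.conf ]; then cp %B/%f %B/pwcheck_ldap.conf; fi`, matching the style of the `@unexec` line above it.
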
 @@ -60,7 +63,7 @@
  @exec mkdir pwcheck
  @exec chown cyrus:cyrus pwcheck
  @exec chmod go= pwcheck
 -@comment This file gets create by the pwcheck program
 -@unexec rm -f pwcheck/pwcheck
 -@dirrm pwcheck
 +@comment This file gets created by the pwcheck program
 +@unexec rm -f /var/pwcheck/pwcheck
 +@unexec rmdir /var/pwcheck 2>/dev/null || true
  @cwd %%PREFIX%%
 

From: "Scot W. Hetzel" <hetzels@westbend.net>
To: "FreeBSD-GNATS" <FreeBSD-gnats-submit@FreeBSD.ORG>
Cc:  
Subject: Re: ports/20887: [PATCH] LDAP support and fixes for cyrus-sasl
Date: Sat, 16 Sep 2000 00:26:23 -0500

 Please don't apply the patches from this PR to the port, as I have a better implementation for LDAP Authentication, which I'll be
 submitting tomorrow.
 
 The new implementation will add a pwcheck method for both LDAP & MySQL Authentication.
 
 It patches lib/checkpw.c, instead of creating a LDAP pwcheck daemon.
 
 It uses configuration directives in the application.conf files to configure the LDAP attributes (server, basedn, uidattr, host),
 instead of environment variables.
 
 Scot W. Hetzel
 
 
 
State-Changed-From-To: open->closed 
State-Changed-By: ade 
State-Changed-When: Mon Sep 18 08:55:58 PDT 2000 
State-Changed-Why:  
Closed at the request of the maintainer (see audit trail). 

This is another shining example of why y'all need to at least 
try to talk to maintainers of ports (other than those owned 
by ports@FreeBSD.org -- ie: no-one) before submitting PRs. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=20887 
>Unformatted:
