FreeBSD Bugzilla – Attachment 10696 Details for
Bug 21383
Update Cyrus-SASL, Add MySQL & LDAP Authentication
[patch]
file.diff
file.diff (text/plain), 27.32 KB, created by
Scot W. Hetzel
on 2000-09-19 03:30:00 UTC
Description:
file.diff
Filename:
MIME Type:
Creator:
Scot W. Hetzel
Created:
2000-09-19 03:30:00 UTC
Size:
27.32 KB
patch
obsolete
>diff -ruN cyrus-sasl.orig/Makefile cyrus-sasl/Makefile >--- cyrus-sasl.orig/Makefile Sat Aug 19 03:56:57 2000 >+++ cyrus-sasl/Makefile Mon Sep 18 20:07:41 2000 >@@ -7,6 +7,7 @@ > > PORTNAME= cyrus-sasl > PORTVERSION= 1.5.24 >+PORTREVISION= 1 > CATEGORIES= security > MASTER_SITES= ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/ \ > ${MASTER_SITE_LOCAL} \ >@@ -19,8 +20,6 @@ > > INSTALLS_SHLIB= yes > >-.include <bsd.port.pre.mk> >- > Y2K= http://asg.web.cmu.edu/cyrus/imapd/y2k.html > > MAN3= sasl.3 sasl_authorize_t.3 sasl_callbacks.3 sasl_checkpass.3 \ >@@ -32,8 +31,11 @@ > sasl_setprop.3 sasl_usererr.3 > MAN8= sasldblistusers.8 saslpasswd.8 > >-USE_AUTOCONF= YES >+USE_AUTOMAKE= YES > USE_LIBTOOL= YES >+AUTOHEADER= autoheader >+AUTOMAKE= automake --add-missing --include-deps >+ > CONFIGURE_ARGS= --sysconfdir=${PREFIX}/etc \ > --with-plugindir=${PREFIX}/lib/sasl \ > --with-dbpath=${PREFIX}/etc/sasldb \ >@@ -43,7 +45,12 @@ > --with-pwcheck=/var/pwcheck \ > --with-rc4=openssl > >-# JavaSASL is currently Broken >+SCRIPTS_ENV= WRKDIRPREFIX="${WRKDIRPREFIX}" \ >+ PREFIX="${PREFIX}" \ >+ TOUCH="${TOUCH}" \ >+ MKDIR="${MKDIR}" >+ >+# JavaSASL needs someone to look at to get it to build > #JAVADIR= jdk1.1.8 > #JAVALIBDIR= ${PREFIX}/${JAVADIR}/lib/i386/green_threads/ > >@@ -93,12 +100,18 @@ > EBONES=${EBONES} \ > NOPORTDOCS=${NODOCS} > >+pre-fetch: >+ @${SETENV} ${SCRIPTS_ENV} ${SH} ${SCRIPTDIR}/configure.sasl >+ >+pre-configure: >+ @(cd ${WRKSRC} && ${AUTOHEADER}) >+ > # Create Cyrus user and group > pre-install: > @${SH} ${PKGDIR}/INSTALL ${PKGNAME} PRE-INSTALL > > post-install: >- @${SED} -e "/%%PREFIX%%/s##${PREFIX}#g" ${FILESDIR}/pwcheck.sh \ >+ @${SED} -e "/%%PREFIX%%/s##${PREFIX}#g" ${FILESDIR}/pwcheck.sh \ > > ${PREFIX}/etc/rc.d/pwcheck.sh > @${CHMOD} 755 ${PREFIX}/etc/rc.d/pwcheck.sh > ${INSTALL} -d -m 700 -o cyrus -g cyrus /var/pwcheck 
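Review bot: The new `SCRIPTS_ENV=` in the `@@ -43,7 +45,12 @@` hunk passes WRKDIRPREFIX, PREFIX, TOUCH and MKDIR, but the script the new pre-fetch target runs with it (scripts/configure.sasl, added later in this patch) locates Makefile.inc as `${WRKDIRPREFIX}${CURDIR}/Makefile.inc`, and CURDIR is not in this list. If bsd.port.mk does not add CURDIR to the environment itself (I cannot see it from here), the file lands at `${WRKDIRPREFIX}/Makefile.inc` and the `.if exists(${WRKDIRPREFIX}${.CURDIR}/Makefile.inc)` test in the last hunk never sees it. Adding `CURDIR="${.CURDIR}"` to the list makes the contract explicit, and TOUCH can be dropped since the script never uses it.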
>@@ -110,20 +123,19 @@ > .for file in ${DOC2} > @${INSTALL_DATA} ${WRKSRC}/doc/${file} ${PREFIX}/share/doc/SASL > .endfor >+ @${INSTALL_DATA} ${FILESDIR}/Sendmail.README ${PREFIX}/share/doc > .for file in ${HTDOCS} > @${INSTALL_DATA} ${WRKSRC}/doc/${file}.html ${PREFIX}/share/doc/SASL/html > .endfor > .endif >+ @PKG_PREFIX=${PREFIX} BATCH=${BATCH} ${SH} ${PKGDIR}/INSTALL ${PKGNAME} POST-INSTALL >+ @${CAT} ${PKGMESSAGE} > >-.if exists(${WRKDIRPREFIX}${.CURDIR}/Makefile.inc) > post-clean: > @${RM} -f ${WRKDIRPREFIX}${.CURDIR}/Makefile.inc > >+.if exists(${WRKDIRPREFIX}${.CURDIR}/Makefile.inc) > .include "${WRKDIRPREFIX}${.CURDIR}/Makefile.inc" >-.elif ${PREFIX} != ${LOCALBASE} >-# Save PREFIX so that it can be used during make install >-.BEGIN: >- @echo "PREFIX= ${PREFIX}" > ${WRKDIRPREFIX}${.CURDIR}/Makefile.inc > .endif > >-.include <bsd.port.post.mk> >+.include <bsd.port.mk> >diff -ruN cyrus-sasl.orig/files/Sendmail.README cyrus-sasl/files/Sendmail.README >--- cyrus-sasl.orig/files/Sendmail.README Wed Dec 31 18:00:00 1969 >+++ cyrus-sasl/files/Sendmail.README Sat Sep 16 11:27:37 2000 >@@ -0,0 +1,25 @@ >+How to enable SMTP AUTH with FreeBSD default Sendmail 8.11 >+ >+1. Edit /usr/src/usr.sbin/sendmail/Makefile, and change the line: >+ >+ LDADD= -lutil -lwrap >+into >+ LDADD+= -lutil -lwrap >+ >+ NOTE: This change is in 5.0-CURRENT and will be MFC'd to >+ 4.1-STABLE later. >+ >+2) Add the following to /etc/make.conf: >+ >+# Add SMTP AUTH support to Sendmail >+.if ${.CURDIR} == "/usr/src/usr.sbin/sendmail" >+CFLAGS+=-DSASL -I/usr/local/include/sasl -L/usr/local/lib >+LDADD+=-lsasl >+.endif >+ >+3) Rebuild FreeBSD (make buildworld, ...) >+ >+4) Create /usr/local/lib/sasl/Sendmail.conf with the following. >+ >+ pwcheck_method: pwcheck >+ >diff -ruN cyrus-sasl.orig/files/md5 cyrus-sasl/files/md5 >--- cyrus-sasl.orig/files/md5 Sat Aug 19 03:56:57 2000 >+++ cyrus-sasl/files/md5 Sat Sep 16 11:27:37 2000 
>@@ -1 +1 @@
>-MD5 (cyrus-sasl-1.5.24.tar.gz) = aedc0f8b594e2a13503b375ed78f62b7
>+MD5 (cyrus-sasl-1.5.24.tar.gz) = ac3837c071c258b80021325936db2583
>diff -ruN cyrus-sasl.orig/patches/patch-ab cyrus-sasl/patches/patch-ab
>--- cyrus-sasl.orig/patches/patch-ab Sat Aug 19 03:56:58 2000
>+++ cyrus-sasl/patches/patch-ab Sat Sep 16 14:01:30 2000
>@@ -1,5 +1,5 @@
>---- configure.in.orig Thu Aug 3 14:34:08 2000
>-+++ configure.in Thu Aug 3 14:39:24 2000
>+--- configure.in.orig Thu Jul 20 21:35:01 2000
>++++ configure.in Sat Sep 16 13:58:02 2000
> @@ -66,8 +66,9 @@
> dnl check for -R, etc. switch
> CMU_GUESS_RUNPATH_SWITCH
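Review bot: The checksum for cyrus-sasl-1.5.24.tar.gz changes in `@@ -1 +1 @@` while PORTVERSION stays at 1.5.24, so the same distfile name now maps to different content. Nothing on this page says whether upstream re-rolled the tarball, and that is exactly the case a checksum file exists to catch, so the new MD5 should be confirmed against the value upstream publishes before this goes in. If the re-roll is genuine, one line in the commit message saying so would spare the next maintainer the same question.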
>@@ -12,3 +12,112 @@ > > AM_DISABLE_STATIC > >+@@ -310,6 +311,88 @@ >+ fi >+ AM_CONDITIONAL(PWCHECK, test "$with_pwcheck" != no) >+ >++dnl MySQL >++AC_ARG_WITH(mysql, [ --with-mysql=PATH enable authentication from MySQL database [no] ], >++ with_mysql=$withval, >++ with_mysql=no) >++ >++if test -z "$with_mysql"; then >++ for mysqlloc in lib/mysql lib >++ do >++ if test -f ${prefix}/${mysqlloc}/libmysqlclient.a; then >++ with_mysql="${prefix}" >++ break >++ elif test -f /usr/local/${mysqlloc}/libmysqlclient.a; then >++ with_mysql="/usr/local" >++ break >++ elif test -f /usr/${mysqlloc}/libmysqlclient.a; then >++ with_mysql="/usr" >++ break >++ fi >++ done >++fi >++ >++LIB_MYSQL="" >++case "$with_mysql" in >++ no) true;; >++ ""|yes) AC_CHECK_LIB(mysqlclient, mysql_select_db, >++ AC_DEFINE(HAVE_MYSQL) >++ LIB_MYSQL="-lmysqlclient", >++ with_mysql=no);; >++ *) if test -d ${with_mysql}/include/mysql; then >++ CPPFLAGS="$CPPFLAGS -I${with_mysql}/include/mysql" >++ else >++ CPPFLAGS="$CPPFLAGS -I${with_mysql}/include" >++ fi >++ if test -d ${with_mysql}/lib/mysql; then >++ LDFLAGS="$LDFLAGS -L${with_mysql}/lib/mysql" >++ fi >++ AC_DEFINE(HAVE_MYSQL) >++ LIB_MYSQL="-lmysqlclient";; >++esac >++AC_SUBST(LIB_MYSQL) >++ >++dnl LDAP >++AC_ARG_WITH(ldap, [ --with-ldap=PATH enable authentication from LDAP [no] ], >++ with_ldap=$withval, >++ with_ldap=no) >++ >++if test -z "$with_ldap"; then >++ for ldaploc in lib/ldap lib >++ do >++ if test -f ${prefix}/${ldaploc}/libldap.a; then >++ with_ldap="${prefix}" >++ break >++ elif test -f /usr/local/${ldaploc}/libldap.a; then >++ with_ldap="/usr/local" >++ break >++ elif test -f /usr/${ldaploc}/libldap.a; then >++ with_ldap="/usr" >++ break >++ fi >++ done >++fi >++ >++LIB_LDAP="" >++case "$with_ldap" in >++ no) true;; >++ ""|yes) AC_CHECK_LIB(ldap, ldap_open, >++ AC_DEFINE(HAVE_LDAP) >++ LIB_LDAP="-lldap -llber", >++ with_ldap=no);; >++ *) if test -d ${with_ldap}/include/ldap; then >++ CPPFLAGS="${CPPFLAGS} -I${with_ldap}/include/ldap" 
>++ else >++ CPPFLAGS="${CPPFLAGS} -I${with_ldap}/include" >++ fi >++ if test -d ${with_ldap}/lib/ldap; then >++ LDFLAGS="$LDFLAGS -L${with_ldap}/lib/ldap" >++ fi >++ AC_DEFINE(HAVE_LDAP) >++ LIB_LDAP="-lldap -llber";; >++esac >++AC_SUBST(LIB_LDAP) >++ >+ dnl CRAM-MD5 >+ AC_ARG_ENABLE(cram, [ --enable-cram enable CRAM-MD5 authentication [yes] ], >+ cram=$enableval, >+@@ -434,11 +517,15 @@ >+ fi >+ >+ if test "$with_des" != no; then >++ case "$host_os" in >++ freebsd*) >++ COM_ERR="-lcom_err" >++ ;; >++ esac >+ AC_CHECK_HEADER(krb.h, >+- AC_CHECK_LIB(krb, krb_mk_priv, COM_ERR="", >+- AC_CHECK_LIB(krb, krb_mk_priv, COM_ERR="-lcom_err", >+- AC_WARN(No Kerberos V4 found); krb4=no, -ldes -lcom_err), >+- -ldes), >++ AC_CHECK_LIB(krb, krb_mk_priv,:, >++ AC_WARN(No Kerberos V4 found); krb4=no, >++ -ldes $COM_ERR), >+ AC_WARN(No Kerberos V4 found); krb4=no) >+ else >+ AC_WARN(No DES library found for Kerberos V4 support) >diff -ruN cyrus-sasl.orig/patches/patch-ag cyrus-sasl/patches/patch-ag >--- cyrus-sasl.orig/patches/patch-ag Wed Dec 31 18:00:00 1969 >+++ cyrus-sasl/patches/patch-ag Sat Sep 16 11:27:56 2000 >@@ -0,0 +1,15 @@ >+--- acconfig.h.orig Wed Jul 5 11:59:25 2000 >++++ acconfig.h Fri Sep 15 20:56:28 2000 >+@@ -84,6 +84,12 @@ >+ /* do we have PAM for plaintext password checking? */ >+ #undef HAVE_PAM >+ >++/* do we have MySQL for plaintext password checking? */ >++#undef HAVE_MYSQL >++ >++/* do we have LDAP for plaintext password checking? */ >++#undef HAVE_LDAP >++ >+ /* what flavor of GSSAPI are we using? */ >+ #undef HAVE_GSS_C_NT_HOSTBASED_SERVICE >+ >diff -ruN cyrus-sasl.orig/patches/patch-ah cyrus-sasl/patches/patch-ah >--- cyrus-sasl.orig/patches/patch-ah Wed Dec 31 18:00:00 1969 >+++ cyrus-sasl/patches/patch-ah Sat Sep 16 11:27:56 2000 
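Review bot: In the `*)` branch of `case "$with_mysql" in`, and likewise in `case "$with_ldap" in`, HAVE_MYSQL/HAVE_LDAP are defined and `-lmysqlclient` / `-lldap -llber` added purely on the strength of the user-supplied path, without the AC_CHECK_LIB that the `""|yes)` branch performs, so a mistyped `--with-mysql=PATH` surfaces only as a link failure late in the build. Running the same AC_CHECK_LIB after the CPPFLAGS/LDFLAGS adjustment would give both branches one failure mode at configure time. The hunk's enclosing configure.in section continues outside this view.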
>@@ -0,0 +1,9 @@
>+--- lib/Makefile.am.orig Thu Jul 20 21:35:02 2000
>++++ lib/Makefile.am Fri Sep 15 20:56:28 2000
>+@@ -53,5 +53,5 @@
>+ EXTRA_libsasl_la_SOURCES = db_none.c db_ndbm.c db_gdbm.c db_berkeley.c db_testw32.c
>+ libsasl_la_LDFLAGS = -version-info $(sasl_version)
>+ libsasl_la_DEPENDENCIES = $(SASL_DB_BACKEND) @LTLIBOBJS@
>+-libsasl_la_LIBADD = @LTLIBOBJS@ $(SASL_DB_BACKEND) $(SASL_DB_LIB) $(SASL_DL_LIB) $(PLAIN_LIBS)
>++libsasl_la_LIBADD = @LTLIBOBJS@ $(SASL_DB_BACKEND) $(SASL_DB_LIB) $(SASL_DL_LIB) $(PLAIN_LIBS) ${LIB_LDAP} ${LIB_MYSQL}
>+ # PLAIN_LIBS are linked in for sasl_checkpass
>diff -ruN cyrus-sasl.orig/patches/patch-ai cyrus-sasl/patches/patch-ai
>--- cyrus-sasl.orig/patches/patch-ai Wed Dec 31 18:00:00 1969
>+++ cyrus-sasl/patches/patch-ai Sat Sep 16 21:08:02 2000
>@@ -0,0 +1,357 @@ >+--- lib/checkpw.c.orig Wed Jul 19 20:24:13 2000 >++++ lib/checkpw.c Sat Sep 16 21:07:33 2000 >+@@ -95,10 +95,19 @@ >+ #include <sys/un.h> >+ #ifdef HAVE_UNISTD_H >+ #include <unistd.h> >+-#endif >++#endif /* HAVE_UNISTD_H */ >+ >+ extern int errno; >+-#endif >++#endif /* HAVE_PWCHECK */ >++ >++#ifdef HAVE_MYSQL >++#include <mysql.h> >++#endif /* HAVE_MYSQL */ >++ >++#ifdef HAVE_LDAP >++#include <lber.h> >++#include <ldap.h> >++#endif /* HAVE_LDAP */ >+ >+ #ifdef HAVE_KRB >+ >+@@ -170,12 +179,20 @@ >+ memcpy (&temp_key, "kerberos", 8); >+ des_fixup_key_parity (&temp_key); >+ des_key_sched (&temp_key, schedule); >++#ifdef __FreeBSD__ >++ des_cbc_cksum ((const unsigned char *)password, &ivec, passlen, schedule, &ivec); >++#else >+ des_cbc_cksum ((des_cblock *)password, &ivec, passlen, schedule, &ivec); >++#endif >+ >+ memcpy (&temp_key, &ivec, sizeof temp_key); >+ des_fixup_key_parity (&temp_key); >+ des_key_sched (&temp_key, schedule); >++#ifdef __FreeBSD__ >++ des_cbc_cksum ((const unsigned char *)password, key, passlen, schedule, &ivec); >++#else >+ des_cbc_cksum ((des_cblock *)password, key, passlen, schedule, &ivec); >++#endif >+ >+ des_fixup_key_parity (key); >+ >+@@ -210,10 +227,17 @@ >+ return (str); >+ } >+ >++#ifdef __FreeBSD__ >++static int use_key(const char *user __attribute__((unused)), >++ char *instance __attribute__((unused)), >++ const char *realm __attribute__((unused)), >++ const void *key, des_cblock *returned_key) >++#else >+ static int use_key(char *user __attribute__((unused)), >+ char *instance __attribute__((unused)), >+ char *realm __attribute__((unused)), >+ void *key, des_cblock *returned_key) >++#endif >+ { >+ memcpy (returned_key, key, sizeof(des_cblock)); >+ return 0; >+@@ -838,7 +862,7 @@ >+ >+ >+ /* pwcheck daemon-authenticated login */ >+-static int pwcheck_verify_password(sasl_conn_t *conn, >++static int pwcheck_verify_password(sasl_conn_t *conn __attribute__((unused)), >+ const char *userid, >+ const char 
*passwd, >+ const char *service __attribute__((unused)), >+@@ -853,8 +877,10 @@ >+ static char response[1024]; >+ int start, n; >+ char pwpath[1024]; >++#if 0 /* Not used */ >+ sasl_getopt_t *getopt; >+ void *context; >++#endif >+ >+ if (reply) { *reply = NULL; } >+ >+@@ -902,6 +928,260 @@ >+ >+ #endif >+ >++#ifdef HAVE_MYSQL >++/* DMZ mysql auth 12/29/1999 >++ * Updated to 1.5.24 by SWH 09/12/2000 >++ */ >++#ifdef USE_CRYPT_PASSWORD >++#define QUERY_STRING "select %s from %s where %s = '%s' and %s = password('%s')" >++#else >++#define QUERY_STRING "select %s from %s where %s = '%s' and %s = '%s'" >++#endif >++ >++static int mysql_verify_password(sasl_conn_t *conn, >++ const char *userid, >++ const char *password, >++ const char *service __attribute__((unused)), >++ const char *user_realm __attribute__((unused)), >++ const char **reply) >++{ >++ unsigned int numrows; >++ MYSQL mysql,*sock; >++ MYSQL_RES *result; >++ char qbuf[300]; >++ char *db_user="", >++ *db_passwd="", >++ *db_host="", >++ *db_uidcol="", >++ *db_pwcol="", >++ *db_database="", >++ *db_table=""; >++ sasl_getopt_t *getopt; >++ void *context; >++ >++ if (!userid || !password) { >++ return SASL_BADPARAM; >++ } >++ if (reply) { *reply = NULL; } >++ >++ /* check to see if the user configured a mysqluser/passwd/host/etc */ >++ if (_sasl_getcallback(conn, SASL_CB_GETOPT, &getopt, &context) == SASL_OK) { >++ getopt(context, NULL, "mysql_user", (const char **) &db_user, NULL); >++ if (!db_user) db_user = ""; >++ getopt(context, NULL, "mysql_passwd", (const char **) &db_passwd, NULL); >++ if (!db_passwd) db_passwd = ""; >++ getopt(context, NULL, "mysql_host", (const char **) &db_host, NULL); >++ if (!db_host) db_host = ""; >++ getopt(context, NULL, "mysql_database", (const char **) &db_database, NULL); >++ if (!db_database) db_database = ""; >++ getopt(context, NULL, "mysql_table", (const char **) &db_table, NULL); >++ if (!db_table) db_table = ""; >++ getopt(context, NULL, "mysql_uidcol", (const char **) 
&db_uidcol, NULL); >++ if (!db_uidcol) db_uidcol = ""; >++ getopt(context, NULL, "mysql_pwdcol", (const char **) &db_pwcol, NULL); >++ if (!db_pwcol) db_pwcol = ""; >++ } >++ >++ if (!(sock = mysql_connect(&mysql,db_host,db_user,db_passwd))) >++ { >++ if (reply) { *reply = "cannot connect to MySQL server"; } >++ return SASL_FAIL; >++ } >++ >++ if (mysql_select_db(sock,db_database) < 0) >++ { >++ mysql_close(sock); >++ if (reply) { *reply = "cannot select MySQL database"; } >++ return SASL_FAIL; >++ } >++ /* select DB_UIDCOL from DB_TABLE where DB_UIDCOL = 'userid' AND DB_PWCOL = password('password') */ >++ sprintf(qbuf,QUERY_STRING,db_uidcol,db_table,db_uidcol,userid,db_pwcol,password); >++ if (mysql_query(sock,qbuf) < 0 || !(result=mysql_store_result(sock))) >++ { >++ mysql_close(sock); >++ return SASL_FAIL; >++ } >++ >++ if (result) //There were some rows found >++ { >++ if ((numrows = mysql_affected_rows(&mysql)) != 1) >++ { >++ mysql_free_result(result); >++ mysql_close(sock); >++ if ((numrows > 1) && (reply)) { *reply = "Detected duplicate entries for user"; } >++ return SASL_BADAUTH; >++ } else { >++ mysql_free_result(result); >++ mysql_close(sock); >++ return SASL_OK; >++ } >++ } >++ mysql_free_result(result); >++ mysql_close(sock); >++ return SASL_BADAUTH; >++} >++#endif /* HAVE_MYSQL */ >++ >++#ifdef HAVE_LDAP >++/* simon@surf.org.uk LDAP auth 07/11/2000 >++ * Updated to 1.5.24 by SWH 09/12/2000 >++ */ >++ >++#define LDAP_SERVER "localhost" >++#define LDAP_BASEDN "o=JOFA, c=UK" >++#define LDAP_UIDATTR "uid" >++ >++#ifndef TRUE >++# define TRUE 1 >++# define FALSE 0 >++#endif >++ >++static int ldap_isdigits(char *value) >++{ >++ char *ptr; >++ int num = TRUE; >++ >++ for (ptr = value; *ptr != '\0' && num != FALSE; ptr++) { >++ if (!isdigit(*ptr)) >++ num = FALSE; >++ } >++ >++ return num; >++} >++ >++static int ldap_verify_password(sasl_conn_t *conn, >++ const char *userid, >++ const char *password, >++ const char *service __attribute__((unused)), >++ const 
char *user_realm __attribute__((unused)), >++ const char **reply) >++{ >++ >++ LDAP *ld; >++ LDAPMessage *result; >++ LDAPMessage *entry; >++ char *attrs[2]; >++ char filter[200]; >++ char *dn, >++ *ldap_server="", >++ *ldap_basedn="", >++ *ldap_uidattr="", >++ *port_num=""; >++ int ldap_port = LDAP_PORT; >++ int count; >++ sasl_getopt_t *getopt; >++ void *context; >++ >++ /* If the password is NULL, reject the login... >++ * Otherwise the bind will succed as a reference bind. Not good... >++ */ >++ if (strcmp(password,"") == 0) >++ { >++ return SASL_BADPARAM; >++ } >++ >++ if (reply) { *reply = NULL; } >++ >++ /* check to see if the user configured a mysqluser/passwd/host/etc */ >++ if (_sasl_getcallback(conn, SASL_CB_GETOPT, &getopt, &context) == SASL_OK) { >++ getopt(context, NULL, "ldap_server", (const char **) &ldap_server, NULL); >++ if (!ldap_server) ldap_server = LDAP_SERVER; >++ getopt(context, NULL, "ldap_basedn", (const char **) &ldap_basedn, NULL); >++ if (!ldap_basedn) { >++ if (reply) { *reply = "ldap_basedn not defined"; } >++ return SASL_BADPARAM; >++ } >++ getopt(context, NULL, "ldap_uidattr", (const char **) &ldap_uidattr, NULL); >++ if (!ldap_uidattr) ldap_uidattr = LDAP_UIDATTR; >++ getopt(context, NULL, "ldap_port", (const char **) &port_num, NULL); >++ if (!port_num) { >++ ldap_port = LDAP_PORT; >++ } else if (!ldap_isdigits(port_num)) { >++ if (reply) { *reply = "ldap_port - invalid value"; } >++ return SASL_BADPARAM; >++ } else { >++ ldap_port = atoi(port_num); >++ } >++ } >++ >++ /* Open the LDAP connection. */ >++ if ((ld = ldap_open(ldap_server, ldap_port)) == NULL) >++ { >++ if (reply) { *reply = "cannot connect to LDAP server"; } >++ return SASL_FAIL; >++ } >++ >++ /* Bind anonymously so that you can find the DN of the appropriate user. 
*/ >++ if (ldap_simple_bind_s(ld,"","") != LDAP_SUCCESS) >++ { >++ ldap_unbind(ld); >++ if (reply) { *reply = "cannot bind to LDAP server"; } >++ return SASL_FAIL; >++ } >++ >++ /* Generate a filter that will return the entry with a matching UID */ >++ sprintf(filter,"(%s=%s)", ldap_uidattr,userid); >++ >++ /* Just return country...This doesn't actually matter, since we will >++ * not read the attributes and values, only the DN >++ */ >++ attrs[0] = "c"; >++ attrs[1] = NULL; >++ >++ /* Perform the search... */ >++ if (ldap_search_s(ld,ldap_basedn,LDAP_SCOPE_SUBTREE,filter,attrs,1,&result) != LDAP_SUCCESS ) >++ { >++ ldap_unbind(ld); >++ return SASL_BADAUTH; >++ } >++ >++ /* If the entry count is not equal to one, either the UID was not unique or >++ * there was no match >++ */ >++ if ((count = ldap_count_entries(ld,result)) != 1) >++ { >++ ldap_msgfree(result); >++ ldap_unbind(ld); >++ if ((count > 1) && (reply)) { *reply = "Detected duplicate entries for user"; } >++ return SASL_BADAUTH; >++ } >++ >++ /* Get the first entry */ >++ if ((entry = ldap_first_entry(ld,result)) == NULL) >++ { >++ ldap_msgfree(result); >++ ldap_unbind(ld); >++ return SASL_BADAUTH; >++ } >++ >++ /* Get the DN of the entry */ >++ if ((dn = ldap_get_dn(ld,entry)) == NULL) >++ { >++ ldap_msgfree(entry); >++ ldap_unbind(ld); >++ return SASL_BADAUTH; >++ } >++ >++ /* Now bind as the DN with the password supplied earlier... >++ * Successful bind means the password was correct, otherwise the >++ * password is invalid. 
>++ */ >++ if (ldap_simple_bind_s(ld,dn,(char *)password) != LDAP_SUCCESS) >++ { >++ free(dn); >++ ldap_msgfree(entry); >++ ldap_unbind(ld); >++ return SASL_BADAUTH; >++ } >++ >++ free(dn); >++ ldap_msgfree(entry); >++ ldap_unbind(ld); >++ return SASL_OK; >++} >++ >++#endif /* HAVE_LDAP */ >++ >+ struct sasl_verify_password_s _sasl_verify_password[] = { >+ { "sasldb", &sasldb_verify_password }, >+ #ifdef HAVE_KRB >+@@ -921,6 +1201,12 @@ >+ #endif >+ #ifdef HAVE_PWCHECK >+ { "pwcheck", &pwcheck_verify_password }, >++#endif >++#ifdef HAVE_MYSQL >++ { "mysql", &mysql_verify_password }, >++#endif >++#ifdef HAVE_LDAP >++ { "ldap", &ldap_verify_password }, >+ #endif >+ { NULL, NULL } >+ }; >diff -ruN cyrus-sasl.orig/patches/patch-aj cyrus-sasl/patches/patch-aj >--- cyrus-sasl.orig/patches/patch-aj Wed Dec 31 18:00:00 1969 >+++ cyrus-sasl/patches/patch-aj Sat Sep 16 11:27:56 2000 
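Review bot: `sprintf(qbuf,QUERY_STRING,db_uidcol,db_table,db_uidcol,userid,db_pwcol,password)` in mysql_verify_password copies the client-supplied userid and password into a 300-byte stack buffer with neither a length bound nor SQL escaping, and `sprintf(filter,"(%s=%s)", ldap_uidattr,userid)` in ldap_verify_password does the same into a 200-byte buffer with no LDAP filter escaping; both functions are reached through sasl_checkpass() before any credential has been verified, so a long or metacharacter-bearing value overflows the buffer or changes the meaning of the query. The bound check and escaping belong before the format call, as sketched below for the MySQL path (the cap is illustrative); for LDAP, reject userids containing `*`, `(`, `)`, `\` or NUL and build the filter with `snprintf(filter, sizeof filter, ...)`. ldap_verify_password also tests `strcmp(password,"") == 0` although its own comment talks about a NULL password, so a NULL password or userid is dereferenced before any check; `if (!userid || !password || !*password) return SASL_BADPARAM;` covers all three. Smaller points in the same function: `ldap_msgfree(entry)` frees the pointer from ldap_first_entry where `ldap_msgfree(result)` is the message that was allocated, and in the MySQL path `mysql_num_rows(result)` is the documented count for a SELECT (mysql_affected_rows may give the same number here, but the intent is clearer) while `mysql_query(...) < 0` relies on a negative return that the API documents only as non-zero. Note too that ldap_simple_bind_s sends the user's password in clear over the ldap_open connection, so the deployment docs added in patch-aj should say the server needs to be local or the link otherwise protected.
```c
    /* MAX_CRED is illustrative; choose a cap that fits the schema. */
    enum { MAX_CRED = 64 };
    char esc_user[2 * MAX_CRED + 1], esc_pass[2 * MAX_CRED + 1];
    /* … unchanged: remaining declarations, getopt lookups, mysql_connect, mysql_select_db … */

    /* Refuse oversized credentials before anything touches the fixed-size buffer. */
    if (strlen(userid) > MAX_CRED || strlen(password) > MAX_CRED) {
        mysql_close(sock);
        return SASL_BADPARAM;
    }
    /* Escape quotes and backslashes so the values cannot alter the statement. */
    mysql_escape_string(esc_user, userid, strlen(userid));
    mysql_escape_string(esc_pass, password, strlen(password));
    if (snprintf(qbuf, sizeof qbuf, QUERY_STRING,
                 db_uidcol, db_table, db_uidcol, esc_user, db_pwcol, esc_pass)
            >= (int) sizeof qbuf) {
        mysql_close(sock);
        return SASL_FAIL;
    }
    /* … unchanged: mysql_query, result handling … */
```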
>@@ -0,0 +1,46 @@ >+--- doc/sysadmin.html.orig Wed Jul 12 21:59:51 2000 >++++ doc/sysadmin.html Fri Sep 15 20:56:28 2000 >+@@ -171,6 +171,43 @@ >+ <dt><i>pwcheck</i><dd> checks passwords with the use of a seperate, >+ helper daemon. <b>needs to be documented.</b><p> >+ >++<dt><i>mysql</i><dd> A MySQL database can be used for plaintext >++ password checking by setting "pwcheck_method" to "mysql".<p> >++ >++ <p>The following SASL options are used for MySQL Authentication:<p> >++ >++ <dl> >++ <dd>mysql_user: <user></dd> >++ <dd>mysql_passwd: <cleartext pw></dd> >++ <dd>mysql_host: <host></dd> >++ <dd>mysql_database: <database></dd> >++ <dd>mysql_table: <table></dd> >++ <dd>mysql_uidcol: <username col></dd> >++ <dd>mysql_pwdcol: <password col></dd> >++ </dl> >++ >++ <p>MySQL pwcheck_method created by <a href="mailto:dmz@dmzs.com">David Matthew Zendzian</a> >++ the original patch may be found at <a href="http://www.dmzs.com/~dmz/projects/cyrus/">http://www.dmzs.com/~dmz/projects/cyrus/</a>.<p> >++ >++<dt><i>ldap</i><dd> A LDAP server can be used for plaintext password >++ checking by setting "pwcheck_method" to "ldap".<p> >++ >++ <p>The following SASL options are used for LDAP Authentication:<p> >++ >++ <dl> >++ <dd>ldap_server: <LDAP Server [localhost]> >++ <dd>ldap_basedn: <LDAP base dn> >++ <dd>ldap_uidattr: <LDAP uid attribute [uid]> >++ <dd>ldap_port: <LDAP port [389]> >++ </dl> >++ >++ <p>It is a requirement that "ldap_basedn" be set to the appropriate >++ value for your site<br> >++ (ex. ldap_basedn: o=surf, c=UK)<p> >++ >++ <p>LDAP pwcheck_method created by <a href="mailto:simon@surf.org.uk">Simon@surf.org.uk</a> >++ the original patch may be found at <a href="http://www.surf.org.uk/">http://www.surf.org.uk/</a>.<p> >++ >+ <dt><i>write your own</i><dd> Last, but not least, the most flexible >+ method of authentication for PLAIN is to write your own. 
If you do >+ so, any application that calls the "<tt>sasl_checkpass()</tt>" >diff -ruN cyrus-sasl.orig/patches/patch-ak cyrus-sasl/patches/patch-ak >--- cyrus-sasl.orig/patches/patch-ak Wed Dec 31 18:00:00 1969 >+++ cyrus-sasl/patches/patch-ak Sat Sep 16 18:50:20 2000 >@@ -0,0 +1,30 @@ >+--- plugins/kerberos4.c.orig Wed Apr 19 11:18:48 2000 >++++ plugins/kerberos4.c Sat Sep 16 18:49:20 2000 >+@@ -696,8 +696,13 @@ >+ >+ /* decrypt; verify checksum */ >+ >++#ifdef __FreeBSD__ >++ des_pcbc_encrypt((const unsigned char *)in, >++ (unsigned char *)in, >++#else >+ des_pcbc_encrypt((des_cblock *)in, >+ (des_cblock *)in, >++#endif >+ clientinlen, >+ text->init_keysched, >+ &text->session, >+@@ -1192,8 +1197,13 @@ >+ } >+ sout[len]=0; >+ >++#ifdef __FreeBSD__ >++ des_pcbc_encrypt((const unsigned char *)sout, >++ (unsigned char *)sout, >++#else >+ des_pcbc_encrypt((des_cblock *)sout, >+ (des_cblock *)sout, >++#endif >+ len, >+ text->init_keysched, >+ (des_cblock *)text->session, >diff -ruN cyrus-sasl.orig/pkg/INSTALL cyrus-sasl/pkg/INSTALL >--- cyrus-sasl.orig/pkg/INSTALL Sun Jan 23 23:22:21 2000 >+++ cyrus-sasl/pkg/INSTALL Mon Sep 18 20:53:06 2000 >@@ -7,11 +7,15 @@ > > #set -vx > >+PKG_BATCH=${BATCH:=NO} >+ >+PKG_PREFIX=${PKG_PREFIX:=/usr/local} >+ > # > # create 'cyrus' user and group before installing > # > >-create() { >+create_user() { > if [ ! -x /usr/sbin/pw ]; then > echo "*** Please add a user and a group named \`cyrus' before installing this package." > exit 69 
>@@ -65,9 +69,31 @@ > fi > } > >+create_sasldb() { >+ if [ ! -f ${PGK_PREFIX}/etc/sasldb.db ]; then >+ touch ${PGK_PREFIX}/etc/sasldb.db >+ chown cyrus:mail ${PGK_PREFIX}/etc/sasldb.db >+ chmod 640 ${PGK_PREFIX}/etc/sasldb.db >+ fi >+} >+ >+# This should really be installed by Sendmail >+ >+sendmail_conf() { >+ if [ ! -f ${PKG_PREFIX}/lib/sasl/Sendmail.conf ]; then >+ echo "pwcheck_method: pwcheck" > ${PKG_PREFIX}/lib/sasl/Sendmail.conf >+ fi >+} >+ > case $2 in > PRE-INSTALL) >- create >+ create_user >+ ;; >+ POST-INSTALL) >+ if [ "${PKG_BATCH}" = "NO" ]; then >+ create_sasldb >+ sendmail_conf >+ fi > ;; > > esac >diff -ruN cyrus-sasl.orig/pkg/MESSAGE cyrus-sasl/pkg/MESSAGE >--- cyrus-sasl.orig/pkg/MESSAGE Sun Jan 23 23:22:21 2000 >+++ cyrus-sasl/pkg/MESSAGE Sat Sep 16 11:27:56 2000 >@@ -1,4 +1,15 @@ >-Start the pwcheck program to have clients use the SASL libraries >-as a non-root user: >+PREFIX/etc/cyrusdb.db now needs to be created >+before applications that depend on SASL are used. > >- /usr/local/etc/rc.d/pwcheck.sh [start|stop] >+ su cyrus >+ PREFIX/sbin/saslpasswd -c userid >+ >+You will also need to start the pwcheck daemon: >+ >+ PREFIX/etc/rc.d/pwcheck.sh start >+ >+Read the documentation in PREFIX/share/doc/SASL >+ >+How to enable SMTP AUTH with system Sendmail 8.11 - Sendmail.README >+ >+How to use LDAP or MySQL for passwords - see html/sysadmin.html >diff -ruN cyrus-sasl.orig/pkg/PLIST cyrus-sasl/pkg/PLIST >--- cyrus-sasl.orig/pkg/PLIST Sat Jun 17 03:56:22 2000 >+++ cyrus-sasl/pkg/PLIST Mon Sep 18 20:51:56 2000 >@@ -1,5 +1,7 @@ > @unexec %D/etc/rc.d/pwcheck.sh stop ; echo "pwcheck stopped." > etc/rc.d/pwcheck.sh >+@comment remove ../etc/sasldb.db only if it exists and has a zero size. >+@unexec [ -f %D/etc/sasldb.db -a ! -s %D/etc/sasldb.db ] && rm %D/etc/sasldb.db > include/sasl/hmac-md5.h > include/sasl/md5.h > include/sasl/md5global.h 
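Review bot: create_sasldb in `@@ -65,9 +69,31 @@` spells the variable `PGK_PREFIX` on all three lines while the script defines `PKG_PREFIX`, so the expansion is empty and the function touches, chowns and chmods `/etc/sasldb.db` in the base system instead of `${PKG_PREFIX}/etc/sasldb.db`; the `@unexec` added to pkg/PLIST in this same patch looks under %D/etc, so the stray file would also never be removed. Rename it to `PKG_PREFIX` on those three lines. The file is given group `mail` while the Makefile's pre-install creates group `cyrus` for the pwcheck directory; which group the consumers of sasldb.db actually run under is not visible here, so that choice is worth a one-line comment above the chown.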
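Review bot: The new MESSAGE text tells the user that `PREFIX/etc/cyrusdb.db` must be created, but every other part of this patch (create_sasldb in pkg/INSTALL, the @unexec in pkg/PLIST, and the `--with-dbpath=${PREFIX}/etc/sasldb` configure argument) uses the name sasldb.db. Change the line to `PREFIX/etc/sasldb.db now needs to be created`. The `su cyrus` step assumes the cyrus account has a usable login shell; whether create_user sets one is outside this view, so the message may want to say how the account is expected to be entered.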
>@@ -31,7 +33,10 @@ > lib/sasl/libplain.a > lib/sasl/libplain.so > lib/sasl/libplain.so.1 >-@dirrm lib/sasl >+@comment Sendmail.conf should be installed/uninstalled by Sendmail 8.11. >+@comment We install it here because Sendmail 8.11 is in the base system. >+@unexec echo "pwcheck_method: pwcheck" > %B/Sendmail.conf.tmp >+@unexec if cmp -s %B/Sendmail.conf %B/Sendmail.conf.tmp; then rm -f %B/Sendmail.conf %B/Sendmail.conf.tmp; else rm -f %B/Sendmail.conf.tmp fi > sbin/sasldblistusers > sbin/saslpasswd > sbin/pwcheck >@@ -41,6 +46,7 @@ > %%NOPORTDOCS%%share/doc/SASL/INSTALL > %%NOPORTDOCS%%share/doc/SASL/NEWS > %%NOPORTDOCS%%share/doc/SASL/README >+%%NOPORTDOCS%%share/doc/SASL/Sendmail.README > %%NOPORTDOCS%%share/doc/SASL/TODO > %%NOPORTDOCS%%share/doc/SASL/draft-leach-digest-sasl-05.txt > %%NOPORTDOCS%%share/doc/SASL/draft-newman-auth-scram-03.txt >@@ -55,12 +61,13 @@ > %%NOPORTDOCS%%share/doc/SASL/html/sysadmin.html > %%NOPORTDOCS%%@dirrm share/doc/SASL/html > %%NOPORTDOCS%%@dirrm share/doc/SASL >+@dirrm lib/sasl > @mode u=rwx,go= > @cwd /var > @exec mkdir pwcheck > @exec chown cyrus:cyrus pwcheck > @exec chmod go= pwcheck >-@comment This file gets create by the pwcheck program >-@unexec rm -f pwcheck/pwcheck >+@comment This file gets created by the pwcheck program >+@unexec rm -f /var/pwcheck/pwcheck > @dirrm pwcheck > @cwd %%PREFIX%% >diff -ruN cyrus-sasl.orig/scripts/configure.sasl cyrus-sasl/scripts/configure.sasl >--- cyrus-sasl.orig/scripts/configure.sasl Wed Dec 31 18:00:00 1969 >+++ cyrus-sasl/scripts/configure.sasl Sat Sep 16 13:18:00 2000 
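Review bot: The `@unexec if cmp -s %B/Sendmail.conf %B/Sendmail.conf.tmp; then ...; else rm -f %B/Sendmail.conf.tmp fi` line in `@@ -31,7 +33,10 @@` is missing the `;` before `fi`, so the shell passes `fi` to rm as a second argument and then reports an unterminated `if`; at pkg_delete time that leaves Sendmail.conf.tmp (and possibly Sendmail.conf) behind, and the `@dirrm lib/sasl` moved later in this file then fails on a non-empty directory. Change the tail to `else rm -f %B/Sendmail.conf.tmp; fi`. Comparing against a freshly echoed template before deleting is the right way to spare an admin-edited file, so the fix is only the missing separator.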
>@@ -0,0 +1,59 @@ >+#!/bin/sh >+# $FreeBSD$ >+ >+if [ -f ${WRKDIRPREFIX}${CURDIR}/Makefile.inc ]; then >+ exit >+fi >+ >+if [ "${BATCH}" ]; then >+ exit >+else >+ /usr/bin/dialog --title "Additional pwcheck methods" --clear \ >+ --checklist "\n\ >+Please select desired options:" -1 -1 16 \ >+MySQL "MySQL password Authentication" OFF \ >+OpenLDAP "OpenLDAP password Authentication" OFF \ >+2> /tmp/checklist.tmp.$$ >+ >+ retval=$? >+ >+ if [ -s /tmp/checklist.tmp.$$ ]; then >+ set `cat /tmp/checklist.tmp.$$` >+ fi >+ rm -f /tmp/checklist.tmp.$$ >+ >+ case $retval in >+ 0) if [ -z "$*" ]; then >+ echo "Nothing selected" >+ fi >+ ;; >+ 1) echo "Cancel pressed." >+ exit 1 >+ ;; >+ esac >+fi >+ >+${MKDIR} ${WRKDIRPREFIX}${CURDIR} >+exec > ${WRKDIRPREFIX}${CURDIR}/Makefile.inc >+ >+echo "PREFIX= ${PREFIX}" >+ >+while [ "$1" ]; do >+ case $1 in >+ \"MySQL\") >+ echo "LIB_DEPENDS+= mysqlclient.6:\${PORTSDIR}/databases/mysql322-client" >+ echo "CONFIGURE_ARGS+=--with-mysql=\${PREFIX}" >+ ;; >+ \"OpenLDAP\") >+ echo "LIB_DEPENDS+= ldap.1:\${PORTSDIR}/net/openldap" >+ echo "LIB_DEPENDS+= lber.1:\${PORTSDIR}/net/openldap" >+ echo "CONFIGURE_ARGS+=--with-ldap=\${PREFIX}" >+ ;; >+ *) >+ echo "Invalid option(s): $*" > /dev/stderr >+ rm -f ${WRKDIRPREFIX}${CURDIR}/Makefile.inc >+ exit 1 >+ ;; >+ esac >+ shift >+done
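Review bot: The dialog checklist is written to `/tmp/checklist.tmp.$$`, a predictable name in a world-writable directory, and this script is run from the port's pre-fetch target, which is normally done as root; a pre-existing file or symlink at that path is followed by the `2>` redirection and its contents are then handed to `set \`cat ...\``. Use `tmpfile=$(mktemp -t checklist) || exit 1` and refer to `"$tmpfile"` in the redirection, the `-s` test, the cat and the rm, so the file is created fresh with a random name. Separately, after `exec > ${WRKDIRPREFIX}${CURDIR}/Makefile.inc` the only diagnostic that still reaches the user is the `> /dev/stderr` echo, which is fine, but the `echo "PREFIX= ${PREFIX}"` has already been written when an invalid option causes the file to be removed, so the removal is what keeps the build from seeing a half-written Makefile.inc and deserves a comment saying so.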