[packages/cyrus-sasl.git] / cyrus-sasl-mysql-ldap.patch

diff -ruN --exclude *.orig cyrus-sasl-1.5.27.orig/acconfig.h cyrus-sasl-1.5.27/acconfig.h
--- cyrus-sasl-1.5.27.orig/acconfig.h	Tue Apr 24 17:02:28 2001
+++ cyrus-sasl-1.5.27/acconfig.h	Tue Apr 24 17:02:53 2001
@@ -86,6 +86,12 @@
 /* do we have PAM for plaintext password checking? */
 #undef HAVE_PAM
 
+/* do we have MySQL for plaintext password checking? */
+#undef HAVE_MYSQL
+
+/* do we have LDAP for plaintext password checking? */
+#undef HAVE_LDAP
+
 /* what flavor of GSSAPI are we using? */
 #undef HAVE_GSS_C_NT_HOSTBASED_SERVICE
 
diff -ruN --exclude *.orig cyrus-sasl-1.5.27.orig/configure.in cyrus-sasl-1.5.27/configure.in
--- cyrus-sasl-1.5.27.orig/configure.in	Tue Apr 24 17:02:28 2001
+++ cyrus-sasl-1.5.27/configure.in	Tue Apr 24 17:41:49 2001
@@ -147,13 +147,16 @@
 dnl named.  arg.
   berkeley)
 	AC_CHECK_HEADER(db.h,
-			AC_CHECK_LIB(db-3, db_create, SASL_DB_LIB="-ldb-3";
-			   dblib="berkeley",
-			AC_CHECK_LIB(db, db_create, SASL_DB_LIB="-ldb";
-			   dblib="berkeley",
-			AC_CHECK_LIB(db, db_open, SASL_DB_LIB="-ldb"; 
-			   dblib="berkeley",
-                        dblib="no"))),
+			for dbname in db-3.1 db-3 db3.1 db3 db
+			  do
+			    AC_CHECK_LIB($dbname, db_create, SASL_DB_LIB="-l$dbname";
+			    dblib="berkeley"; break, dblib="no")
+			  done
+			if test "$dblib" = "no"; then
+			  AC_CHECK_LIB(db, db_open, SASL_DB_LIB="-ldb"; 
+			  dblib="berkeley"; dbname=db,
+                          dblib="no")
+			fi,
 			dblib="no")
 	;;
   gdbm)
@@ -173,13 +176,16 @@
   auto_detect)
         dnl How about berkeley db?
 	AC_CHECK_HEADER(db.h,
-			AC_CHECK_LIB(db-3, db_create, SASL_DB_LIB="-ldb-3";
-			   dblib="berkeley",
-			AC_CHECK_LIB(db, db_create, SASL_DB_LIB="-ldb";
-			   dblib="berkeley",
-			AC_CHECK_LIB(db, db_open, SASL_DB_LIB="-ldb"; 
-			   dblib="berkeley",
-                        dblib="no"))),
+                        for dbname in db-3.1 db-3 db3.1 db3 db
+                          do
+                            AC_CHECK_LIB($dbname, db_create, SASL_DB_LIB="-l$dbname";
+                            dblib="berkeley"; break, dblib="no")
+                          done
+                        if test "$dblib" = "no"; then
+                          AC_CHECK_LIB(db, db_open, SASL_DB_LIB="-ldb";
+                          dblib="berkeley"; dbname=db,
+                          dblib="no")
+			fi,
 			dblib="no")
 	if test "$dblib" = no; then
 	  dnl How about ndbm?
@@ -322,6 +328,88 @@
 fi
 AM_CONDITIONAL(PWCHECK, test "$with_pwcheck" != no)
 
+dnl MySQL
+AC_ARG_WITH(mysql,  [ --with-mysql=PATH        enable authentication from MySQL database [no] ],
+  with_mysql=$withval,
+  with_mysql=no)
+
+mysql_found=""  
+if test -z "$with_mysql"; then
+  for mysqlloc in lib/mysql lib ; do
+	for mysqlprefix in ${prefix} /usr/local /usr ; do
+		if test -f ${prefix}/${mysqlloc}/libmysqlclient.a; then
+      		with_mysql="${prefix}"
+			mysql_found="yes"
+      		break
+		fi
+	done
+	if test "$mysql_found"; then
+		break
+	fi
+  done
+fi
+
+LIB_MYSQL=""
+case "$with_mysql" in
+    no) true;;
+    ""|yes) AC_CHECK_LIB(mysqlclient, mysql_select_db,
+		AC_DEFINE(HAVE_MYSQL)
+		LIB_MYSQL="-lmysqlclient",
+		with_mysql=no);;
+    *)	if test -d ${with_mysql}/include/mysql; then
+	  CPPFLAGS="$CPPFLAGS -I${with_mysql}/include/mysql"
+	else
+	  CPPFLAGS="$CPPFLAGS -I${with_mysql}/include"
+	fi
+	if test -d ${with_mysql}/lib/mysql; then
+	  LDFLAGS="$LDFLAGS -L${with_mysql}/lib/mysql"
+	fi
+	AC_DEFINE(HAVE_MYSQL)
+	LIB_MYSQL="-lmysqlclient";;
+esac
+AC_SUBST(LIB_MYSQL)
+
+dnl LDAP
+AC_ARG_WITH(ldap, [  --with-ldap=PATH         enable authentication from LDAP [no] ],
+  with_ldap=$withval,
+  with_ldap=no)
+
+ldap_found=""  
+if test -z "$with_ldap"; then
+  for ldaploc in lib/ldap lib;  do
+  	for ldapprefix in ${prefix} /usr/local /usr; do
+		if test -f ${ldapprefix}/${ldaploc}/libldap.a -o -f ${ldapprefix}/${ldaploc}/libldap.so; then
+      		with_ldap="${ldapprefix}"
+			ldap_found="yes"
+      		break
+    	fi
+	done
+	if test "$ldap_found"; then
+		break
+	fi
+  done
+fi
+
+LIB_LDAP=""
+case "$with_ldap" in
+    no) true;;
+    ""|yes) AC_CHECK_LIB(ldap, ldap_open,
+                AC_DEFINE(HAVE_LDAP)
+		LIB_LDAP="-lldap -llber",
+                with_ldap=no);;
+    *)  if test -d ${with_ldap}/include/ldap; then
+          CPPFLAGS="${CPPFLAGS} -I${with_ldap}/include/ldap"
+        else
+          CPPFLAGS="${CPPFLAGS} -I${with_ldap}/include"
+        fi
+	if test -d ${with_ldap}/lib/ldap; then
+	  LDFLAGS="$LDFLAGS -L${with_ldap}/lib/ldap"
+	fi
+        AC_DEFINE(HAVE_LDAP)
+        LIB_LDAP="-lldap -llber";;
+esac
+AC_SUBST(LIB_LDAP)
+
 dnl CRAM-MD5
 AC_ARG_ENABLE(cram, [  --enable-cram           enable CRAM-MD5 authentication [yes] ],
   cram=$enableval,
@@ -445,11 +533,15 @@
   fi
 
   if test "$with_des" != no; then
+    case "$host_os" in
+	freebsd*)
+	    COM_ERR="-lcom_err"
+	    ;;
+    esac
     AC_CHECK_HEADER(krb.h,
-      AC_CHECK_LIB(krb, krb_mk_priv, COM_ERR="",
-	AC_CHECK_LIB(krb, krb_mk_priv, COM_ERR="-lcom_err",
-                     AC_WARN(No Kerberos V4 found); krb4=no, -ldes -lcom_err),
-        -ldes),
+      AC_CHECK_LIB(krb, krb_mk_priv,:,
+		   AC_WARN(No Kerberos V4 found); krb4=no,
+		   -ldes $COM_ERR),
       AC_WARN(No Kerberos V4 found); krb4=no)
   else
     AC_WARN(No DES library found for Kerberos V4 support)
diff -ruN --exclude *.orig cyrus-sasl-1.5.27.orig/doc/sysadmin.html cyrus-sasl-1.5.27/doc/sysadmin.html
--- cyrus-sasl-1.5.27.orig/doc/sysadmin.html	Sat Feb 17 06:06:33 2001
+++ cyrus-sasl-1.5.27/doc/sysadmin.html	Tue Apr 24 17:02:53 2001
@@ -171,6 +171,43 @@
 <dt><i>pwcheck</i><dd> checks passwords with the use of a seperate,
   helper daemon. <b>needs to be documented.</b><p>
 
+<dt><i>mysql</i><dd> A MySQL database can be used for plaintext
+  password checking by setting "pwcheck_method" to "mysql".<p>
+
+  <p>The following SASL options are used for MySQL Authentication:<p>
+
+  <dl>
+    <dd>mysql_user: &lt;user&gt;</dd>
+    <dd>mysql_passwd: &lt;cleartext pw&gt;</dd>
+    <dd>mysql_host: &lt;host&gt;</dd>
+    <dd>mysql_database: &lt;database&gt;</dd>
+    <dd>mysql_table: &lt;table&gt;</dd>
+    <dd>mysql_uidcol: &lt;username col&gt;</dd>
+    <dd>mysql_pwdcol: &lt;password col&gt;</dd>
+  </dl>
+
+  <p>MySQL pwcheck_method created by <a href="mailto:dmz@dmzs.com">David Matthew Zendzian</a>
+  the original patch may be found at <a href="http://www.dmzs.com/~dmz/projects/cyrus/">http://www.dmzs.com/~dmz/projects/cyrus/</a>.<p>
+
+<dt><i>ldap</i><dd> A LDAP server can be used for plaintext password
+  checking by setting "pwcheck_method" to "ldap".<p>
+
+  <p>The following SASL options are used for LDAP Authentication:<p>
+
+  <dl>
+    <dd>ldap_server: &lt;LDAP Server [localhost]&gt;
+    <dd>ldap_basedn: &lt;LDAP base dn&gt;
+    <dd>ldap_uidattr: &lt;LDAP uid attribute [uid]&gt;
+    <dd>ldap_port: &lt;LDAP port [389]&gt;
+  </dl>
+
+  <p>It is a requirement that "ldap_basedn" be set to the appropriate
+  value for your site<br>
+  (ex. ldap_basedn: o=surf, c=UK)<p>
+
+  <p>LDAP pwcheck_method created by <a href="mailto:simon@surf.org.uk">Simon@surf.org.uk</a>
+  the original patch may be found at <a href="http://www.surf.org.uk/">http://www.surf.org.uk/</a>.<p>
+
 <dt><i>write your own</i><dd> Last, but not least, the most flexible
   method of authentication for PLAIN is to write your own.  If you do
   so, any application that calls the "<tt>sasl_checkpass()</tt>"
diff -ruN --exclude *.orig cyrus-sasl-1.5.27.orig/lib/Makefile.am cyrus-sasl-1.5.27/lib/Makefile.am
--- cyrus-sasl-1.5.27.orig/lib/Makefile.am	Sat Mar 10 06:56:41 2001
+++ cyrus-sasl-1.5.27/lib/Makefile.am	Tue Apr 24 17:06:04 2001
@@ -53,5 +53,5 @@
 EXTRA_libsasl_la_SOURCES = db_none.c db_ndbm.c db_gdbm.c db_berkeley.c db_testw32.c
 libsasl_la_LDFLAGS = -version-info $(sasl_version)
 libsasl_la_DEPENDENCIES = $(SASL_DB_BACKEND) @LTLIBOBJS@
-libsasl_la_LIBADD = @LTLIBOBJS@ $(SASL_DB_BACKEND) $(SASL_DB_LIB) $(SASL_DL_LIB) $(PLAIN_LIBS) $(GSSAPIBASE_LIBS) $(GSSAPI_LIBS) $(LIB_SOCKET)
+libsasl_la_LIBADD = @LTLIBOBJS@ $(SASL_DB_BACKEND) $(SASL_DB_LIB) $(SASL_DL_LIB) $(PLAIN_LIBS) $(GSSAPIBASE_LIBS) $(GSSAPI_LIBS) $(LIB_SOCKET) $(LIB_LDAP) $(LIB_MYSQL)
 # PLAIN_LIBS are linked in for sasl_checkpass
diff -ruN --exclude *.orig cyrus-sasl-1.5.27.orig/lib/checkpw.c cyrus-sasl-1.5.27/lib/checkpw.c
--- cyrus-sasl-1.5.27.orig/lib/checkpw.c	Sat Feb 17 06:06:48 2001
+++ cyrus-sasl-1.5.27/lib/checkpw.c	Tue Apr 24 17:09:32 2001
@@ -51,11 +51,11 @@
 #include <assert.h>
 #ifdef HAVE_UNISTD_H
 #include <unistd.h>
-#endif
+#endif /* HAVE_UNISTD_H */
 
 #ifdef HAVE_KRB
 #include <krb.h>
-#endif
+#endif /* HAVE_KRB */
 
 #include <stdlib.h>
 
@@ -96,10 +96,19 @@
 # include <sys/un.h>
 # ifdef HAVE_UNISTD_H
 #  include <unistd.h>
-# endif
+# endif /* HAVE_UNISTD_H */
 
 extern int errno;
-#endif
+#endif /* HAVE_PWCHECK || HAVE_SASLAUTHD */
+
+#ifdef HAVE_MYSQL
+#include <mysql.h>
+#endif /* HAVE_MYSQL */
+
+#ifdef HAVE_LDAP
+#include <lber.h>
+#include <ldap.h>
+#endif /* HAVE_LDAP */
 
 #ifdef HAVE_KRB
 
@@ -171,7 +180,11 @@
     memcpy (&temp_key, "kerberos", 8);
     des_fixup_key_parity (&temp_key);
     des_key_sched (&temp_key, schedule);
+#ifdef __FreeBSD__
+    des_cbc_cksum ((const unsigned char *)password, &ivec, passlen, schedule, &ivec);
+#else
     des_cbc_cksum ((des_cblock *)password, &ivec, passlen, schedule, &ivec);
+#endif
 
     memcpy (&temp_key, &ivec, sizeof temp_key);
     des_fixup_key_parity (&temp_key);
@@ -211,10 +224,17 @@
     return (str);
 }
 
+#ifdef __FreeBSD__
+static int use_key(const char *user __attribute__((unused)),
+		   char *instance __attribute__((unused)),
+		   const char *realm __attribute__((unused)),
+		   const void *key, des_cblock *returned_key)
+#else
 static int use_key(char *user __attribute__((unused)), 
 		   char *instance __attribute__((unused)), 
 		   char *realm __attribute__((unused)), 
 		   void *key, des_cblock *returned_key)
+#endif
 {
     memcpy (returned_key, key, sizeof(des_cblock));
     return 0;
@@ -1015,7 +1035,7 @@
 
 
 /* pwcheck daemon-authenticated login */
-static int pwcheck_verify_password(sasl_conn_t *conn,
+static int pwcheck_verify_password(sasl_conn_t *conn __attribute__((unused)),
 				   const char *userid, 
 				   const char *passwd,
 				   const char *service __attribute__((unused)),
@@ -1030,8 +1050,10 @@
     static char response[1024];
     int start, n;
     char pwpath[1024];
+#if 0 /* Not used */
     sasl_getopt_t *getopt;
     void *context;
+#endif
 
     if (reply) { *reply = NULL; }
 
@@ -1183,6 +1205,225 @@
 
 #endif
 
+#ifdef HAVE_MYSQL
+/* DMZ mysql auth 12/29/1999
+ * Updated to 1.5.24 by SWH 09/12/2000
+ * changed to malloc qbuf Simon Loader 10/21/2000
+ */
+#ifdef USE_CRYPT_PASSWORD
+#define QUERY_STRING    "select %s from %s where %s = '%s' and %s = password('%s')"
+#else
+#define QUERY_STRING    "select %s from %s where %s = '%s' and %s = '%s'"
+#endif
+
+static int mysql_verify_password(sasl_conn_t *conn,
+				const char *userid,
+				const char *password,
+				const char *service __attribute__((unused)),
+				const char *user_realm __attribute__((unused)),
+				const char **reply)
+{
+   unsigned int numrows;
+   MYSQL mysql,*sock;
+   MYSQL_RES *result;
+   char *qbuf;
+   char *db_user="",
+        *db_passwd="",
+        *db_host="",
+        *db_uidcol="",
+        *db_pwcol="",
+        *db_database="",
+        *db_table="";
+   sasl_getopt_t *getopt;
+   void *context;
+ 
+   if (!userid || !password) {
+       return SASL_BADPARAM;
+   }
+   if (reply) { *reply = NULL; }
+ 
+   /* check to see if the user configured a mysqluser/passwd/host/etc */
+   if (_sasl_getcallback(conn, SASL_CB_GETOPT, &getopt, &context) == SASL_OK) {
+       getopt(context, NULL, "mysql_user", (const char **) &db_user, NULL);
+       if (!db_user) db_user = "";
+       getopt(context, NULL, "mysql_passwd", (const char **) &db_passwd, NULL);
+       if (!db_passwd) db_passwd = "";
+       getopt(context, NULL, "mysql_host", (const char **) &db_host, NULL);
+       if (!db_host) db_host = "";
+       getopt(context, NULL, "mysql_database", (const char **) &db_database, NULL);
+       if (!db_database) db_database = "";
+       getopt(context, NULL, "mysql_table", (const char **) &db_table, NULL);
+       if (!db_table) db_table = "";
+       getopt(context, NULL, "mysql_uidcol", (const char **) &db_uidcol, NULL);
+       if (!db_uidcol) db_uidcol = "";
+       getopt(context, NULL, "mysql_pwdcol", (const char **) &db_pwcol, NULL);
+       if (!db_pwcol) db_pwcol = "";
+    }
+
+    if (!(sock = mysql_connect(&mysql,db_host,db_user,db_passwd)))
+    {
+      if (reply) { *reply = "cannot connect to MySQL server"; }
+      return SASL_FAIL;
+    }
+
+    if (mysql_select_db(sock,db_database) < 0)
+    {
+      mysql_close(sock);
+      if (reply) { *reply = "cannot select MySQL database"; }
+      return SASL_FAIL;
+    }
+    /* select DB_UIDCOL from DB_TABLE where DB_UIDCOL = 'userid' AND DB_PWCOL = password('password') */
+    if ( (qbuf = (char *)malloc(strlen(QUERY_STRING)+strlen(db_uidcol)
+				+strlen(db_table)+strlen(db_uidcol)
+				+strlen(userid)+strlen(db_pwcol)
+				+strlen(password)+1)) == NULL ) {
+      if (reply) {
+	*reply = "cannot malloc memory for sql query";
+      }
+      return SASL_FAIL;
+    }
+    sprintf(qbuf,QUERY_STRING,db_uidcol,db_table,db_uidcol,userid,db_pwcol,password);
+    if (mysql_query(sock,qbuf) < 0 || !(result=mysql_store_result(sock)))
+    {
+      free(qbuf);
+      mysql_close(sock);
+      return SASL_FAIL;
+    }
+
+    if (result) //There were some rows found
+    {
+           if ((numrows = mysql_affected_rows(&mysql)) != 1)
+           {
+                   mysql_free_result(result);
+                   mysql_close(sock);
+		   if ((numrows > 1) && (reply)) { *reply = "Detected duplicate entries for user"; }
+		   free(qbuf);
+                   return SASL_BADAUTH;
+           } else {
+	     free(qbuf);
+	     mysql_free_result(result);
+	     mysql_close(sock);
+	     return SASL_OK;
+	   }
+    }
+    free(qbuf);
+    mysql_free_result(result);
+    mysql_close(sock);
+    return SASL_BADAUTH;
+}
+#endif /* HAVE_MYSQL */
+
+#ifdef HAVE_LDAP
+/* simon@surf.org.uk LDAP auth 07/11/2000
+ * Updated to 1.5.24 by SWH 09/12/2000
+ * changed to use malloc and simplify the auth by Simon@surf.org.uk 10/21/2000
+ */
+
+#define LDAP_SERVER	"localhost"
+#define LDAP_BASEDN	"o=JOFA, c=UK"
+#define LDAP_UIDATTR	"uid"
+
+#ifndef TRUE
+# define TRUE          1
+# define FALSE         0
+#endif
+
+static int ldap_isdigits(char *value)
+{
+    char *ptr;
+    int num = TRUE;
+
+    for (ptr = value; *ptr != '\0' && num != FALSE; ptr++) {
+       if (!isdigit(*ptr))
+           num = FALSE;
+    }
+
+    return num;
+}
+
+static int ldap_verify_password(sasl_conn_t *conn,
+				const char *userid,
+				const char *password,
+				const char *service __attribute__((unused)),
+				const char *user_realm __attribute__((unused)),
+				const char **reply)
+{
+
+    LDAP *ld;
+    char *dn,
+	 *ldap_server="",
+	 *ldap_basedn="",
+	 *ldap_uidattr="",
+	 *port_num="";
+    int ldap_port = LDAP_PORT;
+    sasl_getopt_t *getopt;
+    void *context;
+
+    /* If the password is NULL, reject the login...
+     * Otherwise the bind will succed as a reference bind. Not good...
+     */
+    if (strcmp(password,"") == 0 || strcmp(userid,"") == 0) {
+      return SASL_BADPARAM;
+    }
+
+    if (reply) { *reply = NULL; }
+    
+    /* check to see if the user configured a mysqluser/passwd/host/etc */
+    if (_sasl_getcallback(conn, SASL_CB_GETOPT, &getopt, &context) == SASL_OK) {
+      getopt(context, NULL, "ldap_server", (const char **) &ldap_server, NULL);
+      if (!ldap_server) ldap_server = LDAP_SERVER;
+      getopt(context, NULL, "ldap_basedn", (const char **) &ldap_basedn, NULL);
+      if (!ldap_basedn) {
+	if (reply) { *reply = "ldap_basedn not defined"; }
+	return SASL_BADPARAM;
+      }
+      getopt(context, NULL, "ldap_uidattr", (const char **) &ldap_uidattr, NULL);
+      if (!ldap_uidattr) ldap_uidattr = LDAP_UIDATTR;
+      getopt(context, NULL, "ldap_port", (const char **) &port_num, NULL);
+      if (!port_num) {
+	ldap_port = LDAP_PORT;
+      } else if (!ldap_isdigits(port_num)) {
+	if (reply) { *reply = "ldap_port - invalid value"; }
+	return SASL_BADPARAM;
+      } else {
+	ldap_port = atoi(port_num);
+      }
+    }
+
+    /* Open the LDAP connection. */
+    if ((ld = ldap_open(ldap_server, ldap_port)) == NULL) {
+      if (reply) { *reply = "cannot connect to LDAP server"; }
+      return SASL_FAIL;
+    }
+
+    if ( (dn = 
+	  (char *)malloc(strlen(ldap_uidattr)+strlen(userid)+strlen(ldap_basedn)+3)) == NULL ) {
+      if (reply) { 
+	*reply = "cannnot allocate memory for ldap dn";
+      }
+      return SASL_FAIL;
+    }
+    /* Generate a dn that we will try and login with */
+    sprintf(dn,"%s=%s,%s", ldap_uidattr,userid,ldap_basedn);
+    
+    /* 
+     * Just try and bind with the dn we have been given
+     * In most cases the basedn is correct. 
+     * If this is not so I have a version or that too
+     * Simon@surf.org.uk
+     */
+    if (ldap_simple_bind_s(ld,dn,password) != LDAP_SUCCESS) {
+      free(dn);
+      ldap_unbind(ld);
+      return SASL_BADAUTH;
+    }
+    free(dn);
+    ldap_unbind(ld);
+    return SASL_OK;
+}
+
+#endif /* HAVE_LDAP */
+
 struct sasl_verify_password_s _sasl_verify_password[] = {
     { "sasldb", &sasldb_verify_password },
 #ifdef HAVE_KRB
@@ -1205,6 +1446,12 @@
 #endif
 #ifdef HAVE_PWCHECK
     { "pwcheck", &pwcheck_verify_password },
+#endif
+#ifdef HAVE_MYSQL
+    { "mysql", &mysql_verify_password },
+#endif
+#ifdef HAVE_LDAP
+    { "ldap", &ldap_verify_password },
 #endif
 #ifdef HAVE_SASLAUTHD
     { "saslauthd", &saslauthd_verify_password },
diff -ruN --exclude *.orig cyrus-sasl-1.5.27.orig/plugins/kerberos4.c cyrus-sasl-1.5.27/plugins/kerberos4.c
--- cyrus-sasl-1.5.27.orig/plugins/kerberos4.c	Sat Mar 10 06:56:46 2001
+++ cyrus-sasl-1.5.27/plugins/kerberos4.c	Tue Apr 24 17:02:53 2001
@@ -698,8 +698,13 @@
 
     /* decrypt; verify checksum */
 
+#ifdef __FreeBSD__
+    des_pcbc_encrypt((const unsigned char *)in,
+		     (unsigned char *)in,
+#else
     des_pcbc_encrypt((des_cblock *)in,
 		     (des_cblock *)in,
+#endif
 		     clientinlen,
 		     text->init_keysched,
 		     &text->session,
Commit	Line	Data
61256dc4 AF	1	diff -ruN --exclude *.orig cyrus-sasl-1.5.27.orig/acconfig.h cyrus-sasl-1.5.27/acconfig.h
	2	--- cyrus-sasl-1.5.27.orig/acconfig.h Tue Apr 24 17:02:28 2001
	3	+++ cyrus-sasl-1.5.27/acconfig.h Tue Apr 24 17:02:53 2001
	4	@@ -86,6 +86,12 @@
	5	/* do we have PAM for plaintext password checking? */
	6	#undef HAVE_PAM
	7
	8	+/* do we have MySQL for plaintext password checking? */
	9	+#undef HAVE_MYSQL
	10	+
	11	+/* do we have LDAP for plaintext password checking? */
	12	+#undef HAVE_LDAP
	13	+
	14	/* what flavor of GSSAPI are we using? */
	15	#undef HAVE_GSS_C_NT_HOSTBASED_SERVICE
	16
	17	diff -ruN --exclude *.orig cyrus-sasl-1.5.27.orig/configure.in cyrus-sasl-1.5.27/configure.in
	18	--- cyrus-sasl-1.5.27.orig/configure.in Tue Apr 24 17:02:28 2001
	19	+++ cyrus-sasl-1.5.27/configure.in Tue Apr 24 17:41:49 2001
	20	@@ -147,13 +147,16 @@
	21	dnl named. arg.
	22	berkeley)
	23	AC_CHECK_HEADER(db.h,
	24	- AC_CHECK_LIB(db-3, db_create, SASL_DB_LIB="-ldb-3";
	25	- dblib="berkeley",
	26	- AC_CHECK_LIB(db, db_create, SASL_DB_LIB="-ldb";
	27	- dblib="berkeley",
	28	- AC_CHECK_LIB(db, db_open, SASL_DB_LIB="-ldb";
	29	- dblib="berkeley",
	30	- dblib="no"))),
	31	+ for dbname in db-3.1 db-3 db3.1 db3 db
	32	+ do
	33	+ AC_CHECK_LIB($dbname, db_create, SASL_DB_LIB="-l$dbname";
	34	+ dblib="berkeley"; break, dblib="no")
	35	+ done
	36	+ if test "$dblib" = "no"; then
	37	+ AC_CHECK_LIB(db, db_open, SASL_DB_LIB="-ldb";
	38	+ dblib="berkeley"; dbname=db,
	39	+ dblib="no")
	40	+ fi,
	41	dblib="no")
	42	;;
	43	gdbm)
	44	@@ -173,13 +176,16 @@
	45	auto_detect)
	46	dnl How about berkeley db?
	47	AC_CHECK_HEADER(db.h,
	48	- AC_CHECK_LIB(db-3, db_create, SASL_DB_LIB="-ldb-3";
	49	- dblib="berkeley",
	50	- AC_CHECK_LIB(db, db_create, SASL_DB_LIB="-ldb";
	51	- dblib="berkeley",
	52	- AC_CHECK_LIB(db, db_open, SASL_DB_LIB="-ldb";
	53	- dblib="berkeley",
	54	- dblib="no"))),
	55	+ for dbname in db-3.1 db-3 db3.1 db3 db
	56	+ do
	57	+ AC_CHECK_LIB($dbname, db_create, SASL_DB_LIB="-l$dbname";
	58	+ dblib="berkeley"; break, dblib="no")
	59	+ done
	60	+ if test "$dblib" = "no"; then
	61	+ AC_CHECK_LIB(db, db_open, SASL_DB_LIB="-ldb";
	62	+ dblib="berkeley"; dbname=db,
	63	+ dblib="no")
	64	+ fi,
65	dblib="no")
66	if test "$dblib" = no; then
67	dnl How about ndbm?
68	@@ -322,6 +328,88 @@
69	fi
70	AM_CONDITIONAL(PWCHECK, test "$with_pwcheck" != no)
71
72	+dnl MySQL
73	+AC_ARG_WITH(mysql, [ --with-mysql=PATH enable authentication from MySQL database [no] ],
74	+ with_mysql=$withval,
75	+ with_mysql=no)
76	+
77	+mysql_found=""
78	+if test -z "$with_mysql"; then
79	+ for mysqlloc in lib/mysql lib ; do
80	+ for mysqlprefix in ${prefix} /usr/local /usr ; do
81	+ if test -f ${prefix}/${mysqlloc}/libmysqlclient.a; then
82	+ with_mysql="${prefix}"
83	+ mysql_found="yes"
84	+ break
85	+ fi
86	+ done
87	+ if test "$mysql_found"; then
88	+ break
89	+ fi
90	+ done
91	+fi
92	+
93	+LIB_MYSQL=""
94	+case "$with_mysql" in
95	+ no) true;;
96	+ ""\|yes) AC_CHECK_LIB(mysqlclient, mysql_select_db,
97	+ AC_DEFINE(HAVE_MYSQL)
98	+ LIB_MYSQL="-lmysqlclient",
99	+ with_mysql=no);;
100	+ *) if test -d ${with_mysql}/include/mysql; then
101	+ CPPFLAGS="$CPPFLAGS -I${with_mysql}/include/mysql"
102	+ else
103	+ CPPFLAGS="$CPPFLAGS -I${with_mysql}/include"
104	+ fi
105	+ if test -d ${with_mysql}/lib/mysql; then
106	+ LDFLAGS="$LDFLAGS -L${with_mysql}/lib/mysql"
107	+ fi
108	+ AC_DEFINE(HAVE_MYSQL)
109	+ LIB_MYSQL="-lmysqlclient";;
110	+esac
111	+AC_SUBST(LIB_MYSQL)
112	+
113	+dnl LDAP
114	+AC_ARG_WITH(ldap, [ --with-ldap=PATH enable authentication from LDAP [no] ],
115	+ with_ldap=$withval,
116	+ with_ldap=no)
117	+
118	+ldap_found=""
119	+if test -z "$with_ldap"; then
120	+ for ldaploc in lib/ldap lib; do
121	+ for ldapprefix in ${prefix} /usr/local /usr; do
122	+ if test -f ${ldapprefix}/${ldaploc}/libldap.a -o -f ${ldapprefix}/${ldaploc}/libldap.so; then
123	+ with_ldap="${ldapprefix}"
124	+ ldap_found="yes"
125	+ break
126	+ fi
127	+ done
128	+ if test "$ldap_found"; then
129	+ break
130	+ fi
131	+ done
132	+fi
133	+
134	+LIB_LDAP=""
135	+case "$with_ldap" in
136	+ no) true;;
137	+ ""\|yes) AC_CHECK_LIB(ldap, ldap_open,
138	+ AC_DEFINE(HAVE_LDAP)
139	+ LIB_LDAP="-lldap -llber",
140	+ with_ldap=no);;
141	+ *) if test -d ${with_ldap}/include/ldap; then
142	+ CPPFLAGS="${CPPFLAGS} -I${with_ldap}/include/ldap"
143	+ else
144	+ CPPFLAGS="${CPPFLAGS} -I${with_ldap}/include"
145	+ fi
146	+ if test -d ${with_ldap}/lib/ldap; then
147	+ LDFLAGS="$LDFLAGS -L${with_ldap}/lib/ldap"
148	+ fi
149	+ AC_DEFINE(HAVE_LDAP)
150	+ LIB_LDAP="-lldap -llber";;
151	+esac
152	+AC_SUBST(LIB_LDAP)
153	+
154	dnl CRAM-MD5
155	AC_ARG_ENABLE(cram, [ --enable-cram enable CRAM-MD5 authentication [yes] ],
156	cram=$enableval,
157	@@ -445,11 +533,15 @@
158	fi
159
160	if test "$with_des" != no; then
161	+ case "$host_os" in
162	+ freebsd*)
163	+ COM_ERR="-lcom_err"
164	+ ;;
165	+ esac
166	AC_CHECK_HEADER(krb.h,
167	- AC_CHECK_LIB(krb, krb_mk_priv, COM_ERR="",
168	- AC_CHECK_LIB(krb, krb_mk_priv, COM_ERR="-lcom_err",
169	- AC_WARN(No Kerberos V4 found); krb4=no, -ldes -lcom_err),
170	- -ldes),
171	+ AC_CHECK_LIB(krb, krb_mk_priv,:,
172	+ AC_WARN(No Kerberos V4 found); krb4=no,
173	+ -ldes $COM_ERR),
174	AC_WARN(No Kerberos V4 found); krb4=no)
175	else
176	AC_WARN(No DES library found for Kerberos V4 support)
177	diff -ruN --exclude *.orig cyrus-sasl-1.5.27.orig/doc/sysadmin.html cyrus-sasl-1.5.27/doc/sysadmin.html
178	--- cyrus-sasl-1.5.27.orig/doc/sysadmin.html Sat Feb 17 06:06:33 2001
179	+++ cyrus-sasl-1.5.27/doc/sysadmin.html Tue Apr 24 17:02:53 2001
180	@@ -171,6 +171,43 @@
181	<dt><i>pwcheck</i><dd> checks passwords with the use of a seperate,
182	helper daemon. <b>needs to be documented.</b><p>
183
184	+<dt><i>mysql</i><dd> A MySQL database can be used for plaintext
185	+ password checking by setting "pwcheck_method" to "mysql".<p>
186	+
187	+ <p>The following SASL options are used for MySQL Authentication:<p>
188	+
189	+ <dl>
190	+ <dd>mysql_user: <user></dd>
191	+ <dd>mysql_passwd: <cleartext pw></dd>
192	+ <dd>mysql_host: <host></dd>
193	+ <dd>mysql_database: <database></dd>
194	+ <dd>mysql_table: <table></dd>
195	+ <dd>mysql_uidcol: <username col></dd>
196	+ <dd>mysql_pwdcol: <password col></dd>
197	+ </dl>
198	+
199	+ <p>MySQL pwcheck_method created by <a href="mailto:dmz@dmzs.com">David Matthew Zendzian</a>
200	+ the original patch may be found at <a href="http://www.dmzs.com/~dmz/projects/cyrus/">http://www.dmzs.com/~dmz/projects/cyrus/</a>.<p>
201	+
202	+<dt><i>ldap</i><dd> A LDAP server can be used for plaintext password
203	+ checking by setting "pwcheck_method" to "ldap".<p>
204	+
205	+ <p>The following SASL options are used for LDAP Authentication:<p>
206	+
207	+ <dl>
208	+ <dd>ldap_server: <LDAP Server [localhost]>
209	+ <dd>ldap_basedn: <LDAP base dn>
210	+ <dd>ldap_uidattr: <LDAP uid attribute [uid]>
211	+ <dd>ldap_port: <LDAP port [389]>
212	+ </dl>
213	+
214	+ <p>It is a requirement that "ldap_basedn" be set to the appropriate
215	+ value for your site<br>
216	+ (ex. ldap_basedn: o=surf, c=UK)<p>
217	+
218	+ <p>LDAP pwcheck_method created by <a href="mailto:simon@surf.org.uk">Simon@surf.org.uk</a>
219	+ the original patch may be found at <a href="http://www.surf.org.uk/">http://www.surf.org.uk/</a>.<p>
220	+
221	<dt><i>write your own</i><dd> Last, but not least, the most flexible
222	method of authentication for PLAIN is to write your own. If you do
223	so, any application that calls the "<tt>sasl_checkpass()</tt>"
224	diff -ruN --exclude *.orig cyrus-sasl-1.5.27.orig/lib/Makefile.am cyrus-sasl-1.5.27/lib/Makefile.am
225	--- cyrus-sasl-1.5.27.orig/lib/Makefile.am Sat Mar 10 06:56:41 2001
226	+++ cyrus-sasl-1.5.27/lib/Makefile.am Tue Apr 24 17:06:04 2001
227	@@ -53,5 +53,5 @@
228	EXTRA_libsasl_la_SOURCES = db_none.c db_ndbm.c db_gdbm.c db_berkeley.c db_testw32.c
229	libsasl_la_LDFLAGS = -version-info $(sasl_version)
230	libsasl_la_DEPENDENCIES = $(SASL_DB_BACKEND) @LTLIBOBJS@
231	-libsasl_la_LIBADD = @LTLIBOBJS@ $(SASL_DB_BACKEND) $(SASL_DB_LIB) $(SASL_DL_LIB) $(PLAIN_LIBS) $(GSSAPIBASE_LIBS) $(GSSAPI_LIBS) $(LIB_SOCKET)
232	+libsasl_la_LIBADD = @LTLIBOBJS@ $(SASL_DB_BACKEND) $(SASL_DB_LIB) $(SASL_DL_LIB) $(PLAIN_LIBS) $(GSSAPIBASE_LIBS) $(GSSAPI_LIBS) $(LIB_SOCKET) $(LIB_LDAP) $(LIB_MYSQL)
233	# PLAIN_LIBS are linked in for sasl_checkpass
234	diff -ruN --exclude *.orig cyrus-sasl-1.5.27.orig/lib/checkpw.c cyrus-sasl-1.5.27/lib/checkpw.c
235	--- cyrus-sasl-1.5.27.orig/lib/checkpw.c Sat Feb 17 06:06:48 2001
236	+++ cyrus-sasl-1.5.27/lib/checkpw.c Tue Apr 24 17:09:32 2001
237	@@ -51,11 +51,11 @@
238	#include <assert.h>
239	#ifdef HAVE_UNISTD_H
240	#include <unistd.h>
241	-#endif
242	+#endif /* HAVE_UNISTD_H */
243
244	#ifdef HAVE_KRB
245	#include <krb.h>
246	-#endif
247	+#endif /* HAVE_KRB */
248
249	#include <stdlib.h>
250
251	@@ -96,10 +96,19 @@
252	# include <sys/un.h>
253	# ifdef HAVE_UNISTD_H
254	# include <unistd.h>
255	-# endif
256	+# endif /* HAVE_UNISTD_H */
257
258	extern int errno;
259	-#endif
260	+#endif /* HAVE_PWCHECK \|\| HAVE_SASLAUTHD */
261	+
262	+#ifdef HAVE_MYSQL
263	+#include <mysql.h>
264	+#endif /* HAVE_MYSQL */
265	+
266	+#ifdef HAVE_LDAP
267	+#include <lber.h>
268	+#include <ldap.h>
269	+#endif /* HAVE_LDAP */
270
271	#ifdef HAVE_KRB
272
273	@@ -171,7 +180,11 @@
274	memcpy (&temp_key, "kerberos", 8);
275	des_fixup_key_parity (&temp_key);
276	des_key_sched (&temp_key, schedule);
277	+#ifdef __FreeBSD__
278	+ des_cbc_cksum ((const unsigned char *)password, &ivec, passlen, schedule, &ivec);
279	+#else
280	des_cbc_cksum ((des_cblock *)password, &ivec, passlen, schedule, &ivec);
281	+#endif
282
283	memcpy (&temp_key, &ivec, sizeof temp_key);
284	des_fixup_key_parity (&temp_key);
285	@@ -211,10 +224,17 @@
286	return (str);
287	}
288
289	+#ifdef __FreeBSD__
290	+static int use_key(const char *user __attribute__((unused)),
291	+ char *instance __attribute__((unused)),
292	+ const char *realm __attribute__((unused)),
293	+ const void key, des_cblock returned_key)
294	+#else
295	static int use_key(char *user __attribute__((unused)),
296	char *instance __attribute__((unused)),
297	char *realm __attribute__((unused)),
298	void key, des_cblock returned_key)
299	+#endif
300	{
301	memcpy (returned_key, key, sizeof(des_cblock));
302	return 0;
303	@@ -1015,7 +1035,7 @@
304
305
306	/* pwcheck daemon-authenticated login */
307	-static int pwcheck_verify_password(sasl_conn_t *conn,
308	+static int pwcheck_verify_password(sasl_conn_t *conn __attribute__((unused)),
309	const char *userid,
310	const char *passwd,
311	const char *service __attribute__((unused)),
312	@@ -1030,8 +1050,10 @@
313	static char response[1024];
314	int start, n;
315	char pwpath[1024];
316	+#if 0 /* Not used */
317	sasl_getopt_t *getopt;
318	void *context;
319	+#endif
320
321	if (reply) { *reply = NULL; }
322
323	@@ -1183,6 +1205,225 @@
324
325	#endif
326
327	+#ifdef HAVE_MYSQL
328	+/* DMZ mysql auth 12/29/1999
329	+ * Updated to 1.5.24 by SWH 09/12/2000
330	+ * changed to malloc qbuf Simon Loader 10/21/2000
331	+ */
332	+#ifdef USE_CRYPT_PASSWORD
333	+#define QUERY_STRING "select %s from %s where %s = '%s' and %s = password('%s')"
334	+#else
335	+#define QUERY_STRING "select %s from %s where %s = '%s' and %s = '%s'"
336	+#endif
337	+
338	+static int mysql_verify_password(sasl_conn_t *conn,
339	+ const char *userid,
340	+ const char *password,
341	+ const char *service __attribute__((unused)),
342	+ const char *user_realm __attribute__((unused)),
343	+ const char **reply)
344	+{
345	+ unsigned int numrows;
346	+ MYSQL mysql,*sock;
347	+ MYSQL_RES *result;
348	+ char *qbuf;
349	+ char *db_user="",
350	+ *db_passwd="",
351	+ *db_host="",
352	+ *db_uidcol="",
353	+ *db_pwcol="",
354	+ *db_database="",
355	+ *db_table="";
356	+ sasl_getopt_t *getopt;
357	+ void *context;
358	+
359	+ if (!userid \|\| !password) {
360	+ return SASL_BADPARAM;
361	+ }
362	+ if (reply) { *reply = NULL; }
363	+
364	+ /* check to see if the user configured a mysqluser/passwd/host/etc */
365	+ if (_sasl_getcallback(conn, SASL_CB_GETOPT, &getopt, &context) == SASL_OK) {
366	+ getopt(context, NULL, "mysql_user", (const char **) &db_user, NULL);
367	+ if (!db_user) db_user = "";
368	+ getopt(context, NULL, "mysql_passwd", (const char **) &db_passwd, NULL);
369	+ if (!db_passwd) db_passwd = "";
370	+ getopt(context, NULL, "mysql_host", (const char **) &db_host, NULL);
371	+ if (!db_host) db_host = "";
372	+ getopt(context, NULL, "mysql_database", (const char **) &db_database, NULL);
373	+ if (!db_database) db_database = "";
374	+ getopt(context, NULL, "mysql_table", (const char **) &db_table, NULL);
375	+ if (!db_table) db_table = "";
376	+ getopt(context, NULL, "mysql_uidcol", (const char **) &db_uidcol, NULL);
377	+ if (!db_uidcol) db_uidcol = "";
378	+ getopt(context, NULL, "mysql_pwdcol", (const char **) &db_pwcol, NULL);
379	+ if (!db_pwcol) db_pwcol = "";
380	+ }
381	+
382	+ if (!(sock = mysql_connect(&mysql,db_host,db_user,db_passwd)))
383	+ {
384	+ if (reply) { *reply = "cannot connect to MySQL server"; }
385	+ return SASL_FAIL;
386	+ }
387	+
388	+ if (mysql_select_db(sock,db_database) < 0)
389	+ {
390	+ mysql_close(sock);
391	+ if (reply) { *reply = "cannot select MySQL database"; }
392	+ return SASL_FAIL;
393	+ }
394	+ /* select DB_UIDCOL from DB_TABLE where DB_UIDCOL = 'userid' AND DB_PWCOL = password('password') */
395	+ if ( (qbuf = (char *)malloc(strlen(QUERY_STRING)+strlen(db_uidcol)
396	+ +strlen(db_table)+strlen(db_uidcol)
397	+ +strlen(userid)+strlen(db_pwcol)
398	+ +strlen(password)+1)) == NULL ) {
399	+ if (reply) {
400	+ *reply = "cannot malloc memory for sql query";
401	+ }
402	+ return SASL_FAIL;
403	+ }
404	+ sprintf(qbuf,QUERY_STRING,db_uidcol,db_table,db_uidcol,userid,db_pwcol,password);
405	+ if (mysql_query(sock,qbuf) < 0 \|\| !(result=mysql_store_result(sock)))
406	+ {
407	+ free(qbuf);
408	+ mysql_close(sock);
409	+ return SASL_FAIL;
410	+ }
411	+
412	+ if (result) //There were some rows found
413	+ {
414	+ if ((numrows = mysql_affected_rows(&mysql)) != 1)
415	+ {
416	+ mysql_free_result(result);
417	+ mysql_close(sock);
418	+ if ((numrows > 1) && (reply)) { *reply = "Detected duplicate entries for user"; }
419	+ free(qbuf);
420	+ return SASL_BADAUTH;
421	+ } else {
422	+ free(qbuf);
423	+ mysql_free_result(result);
424	+ mysql_close(sock);
425	+ return SASL_OK;
426	+ }
427	+ }
428	+ free(qbuf);
429	+ mysql_free_result(result);
430	+ mysql_close(sock);
431	+ return SASL_BADAUTH;
432	+}
433	+#endif /* HAVE_MYSQL */
434	+
435	+#ifdef HAVE_LDAP
436	+/* simon@surf.org.uk LDAP auth 07/11/2000
437	+ * Updated to 1.5.24 by SWH 09/12/2000
438	+ * changed to use malloc and simplify the auth by Simon@surf.org.uk 10/21/2000
439	+ */
440	+
441	+#define LDAP_SERVER "localhost"
442	+#define LDAP_BASEDN "o=JOFA, c=UK"
443	+#define LDAP_UIDATTR "uid"
444	+
445	+#ifndef TRUE
446	+# define TRUE 1
447	+# define FALSE 0
448	+#endif
449	+
450	+static int ldap_isdigits(char *value)
451	+{
452	+ char *ptr;
453	+ int num = TRUE;
454	+
455	+ for (ptr = value; *ptr != '\0' && num != FALSE; ptr++) {
456	+ if (!isdigit(*ptr))
457	+ num = FALSE;
458	+ }
459	+
460	+ return num;
461	+}
462	+
463	+static int ldap_verify_password(sasl_conn_t *conn,
464	+ const char *userid,
465	+ const char *password,
466	+ const char *service __attribute__((unused)),
467	+ const char *user_realm __attribute__((unused)),
468	+ const char **reply)
469	+{
470	+
471	+ LDAP *ld;
472	+ char *dn,
473	+ *ldap_server="",
474	+ *ldap_basedn="",
475	+ *ldap_uidattr="",
476	+ *port_num="";
477	+ int ldap_port = LDAP_PORT;
478	+ sasl_getopt_t *getopt;
479	+ void *context;
480	+
481	+ /* If the password is NULL, reject the login...
482	+ * Otherwise the bind will succed as a reference bind. Not good...
483	+ */
484	+ if (strcmp(password,"") == 0 \|\| strcmp(userid,"") == 0) {
485	+ return SASL_BADPARAM;
486	+ }
487	+
488	+ if (reply) { *reply = NULL; }
489	+
490	+ /* check to see if the user configured a mysqluser/passwd/host/etc */
491	+ if (_sasl_getcallback(conn, SASL_CB_GETOPT, &getopt, &context) == SASL_OK) {
492	+ getopt(context, NULL, "ldap_server", (const char **) &ldap_server, NULL);
493	+ if (!ldap_server) ldap_server = LDAP_SERVER;
494	+ getopt(context, NULL, "ldap_basedn", (const char **) &ldap_basedn, NULL);
495	+ if (!ldap_basedn) {
496	+ if (reply) { *reply = "ldap_basedn not defined"; }
497	+ return SASL_BADPARAM;
498	+ }
499	+ getopt(context, NULL, "ldap_uidattr", (const char **) &ldap_uidattr, NULL);
500	+ if (!ldap_uidattr) ldap_uidattr = LDAP_UIDATTR;
501	+ getopt(context, NULL, "ldap_port", (const char **) &port_num, NULL);
502	+ if (!port_num) {
503	+ ldap_port = LDAP_PORT;
504	+ } else if (!ldap_isdigits(port_num)) {
505	+ if (reply) { *reply = "ldap_port - invalid value"; }
506	+ return SASL_BADPARAM;
507	+ } else {
508	+ ldap_port = atoi(port_num);
509	+ }
510	+ }
511	+
512	+ /* Open the LDAP connection. */
513	+ if ((ld = ldap_open(ldap_server, ldap_port)) == NULL) {
514	+ if (reply) { *reply = "cannot connect to LDAP server"; }
515	+ return SASL_FAIL;
516	+ }
517	+
518	+ if ( (dn =
519	+ (char *)malloc(strlen(ldap_uidattr)+strlen(userid)+strlen(ldap_basedn)+3)) == NULL ) {
520	+ if (reply) {
521	+ *reply = "cannnot allocate memory for ldap dn";
522	+ }
523	+ return SASL_FAIL;
524	+ }
525	+ /* Generate a dn that we will try and login with */
526	+ sprintf(dn,"%s=%s,%s", ldap_uidattr,userid,ldap_basedn);
527	+
528	+ /*
529	+ * Just try and bind with the dn we have been given
530	+ * In most cases the basedn is correct.
531	+ * If this is not so I have a version or that too
532	+ * Simon@surf.org.uk
533	+ */
534	+ if (ldap_simple_bind_s(ld,dn,password) != LDAP_SUCCESS) {
535	+ free(dn);
536	+ ldap_unbind(ld);
537	+ return SASL_BADAUTH;
538	+ }
539	+ free(dn);
540	+ ldap_unbind(ld);
541	+ return SASL_OK;
542	+}
543	+
544	+#endif /* HAVE_LDAP */
545	+
546	struct sasl_verify_password_s _sasl_verify_password[] = {
547	{ "sasldb", &sasldb_verify_password },
548	#ifdef HAVE_KRB
549	@@ -1205,6 +1446,12 @@
550	#endif
551	#ifdef HAVE_PWCHECK
552	{ "pwcheck", &pwcheck_verify_password },
553	+#endif
554	+#ifdef HAVE_MYSQL
555	+ { "mysql", &mysql_verify_password },
556	+#endif
557	+#ifdef HAVE_LDAP
558	+ { "ldap", &ldap_verify_password },
559	#endif
560	#ifdef HAVE_SASLAUTHD
561	{ "saslauthd", &saslauthd_verify_password },
562	diff -ruN --exclude *.orig cyrus-sasl-1.5.27.orig/plugins/kerberos4.c cyrus-sasl-1.5.27/plugins/kerberos4.c
563	--- cyrus-sasl-1.5.27.orig/plugins/kerberos4.c Sat Mar 10 06:56:46 2001
564	+++ cyrus-sasl-1.5.27/plugins/kerberos4.c Tue Apr 24 17:02:53 2001
565	@@ -698,8 +698,13 @@
566
567	/* decrypt; verify checksum */
568
569	+#ifdef __FreeBSD__
570	+ des_pcbc_encrypt((const unsigned char *)in,
571	+ (unsigned char *)in,
572	+#else
573	des_pcbc_encrypt((des_cblock *)in,
574	(des_cblock *)in,
575	+#endif
576	clientinlen,
577	text->init_keysched,
578	&text->session,