--- ./include/Makefile.in.orig Sat Mar 24 01:48:13 2001 +++ ./include/Makefile.in Thu Mar 28 12:56:53 2002 @@ -119,6 +119,8 @@ LIBTOOL = @LIBTOOL@ LIB_CRYPT = @LIB_CRYPT@ LIB_DES = @LIB_DES@ +LIB_LDAP = @LIB_LDAP@ +LIB_MYSQL = @LIB_MYSQL@ LIB_PAM = @LIB_PAM@ LIB_SIA = @LIB_SIA@ LIB_SOCKET = @LIB_SOCKET@ @@ -175,7 +177,7 @@ DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST) -TAR = gtar +TAR = tar GZIP_ENV = --best SOURCES = $(makemd5_SOURCES) OBJECTS = $(makemd5_OBJECTS) --- ./lib/Makefile.am.orig Sat Mar 10 05:56:41 2001 +++ ./lib/Makefile.am Thu Mar 28 12:40:16 2002 @@ -53,5 +53,5 @@ EXTRA_libsasl_la_SOURCES = db_none.c db_ndbm.c db_gdbm.c db_berkeley.c db_testw32.c libsasl_la_LDFLAGS = -version-info $(sasl_version) libsasl_la_DEPENDENCIES = $(SASL_DB_BACKEND) @LTLIBOBJS@ -libsasl_la_LIBADD = @LTLIBOBJS@ $(SASL_DB_BACKEND) $(SASL_DB_LIB) $(SASL_DL_LIB) $(PLAIN_LIBS) $(GSSAPIBASE_LIBS) $(GSSAPI_LIBS) $(LIB_SOCKET) +libsasl_la_LIBADD = @LTLIBOBJS@ $(SASL_DB_BACKEND) $(SASL_DB_LIB) $(SASL_DL_LIB) $(PLAIN_LIBS) ${LIB_LDAP} ${LIB_MYSQL} # PLAIN_LIBS are linked in for sasl_checkpass --- ./lib/Makefile.in.orig Sat Mar 24 01:48:13 2001 +++ ./lib/Makefile.in Thu Mar 28 12:57:25 2002 @@ -119,6 +119,8 @@ LIBTOOL = @LIBTOOL@ LIB_CRYPT = @LIB_CRYPT@ LIB_DES = @LIB_DES@ +LIB_LDAP = @LIB_LDAP@ +LIB_MYSQL = @LIB_MYSQL@ LIB_PAM = @LIB_PAM@ LIB_SIA = @LIB_SIA@ LIB_SOCKET = @LIB_SOCKET@ 
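Review bot: The rewritten `libsasl_la_LIBADD` in lib/Makefile.am drops `$(GSSAPIBASE_LIBS) $(GSSAPI_LIBS) $(LIB_SOCKET)` while adding the LDAP and MySQL libraries, which goes beyond what adding two password-check backends needs. If the removal is not intended, libsasl loses its socket and GSSAPI link dependencies on platforms that need them. Appending keeps the old behaviour: `libsasl_la_LIBADD = @LTLIBOBJS@ $(SASL_DB_BACKEND) $(SASL_DB_LIB) $(SASL_DL_LIB) $(PLAIN_LIBS) $(GSSAPIBASE_LIBS) $(GSSAPI_LIBS) $(LIB_SOCKET) $(LIB_LDAP) $(LIB_MYSQL)`. The lib/Makefile.in hunk at `-156,7` carries the same line and needs the same treatment.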
@@ -156,7 +158,7 @@ EXTRA_libsasl_la_SOURCES = db_none.c db_ndbm.c db_gdbm.c db_berkeley.c db_testw32.c libsasl_la_LDFLAGS = -version-info $(sasl_version) libsasl_la_DEPENDENCIES = $(SASL_DB_BACKEND) @LTLIBOBJS@ -libsasl_la_LIBADD = @LTLIBOBJS@ $(SASL_DB_BACKEND) $(SASL_DB_LIB) $(SASL_DL_LIB) $(PLAIN_LIBS) $(GSSAPIBASE_LIBS) $(GSSAPI_LIBS) $(LIB_SOCKET) +libsasl_la_LIBADD = @LTLIBOBJS@ $(SASL_DB_BACKEND) $(SASL_DB_LIB) $(SASL_DL_LIB) $(PLAIN_LIBS) ${LIB_LDAP} ${LIB_MYSQL} mkinstalldirs = $(SHELL) $(top_srcdir)/config/mkinstalldirs CONFIG_HEADER = ../config.h CONFIG_CLEAN_FILES = @@ -179,7 +181,7 @@ DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST) -TAR = gtar +TAR = tar GZIP_ENV = --best SOURCES = $(libsasl_la_SOURCES) $(EXTRA_libsasl_la_SOURCES) OBJECTS = $(libsasl_la_OBJECTS) --- ./lib/checkpw.c.orig Sat Feb 17 05:06:48 2001 +++ ./lib/checkpw.c Thu Mar 28 12:47:18 2002 @@ -53,6 +53,18 @@ #include #endif +#ifdef HAVE_MYSQL +#include +#include +#endif /* HAVE_MYSQL */ + +#ifdef HAVE_LDAP +#include +#include +#include +#endif /* HAVE_LDAP */ + + #ifdef HAVE_KRB #include #endif @@ -171,12 +183,20 @@ memcpy (&temp_key, "kerberos", 8); des_fixup_key_parity (&temp_key); des_key_sched (&temp_key, schedule); +#ifdef __FreeBSD__ + des_cbc_cksum ((const unsigned char *)password, &ivec, passlen, schedule, &ivec); +#else des_cbc_cksum ((des_cblock *)password, &ivec, passlen, schedule, &ivec); +#endif memcpy (&temp_key, &ivec, sizeof temp_key); des_fixup_key_parity (&temp_key); des_key_sched (&temp_key, schedule); - des_cbc_cksum ((des_cblock *)password, key, passlen, schedule, &ivec); +#ifdef __FreeBSD__ + des_cbc_cksum ((const unsigned char*)password, key, passlen, schedule, &ivec); +#else + des_cbc_cksum ((des_cblock char*)password, key, passlen, schedule, &ivec); +#endif des_fixup_key_parity (key); 
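Review bot: The `#else` branch added around the second `des_cbc_cksum` call casts with `(des_cblock char*)password`, which is not a valid type name, so every non-FreeBSD build of checkpw.c with Kerberos enabled stops compiling. The removed line used `(des_cblock *)password`, and the first `#else` branch in this hunk still does; the second should read `des_cbc_cksum ((des_cblock *)password, key, passlen, schedule, &ivec);`. The enclosing function starts and ends outside the hunk, so the surrounding declarations are not visible here.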
@@ -211,10 +231,17 @@ return (str); } +#ifdef __FreeBSD__ +static int use_key(const char *user __attribute__((unused)), + char *instance __attribute__((unused)), + const char *realm __attribute__((unused)), + const void *key, des_cblock *returned_key) +#else static int use_key(char *user __attribute__((unused)), char *instance __attribute__((unused)), char *realm __attribute__((unused)), void *key, des_cblock *returned_key) +#endif { memcpy (returned_key, key, sizeof(des_cblock)); return 0; @@ -1015,7 +1042,7 @@ /* pwcheck daemon-authenticated login */ -static int pwcheck_verify_password(sasl_conn_t *conn, +static int pwcheck_verify_password(sasl_conn_t *conn __attribute__((unused)), const char *userid, const char *passwd, const char *service __attribute__((unused)), @@ -1030,8 +1057,10 @@ static char response[1024]; int start, n; char pwpath[1024]; +#if 0 /* Not used */ sasl_getopt_t *getopt; void *context; +#endif if (reply) { *reply = NULL; } 
@@ -1183,6 +1212,447 @@ #endif +#ifdef HAVE_MYSQL +/* DMZ mysql auth 12/29/1999 + * Updated to 1.5.24 by SWH 09/12/2000 + * changed to malloc qbuf Simon Loader 10/21/2000 + * Oh look the changelog for it all + */ +#ifdef USE_CRYPT_PASSWORD +#define QUERY_STRING "select %s from %s where %s = '%s' and %s = password('%s')" +#else +#define QUERY_STRING "select %s from %s where %s = '%s' and %s = '%s'" +#endif + +static int mysql_verify_password(sasl_conn_t *conn, + const char *userid, + const char *password, + const char *service __attribute__((unused)), + const char *user_realm __attribute__((unused)), + const char **reply) +{ + unsigned int numrows; + MYSQL mysql,*sock = NULL; + MYSQL_RES *result; + char *qbuf; + char *cur_host; + char *db_user="", + *db_passwd="", + *db_host="", + *db_uidcol="", + *db_pwcol="", + *db_database="", + *escap_userid="", + *escap_password="", + *db_table=""; + sasl_getopt_t *getopt; + void *context; + + if (!userid || !password) { + return SASL_BADPARAM; + } + if (reply) { *reply = NULL; } + + /* check to see if the user configured a mysqluser/passwd/host/etc */ + if (_sasl_getcallback(conn, SASL_CB_GETOPT, &getopt, &context) == SASL_OK) { + getopt(context, NULL, "mysql_user", (const char **) &db_user, NULL); + if (!db_user) db_user = ""; + getopt(context, NULL, "mysql_passwd", (const char **) &db_passwd, NULL); + if (!db_passwd) db_passwd = ""; + getopt(context, NULL, "mysql_host", (const char **) &db_host, NULL); + if (!db_host) db_host = ""; + getopt(context, NULL, "mysql_database", (const char **) &db_database, NULL); + if (!db_database) db_database = ""; + getopt(context, NULL, "mysql_table", (const char **) &db_table, NULL); + if (!db_table) db_table = ""; + getopt(context, NULL, "mysql_uidcol", (const char **) &db_uidcol, NULL); + if (!db_uidcol) db_uidcol = ""; + getopt(context, NULL, "mysql_pwdcol", (const char **) &db_pwcol, NULL); + if (!db_pwcol) db_pwcol = ""; + } + + /* db_host is a list of servers like this + ** server1 , 
sever2 , server3 etc. + */ + cur_host = db_host; + while ( cur_host != NULL || sock == NULL) { + db_host = strchr(db_host,','); + if ( db_host != NULL ) { + db_host[0] = 0x00; + /* loop till we find some text */ + while (!isalnum(db_host[0]) ) + db_host++; + } + sock = mysql_connect(&mysql,db_host,db_user,db_passwd); + cur_host = db_host; + } + if ( sock == NULL ) { + if (reply) { *reply = "cannot connect to MySQL server"; } + return SASL_FAIL; + } + + if (mysql_select_db(sock,db_database) < 0) { + mysql_close(sock); + if (reply) { *reply = "cannot select MySQL database"; } + return SASL_FAIL; + } + + /* select DB_UIDCOL from DB_TABLE where DB_UIDCOL = 'userid' AND DB_PWCOL = password('password') */ + /* first we must escape any strange characters to be inserted into the query string + ** that is userid and password + */ + /* first allocate some memory */ + if ( (escap_userid = (char *)malloc(strlen(userid)*2+1))== NULL || + (escap_password = (char *)malloc(strlen(password)*2+1)) == NULL ) { + if (reply) { + *reply = "Cannot malloc memory for escaped chars"; + } + return SASL_FAIL; + } + /* these should just work */ + mysql_real_escape_string(&mysql,escap_userid,userid,strlen(userid)); + mysql_real_escape_string(&mysql,escap_password,password,strlen(password)); + + if ( (qbuf = (char *)malloc(strlen(QUERY_STRING)+strlen(db_uidcol) + +strlen(db_table)+strlen(db_uidcol) + +strlen(userid)+strlen(db_pwcol) + +strlen(password)+1)) == NULL ) { + if (reply) { + *reply = "cannot malloc memory for sql query"; + } + return SASL_FAIL; + } + sprintf(qbuf,QUERY_STRING,db_uidcol,db_table,db_uidcol,escap_userid,db_pwcol,escap_password); + if (mysql_query(sock,qbuf) < 0 || !(result=mysql_store_result(sock))) + { + free(qbuf); + mysql_close(sock); + return SASL_FAIL; + } + + if (result) //There were some rows found + { + if ((numrows = mysql_affected_rows(&mysql)) != 1) + { + mysql_free_result(result); + mysql_close(sock); + if ((numrows > 1) && (reply)) { *reply = "Detected 
duplicate entries for user"; } + free(qbuf); + return SASL_BADAUTH; + } else { + free(qbuf); + mysql_free_result(result); + mysql_close(sock); + return SASL_OK; + } + } + free(qbuf); + mysql_free_result(result); + mysql_close(sock); + return SASL_BADAUTH; +} +#endif /* HAVE_MYSQL */ + +#ifdef HAVE_LDAP +/* simon@surf.org.uk LDAP auth 07/11/2000 + * Updated to 1.5.24 by SWH 09/12/2000 + * changed to use malloc and simplify the auth by Simon@surf.org.uk 10/21/2000 + * Added LDAP_FILTER, LDAP_DN, and LDAP_PASSWD -- 07/18/2001 + * Changed LDAP_DN to LDAP_BIND_DN and LDAP_PASSWD to LDAP_BIND_PW -- 08/08/2001 + * Kevin J. Menard, Jr. + * Added SSL mode and filter mode - simon@surf.org.uk 08/22/2001 + (are these USA dates or English ?) +*/ + + +#define LDAP_SERVER "localhost" +#define LDAP_BASEDN "o=JOFA, c=UK" +#define LDAP_UIDATTR "uid" +#define LDAP_FILTER "" +#define LDAP_BIND_DN NULL +#define LDAP_BIND_PW NULL + + +#ifndef TRUE +# define TRUE 1 +# define FALSE 0 +#endif + +#ifndef LDAP_NO_ATTRS +#define LDAP_NO_ATTRS "1.1" +#endif +static int ldap_isdigits(char *value) +{ + char *ptr; + int num = TRUE; + + for (ptr = value; *ptr != '\0' && num != FALSE; ptr++) { + if (!isdigit(*ptr)) + num = FALSE; + } + + return num; +} + +#ifdef LDAP_VENDOR_VERSION +#define SASL_ldap_search_ext_s(ld, base, scope, filter, attrs, attrsonly, serverctrls, clientctrls, timeout, sizelimit, res) \ + ldap_search_ext_s(ld, base, scope, filter, attrs, attrsonly, serverctrls, clientctrls, timeout, sizelimit, res) +#define SASL_ldap_memfree(dn) ldap_memfree(dn) +#else +#define SASL_ldap_search_ext_s(ld, base, scope, filter, attrs, attrsonly, serverctrls, clientctrls, timeout, sizelimit, res) \ + ldap_search_st(ld, base, scope, filter, attrs, attrsonly, timeout, res) +#define SASL_ldap_memfree(dn) free(dn) +#endif + +static int ldap_verify_password(sasl_conn_t *conn, + const char *userid, + const char *password, + const char *service __attribute__((unused)), + const char *user_realm 
__attribute__((unused)), + const char **reply) +{ + + LDAP *ld = NULL; + char *cur_server = NULL; + char *dn, + *filter="", + *ldap_server="", + *ldap_basedn="", + *ldap_uidattr="", + *ldap_filter="", + *ldap_bind_dn="", + *ldap_bind_pw="", + *ldap_filter_mode="", + *port_num="", + *alias_deref=""; + int ldap_deref=LDAP_DEREF_NEVER; + int malloc_size; /* safety net */ + int ldap_filter_flag = 0; + int ldap_port = LDAP_PORT; + sasl_getopt_t *getopt; + void *context; + LDAPMessage *result, *e; + char *attrs[]={LDAP_NO_ATTRS, NULL}; +#ifdef LDAP_OPT_X_TLS + char *ldap_ssl=""; + int ldap_ssl_flag = 0; + int tls_option; +#endif + + + /* If the password is NULL, reject the login... + * Otherwise the bind will succed as a reference bind. Not good... + */ + if (strcmp(password,"") == 0 || strcmp(userid,"") == 0) { + return SASL_BADPARAM; + } + + if (reply) { *reply = NULL; } + + /* check to see if the user configured a ldap stuff */ + if ( _sasl_getcallback(conn, SASL_CB_GETOPT, &getopt, &context) != SASL_OK) { + *reply = "SASL LDAP Method couldnt find getopt callback"; + return(SASL_BADPARAM); + } + + /* basic server infomation */ + getopt(context, NULL, "ldap_server", (const char **) &ldap_server, NULL); + if (!ldap_server) ldap_server = LDAP_SERVER; + getopt(context, NULL, "ldap_basedn", (const char **) &ldap_basedn, NULL); + if (!ldap_basedn) { + if (reply) { *reply = "ldap_basedn not defined"; } + return SASL_BADPARAM; + } + getopt(context, NULL, "ldap_uidattr", (const char **) &ldap_uidattr, NULL); + if (!ldap_uidattr) { ldap_uidattr = LDAP_UIDATTR; } + + /* should probabaly do something if in SSL Mode */ + getopt(context, NULL, "ldap_port", (const char **) &port_num, NULL); + if (!port_num) { + ldap_port = LDAP_PORT; + } else if (!ldap_isdigits(port_num)) { + if (reply) { *reply = "ldap_port - invalid value"; } + return SASL_BADPARAM; + } else { + ldap_port = atoi(port_num); + } + /* get filter information (if present) */ + getopt(context, NULL, "ldap_filter", 
(const char **) &ldap_filter, NULL); + if (!ldap_filter) { ldap_filter = LDAP_FILTER; } + getopt(context, NULL, "ldap_bind_dn", (const char **) &ldap_bind_dn, NULL); + if (!ldap_bind_dn) { ldap_bind_dn = LDAP_BIND_DN; } + getopt(context, NULL, "ldap_bind_pw", (const char **) &ldap_bind_pw, NULL); + if (!ldap_bind_pw) { ldap_bind_pw = LDAP_BIND_PW; } + getopt(context, NULL, "ldap_alias_deref", (const char **) &alias_deref, NULL); + + if (*alias_deref == 'n' || *alias_deref =='N') + { ldap_deref=LDAP_DEREF_NEVER; } + if (*alias_deref == 's' || *alias_deref =='S') + { ldap_deref=LDAP_DEREF_SEARCHING; } + if (*alias_deref == 'f' || *alias_deref =='F') + { ldap_deref=LDAP_DEREF_FINDING; } + if (*alias_deref == 'a' || *alias_deref =='A') + { ldap_deref=LDAP_DEREF_ALWAYS; } + /* test for ssl mode */ + /* this will only work with openldap > v2 + ** (the other ldap stuff I dont know) + */ +#ifdef LDAP_OPT_X_TLS + getopt(context, NULL, "ldap_ssl", (const char **) &ldap_ssl, NULL); + /* this is taken from the auto transition section */ + if (ldap_ssl == NULL ) { ldap_ssl = "n"; } + if (*ldap_ssl == '1' || *ldap_ssl == 'y' || + (*ldap_ssl == 'o' && ldap_ssl[1] == 'n') || *ldap_ssl == 't') { + /* ok switch on ldap ssl mode */ + ldap_ssl_flag = 1; + } +#endif + /* test for filter mode */ + getopt(context, NULL, "ldap_filter_mode", (const char **) &ldap_filter_mode, NULL); + /* this is taken from the auto transition section */ + if (ldap_filter_mode == NULL ) { ldap_filter_mode = "n"; } + if (*ldap_filter_mode == '1' || *ldap_filter_mode == 'y' || + (*ldap_filter_mode == 'o' && ldap_filter_mode[1] == 'n') + || *ldap_filter_mode == 't') { + /* ok switch on ldap ssl mode */ + ldap_filter_flag = 1; + } + + /* Open the LDAP connection. 
*/ + cur_server = ldap_server; + while ( cur_server != NULL && ld == NULL) { + ldap_server = strchr(ldap_server,','); + if ( ldap_server != NULL ) { + ldap_server[0] = 0x00; + /* loop till we find some text */ + while (!isalnum(ldap_server[0]) ) + ldap_server++; + } + ld = ldap_init(cur_server,ldap_port); + cur_server = ldap_server; + } + if (ld == NULL) { + if (reply) { *reply = "cannot connect to LDAP server"; } + return SASL_FAIL; + } + /* setting dereferensing aliases mode */ + if (ldap_set_option(ld, LDAP_OPT_DEREF, (void *) &ldap_deref) != LDAP_OPT_SUCCESS) { + if (reply) { + *reply = "cannot set deref options"; + } + return SASL_FAIL; + } + /* set ssl mode if needed */ +#ifdef LDAP_OPT_X_TLS + if ( ldap_ssl_flag ) { + ldap_set_option(ld, LDAP_OPT_X_TLS, (void *)&tls_option); + } +#endif + + /* either run the filter or just bind as them ? */ + + /* + * Kevin J. Menard, Jr. . -- 07/18/2001 + * Added search code. First search for the UID and filter, then + * attempt to bind with the search result. 
+ */ + if ( ldap_filter_flag ) { + /* Bind as the user given (or anonymous) */ + if (ldap_simple_bind_s(ld,ldap_bind_dn,ldap_bind_pw) != LDAP_SUCCESS) { + ldap_unbind(ld); + return SASL_BADAUTH; + } + + malloc_size = strlen(ldap_uidattr)+strlen(userid)+strlen(ldap_filter)+8; + /* allocate memory to filter */ + if ( (filter = (char *)malloc(malloc_size)) == NULL ) { + if (reply) { + *reply = "cannot allocate memory for ldap search filter"; + } + ldap_unbind(ld); + return SASL_FAIL; + } + + /* Create the search filter */ + snprintf(filter,malloc_size-1,"(&(%s=%s)%s)", ldap_uidattr, userid, ldap_filter); + + /* Now do the search */ + if (SASL_ldap_search_ext_s(ld, ldap_basedn, LDAP_SCOPE_SUBTREE, filter, + attrs, 0, NULL, NULL, LDAP_NO_LIMIT, 1, &result) != + LDAP_SUCCESS) { + free(filter); + ldap_unbind(ld); + return SASL_BADAUTH; + } + + /* Now get the entry from the search results */ + if ( (e = ldap_first_entry(ld, result)) ==NULL) { + free(filter); + ldap_msgfree(result); + if (reply) { + *reply = "entry not found"; + } + ldap_unbind(ld); + return SASL_FAIL; +// return SASL_BADAUTH; + } + + /* Now extract the dn */ + if ( (dn = ldap_get_dn(ld, e)) == NULL) { + free(filter); + ldap_msgfree(result); + if (reply) { + *reply = "Cannot get DN"; + } + ldap_unbind(ld); + return SASL_FAIL; +// return SASL_BADAUTH; + } + if (ldap_simple_bind_s(ld,dn,(char *)password) != LDAP_SUCCESS) { + e = NULL; + free(filter); + SASL_ldap_memfree(dn); + ldap_msgfree(result); + ldap_unbind(ld); + return SASL_BADAUTH; + } + e = NULL; + free(filter); + SASL_ldap_memfree(dn); + ldap_msgfree(result); + + } else { + malloc_size = strlen(ldap_uidattr)+strlen(userid)+strlen(ldap_basedn)+3; + if ( (dn = (char *)malloc(malloc_size)) == NULL ) { + if (reply) { + *reply = "cannnot allocate memory for ldap dn"; + } + return SASL_FAIL; + } + /* Generate a dn that we will try and login with */ + snprintf(dn,malloc_size,"%s=%s,%s", ldap_uidattr,userid,ldap_basedn); + + /* + * Just try and bind with 
the dn we have been given + * In most cases the basedn is correct. + * If this is not so I have a version or that too + * Simon@surf.org.uk + */ + if (ldap_simple_bind_s(ld,dn,(char *)password) != LDAP_SUCCESS) { + free(dn); + ldap_unbind(ld); + return SASL_BADAUTH; + } + free(dn); + } + + + ldap_unbind(ld); + return SASL_OK; +} + +#endif /* HAVE_LDAP */ + struct sasl_verify_password_s _sasl_verify_password[] = { { "sasldb", &sasldb_verify_password }, #ifdef HAVE_KRB @@ -1205,6 +1675,12 @@ #endif #ifdef HAVE_PWCHECK { "pwcheck", &pwcheck_verify_password }, +#endif +#ifdef HAVE_MYSQL + { "mysql", &mysql_verify_password }, +#endif +#ifdef HAVE_LDAP + { "ldap", &ldap_verify_password }, #endif #ifdef HAVE_SASLAUTHD { "saslauthd", &saslauthd_verify_password }, --- ./plugins/Makefile.in.orig Sat Mar 24 01:48:13 2001 +++ ./plugins/Makefile.in Thu Mar 28 13:01:27 2002 @@ -123,6 +123,8 @@ LIBTOOL = @LIBTOOL@ LIB_CRYPT = @LIB_CRYPT@ LIB_DES = @LIB_DES@ +LIB_LDAP = @LIB_LDAP@ +LIB_MYSQL = @LIB_MYSQL@ LIB_PAM = @LIB_PAM@ LIB_SIA = @LIB_SIA@ LIB_SOCKET = @LIB_SOCKET@ @@ -237,7 +239,7 @@ DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST) -TAR = gtar +TAR = tar GZIP_ENV = --best SOURCES = $(libplain_la_SOURCES) $(libanonymous_la_SOURCES) $(libkerberos4_la_SOURCES) $(libcrammd5_la_SOURCES) $(libscrammd5_la_SOURCES) $(libgssapiv2_la_SOURCES) $(libdigestmd5_la_SOURCES) $(liblogin_la_SOURCES) $(libsrp_la_SOURCES) OBJECTS = $(libplain_la_OBJECTS) $(libanonymous_la_OBJECTS) $(libkerberos4_la_OBJECTS) $(libcrammd5_la_OBJECTS) $(libscrammd5_la_OBJECTS) $(libgssapiv2_la_OBJECTS) $(libdigestmd5_la_OBJECTS) $(liblogin_la_OBJECTS) $(libsrp_la_OBJECTS) --- ./plugins/kerberos4.c.orig Sat Mar 10 05:56:46 2001 +++ ./plugins/kerberos4.c Thu Mar 28 12:40:17 2002 
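Review bot: In `mysql_verify_password`, `qbuf` is sized from `strlen(userid)` and `strlen(password)` but `sprintf` writes `escap_userid` and `escap_password`, which the escaping step can make up to twice as long, so a login name or password containing escaped characters can write past the end of the heap buffer before authentication has succeeded. Size the buffer from the escaped strings and format with `snprintf`, and release the escaped copies and the connection on every exit (the escaped buffers are never freed, and `sock` is left open on the malloc-failure returns); the fence shows the allocation rewritten. The host loop above it tests `cur_host != NULL || sock == NULL` and passes `db_host` rather than `cur_host` to `mysql_connect`, so after a failed connect it calls `strchr` on NULL; the LDAP loop's `&&` form using `cur_server` looks like the intended shape. In `ldap_verify_password`, `userid` is copied unescaped into the search filter `(&(%s=%s)%s)` and into the bind DN `%s=%s,%s`, so filter and DN metacharacters in the login name change which entry is searched or bound, and it should be escaped per RFC 4515 / RFC 4514 before formatting. The same function writes `*reply` without the `if (reply)` guard when the getopt callback is missing, dereferences `alias_deref` without the NULL check the other options get, calls `strcmp` on `userid`/`password` without the NULL test the MySQL function has, and passes an uninitialised `tls_option` to `ldap_set_option`.

```c
    /* … unchanged: allocate and fill escap_userid / escap_password … */
    size_t qlen = strlen(QUERY_STRING) + 2 * strlen(db_uidcol) + strlen(db_table)
                + strlen(db_pwcol) + strlen(escap_userid) + strlen(escap_password) + 1;

    if ((qbuf = malloc(qlen)) == NULL) {
        free(escap_userid);
        free(escap_password);
        mysql_close(sock);
        if (reply) { *reply = "cannot malloc memory for sql query"; }
        return SASL_FAIL;
    }
    /* bounded write: qlen already accounts for the escaped lengths */
    snprintf(qbuf, qlen, QUERY_STRING, db_uidcol, db_table, db_uidcol,
             escap_userid, db_pwcol, escap_password);
    free(escap_userid);
    free(escap_password);
    /* … unchanged: mysql_query and result handling … */
```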
@@ -698,8 +698,13 @@ /* decrypt; verify checksum */ +#ifdef __FreeBSD__ + des_pcbc_encrypt((const unsigned char *)in, + (unsigned char *)in, +#else des_pcbc_encrypt((des_cblock *)in, (des_cblock *)in, +#endif clientinlen, text->init_keysched, &text->session, @@ -1220,9 +1225,14 @@ len++; } sout[len]=0; +#ifdef __FreeBSD__ + des_pcbc_encrypt((const unsigned char *)sout, + (unsigned char *)sout, +#else des_pcbc_encrypt((des_cblock *)sout, (des_cblock *)sout, +#endif len, text->init_keysched, (des_cblock *)text->session, --- ./utils/Makefile.in.orig Sat Mar 24 01:48:13 2001 +++ ./utils/Makefile.in Thu Mar 28 13:03:28 2002 @@ -119,6 +119,8 @@ LIBTOOL = @LIBTOOL@ LIB_CRYPT = @LIB_CRYPT@ LIB_DES = @LIB_DES@ +LIB_LDAP = @LIB_LDAP@ +LIB_MYSQL = @LIB_MYSQL@ LIB_PAM = @LIB_PAM@ LIB_SIA = @LIB_SIA@ LIB_SOCKET = @LIB_SOCKET@ @@ -211,7 +213,7 @@ DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST) -TAR = gtar +TAR = tar GZIP_ENV = --best SOURCES = $(libsfsasl_la_SOURCES) testsuite.c dbconverter-1.5.9.c saslpasswd.c sasldblistusers.c OBJECTS = $(libsfsasl_la_OBJECTS) testsuite.o dbconverter-1.5.9.o saslpasswd.o sasldblistusers.o --- ./doc/Makefile.in.orig Sat Mar 24 01:48:13 2001 +++ ./doc/Makefile.in Thu Mar 28 13:03:42 2002 @@ -120,6 +120,8 @@ LIBTOOL = @LIBTOOL@ LIB_CRYPT = @LIB_CRYPT@ LIB_DES = @LIB_DES@ +LIB_LDAP = @LIB_LDAP@ +LIB_MYSQL = @LIB_MYSQL@ LIB_PAM = @LIB_PAM@ LIB_SIA = @LIB_SIA@ LIB_SOCKET = @LIB_SOCKET@ @@ -155,7 +157,7 @@ DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST) -TAR = gtar +TAR = tar GZIP_ENV = --best all: all-redirect .SUFFIXES: --- ./doc/sysadmin.html.orig Sat Feb 17 05:06:33 2001 +++ ./doc/sysadmin.html Thu Mar 28 12:40:18 2002 @@ -171,6 +171,66 @@
pwcheck
checks passwords with the use of a seperate, helper daemon. needs to be documented.

+

mysql
A MySQL database can be used for plaintext + password checking by setting "pwcheck_method" to "mysql".

+ +

The following SASL options are used for MySQL Authentication:

+ +

+
mysql_user: <user>
+
mysql_passwd: <cleartext pw>
+
mysql_host: <hosts separated by ,>
+
mysql_database: <database>
+
mysql_table: <table>
+
mysql_uidcol: <username col>
+
mysql_pwdcol: <password col>
+
+ +

MySQL pwcheck_method created by David Matthew Zendzian + the original patch may be found at http://www.dmzs.com/~dmz/projects/cyrus/.

+ +

ldap
A LDAP server can be used for plaintext password + checking by setting "pwcheck_method" to "ldap".

+ +

The following SASL options are used for LDAP Authentication:

+ +

+
ldap_server: <LDAP Servers separated by , [localhost]> +
ldap_basedn: <LDAP base dn> +
ldap_uidattr: <LDAP uid attribute [uid]> +
ldap_port: <LDAP port [389]> +
ldap_ssl: <yes/no/true/fasle> Use ssl (untested) +
ldap_filter_mode: <yes/no/true/fasle> Use the filter below +
ldap_filter: <Additional search filter +[(objectClass=posixAccount)]> +
ldap_bind_dn: <DN to bind with [NULL]> +
ldap_bind_pw: <Password for DN to bind with [NULL]> +
ldap_alias_deref: <n|s|f|a> n is default +
+ +

It is a requirement that "ldap_basedn" be set to the appropriate + value for your site
+ (ex. ldap_basedn: o=surf, c=UK)

+ +

ldap_alias_deref: n = LDAP_DEREF_NEVER
+ s = LDAP_DEREF_SEARCHING
+ f = LDAP_DEREF_FINDING
+ a = LDAP_DEREF_ALWAYS
+ If you dont know what ldap alias is just leave this alone.
+ +

NULL values for ldap_dn and ldap_passwd mean do an anonymous bind +and search.

+ +

LDAP pwcheck_method created by Simon@su +rf.org.uk + the original patch may be found at http://w +ww.surf.org.uk/.

+ +

Search and filter ability for LDAP was added by Kevin J. Menard, Jr..

+

Ldap alias support by mailer@cbsd.donetsk.ua
+ + +

write your own
Last, but not least, the most flexible method of authentication for PLAIN is to write your own. If you do so, any application that calls the "sasl_checkpass()" --- ./man/Makefile.in.orig Sat Mar 24 01:48:14 2001 +++ ./man/Makefile.in Thu Mar 28 13:03:47 2002 @@ -119,6 +119,8 @@ LIBTOOL = @LIBTOOL@ LIB_CRYPT = @LIB_CRYPT@ LIB_DES = @LIB_DES@ +LIB_LDAP = @LIB_LDAP@ +LIB_MYSQL = @LIB_MYSQL@ LIB_PAM = @LIB_PAM@ LIB_SIA = @LIB_SIA@ LIB_SOCKET = @LIB_SOCKET@ @@ -160,7 +162,7 @@ DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST) -TAR = gtar +TAR = tar GZIP_ENV = --best all: all-redirect .SUFFIXES: --- ./pwcheck/Makefile.in.orig Sat Mar 24 01:48:14 2001 +++ ./pwcheck/Makefile.in Thu Mar 28 12:40:19 2002 @@ -99,6 +99,8 @@ LIBTOOL = @LIBTOOL@ LIB_CRYPT = @LIB_CRYPT@ LIB_DES = @LIB_DES@ +LIB_LDAP = @LIB_LDAP@ +LIB_MYSQL = @LIB_MYSQL@ LIB_PAM = @LIB_PAM@ LIB_SIA = @LIB_SIA@ LIB_SOCKET = @LIB_SOCKET@ @@ -153,7 +155,7 @@ DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST) -TAR = gtar +TAR = tar GZIP_ENV = --best SOURCES = $(pwcheck_SOURCES) $(EXTRA_pwcheck_SOURCES) OBJECTS = $(pwcheck_OBJECTS) --- ./sample/Makefile.in.orig Sat Mar 24 01:48:13 2001 +++ ./sample/Makefile.in Thu Mar 28 13:03:53 2002 @@ -119,6 +119,8 @@ LIBTOOL = @LIBTOOL@ LIB_CRYPT = @LIB_CRYPT@ LIB_DES = @LIB_DES@ +LIB_LDAP = @LIB_LDAP@ +LIB_MYSQL = @LIB_MYSQL@ LIB_PAM = @LIB_PAM@ LIB_SIA = @LIB_SIA@ LIB_SOCKET = @LIB_SOCKET@ @@ -192,7 +194,7 @@ DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST) -TAR = gtar +TAR = tar GZIP_ENV = --best SOURCES = $(sample_client_SOURCES) $(sample_server_SOURCES) $(client_SOURCES) $(server_SOURCES) OBJECTS = $(sample_client_OBJECTS) $(sample_server_OBJECTS) $(client_OBJECTS) $(server_OBJECTS) --- ./java/CyrusSasl/Makefile.in.orig Sat Mar 24 01:48:14 2001 +++ ./java/CyrusSasl/Makefile.in Thu Mar 28 12:40:20 2002 
@@ -100,6 +100,8 @@ LIBTOOL = @LIBTOOL@ LIB_CRYPT = @LIB_CRYPT@ LIB_DES = @LIB_DES@ +LIB_LDAP = @LIB_LDAP@ +LIB_MYSQL = @LIB_MYSQL@ LIB_PAM = @LIB_PAM@ LIB_SIA = @LIB_SIA@ LIB_SOCKET = @LIB_SOCKET@ @@ -165,7 +167,7 @@ DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST) -TAR = gtar +TAR = tar GZIP_ENV = --best SOURCES = $(libjavasasl_la_SOURCES) OBJECTS = $(libjavasasl_la_OBJECTS) --- ./java/javax/security/auth/callback/Makefile.in.orig Sat Mar 24 01:48:14 2001 +++ ./java/javax/security/auth/callback/Makefile.in Thu Mar 28 12:40:20 2002 @@ -116,6 +116,8 @@ LIBTOOL = @LIBTOOL@ LIB_CRYPT = @LIB_CRYPT@ LIB_DES = @LIB_DES@ +LIB_LDAP = @LIB_LDAP@ +LIB_MYSQL = @LIB_MYSQL@ LIB_PAM = @LIB_PAM@ LIB_SIA = @LIB_SIA@ LIB_SOCKET = @LIB_SOCKET@ @@ -158,7 +160,7 @@ DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST) -TAR = gtar +TAR = tar GZIP_ENV = --best all: all-redirect .SUFFIXES: --- ./java/javax/security/auth/Makefile.in.orig Sat Mar 24 01:48:14 2001 +++ ./java/javax/security/auth/Makefile.in Thu Mar 28 12:40:20 2002 @@ -116,6 +116,8 @@ LIBTOOL = @LIBTOOL@ LIB_CRYPT = @LIB_CRYPT@ LIB_DES = @LIB_DES@ +LIB_LDAP = @LIB_LDAP@ +LIB_MYSQL = @LIB_MYSQL@ LIB_PAM = @LIB_PAM@ LIB_SIA = @LIB_SIA@ LIB_SOCKET = @LIB_SOCKET@ @@ -150,7 +152,7 @@ DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST) -TAR = gtar +TAR = tar GZIP_ENV = --best all: all-redirect .SUFFIXES: --- ./java/javax/security/Makefile.in.orig Sat Mar 24 01:48:14 2001 +++ ./java/javax/security/Makefile.in Thu Mar 28 12:40:21 2002 @@ -116,6 +116,8 @@ LIBTOOL = @LIBTOOL@ LIB_CRYPT = @LIB_CRYPT@ LIB_DES = @LIB_DES@ +LIB_LDAP = @LIB_LDAP@ +LIB_MYSQL = @LIB_MYSQL@ LIB_PAM = @LIB_PAM@ LIB_SIA = @LIB_SIA@ LIB_SOCKET = @LIB_SOCKET@ 
@@ -150,7 +152,7 @@ DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST) -TAR = gtar +TAR = tar GZIP_ENV = --best all: all-redirect .SUFFIXES: --- ./java/javax/Makefile.in.orig Sat Mar 24 01:48:14 2001 +++ ./java/javax/Makefile.in Thu Mar 28 12:40:21 2002 @@ -116,6 +116,8 @@ LIBTOOL = @LIBTOOL@ LIB_CRYPT = @LIB_CRYPT@ LIB_DES = @LIB_DES@ +LIB_LDAP = @LIB_LDAP@ +LIB_MYSQL = @LIB_MYSQL@ LIB_PAM = @LIB_PAM@ LIB_SIA = @LIB_SIA@ LIB_SOCKET = @LIB_SOCKET@ @@ -150,7 +152,7 @@ DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST) -TAR = gtar +TAR = tar GZIP_ENV = --best all: all-redirect .SUFFIXES: --- ./java/Makefile.in.orig Sat Mar 24 01:48:14 2001 +++ ./java/Makefile.in Thu Mar 28 12:40:21 2002 @@ -100,6 +100,8 @@ LIBTOOL = @LIBTOOL@ LIB_CRYPT = @LIB_CRYPT@ LIB_DES = @LIB_DES@ +LIB_LDAP = @LIB_LDAP@ +LIB_MYSQL = @LIB_MYSQL@ LIB_PAM = @LIB_PAM@ LIB_SIA = @LIB_SIA@ LIB_SOCKET = @LIB_SOCKET@ @@ -135,7 +137,7 @@ DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST) -TAR = gtar +TAR = tar GZIP_ENV = --best all: all-redirect .SUFFIXES: --- ./saslauthd/Makefile.in.orig Sat Mar 24 01:48:14 2001 +++ ./saslauthd/Makefile.in Thu Mar 28 12:40:22 2002 @@ -75,6 +75,8 @@ LIBTOOL = @LIBTOOL@ LIB_CRYPT = @LIB_CRYPT@ LIB_DES = @LIB_DES@ +LIB_LDAP = @LIB_LDAP@ +LIB_MYSQL = @LIB_MYSQL@ LIB_PAM = @LIB_PAM@ LIB_SIA = @LIB_SIA@ LIB_SOCKET = @LIB_SOCKET@ @@ -136,7 +138,7 @@ DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST) -TAR = gtar +TAR = tar GZIP_ENV = --best SOURCES = $(saslauthd_SOURCES) OBJECTS = $(saslauthd_OBJECTS) --- ./Makefile.in.orig Sat Mar 24 01:48:13 2001 +++ ./Makefile.in Thu Mar 28 13:04:13 2002 @@ -119,6 +119,8 @@ LIBTOOL = @LIBTOOL@ LIB_CRYPT = @LIB_CRYPT@ LIB_DES = @LIB_DES@ +LIB_LDAP = @LIB_LDAP@ +LIB_MYSQL = @LIB_MYSQL@ LIB_PAM = @LIB_PAM@ LIB_SIA = @LIB_SIA@ LIB_SOCKET = @LIB_SOCKET@ 
@@ -165,7 +167,7 @@ DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST) -TAR = gtar +TAR = tar GZIP_ENV = --best DIST_SUBDIRS = include lib plugins utils doc man pwcheck sample java \ saslauthd --- ./acconfig.h.orig Sat Feb 17 05:06:28 2001 +++ ./acconfig.h Thu Mar 28 12:40:22 2002 @@ -83,6 +83,12 @@ /* do we have PAM for plaintext password checking? */ #undef HAVE_PAM +/* do we have MySQL for plaintext password checking? */ +#undef HAVE_MYSQL + +/* do we have LDAP for plaintext password checking? */ +#undef HAVE_LDAP + /* what flavor of GSSAPI are we using? */ #undef HAVE_GSS_C_NT_HOSTBASED_SERVICE --- ./aclocal.m4.orig Sat Mar 24 01:48:12 2001 +++ ./aclocal.m4 Thu Mar 28 12:56:14 2002 @@ -262,12 +262,7 @@ esac # Check for any special flags to pass to ltconfig. -# -# the following will cause an existing older ltconfig to fail, so -# we ignore this at the expense of the cache file... Checking this -# will just take longer ... bummer! -#libtool_flags="--cache-file=$cache_file" -# +libtool_flags="--cache-file=$cache_file" test "$enable_shared" = no && libtool_flags="$libtool_flags --disable-shared" test "$enable_static" = no && libtool_flags="$libtool_flags --disable-static" test "$enable_fast_install" = no && libtool_flags="$libtool_flags --disable-fast-install" 
@@ -566,35 +561,31 @@ ]) # AC_LIBLTDL_CONVENIENCE[(dir)] - sets LIBLTDL to the link flags for -# the libltdl convenience library and INCLTDL to the include flags for -# the libltdl header and adds --enable-ltdl-convenience to the -# configure arguments. Note that LIBLTDL and INCLTDL are not -# AC_SUBSTed, nor is AC_CONFIG_SUBDIRS called. If DIR is not -# provided, it is assumed to be `libltdl'. LIBLTDL will be prefixed -# with '${top_builddir}/' and INCLTDL will be prefixed with -# '${top_srcdir}/' (note the single quotes!). If your package is not -# flat and you're not using automake, define top_builddir and -# top_srcdir appropriately in the Makefiles. +# the libltdl convenience library, adds --enable-ltdl-convenience to +# the configure arguments. Note that LIBLTDL is not AC_SUBSTed, nor +# is AC_CONFIG_SUBDIRS called. If DIR is not provided, it is assumed +# to be `${top_builddir}/libltdl'. Make sure you start DIR with +# '${top_builddir}/' (note the single quotes!) if your package is not +# flat, and, if you're not using automake, define top_builddir as +# appropriate in the Makefiles. AC_DEFUN(AC_LIBLTDL_CONVENIENCE, [AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl case "$enable_ltdl_convenience" in no) AC_MSG_ERROR([this package needs a convenience libltdl]) ;; "") enable_ltdl_convenience=yes ac_configure_args="$ac_configure_args --enable-ltdl-convenience" ;; esac - LIBLTDL='${top_builddir}/'ifelse($#,1,[$1],['libltdl'])/libltdlc.la - INCLTDL='-I${top_srcdir}/'ifelse($#,1,[$1],['libltdl']) + LIBLTDL=ifelse($#,1,$1,['${top_builddir}/libltdl'])/libltdlc.la + INCLTDL=ifelse($#,1,-I$1,['-I${top_builddir}/libltdl']) ]) # AC_LIBLTDL_INSTALLABLE[(dir)] - sets LIBLTDL to the link flags for -# the libltdl installable library and INCLTDL to the include flags for -# the libltdl header and adds --enable-ltdl-install to the configure -# arguments. Note that LIBLTDL and INCLTDL are not AC_SUBSTed, nor is -# AC_CONFIG_SUBDIRS called. 
If DIR is not provided and an installed -# libltdl is not found, it is assumed to be `libltdl'. LIBLTDL will -# be prefixed with '${top_builddir}/' and INCLTDL will be prefixed -# with '${top_srcdir}/' (note the single quotes!). If your package is -# not flat and you're not using automake, define top_builddir and -# top_srcdir appropriately in the Makefiles. +# the libltdl installable library, and adds --enable-ltdl-install to +# the configure arguments. Note that LIBLTDL is not AC_SUBSTed, nor +# is AC_CONFIG_SUBDIRS called. If DIR is not provided, it is assumed +# to be `${top_builddir}/libltdl'. Make sure you start DIR with +# '${top_builddir}/' (note the single quotes!) if your package is not +# flat, and, if you're not using automake, define top_builddir as +# appropriate in the Makefiles. # In the future, this macro may have to be called after AC_PROG_LIBTOOL. AC_DEFUN(AC_LIBLTDL_INSTALLABLE, [AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl AC_CHECK_LIB(ltdl, main, @@ -607,8 +598,8 @@ ]) if test x"$enable_ltdl_install" = x"yes"; then ac_configure_args="$ac_configure_args --enable-ltdl-install" - LIBLTDL='${top_builddir}/'ifelse($#,1,[$1],['libltdl'])/libltdl.la - INCLTDL='-I${top_srcdir}/'ifelse($#,1,[$1],['libltdl']) + LIBLTDL=ifelse($#,1,$1,['${top_builddir}/libltdl'])/libltdl.la + INCLTDL=ifelse($#,1,-I$1,['-I${top_builddir}/libltdl']) else ac_configure_args="$ac_configure_args --enable-ltdl-install=no" LIBLTDL="-lltdl" --- ./config.h.in.orig Wed Mar 14 04:49:33 2001 +++ ./config.h.in Thu Mar 28 12:40:23 2002 @@ -86,6 +86,12 @@ /* do we have PAM for plaintext password checking? */ #undef HAVE_PAM +/* do we have MySQL for plaintext password checking? */ +#undef HAVE_MYSQL + +/* do we have LDAP for plaintext password checking? */ +#undef HAVE_LDAP + /* what flavor of GSSAPI are we using? */ #undef HAVE_GSS_C_NT_HOSTBASED_SERVICE --- ./configure.in.orig Sat Mar 24 01:47:27 2001 +++ ./configure.in Thu Mar 28 12:40:23 2002 
@@ -322,6 +322,94 @@ fi AM_CONDITIONAL(PWCHECK, test "$with_pwcheck" != no) + +############################################################################ +# Simon Loader tries to do auto conf +dnl MySQL +AC_ARG_WITH(mysql, [ --with-mysql=PATH enable authentication from MySQL database [no] ], + with_mysql=$withval, + with_mysql=no) + +# fine location of library +# prsumesing if one given then correct +if test "${with_mysql}" = "yes"; then + for mysqlloc in lib/mysql lib + do + if test -f ${prefix}/${mysqlloc}/libmysqlclient.a; then + with_mysql="${prefix}" + break + elif test -f /usr/local/${mysqlloc}/libmysqlclient.a; then + with_mysql="/usr/local" + break + elif test -f /usr/${mysqlloc}/libmysqlclient.a; then + with_mysql="/usr" + break + fi + done +fi + +case "$with_mysql" in + no) true;; + *) + if test -d ${with_mysql}/include/mysql; then + CPPFLAGS="${CPPFLAGS} -I${with_mysql}/include/mysql" + LDFLAGS="$LDFLAGS -L${with_mysql}/lib/mysql" + else + CPPFLAGS="${CPPFLAGS} -I${with_mysql}/include" + LDFLAGS="$LDFLAGS -L${with_mysql}/lib" + fi + AC_CHECK_LIB(mysqlclient, mysql_select_db,[ + LIB_MYSQL="-lmysqlclient" + AC_DEFINE(HAVE_MYSQL)], + [AC_ERROR([MYSQL libarary mysqlclient not found])]);; + +esac +AC_SUBST(LIB_MYSQL) + +dnl LDAP +AC_ARG_WITH(ldap, [ --with-ldap=PATH enable authentication from LDAP [no] ], + with_ldap=$withval, + with_ldap=no) + +if test "$with_ldap" = "yes"; then + for ldaploc in lib/ldap lib + do + if test -f ${prefix}/${ldaploc}/libldap.a; then + with_ldap="${prefix}" + break + elif test -f /usr/local/${ldaploc}/libldap.a; then + with_ldap="/usr/local" + break + elif test -f /usr/${ldaploc}/libldap.a; then + with_ldap="/usr" + break + fi + done +fi + +case "$with_ldap" in + no) true;; + *) + if test -d ${with_ldap}/include/ldap; then + CPPFLAGS="${CPPFLAGS} -I${with_ldap}/include/ldap" + LDFLAGS="$LDFLAGS -L${with_ldap}/lib/ldap" + else + CPPFLAGS="${CPPFLAGS} -I${with_ldap}/include" + LDFLAGS="$LDFLAGS -L${with_ldap}/lib" + fi + 
AC_CHECK_LIB(ldap, ldap_open,[ + LIB_LDAP="-lldap -llber" + AC_DEFINE(HAVE_LDAP)], + [AC_ERROR([LDAP libarary ldap and lber not found])], + [-llber]);; +esac +AC_SUBST(LIB_LDAP) + + +# end of addition +####################################################################### + + dnl CRAM-MD5 AC_ARG_ENABLE(cram, [ --enable-cram enable CRAM-MD5 authentication [yes] ], cram=$enableval,
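Review bot: When `--with-mysql` is given without a path and none of the probed directories holds `libmysqlclient.a`, `with_mysql` is still the literal `yes` when the `case` runs, so the `*)` branch appends `-Iyes/include` and `-Lyes/lib` to `CPPFLAGS` and `LDFLAGS`. That puts a directory relative to the build's working directory on the library search path instead of reporting the failed probe. Stopping after the loop avoids it, e.g. `test "$with_mysql" = yes && AC_MSG_ERROR([libmysqlclient not found; use --with-mysql=PATH])`. The LDAP block repeats the pattern with `with_ldap` and needs the same check; the variable expansions in the `test -f` / `test -d` lines would also be safer quoted.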