[OpenSER-Devel] [ openser-Patches-1707996 ] LDAP auth module

SourceForge.net noreply at sourceforge.net
Mon Jul 16 11:32:12 CEST 2007


Patches item #1707996, was opened at 2007-04-26 14:34
Message generated for change (Comment added) made by miconda
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=743022&aid=1707996&group_id=139143

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: modules
Group: ver devel
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Alexei Volkov (av_kot)
Assigned to: Daniel-Constantin Mierla (miconda)
Summary: LDAP auth module

Initial Comment:
After a couple of days googling over the web I found that LDAP authentication to openser is available via the radius module.
For me, as a relatively new user of openser, it is rather difficult to build the full chain ldap+radius+openser to make complete authorization and accounting. For example, in my case just a simple authentication against an LDAP database is needed, and unfortunately I did not find any usable code to patch openser to directly authenticate a user in LDAP.
After spending some more time I have developed an auth_ldap module for openser. If it can be usable for the community I would like to open it and share it with the openser project.

Some features of my auth_ldap module can be represented by the following openser.cfg lines.

loadmodule "auth.so"
loadmodule "auth_ldap.so"
loadmodule "uac.so"

....
modparam("auth_ldap", "ldap_server", "ldap://localhost")
modparam("auth_ldap", "ldap_bind_dn", "cn=admin,dc=domain")
modparam("auth_ldap", "ldap_bind_passwd", "secret")
modparam("auth_ldap", "ldap_base_dn", "ou=Users,dc=domain")
modparam("auth_ldap", "ldap_search_filter", "(&(OpenSerAccount=%s)(OpenSerEnabled=TRUE))")
modparam("auth_ldap", "ldap_passwd_attr", "OpenSerPassword")
modparam("auth_ldap", "ldap_debug_encoding", "koi8-r")
modparam("auth_ldap", "ldap_avp_attrs", "cn,OpenSerGroup")
modparam("auth_ldap", "ldap_avp_prefix", "ldap_")
....
route{
...
    if (!ldap_www_authorize("domain")) { # authorization and account avp created here
        www_challenge("domain", "1");
        exit;
    };
....
    uac_replace_from("$avp(s:ldap_cn)","");
...
    append_hf("P-hint-openser-account-group: $avp(s:ldap_OpenSerGroup)\r\n");
...
}

----------------------------------------------------------------------

>Comment By: Daniel-Constantin Mierla (miconda)
Date: 2007-07-16 12:32

Message:
Logged In: YES 
user_id=1246013
Originator: NO

Can you check if the functionality provided by this module can be achieved
by the recently added features of AUTH module together with LDAP module?
AUTH has now the ability to take the username and password from a
pseudo-variable, while LDAP can fetch values from an LDAP database.

If auth_ldap module provides additional functionalities, please list them.

----------------------------------------------------------------------

Comment By: Daniel-Constantin Mierla (miconda)
Date: 2007-07-04 19:26

Message:
Logged In: YES 
user_id=1246013
Originator: NO

File Added: auth_ldap-dcm.tgz

----------------------------------------------------------------------

Comment By: Daniel-Constantin Mierla (miconda)
Date: 2007-07-04 19:25

Message:
Logged In: YES 
user_id=1246013
Originator: NO

I reviewed the latest version you sent. But you haven't conformed with my
previous suggestions -- there are still assign or conditional statements
between variable declarations. Please double check again; I fixed some, but
some are still there.

In addition, you use standard malloc functions, while openser uses its own
memory manager. You have to use pkg_malloc() and pkg_free() instead of
malloc/free.

Then, strsep() function seems not to be very portable. Should be easier to
implement one, it is just for parsing and tokenizing a parameter (or,
strtok is more portable).

In the readme, you say there is no external library required to compile
the module. At least the ldap client library is, and during the linking I
get:
/usr/bin/ld: cannot find -liconv
collect2: ld returned 1 exit status
make: *** [auth_ldap.so] Error 1

So I assume there are more dependencies. The iconv() functions seem to be
only POSIX.1-2001, do you know other replacements?

Do use the tarball I uploaded, it has a nice indentation of the source code,
fixes to work with openser devel (you have to keep it working with the devel
version) and the license in each file.

I see that sometime you use snprintf() just to concatenate 2 strings, that
is not very performant, use strcat/strncat or strcopy/strncopy.

In many cases you do not check the return code of the functions, to see if
there was an error (e.g., call of iconv()). Please do so.

Hope this is all for now :-)


----------------------------------------------------------------------
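As an added illustration of the review points above (tokenizing a parameter without strsep() or strtok(), declaring variables before any statement, checking every return value, releasing what was allocated on the error path, and bounded copies instead of snprintf() for simple concatenation), here is a stand-alone C parser for the module's comma-separated ldap_avp_attrs parameter and the AVP-name builder that goes with it. This is not code from the auth_ldap module or from OpenSER: the pkg_malloc()/pkg_free() names are mapped to libc malloc/free here as an assumption so the example builds outside the server, and the struct and function names (attr_list, parse_attr_param, build_avp_name, free_attr_list) are invented for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: OpenSER's pkg_malloc()/pkg_free() exist only inside the
 * server. Outside it they are mapped to libc so the example runs alone;
 * in the real module the macros would not be needed. */
#define pkg_malloc(n) malloc(n)
#define pkg_free(p)   free(p)

#define MAX_ATTRS 16

/* Result of parsing "cn,OpenSerGroup": NUL-terminated copies of each name. */
struct attr_list {
    int   count;
    char *name[MAX_ATTRS];
};

/* Release every name and reset the list (safe to call on a partly filled list). */
void free_attr_list(struct attr_list *l)
{
    int i;

    for (i = 0; i < l->count; i++) {
        pkg_free(l->name[i]);
        l->name[i] = NULL;
    }
    l->count = 0;
}

/* Split a comma-separated parameter with a plain scan (no strsep/strtok),
 * trimming blanks around each name. Declarations come first (C89), each
 * allocation is checked, and on any error everything allocated so far is
 * freed. Returns 0 on success, -1 on empty name, too many names or OOM. */
int parse_attr_param(const char *param, struct attr_list *out)
{
    const char *start;
    const char *p;
    const char *e;
    size_t len;
    int i;

    out->count = 0;
    for (i = 0; i < MAX_ATTRS; i++)
        out->name[i] = NULL;
    if (param == NULL)
        return -1;

    start = param;
    p = param;
    for (;;) {
        if (*p == ',' || *p == '\0') {
            e = p;
            while (start < e && (*start == ' ' || *start == '\t'))
                start++;
            while (e > start && (e[-1] == ' ' || e[-1] == '\t'))
                e--;
            len = (size_t)(e - start);
            if (len == 0 || out->count >= MAX_ATTRS)
                goto fail;
            out->name[out->count] = (char *)pkg_malloc(len + 1);
            if (out->name[out->count] == NULL)
                goto fail;
            memcpy(out->name[out->count], start, len);
            out->name[out->count][len] = '\0';
            out->count++;
            if (*p == '\0')
                break;
            start = p + 1;
        }
        p++;
    }
    return 0;

fail:
    free_attr_list(out);
    return -1;
}

/* Build "<prefix><attr>" (e.g. "ldap_" + "cn") into a caller buffer with
 * bounded copies instead of snprintf(). Returns the resulting length, or
 * -1 if the name (plus NUL) does not fit. */
int build_avp_name(const char *prefix, const char *attr, char *buf, size_t bufsz)
{
    size_t lp = strlen(prefix);
    size_t la = strlen(attr);

    if (lp + la + 1 > bufsz)
        return -1;
    memcpy(buf, prefix, lp);
    memcpy(buf + lp, attr, la);
    buf[lp + la] = '\0';
    return (int)(lp + la);
}

int main(void)
{
    struct attr_list l;
    char avp[64];
    int i;

    /* constructed input, same shape as the ldap_avp_attrs modparam above */
    if (parse_attr_param("cn, OpenSerGroup", &l) != 0)
        return 1;
    for (i = 0; i < l.count; i++) {
        if (build_avp_name("ldap_", l.name[i], avp, sizeof avp) < 0)
            return 1;
        printf("%s -> $avp(s:%s)\n", l.name[i], avp);
    }
    free_attr_list(&l);
    return 0;
}
```

The error path matters in a server: a partially parsed list that leaks on a malformed modparam shows up as growing pkg memory on every reload, which is why free_attr_list() is called before returning -1 rather than only by the caller on success.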

Comment By: Daniel-Constantin Mierla (miconda)
Date: 2007-07-03 11:14

Message:
Logged In: YES 
user_id=1246013
Originator: NO

It is in my todo, traveling to Cluecon delayed a bit the things.

----------------------------------------------------------------------

Comment By: Alexei Volkov (av_kot)
Date: 2007-07-02 21:38

Message:
Logged In: YES 
user_id=1779106
Originator: YES

Are there plans to review my last sources and evaluate whether they are ready
to be placed in the development source tree?

----------------------------------------------------------------------

Comment By: Alexei Volkov (av_kot)
Date: 2007-06-23 18:17

Message:
Logged In: YES 
user_id=1779106
Originator: YES

File Added: auth_ldap.tgz

----------------------------------------------------------------------

Comment By: Daniel-Constantin Mierla (miconda)
Date: 2007-06-19 16:58

Message:
Logged In: YES 
user_id=1246013
Originator: NO

Sorry for taking so long ... lot of traveling. Here are my comments:
- you have to write documentation in SGML format which shall be placed in
subdirectory 'doc' of your module -- see other modules for examples (xlog
or textops are good start)
- from the sgml files you have to generate the text version as README and
place it in module directory (see 'make modules-readme')
- you have to use standard C compliant functions; asprintf() used in
gen_ha1() is not C or POSIX (it is a GNU extension -- see man asprintf)
- you have to indent the code to become easier to understand :-) --
default is to use tab of 4 white spaces and move to new line after 80
chars
- you have to use C compliant syntax, that means you cannot have
statements in between declarations of variables. You have to declare
variables first and then start operating with them.

Recommendations:
- name the main file of the module module_name.c (e.g., auth_ldap.c
instead of authldap_mod.c). This is not mandatory, but lately it is the
preferred mode

All above will ensure that the module will compile on all systems
supported now by OpenSER.

Thanks!

----------------------------------------------------------------------

Comment By: Alexei Volkov (av_kot)
Date: 2007-05-10 07:22

Message:
Logged In: YES 
user_id=1779106
Originator: YES

At this time I already use this module in my production environment and
consider using it in the future, so I will maintain the module.

----------------------------------------------------------------------

Comment By: Daniel-Constantin Mierla (miconda)
Date: 2007-05-09 18:08

Message:
Logged In: YES 
user_id=1246013
Originator: NO

I will review the module and comment the updates you may have to do before
accepting to SVN.

I need to know if you are willing to maintain the module for at least one
year. Otherwise we have to find another volunteer to maintain it.

I am considering adding some features already (after committing to SVN),
for fail over and attribute loading with no authentication -- but no time
line now.

----------------------------------------------------------------------
