SASL binds

Hans Aschauer Hans.Aschauer at Physik.uni-muenchen.de
Mon Mar 11 13:33:44 CET 2002


> Hans Aschauer wrote:
> > SASL binds are still on the TODO list for python-ldap.
>
> Yes.
>
> > A few days ago I started experimenting with this topic, and I
> > succeeded in doing SASL binds from python. However, my
> > sasl_bind_s() method for the ldap class is at the moment only a
> > proof of concept and has many shortcomings (works only with the
> > gssapi-method or methods which do not require user interaction,
>
> GSS-API means Kerberos?

Yes (In fact, not necessarily. Kerberos is however most widely used in 
gssapi things).

> Which LDAP server are you using?

OpenLDAP 2.? (the one shipped with SuSE 7.3), and the Heimdal Kerberos 
distribution (also SuSE 7.3).

> What's your motivation for doing SASL binds?

The fun of doing it. Seriously: AFAIK SASL is supposed to be _the_ 
authentication method for LDAPv3 binds. For example, it can provide you 
with single-sign-on, and the like.

> > links to a "private" openldap lib (liblutil.a),
>
> For what reason?

This is just because I was too lazy (I mean: I didn't have time) to 
implement my own callbacks, which are required by SASL. So I took a 
look at the source of openldap's ldapadd program, and did the same 
thing as this program does. As I said, it's only a proof of concept. Of 
course, this should change.

> Note that unlike python-ldap 1.x which wrapped LDAP C APIs of
> different vendors python-ldap 2.x is closely tied to OpenLDAP 2.x
> libs. Therefore it's no problem to use everything which is shipped
> with recent OpenLDAP 2.0.23+ nowadays.

The above mentioned lib ships only with the source of openldap, since 
it is only used for and statically linked to the openldap tools. 
However, what this library provides is only useful for programs which 
are called from the command line (passwords are read from stdin, etc.). 
So something more general needs to be done...

> > does not implement interaction callbacks, to name only a
> > few).
>
> Hmm, implementing callbacks is a messy thing anyway. If we can make
> most things without it I'd be glad to follow your approach.

Agree. However, SASL is a very general approach to 
authentication/authorization, and the programmer can never know what 
information will be required by the auth-method used (the method might 
be chosen at run-time, for example). SASL thus sends some 
user-interaction requests (along with a plain English text which can be 
used for prompting the user) to callback functions, which gather the 
required information. This information can be something like a username 
and a password, but it could also be "Please insert your smartcard!"... 

Of course, one could think of a cleaner way of doing this on a higher 
level (override a method in a class derived from ldapobject, for 
example?).

> > However, I am not really an experienced C programmer,
>
> Welcome to the club...
>
> > and I think I
> > would need some help with several topics (memory management, how to
> > do callbacks to user-supplied python functions from C, and so on).
>
> Hmm, unfortunately experienced C programmers seem to be rare on this
> list...

Probably because the concepts behind C and python are mutually 
exclusive :-)

> Best bet is that you send your patches to the list and we'll see...

Ok, I don't have them here at the moment, but I can send them today in 
the evening (MEZ).

Hans

-- 
Hans.Aschauer at Physik.uni-muenchen.de
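The interaction callbacks discussed in this message, as an added example that is not code from the thread or from python-ldap: a pure-Python model of the SASL interaction loop, in which Interact, SaslHandler, PromptingHandler, ldap_callback and the two interaction lists are assumed names and constructed data. The base handler answers only from values supplied up front (enough for GSSAPI, which asks for nothing) and fails cleanly rather than blocking on stdin as the liblutil helpers do; the derived class overrides the hook to prompt, which is the "override a method in a derived class" approach the message suggests.

```python
from dataclasses import dataclass

CB_USER, CB_AUTHNAME, CB_PASS = 0x4001, 0x4002, 0x4004  # ids as in ldap.sasl

@dataclass
class Interact:  # constructed model of one sasl_interact_t entry (assumed name)
    cb_id: int
    challenge: str   # what the mechanism needs, described in plain English
    prompt: str      # text a caller may show to the user
    default: str = ""

class SaslHandler:
    """Non-interactive: answers from values supplied up front, so GSSAPI (which
    asks nothing) works unchanged and a missing value fails instead of blocking
    on stdin the way the liblutil command-line helpers would."""
    def __init__(self, values=None):
        self.values = dict(values or {})

    def callback(self, interact):
        if interact.cb_id in self.values:
            return self.values[interact.cb_id]
        if interact.default:
            return interact.default
        raise LookupError(f"no value for SASL request {interact.challenge!r}")

    def answer_all(self, interacts):  # serve one bind's whole interaction list
        return {i.cb_id: self.callback(i) for i in interacts}

class PromptingHandler(SaslHandler):
    """The 'override a method in a derived class' idea from the thread: gather
    missing values through a caller-supplied ask(prompt, echo) function."""
    def __init__(self, ask, values=None):
        super().__init__(values)
        self.ask = ask

    def callback(self, interact):
        try:
            return super().callback(interact)
        except LookupError:
            return self.ask(interact.prompt, interact.cb_id != CB_PASS)

def ldap_callback(handler):
    # Adapter in the (cb_id, query, default_result, prompt) shape that
    # python-ldap's ldap.sasl.sasl.callback later used, so a handler fits there.
    def callback(cb_id, query, default_result, prompt):
        return handler.callback(Interact(cb_id, query, prompt, default_result or ""))
    return callback

# Constructed interaction lists: GSSAPI asks nothing, DIGEST-MD5 asks twice.
GSSAPI_INTERACTS = []
DIGEST_INTERACTS = [Interact(CB_AUTHNAME, "Authentication name", "Username"),
                    Interact(CB_PASS, "Password", "Password")]
```

The echo flag passed to ask() lets a caller suppress terminal echo for password prompts, which the stdin-reading liblutil code decides on its own.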