
Bind with raw credencials, but not calculate from clear text automatically #429

Open
YangKeao opened this issue Apr 17, 2023 · 1 comment · May be fixed by #430

Comments

@YangKeao

The bind function call in the OpenLDAP C API looks like the following (from the manpage):

 int ldap_sasl_bind(LDAP *ld, const char *dn, const char *mechanism,
        struct berval *cred, LDAPControl *sctrls[],
        LDAPControl *cctrls[], int *msgidp);

 int ldap_sasl_bind_s(LDAP *ld, const char *dn, const char *mechanism,
        struct berval *cred, LDAPControl *sctrls[],
        LDAPControl *cctrls[], struct berval **servercredp);

The cred is calculated manually (like the DigestMD5BindRequest in this repo), or calculated by calling functions like sasl_client_step or sasl_client_start. Could this package expose a similar API to make it possible for users to bind with a given cred, without needing to calculate it automatically? I didn't find similar functions in this package. The DigestMD5BindRequest helps the user encode the MD5 message automatically, with the clear text user/password as input.

This is especially useful for client/server applications which want to adopt the LDAP authentication mechanism, and don't want the users to transfer their password in clear text over the network. For example, the MySQL LDAP implementation:

  1. The mysql-client uses sasl_client_start and sasl_client_step to create an encrypted (or hashed) cred, and passes it to the MySQL server.
  2. The MySQL server encodes the cred into BER format and sends it to the LDAP server (e.g. the implementation of ldap in Percona Server).
  3. The authentication may have multiple steps, so the client and server continue a similar process several times, until they get LDAP_SUCCESS or SASL_OK.

This API is also helpful to unify the SASL process of many different mechanisms, like DigestMD5Bind and SCRAM-xxx ...

I'd like to work on this issue and submit a PR for it, but I'm not sure how to design a good API for a similar interface in Go. Do you have any suggestions on the function interface?
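The raw-credential bind the post asks for, as an added example that is not go-ldap's code and not the issue author's: a stdlib-only Go sketch that encodes an LDAP BindRequest whose AuthenticationChoice is sasl (RFC 4511) from a mechanism name plus a credential blob the caller already computed (the output of sasl_client_start / sasl_client_step, or a DIGEST-MD5 response computed elsewhere), and decodes the two BindResponse fields a multi-step loop needs, resultCode and serverSaslCreds. The function and type names, the constructed challenge response in main, and the assumption that message IDs fit in one byte and element lengths in at most two length octets are mine, not go-ldap's API.

```go
package main

import (
	"errors"
	"fmt"
)

// BER tags used by an LDAP BindRequest / BindResponse (RFC 4511).
const (
	tagInteger     = 0x02
	tagOctetString = 0x04
	tagEnumerated  = 0x0A
	tagSequence    = 0x30
	tagBindRequest = 0x60 // [APPLICATION 0] constructed
	tagBindResp    = 0x61 // [APPLICATION 1] constructed
	tagSaslCreds   = 0xA3 // [3] constructed: AuthenticationChoice.sasl
	tagServerCreds = 0x87 // [7] primitive: BindResponse.serverSaslCreds

	ResultSuccess            = 0
	ResultSaslBindInProgress = 14
)

// tlv encodes one BER tag-length-value element in definite-length form
// (assumption: values shorter than 65536 bytes, which covers bind traffic).
func tlv(tag byte, value []byte) []byte {
	n := len(value)
	out := []byte{tag}
	switch {
	case n < 0x80:
		out = append(out, byte(n))
	case n < 0x100:
		out = append(out, 0x81, byte(n))
	default:
		out = append(out, 0x82, byte(n>>8), byte(n))
	}
	return append(out, value...)
}

// EncodeSaslBindRequest builds LDAPMessage{messageID, BindRequest{3, dn, sasl{mechanism, cred}}}.
// cred == nil omits the OPTIONAL credentials field, which is how the first round of a
// challenge-response mechanism such as DIGEST-MD5 starts; later rounds carry the bytes
// the SASL library produced for that step, and this code never sees a clear-text password.
func EncodeSaslBindRequest(messageID int, dn, mechanism string, cred []byte) []byte {
	sasl := tlv(tagOctetString, []byte(mechanism))
	if cred != nil {
		sasl = append(sasl, tlv(tagOctetString, cred)...)
	}
	bindReq := append(tlv(tagInteger, []byte{3}), tlv(tagOctetString, []byte(dn))...) // version 3
	bindReq = append(bindReq, tlv(tagSaslCreds, sasl)...)
	msg := append(tlv(tagInteger, []byte{byte(messageID)}), tlv(tagBindRequest, bindReq)...)
	return tlv(tagSequence, msg)
}

// readTLV splits one BER element off the front of b and rejects truncated input.
func readTLV(b []byte) (tag byte, value, rest []byte, err error) {
	if len(b) < 2 {
		return 0, nil, nil, errors.New("short BER element")
	}
	tag, n, hdr := b[0], int(b[1]), 2
	if n&0x80 != 0 {
		k := n & 0x7F
		if k == 0 || k > 2 || len(b) < 2+k {
			return 0, nil, nil, errors.New("unsupported BER length")
		}
		n = 0
		for i := 0; i < k; i++ {
			n = n<<8 | int(b[2+i])
		}
		hdr += k
	}
	if len(b) < hdr+n {
		return 0, nil, nil, errors.New("truncated BER element")
	}
	return tag, b[hdr : hdr+n], b[hdr+n:], nil
}

// BindResult holds what a SASL loop needs from a BindResponse: whether the bind
// finished, and the server challenge to feed into the next sasl_client_step.
type BindResult struct {
	MessageID   int
	ResultCode  int
	ServerCreds []byte
}

// DecodeBindResponse parses LDAPMessage{messageID, BindResponse{resultCode, matchedDN,
// diagnosticMessage, [referral], [serverSaslCreds]}}.
func DecodeBindResponse(b []byte) (BindResult, error) {
	var r BindResult
	tag, body, _, err := readTLV(b)
	if err != nil || tag != tagSequence {
		return r, fmt.Errorf("expected LDAPMessage SEQUENCE: %v", err)
	}
	tag, id, body, err := readTLV(body)
	if err != nil || tag != tagInteger || len(id) != 1 {
		return r, errors.New("bad messageID")
	}
	r.MessageID = int(id[0])
	tag, resp, _, err := readTLV(body)
	if err != nil || tag != tagBindResp {
		return r, errors.New("not a BindResponse")
	}
	tag, code, resp, err := readTLV(resp)
	if err != nil || tag != tagEnumerated || len(code) != 1 {
		return r, errors.New("bad resultCode")
	}
	r.ResultCode = int(code[0])
	for i := 0; i < 2; i++ { // skip matchedDN and diagnosticMessage
		if _, _, resp, err = readTLV(resp); err != nil {
			return r, err
		}
	}
	for len(resp) > 0 { // remaining optional fields: referral [3], serverSaslCreds [7]
		var v []byte
		if tag, v, resp, err = readTLV(resp); err != nil {
			return r, err
		}
		if tag == tagServerCreds {
			r.ServerCreds = v
		}
	}
	return r, nil
}

// sampleChallengeResponse is a constructed saslBindInProgress reply with a fake challenge.
func sampleChallengeResponse() []byte {
	body := tlv(tagEnumerated, []byte{ResultSaslBindInProgress})
	body = append(body, tlv(tagOctetString, nil)...) // matchedDN
	body = append(body, tlv(tagOctetString, nil)...) // diagnosticMessage
	body = append(body, tlv(tagServerCreds, []byte("nonce=\"abc\""))...)
	return tlv(tagSequence, append(tlv(tagInteger, []byte{1}), tlv(tagBindResp, body)...))
}

func main() {
	fmt.Printf("first round: % x\n", EncodeSaslBindRequest(1, "", "DIGEST-MD5", nil))
	r, err := DecodeBindResponse(sampleChallengeResponse())
	fmt.Printf("result=%d challenge=%q err=%v\n", r.ResultCode, r.ServerCreds, err)
}
```

A library API in this shape would take (mechanism, cred []byte) and return (resultCode, serverSaslCreds) per round; the caller loops until resultCode is 0 (success) rather than 14, which is exactly the sasl_client_start / sasl_client_step pattern the MySQL example follows.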

@YangKeao YangKeao changed the title Bind with raw credencials, but not calculated in package Bind with raw credencials, but not calculate from clear text automatically Apr 17, 2023
@johnweldon
Member

I think this may be a useful feature, and I'd like to see some community engagement in designing the right API for this.
