1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
|
<!-- BEGIN COPYRIGHT BLOCK
This Program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free Software
Foundation; version 2 of the License.
This Program is distributed in the hope that it will be useful, but WITHOUT
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with
this Program; if not, write to the Free Software Foundation, Inc., 59 Temple
Place, Suite 330, Boston, MA 02111-1307 USA.
In addition, as a special exception, Red Hat, Inc. gives You the additional
right to link the code of this Program with code not covered under the GNU
General Public License ("Non-GPL Code") and to distribute linked combinations
including the two, subject to the limitations in this paragraph. Non-GPL Code
permitted under this exception must only link to the code of this Program
through those well defined interfaces identified in the file named EXCEPTION
found in the source code files (the "Approved Interfaces"). The files of
Non-GPL Code may instantiate templates or use macros or inline functions from
the Approved Interfaces without causing the resulting work to be covered by
the GNU General Public License. Only Red Hat, Inc. may make changes or
additions to the list of Approved Interfaces. You must obey the GNU General
Public License in all respects for all of the Program code and other code used
in conjunction with the Program except the Non-GPL Code covered by this
exception. If you modify this file, you may extend this exception to your
version of the file, but you are not obligated to do so. If you do not wish to
provide this exception without modification, you must delete this exception
statement from your version and license this file solely under the GPL without
exception.
Copyright (C) 2001 Sun Microsystems, Inc. Used by permission.
Copyright (C) 2005 Red Hat, Inc.
All rights reserved.
END COPYRIGHT BLOCK -->
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Author" CONTENT="Nitin More">
<META NAME="GENERATOR" CONTENT="Mozilla/4.01 [en] (WinNT; U) [Netscape]">
</HEAD>
<BODY>
<CENTER>
<H1>
Change Log for the ldaputil library</H1></CENTER>
<DT>
Author: Nitin More</DT>
<DT>
E-mail: <A HREF="mailto:nitin@netscape.com">nitin@netscape.com</A></DT>
<DT>
Phone: (415) 937-4240</DT>
<CENTER></CENTER>
<CENTER>
<HR WIDTH="100%"></CENTER>
<CENTER></CENTER>
<CENTER><B><FONT SIZE=+1>Changes since Apr 17, 1997</FONT></B></CENTER>
<P>Last Update: Aug 25, 1997
<P>All the new changes have been checked into the server3_tier_branch.
The server3_branch is frozen & contains the version of 'ldaputil' for
the SuiteSpot 3.0 release.
<H2>
Changed:</H2>
Several bug fixes went in since I last modified this file. The important
ones are:
<UL>
<LI>
<A HREF="http://scopus/bugsplat/show_bug.cgi?id=79373">79373</A>: Attributes
listed multiple times in certmap.conf were turining that attribute off
and enabling some other attribute. (For example, if you have "E"
as well as "MAIL" in FilterComps, they cancelled each other).</LI>
<LI>
<A HREF="http://scopus/bugsplat/show_bug.cgi?id=58474">58474</A>: If nested
group checks goes on for 30 recursions, a circular groups error is returned.</LI>
<LI>
<A HREF="http://scopus/bugsplat/show_bug.cgi?id=80004">80004</A>: after
thoroughly testing the certmap utility, several (mostly minor) oddities
were found & fixed.</LI>
</UL>
<H2>
Added:</H2>
<UL>
<LI>
<A HREF="http://scopus/bugsplat/show_bug.cgi?id=79370">79370</A>: Group
membership check is optimized now through the new function <B>ldapu_auth_userdn_groupids</B>.
Use this new function to get the optimization. This function's algorithm
is as follows:</LI>
<BR>The first search uses the following filter (w/o the group names!):
<OL><TT>(| (& (objectclass=groupofuniquenames)</TT>
<BR><TT> (uniquemember=<userDN>))</TT>
<BR><TT> (& (objectclass=groupofnames)(member=<userDN>)))</TT>
<BR> </OL>
This gives us all the groups the user is member of. We ask for only
the "CN" attributes of the returned groups. We check if "CN" of any
of the returned groups is one of the groups we have. If yes, we have
succeeded. If there are no groups returned then we have failed.
Otherwise, we continue with the nested group check. To perform that
check, we need DNs of all the groups the user is member of, which we already
have from the previous search. Now we repeat the search as follows:
<OL><TT>(| (& (objectclass=groupofuniquenames)</TT>
<BR><TT> (| (uniquemember=<grp1DN>)...
(uniquemember=<grpNDN>))</TT>
<BR><TT> (& (objectclass=groupofnames)</TT>
<BR><TT> (| (member=<grp1DN>)... (member=<grpNDN>))</TT></OL>
We check the list of groups returned by this search with the groups in
the ACL and recursively continue until we succeed or no more groups are
returned from the searches.
<P>Advantages of this new function is it checks multiple groups at the
same time. Previously we were performing 2 ldap lookups per group.
Now we achieve this in a single ldap lookup!
<P><B><BLINK>Caution</BLINK></B>: this function allows multiple groups
with the same "CN".
<P>To use this function, you need to provide a list of group names in any
form (e.g comma separated string, a hash table, array of strings, etc.)
and a function to compare the name returned by the ldap lookup with your
group names.</UL>
<CENTER><B><FONT SIZE=+1>Changes since Mar 22, 1997</FONT></B></CENTER>
<P>Last Update: Apr 17, 1997
<P>Now that all beta releases are out for servers using this library, I
could do some incompatible changes to make this library more flexible.
No more incompatible changes are planned (except for possibly one: see
http://scopus/bugsplat/show_bug.cgi?id=58482). <B><BLINK>All 3.0 SuiteSpot
servers supporting client auth need to upgrade to this version.</BLINK></B>
<H2>
Changed:</H2>
<UL>
<LI>
<B>Exchanged certmap.h & ldaputil.h: </B>ldaputil.h had public API
but when the file was installed on the server root, it was called certmap.h.
Since we already had a certmap.h, this was causing lot of confusion. If
you were including "certmap.h", now include "ldaputil.h" and vice versa.</LI>
<LI>
<B>Renamed 'SearchComps' to 'FilterComps'</B>: Shouldn't affect your code
but may affect tests and documentation.</LI>
<LI>
<B>'VerifyCert' must be either "on" or "off"</B>: VerifyCert didn't have
a value. Now it must have a value. If it has a value of "on" then the "verification"
step is on, otherwise it is off.</LI>
<LI>
<B>Important bug fixes</B>: One bug was causing stack corruption &
weird unpredictable results. The other important bug was to map 'E' in
cert to 'MAIL' in LDAP.</LI>
</UL>
<H2>
Added:</H2>
<UL>
<LI>
<B>Settable 'search function'</B>: User defined search function can be
set for cert to ldap mapping.</LI>
<LI>
<B>ldapu_get_cert_ava_val & ldapu_free_cert_ava_val</B>: API functions
to get & free an attribute's value(s) from either the subject DN or
the issuer DN from a cert.</LI>
</UL>
<H2>
Open Bugs:</H2>
<UL>Following bugs may not get fixed by RTM.</UL>
<UL>
<LI>
<A HREF="http://scopus/bugsplat/show_bug.cgi?id=51279">51279</A>: 'uniquemember'
bug</LI>
<LI>
<A HREF="http://scopus/bugsplat/show_bug.cgi?id=58474">58474</A>:
'circular groups' results in infinite loop</LI>
<LI>
<A HREF="http://scopus/bugsplat/show_bug.cgi?id=58478">58478</A>: Don't
allow a space as a valid delimeter for DNComps & FilterComps.</LI>
<LI>
<A HREF="http://scopus/bugsplat/show_bug.cgi?id=58482">58482</A>: Make
the 'search function' configurable.</LI>
<BR>
<HR WIDTH="100%"></UL>
<CENTER>
<H3>
Changes since Mar 18, 1997</H3></CENTER>
<DT>
Last Update: Mar 22, 1997</DT>
<DT>
A query on how to map a verisign certificate prompted these changes.
I was hoping I don't have to do any major changes when I wrote this document
on Mar 18. These are incompatible changes -- please review them before
you upgrade. I have checked in this file in CVS under "ns/netsite/lib/ldaputil/ldapu-changes.html".
I have added all the "XYZ_branch" and "XYZ_point" tags to this file so
that you can easily see this file in your tree. When I make significant
changes to this file/library, I will retag this file for your branch to
make it same as the server3_branch. [Let me know if I shouldn't do it for
your branch].</DT>
<H2>
Changed:</H2>
<UL>
<LI>
<B>ldapu_cert_to_ldap_entry</B>: The major change was to allow for the
mapped DN to be NULL and in that case, start the search from the basedn
of the LDAP server. This required API change so that the basedn can be
passed to the ldapu_cert_to_ldap_entry function. This change was required
for correctly mapping certs from verisign w/o writing plugins. The Verisign
certs can be mapped correctly using the following setting in the <ServerRoot>/userdb/certmap.conf
file:</LI>
<UL><TT><FONT SIZE=+1>certmap verisign <verisign's DN></FONT></TT>
<BR><TT><FONT SIZE=+1>verisign:dncomps</FONT></TT>
<BR><TT><FONT SIZE=+1>verisign:searchcomps cn, e</FONT></TT></UL>
The mapped DN will be NULL so basedn will be used. The filter will
be
<BR>(& (cn="<user's CN>") (mail="<user's mail>")). The
new signature of ldapu_cert_to_ldap_entry is as follows:
<BR> int ldapu_cert_to_ldap_entry(void *cert, LDAP *ld,
const char *basedn, LDAPMessage **res);
<LI>
<B>verify cert functions</B>: A major change in how verify cert functions
work. This is function is now called even when multiple potential
matches are found for the cert. The mapping is successful if the
verify function can reduce the number of matches to exactly one.
For example, if there are multiple "Joe Smith" entries, at most one of
those will have the cert in it's "userCertificate" attr. The verify
function will select that entry. The verify function is called with
"LDAPMessage *res" containing all the potential matches. It should
return a pointer to the matched entry in the new "LDAPMessage **entry"
parameter. The new signature for CertVerifyFn_t is as follows:</LI>
<BR> typedef int (*CertVerifyFn_t)(void *cert, LDAP *ld,
LDAPMessage *res,
<BR>
<P>
LDAPMessage **entry);
<LI>
typedef int (*<B>CertMapInitiFn_t)</B>: Renamed from CertmapInitFn_t.
Now this has two extra parameters to make it easy to use it in a plugin.
Other API functions require "issuerDN" but this function was called with
"LDAPUCertMapInfo_t *certinfo". There was no public API function
to get the issuerDN from "certinfo". The new signature for CertMapInitFn_t
is as follows:</LI>
<BR> typedef int (*CertMapInitFn_t)(void *certmap_info,
const char *issuerName,
<BR>
const char *issuerDN);
<LI>
(ldapauth.h) <B>ldapu_auth_* functions:</B> For multiple matches, these
functions now return LDAPU_ERR_MULTIPLE_MATCHES instead of LDAPU_FAILED.
This change was required to make nested group membership work efficiently
and enable the new functionality of verify cert function.</LI>
</UL>
<DT>
<HR WIDTH="100%"></DT>
<CENTER>
<H3>
Changes since Feb 1, 1997</H3></CENTER>
<DT>
Last Update: Mar 18, 1997</DT>
<DT>
There have been several changes to the netsite/lib/ldaputil recently. If
you use this library, please start using the latest version of ldaputil
on the server3_branch so that all the servers go out with the same API
and behavior. Review the changes before you upgrade. If you don't plan
to upgrade, please let me know.</DT>
<H2>
Renamed:</H2>
Following structures and functions are renamed. But this shouldn't affect
you unless you have written a certmap plugin.
<DD>
<TT><FONT SIZE=+1>struct CertMappingFunction_t ---> CertMapFn_t</FONT></TT></DD>
<DD>
<TT><FONT SIZE=+1>struct CertVerifyFunction_t ---> CertVerifyFn_t</FONT></TT></DD>
<DD>
<TT><FONT SIZE=+1>ldapu_set_cert_mapping_function ---> ldapu_set_cert_mapfn</FONT></TT></DD>
<DD>
<TT><FONT SIZE=+1>ldapu_get_cert_mapping_function ---> ldapu_get_cert_mapfn</FONT></TT></DD>
<DD>
<TT><FONT SIZE=+1>ldapu_set_cert_verify_function ---> ldapu_set_cert_verifyfn</FONT></TT></DD>
<DD>
<TT><FONT SIZE=+1>ldapu_get_cert_verify_function ---> ldapu_get_cert_verifyfn</FONT></TT></DD>
<H2>
Removed: (from .h)</H2>
Removed the following functions from .h files. They are still in the .c
file as static functions. I don't think these should be public. If you
think otherwise, let me know.
<DD>
<TT><FONT SIZE=+1>ldapu_cert_mapping_function_default</FONT></TT></DD>
<DD>
<TT><FONT SIZE=+1>ldapu_cert_verify_function_default</FONT></TT></DD>
<DD>
<TT><FONT SIZE=+1>ldapu_search_cert_dn</FONT></TT></DD>
<DD>
<TT><FONT SIZE=+1>ldapu_subject_dn_to_ldap_dn</FONT></TT></DD>
<H2>
Changed:</H2>
The following changes may affect you. Please review them carefully before
you upgrade to the latest version of ldaputil.
<UL>
<LI>
<TT>ldapu_auth_userdn_groupdn</TT> -- added <TT>const char *base</TT> argument
for group within group membership check</LI>
<LI>
ldap_init and bind calls using <TT>LDAPDatabase_t *ldb</TT> retry once
if the LDAP server is/went down.</LI>
<LI>
<TT>typedef CertVerifyFn_t</TT> has different arguments.</LI>
<LI>
DNs from cert with escaped/quoted characters are correctly handled now.</LI>
<LI>
cert to ldap entry mapping is optimized by not using string comparisons
during thruntime. A bitmask is created when the config file is read, cert
data is mapped to bits and compared against the bitmask.</LI>
<LI>
Only the required attrs are retrieved in most <TT>ldap_search_s </TT>calls
from ldaputil. Some new functions were added to keep older functions the
same.</LI>
<LI>
Fixed a core dump in ldapu_free_LDAPDatabase_t when using the local db.</LI>
<LI>
ldaputil functions for initializing connection to the LDAP server and binding
to the server are thread-safe now. This requires linking to netsite/lib/base.
If you don't use libbase, you can turn off the thread-safe code using a
compile time option.</LI>
</UL>
<H2>
Added:</H2>
<UL>
<LI>
Documentation to functions in ldaputil.h (customer API) - ldaputil.h is
the external public API for customers to write there plugins.</LI>
<LI>
<TT>ldapu_get_cert_der</TT> - returns raw DER encoded cert data</LI>
<LI>
<TT>ldapu_cert_to_user</TT> - Similar to ldapu_cert_to_ldap_entry but only
retrieves the 'uid' and 'userCertificate' attributes from LDAP and also
extracts the user id.</LI>
<LI>
<TT>ldapu_find_uid_attrs</TT> and <TT>ldapu_find_group_attrs</TT> - Similar
to ldapu_find_uid and ldapu_find_group resp., but only retrieves the specified
attributes. Internally used during password verification and group membership
checks.</LI>
<LI>
<TT>ldapu_certinfo_delete, ldapu_certinfo_modify and ldapu_certinfo_save</TT>
- API for the certmap config file GUI tool which is not yet developed.
Any volunteers?</LI>
</UL>
<H2>
<FONT SIZE=+1>TODO/Bugs:</FONT></H2>
<UL>
<LI>
uniquemember attribute is not handled correctly in the group membership
check. If the user's entry has 'x500UniqueIdentifier' attribute populated,
the group could refer to the user entry by the user's dn followed by '#'
and an unique identifier. For example, the group entry could have:</LI>
<DD>
uniquemember: cn=Joe Smith,o=Netscape,c=US#jsmith</DD>
<DT>
where, 'jsmith' is one of the values of the 'x500UniqueIdentifier' attribute
for the Joe Smith entry.</DT>
<DT>
</DT>
</UL>
</BODY>
</HTML>
|
