saslauthd-port

command

v0.1.12 Latest Latest Go to latest Published: Mar 27, 2024 License: Apache-2.0 Imports: 7 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/couchbase/cbauth

Links

Open Source Insights

README ¶

= Purpose and developer setup of saslauthd-port
Aliaksey Kandratsenka <alk@tut.by>

== What it's for

This little program is bridging Couchbase Server `ns_server` component
and saslauthd program from cyrus-sasl package. The purpose of that is
providing ldap (as well as pam and other kinds of) authentication for
couchbase server.

== How does it work

It works by speaking to local saslauthd deamon over unix domain
socket. This is a bit undocumented and internal, private API of
cyrus-sasl. It can be argued that doing it via libsasl2 would be
better way. But it does look like saslauthd protocol is reasonably
stable in practice. And most importantly dealing with libsasl2 from
golang is not as easy as dealing with saslauthd directly.

saslauthd-port program is designed to receive auth requests from
`ns_server` via revrpc facility.

== Setting up simplified dev environment for testing

If you're ok with stubbing auth, then take a look at fake-saslauthd.rb
in this directory. It'll simulate saslauthd. Username is "alk" (well,
any name will work except for usernames starting with but not equal to
"alk") and password is "AsdQwe!23".

== Setting up local LDAP server

=== Via adelton/freeipa-server docker image

* `# docker run --dns 127.0.0.1 --name freeipa-server-container -ti -h ipa.example.test -e PASSWORD=SomePassword123 adelton/freeipa-server`

* when it completes do ifconfig inside container and update /etc/hosts
to point ipa.example.test to that container. I.e. it could be 172.17.0.2

* go to https://ipa.example.test (it will autoredirect to
ipa.example.test anyways).

* login as admin with password SomePassword123 (configured at first step)

* create user or two in intuitive UI. In my case that's user "alk"
with password "AsdQwe!23"

* configure local saslauthd by:

** enabling it. On my debian box that's editing
/etc/defaults/saslauthd and changing START=yes MECHANISMS="ldap".
Then start it via initscript or systemctl (e.g. `#
/etc/init.d/saslauthd start`).

** configuring it. Create /etc/saslauthd.conf and put the following:

ldap_servers: ldap://ipa.example.test/
ldap_search_base: cn=users,cn=accounts,dc=example,dc=test

** testing it. If everything is right, then the following should say "OK". E.g:

# testsaslauthd -u alk -p 'AsdQwe!23'
0: OK "Success."

Upside of IPA is very nice UI plus built-in Kerberos.

One downside of this approach that I found is that container may have
hard time booting after it was stopped. If you need somebody to blame,
the would be either systemd or lack of docker's support for systemd,
whichever is more appropriate for your "political orientation". For
that reason, I'll describe second way of setting up ldap auth via
docker.

== Via turnkeylinux/openldap-13 docker image

This image is a bit more basic. It gives you openldap with fancy web
UI. But no kerberos and no built-in groups.

* `# docker run -i -t turnkeylinux/openldap-13.0`

* follow instructions on
https://registry.hub.docker.com/u/turnkeylinux/openldap-13.0/ on how
to recover "random root password" and do first time setup (it
requires ssh-ing into container). This will guide you through basic
configuration of container such us defining root password, ldap
admin password and ldap base (in my case it was ipa.example.test to
match ipa case above).

* note that I had some issue after install that ldaps process was
running with stale config. I fixed it by killing it manually
(`/etc/init.d/ldaps stop` did not work). And then starting it back
via initscript.

* then follow instructions on
https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-a-basic-ldap-server-on-an-ubuntu-12-04-vps#AddOrganizationalUnits,Groups,andUsers
to create basic structure of user groups and one or two user
accounts.

* in the end I got something like: http://i.imgur.com/LsOw6Yw.png

image::http://i.imgur.com/LsOw6Yw.png[]

* configure local saslauthd by:

** enabling it. On my debian box that's editing
/etc/defaults/saslauthd and changing START=yes
MECHANISMS="ldap". Then start it via initscript or systemctl.

** configuring it. Create /etc/saslauthd.conf and put the following (replacing ip address accordingly):

ldap_servers: ldap://172.17.0.3/
ldap_search_base: ou=users,dc=ipa,dc=example,dc=test

** testing it. If everything is right, then the following should say "OK". E.g:

# testsaslauthd -u alk -p 'AsdQwe!23'
0: OK "Success."

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

saslauthd-port.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL