google-code-export / ruby-activeldap

Automatically exported from code.google.com/p/ruby-activeldap

Provide SASL-option support, primarily for authzid #41

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
The attached patches for ruby-ldap and ruby-activeldap provide for passing
SASL authzid options, useful when GSSAPI is being used.

Example usage:
irb> require "active_ldap"
=> true
irb> ActiveLdap::Base.setup_connection(:host => 'ldap-test', :port => 636,
:method => :ssl, :base => 'dc=test', :bind_dn =>
"uid=twopir,ou=accounts,dc=test", :allow_anonymous => false, :try_sasl =>
true, :sasl_options => {:authzid => "dn:cn=Manager,dc=test"}, :sasl_quiet
=> false)
=> nil
irb> class Account < ActiveLdap::Base ; ldap_mapping ; end
SASL/GSSAPI authentication started
SASL username: dn:cn=Manager,dc=test
SASL SSF: 56
SASL data security layer installed.
=> Account(objectClass:<top>, must:<objectClass: OID>, may:<>)
irb> k = Account.find("uid=demo");
irb* k.gecos
=> "Demo Account"
irb> k.gecos = "Testing gssapi-authenticated writes"
=> "Testing gssapi-authenticated writes"
irb> k.save
=> true

Original issue reported on code.google.com by two...@nmt.edu on 5 Mar 2010 at 11:01

Attachments:

GoogleCodeExporter commented 9 years ago

Original comment by kou...@gmail.com on 6 Mar 2010 at 7:39

GoogleCodeExporter commented 9 years ago
Hi Anthony,

Thank you for the patch, I got your email, and I will apply it in git as soon as possible.

Original comment by Alexey.Chebotar@gmail.com on 6 Mar 2010 at 1:44

GoogleCodeExporter commented 9 years ago
Whoops. Here's a corrected patch for activeldap.

Original comment by two...@nmt.edu on 10 Mar 2010 at 9:24

Attachments:

GoogleCodeExporter commented 9 years ago
Hi kou, I've released ruby-ldap v0.9.11.

Please accept ruby-activeldap.patch.

Original comment by Alexey.Chebotar@gmail.com on 15 Mar 2010 at 7:41

GoogleCodeExporter commented 9 years ago
Umm...
I don't like "authcid" and "authzid" names...
"authc_id" and "authz_id" are more Rubyish names.

Original comment by kou...@gmail.com on 21 Mar 2010 at 12:10

GoogleCodeExporter commented 9 years ago
Ok, I will change names of sasl options as soon as possible.

Original comment by Alexey.Chebotar@gmail.com on 21 Mar 2010 at 3:05

GoogleCodeExporter commented 9 years ago
But authzid and authcid are the actual SASL options. Why obfuscate them regardless of
this "rubyish" names idea? It's just more confusing.

Original comment by Jason.Pr...@gmail.com on 19 Apr 2010 at 5:10

GoogleCodeExporter commented 9 years ago
It's OpenLDAP's option name, not a general SASL option name. (Both authzid and
authcid are not in RFC 2222.)

ActiveLdap is a more generic layer than OpenLDAP. ActiveLdap abstracts LDAP
backends: Ruby/LDAP, net-ldap and JNDI. ActiveLdap should use a more generic name
rather than an implementation-specific name.

Original comment by kou...@gmail.com on 20 Apr 2010 at 1:09

GoogleCodeExporter commented 9 years ago
Correct, it's not in the SASL RFC, it's LDAP Authentication RFC 2829
(http://tools.ietf.org/html/rfc2829). Not everything needs rubyistic naming. If they
are just options, why not just leave them alone to pass to subsequent layers as-is, no?
And it's not just openldap, other ldap implementations (which are not based on
openldap, such as OpenDS and Sun DSEE) support the same options. From Perl it's
authzid, in jndi it's authzid not authz_id, no? I am just on the quest for a good
working ruby ldap solution that properly supports and works fine with stock solaris10
and RHEL5 ldap implementations. :) I have it in perl, java, cmdline, python, all I
need is ruby to complete the circle ;)

Original comment by Jason.Pr...@gmail.com on 20 Apr 2010 at 5:28

GoogleCodeExporter commented 9 years ago
I agree with Jason.

P.S.: RFC 2829 Obsoleted by RFC 4513 (http://tools.ietf.org/html/rfc4513)

Original comment by Alexey.Chebotar@gmail.com on 21 Apr 2010 at 9:38

GoogleCodeExporter commented 9 years ago
OK. We'll use authzid.

Original comment by kou...@gmail.com on 21 Apr 2010 at 11:54

GoogleCodeExporter commented 9 years ago
:sasl_options has been supported in trunk.
Thanks.

Original comment by kou...@gmail.com on 25 Apr 2010 at 9:53
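
The authzid value passed through :sasl_options in this thread uses the authzId form from RFC 4513 (a "dn:" or "u:" prefix). The following is an added example, not part of the original thread or of ActiveLdap: a Ruby check that validates that form and restricts the value to an allow-list before it reaches setup_connection. The names parse_authzid, authzid_key, sasl_options_for and the allow-list policy itself are hypothetical.

```ruby
# Added example (not ActiveLdap code): vet an authzid before it is placed in
# :sasl_options. Form per RFC 4513 section 5.2.1.8:
#   authzId = "dn:" distinguishedName / "u:" userid
AuthzidError = Class.new(ArgumentError)

# Split an authzid into [kind, value]; raise AuthzidError if malformed.
def parse_authzid(authzid)
  raise AuthzidError, "authzid must be a String" unless authzid.is_a?(String)
  raise AuthzidError, "control character in authzid" if authzid =~ /[\x00-\x1f\x7f]/
  case authzid
  when /\Adn:(.+)\z/i
    dn = $1
    # Shape check only, not a full RFC 4514 parser: each RDN is attr=value.
    rdns = dn.split(/(?<!\\),/, -1)
    unless rdns.all? { |rdn| rdn =~ /\A\s*[A-Za-z0-9][A-Za-z0-9.-]*\s*=\s*\S.*\z/ }
      raise AuthzidError, "malformed DN in authzid: #{dn.inspect}"
    end
    [:dn, dn]
  when /\Au:(.+)\z/i
    [:u, $1]
  else
    raise AuthzidError, "authzid needs a dn: or u: prefix: #{authzid.inspect}"
  end
end

# Comparison key. Assumption: DNs compare case-insensitively once spaces
# around "," and "=" are dropped (a simplification of real DN matching).
def authzid_key(authzid)
  kind, value = parse_authzid(authzid)
  value = value.gsub(/\s*([,=])\s*/, '\1').downcase if kind == :dn
  "#{kind}:#{value}"
end

# Hypothetical helper: return a :sasl_options hash only for identities on an
# explicit allow-list. The server's own proxy-authorization policy still applies.
def sasl_options_for(authzid, allowed)
  keys = allowed.map { |a| authzid_key(a) }
  unless keys.include?(authzid_key(authzid))
    raise AuthzidError, "authzid not on allow-list: #{authzid.inspect}"
  end
  { :authzid => authzid }
end

# Constructed sample values, reusing the DN from the thread's irb session.
ALLOWED = ["dn:cn=Manager, dc=test"]
opts = sasl_options_for("dn:cn=Manager,dc=test", ALLOWED)
p opts
# Would then be passed as :sasl_options => opts to setup_connection.
```
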