[Fedora-directory-devel] Please review: Bug 469261 - Support server-to-server SASL - part 2

Rich Megginson rmeggins at redhat.com
Wed Nov 5 17:06:07 UTC 2008


https://bugzilla.redhat.com/show_bug.cgi?id=469261
Resolves: bug 469261
Bug Description: Support server-to-server SASL - part 2
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: This part focuses on chaining backend - allowing the 
mux server to use SASL to connect to the farm server, and allowing SASL 
authentication to chain.  I had to add two new config parameters for 
chaining:
nsUseStartTLS - on or off - tell connection to use startTLS - default is off
nsBindMechanism - if absent, will just use simple auth.  If present, 
this must be one of the supported mechanisms (EXTERNAL, GSSAPI, 
DIGEST-MD5) - default is absent (simple bind)
The chaining code uses a timeout, so I had to add a timeout to 
slapi_ldap_bind, and correct the replication code to pass in a NULL for 
the timeout parameter.
Fixed a bug in the starttls code in slapi_ldap_init_ext.
The sasl code uses an internal search to find the entry corresponding to 
the sasl user id.  This search could not be chained due to the way it 
was coded.  So I added a new chainable component called cn=sasl and 
changed the sasl internal search code to use this component ID.  This 
allows the sasl code to work with a chained backend.  In order to use 
chaining with sasl, this component must be set in the chaining 
configuration nsActiveChainingComponents.  I also discovered that 
password policy must be configured too, in order for the sasl code to 
determine if the account is locked out.
I fixed a bug in the sasl mapping debug trace code.
Still to come - sasl mappings to work with all of this new code - 
kerberos code improvements - changes to pta and dna
Platforms tested: Fedora 8, Fedora 9
Flag Day: yes
Doc impact: yes
https://bugzilla.redhat.com/attachment.cgi?id=322613&action=diff
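An added configuration example, not part of the patch or of this message, showing how the parameters described above fit together: a chaining (database link) entry that still uses the default of a simple bind over a plaintext connection, then the modifications that switch it to StartTLS plus a SASL bind and enable SASL authentication to chain. Only nsUseStartTLS, nsBindMechanism, nsActiveChainingComponents and the cn=sasl component come from the message; the entry DNs, object classes and the other attribute names follow the usual chaining database layout and are assumptions here, as are the host name, suffix and bind DN.

```ldif
# Before: the mux server reaches the farm server over plain LDAP and binds
# with a simple bind (nsBindMechanism absent = simple bind, nsUseStartTLS
# absent = off). Entry layout and attribute names other than the two new
# parameters are assumed, not taken from the patch.
dn: cn=chain-example,cn=chaining database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsBackendInstance
cn: chain-example
nsslapd-suffix: dc=example,dc=com
nsFarmServerURL: ldap://farm.example.com:389/
nsMultiplexorBindDN: cn=proxy admin,cn=config
nsMultiplexorCredentials: CHANGEME-placeholder

# After: start TLS on the farm connection and bind with one of the
# mechanisms the message lists as supported (EXTERNAL, GSSAPI, DIGEST-MD5).
dn: cn=chain-example,cn=chaining database,cn=plugins,cn=config
changetype: modify
replace: nsUseStartTLS
nsUseStartTLS: on
-
replace: nsBindMechanism
nsBindMechanism: GSSAPI
-

# Let SASL authentication itself chain: the sasl code's internal search for
# the entry matching the SASL user id now runs under the cn=sasl component,
# so that component must be listed as an active chaining component.
# "add" rather than "replace" keeps any components already configured.
dn: cn=config,cn=chaining database,cn=plugins,cn=config
changetype: modify
add: nsActiveChainingComponents
nsActiveChainingComponents: cn=sasl
-
```

The modify records are meant to be fed to ldapmodify against the mux server. As the message notes, chaining SASL authentication also needs a password policy configured, since that is what the sasl code consults to decide whether the account is locked out; without it the chained SASL bind cannot make that check.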