My not so uninteresting notes


Saturday 26 November 2011

Doing GSSAPI in PERL without libauthen-sasl-cyrus-perl

The ability to do GSSAPI for SASL in PERL is great: it allows scripted connections to services (IMAP, LDAP, ...) that require a password without storing the password in clear text.

But the current version of libauthen-sasl-cyrus-perl in Debian Squeeze is broken, at least partially:

perl: ../../../src/util/support/threads.c :351 : krb5int_key_register:  L'assertion « destructors_set[keynum] == 0 » a échoué

It seems to be the case for some other people too.

While waiting for the bug to be fixed, there is a workaround: use the non-cyrus GSSAPI module for SASL, which depends on the PERL implementation of gssapi. By chance both are in the Debian repository, so they are rather easy to get:

sudo apt-get install libgssapi-perl libauthen-sasl-perl

And then, in the perl program, insist on using the "pure" PERL implementation of the SASL library:

use Authen::SASL qw(Perl);

Et voilà, that's all!
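What the two lines above buy you in practice, as an added example (not code from the original post): a scripted LDAP search that authenticates with Kerberos over SASL/GSSAPI through the pure-Perl Authen::SASL backend (Authen::SASL::Perl::GSSAPI, which needs the GSSAPI module from libgssapi-perl). No password is stored anywhere; the ticket comes from the Kerberos credential cache. The host name and base DN are placeholders, and the backend check uses Authen::SASL's client_new to confirm that the Perl implementation, not Authen::SASL::Cyrus, was selected.

```perl
#!/usr/bin/perl
# Added example (not code from the original post): scripted LDAP search
# authenticated with Kerberos over SASL/GSSAPI via the pure-Perl
# Authen::SASL backend. No password is stored: the ticket is taken from
# the Kerberos credential cache (kinit, or a keytab for cron jobs).
# Host name and base DN are placeholders.
use strict;
use warnings;
use Net::LDAP;
use Authen::SASL qw(Perl);   # insist on the pure-Perl SASL implementation

my $host = 'ldap.example.com';    # placeholder
my $base = 'dc=example,dc=com';   # placeholder

my $sasl = Authen::SASL->new(mechanism => 'GSSAPI');

# Sanity check for the problem the post describes: the client object must
# come from Authen::SASL::Perl::*, not from Authen::SASL::Cyrus.
my $client = $sasl->client_new('ldap', $host);
die "wrong SASL backend: " . ref($client) . "\n"
    unless ref($client) =~ /^Authen::SASL::Perl::/;

my $ldap = Net::LDAP->new($host, version => 3)
    or die "cannot connect to $host: $@\n";

# Net::LDAP derives the service principal (ldap/<host>) from the host it
# connected to, so the bind needs nothing but the mechanism. A missing or
# expired ticket shows up here as a GSSAPI error, not as a bad password.
my $mesg = $ldap->bind(sasl => $sasl);
die "SASL/GSSAPI bind failed: " . $mesg->error . "\n" if $mesg->code;

my $res = $ldap->search(
    base   => $base,
    scope  => 'sub',
    filter => '(objectClass=person)',
    attrs  => ['cn'],
);
die "search failed: " . $res->error . "\n" if $res->code;

print $_->get_value('cn'), "\n" for $res->entries;
$ldap->unbind;
```

For an unattended job, obtain the ticket from a keytab beforehand (kinit -k -t with the service principal) into a credential cache that only the job's user can read, and point KRB5CCNAME at it; the script itself never sees a secret.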

Friday 8 July 2011

SSO for dokuwiki

I tend to prefer dokuwiki over other Wiki tools. One thing that is neat with dokuwiki is that you can use Active Directory as a backend for user storage and user rights. If you don't want to multiply the number of databases where your users live and where their rights are assigned, I think that's a must!

But one big minus is that there is no way to use any kind of SSO technique like NTLMSSP auth or Kerberos. That's too bad, because I guess people get tired of having to type and retype their password everywhere (and it leads to weaker passwords to my mind, as they know they'll have to type it 10, 20 ... 100 times a day).

In order to support SSO, the following patch is needed, together with mod_auth_kerberos.

The patch enables SASL bind in AdLDAP (the library used by dokuwiki for Active Directory lookups), as most SASL implementations know how to use Kerberos (well, GSSAPI). This implementation also knows how to request additional tickets (if delegation is authorized), so that further connections can be made without asking the user to (re)enter their password.

I also created a ticket in AdLDAP's request tracker so that hopefully this patch will become mainstream.
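The delegation mechanism the patch relies on, shown as an added example in Perl rather than the adLDAP (PHP) patch itself: a server-side script that reuses the user's delegated Kerberos credentials to bind to Active Directory over SASL/GSSAPI, so the user is never asked for a password a second time. It assumes Apache with mod_auth_kerb authenticating the browser (Negotiate) with credential saving enabled, which stores the forwarded ticket in a credential cache and exports its path in KRB5CCNAME, with the user's principal in REMOTE_USER. The domain controller name and base DN are placeholders.

```perl
#!/usr/bin/perl
# Added example (not the adLDAP patch from the post): bind to AD as the
# logged-in user with the Kerberos credentials that mod_auth_kerb delegated
# to the web server. Assumes mod_auth_kerb sets REMOTE_USER and KRB5CCNAME.
# Domain controller and base DN are placeholders.
use strict;
use warnings;
use CGI;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);
use Authen::SASL qw(Perl);   # pure-Perl SASL backend, as in the first post

my $host = 'dc1.example.com';     # placeholder AD domain controller
my $base = 'dc=example,dc=com';   # placeholder

# Reply with an HTTP error and stop; used for every failure path below.
sub bail {
    my ($status, $msg) = @_;
    print CGI->new->header(-status => $status, -type => 'text/plain'), "$msg\n";
    exit 0;
}

# Without delegated credentials there is nothing to reuse: refuse rather
# than silently fall back to a stored service account password.
my $user  = $ENV{REMOTE_USER}
    or bail('403 Forbidden', 'not authenticated by mod_auth_kerb');
my $cache = $ENV{KRB5CCNAME}
    or bail('403 Forbidden', "no delegated credentials for $user (credential saving off, or the account is not trusted for delegation)");

my $ldap = Net::LDAP->new($host, version => 3)
    or bail('502 Bad Gateway', "cannot connect to $host: $@");

# GSSAPI reads the ticket from the cache named by KRB5CCNAME, so this bind
# runs with the user's own identity, not the web server's.
my $mesg = $ldap->bind(sasl => Authen::SASL->new(mechanism => 'GSSAPI'));
bail('502 Bad Gateway', 'GSSAPI bind failed: ' . $mesg->error) if $mesg->code;

# Look up the user's own entry; strip the realm (user@EXAMPLE.COM -> user)
# and escape the value so a crafted principal cannot alter the filter.
(my $sam = $user) =~ s/@.*\z//;
my $res = $ldap->search(
    base   => $base,
    scope  => 'sub',
    filter => '(sAMAccountName=' . escape_filter_value($sam) . ')',
    attrs  => ['memberOf'],
);
bail('502 Bad Gateway', 'search failed: ' . $res->error) if $res->code;
my $entry = $res->entry(0)
    or bail('404 Not Found', "no AD account for $sam");

print CGI->new->header(-type => 'text/plain');
print "$user (ticket cache $cache) is a member of:\n";
print "  $_\n" for $entry->get_value('memberOf');
$ldap->unbind;
```

Two things are worth checking when wiring this up: the web server's own account must be allowed to delegate in AD, otherwise KRB5CCNAME is never set and the script refuses the request, and the saved credential caches land on the web server's disk, so their directory should be private to the Apache user and cleaned up regularly.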