EDirectory/NMAS SASL
From CoolSolutionsWiki
Revision as of 10:25, 25 May 2012
Information about NMAS SASL architecture
Some facts
1. NMAS does not have a SASL profile
2. There are two ways of logging into eDirectory using NMAS:
   a. NMAS Login
   b. NMAS SASL Login
3. NMAS implements its own SASL and provides the NMAS_SASL API for clients to call (NMAS_SASL)
4. NMAS allows both clients calling the generic SASL API (GEN_SASL) and clients calling the NMAS_SASL API
Architecture of NMAS_SASL
1. Consists of LCM and LSM, where:
LCM: Login Client Method (a .so file in the client side,
to which binaries can make API calls)
Eg: lcmcpwdlin.so in the case of sample login method
LSM: Login Server Method (a .so file on the server side
which is loaded by the NDS daemon at the time of authentication)
Eg: lsmcpwdlin.so in the case of sample login method
2. LCM and LSM call MAF functions to exchange challenges and responses
3. MAF functions are declared in the header file:
/mnt/dirtech/ccm_wa/idc_nmas/nmas_methods_external#auth#1~idc_nmas#2.8.2.3/nmas_methods_external/nmas_ndk_deliver/nmas_client_sdk/sdkinc/legacy/maf.h
4. LCM shared object is compiled with include path for maf.h in the makefile
Flow
NOTE: This is taken from the sample login method:
1. saslbind client binary calls ldap_init and gets ldap object:
if (( ld = ldap_init(host, port)) == NULL)
{
printf ( "\nError in ldap_init\n");
return( 1 );
}
$ nm /mnt/dirtech/ccm_wa/idc_n4u/edir_sdk~rosalind-SP7_beta1/edir_sdk/components/cldap_sdk/lib/Linux/i386/debug/libldapsdk.so | grep -i ldap_init
0001add8 T ldap_init
2. The saslbind client binary calls the NMAS_SASL API NMAS_ClientLoginEx and passes the ldap object as input:
rc = NMAS_ClientLoginEx( &loginInfo,           // login information
                         NMAS_LOGIN_INFO_UTF8, // UTF8 Info structure used
                         nmas_sasl_transport,  // sasl callback transport function
                         &transportArg,        // transport function argument
                         NULL,                 // optional - atEnd function callback, called at end of sasl processing
                         NULL,                 // optional - atEnd function arg
                         options               // options
                       );
$nm ../../nmas_client_sdk/linux/bin/libnmasclnt.so | grep ClientLoginEx
00006248 T NMAS_ClientLoginEx
3. NMAS_ClientLoginEx is provided with the address of nmas_sasl_transport, which is a wrapper around the SASL callback function ldap_sasl_bind_s
4. NMAS_ClientLoginEx calls nmas_sasl_transport, which calls the ldap_sasl_bind_s function, supplying it with data generated using MAF functions (the nmas_sasl_transport callback function is called multiple times until authentication is completed)
5. ldap_sasl_bind_s function is present in:
/opt/novell/eDirectory/lib/libldapsdk.so.0
6. NMAS_ClientLoginEx loads the LCM shared object (and does MAF reads and writes as described there) on the ldap transport object ld using the callback function nmas_sasl_transport, which is a wrapper around ldap_sasl_bind_s (as mentioned in the comment in the sample_login_method reproduced below):
/******************************************************************************
* LDAP Transport callback function:
*
* This routine is called by the NMAS Client to transport NMAS packets
* between the eDirectory NMAS Service and the NMAS Client.
*
* Each NMAS packet is transmitted using the ldap_sasl_bind routine. The NMAS
* Service in eDirectory registers the "NMAS_LOGIN" SASL mechanism and
* receives the SASL data packets.
*
* The number request/reply packets is defined by the NMAS Method (LCM/LSM)
* which is invoked.
Hence the following flow:
client -> NMAS_ClientLoginEx -> MAF functions in lcmcpwdlin.so -> nmas_sasl_transport -> ldap_sasl_bind_s for sending to server
7. Notice that the saslbind binary is __linked__ to libnmasclnt.so and libldapsdk.so.0, whereas lcmcpwdlin.so is not
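The following is an added, self-contained model of the architecture and flow described above (LCM and LSM exchanging challenge/response packets through a transport callback that is invoked once per bind round until the server reports completion). It is example code written for this page, not code from the NMAS SDK, the sample login method, or Novell: the packet format, the mock_lcm_step/mock_lsm_step methods, the XOR-based challenge check and the mock_sasl_transport callback are all constructed stand-ins, and no real NMAS or LDAP SDK function is called. What it shows that the prose does not is the shape of the driver loop that NMAS_ClientLoginEx plays: the client never decides success on its own, a bind round that returns an error aborts the login, and the number of rounds is bounded so a misbehaving server method cannot keep the client spinning.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define PKT_MAX 64
#define MAX_ROUNDS 8   /* constructed upper bound on bind rounds per login */

/* One packet carried by a single (mock) ldap_sasl_bind_s call. */
typedef struct { unsigned char buf[PKT_MAX]; size_t len; } pkt_t;

enum { XPORT_CONTINUE = 0, XPORT_DONE = 1, XPORT_ERROR = -1 };
enum { LOGIN_OK = 0, LOGIN_FAILED = 1, LOGIN_TRANSPORT_ERR = 2, LOGIN_TOO_MANY_ROUNDS = 3 };

/* Transport callback: the role nmas_sasl_transport plays on the page.
 * Sends one client packet, receives one server packet per call. */
typedef int (*transport_fn)(void *arg, const pkt_t *out, pkt_t *in);

static void pkt_set(pkt_t *p, const void *data, size_t n) {
    if (n > PKT_MAX) n = PKT_MAX;
    memcpy(p->buf, data, n);
    p->len = n;
}

/* --- Server side: stand-in for the LSM loaded by the NDS daemon (constructed) --- */
typedef struct {
    int round;            /* protocol round the server expects next */
    int authenticated;    /* set only when the response verifies */
    unsigned char nonce[4];
    const char *secret;   /* constructed 4-byte shared secret */
    int binds_seen;       /* how many bind rounds were processed */
} mock_lsm_t;

static int mock_lsm_step(mock_lsm_t *s, const pkt_t *in, pkt_t *out) {
    s->binds_seen++;
    if (s->round == 0) {   /* expect "HELLO <user>", answer with a challenge */
        if (in->len < 6 || memcmp(in->buf, "HELLO ", 6) != 0) return XPORT_ERROR;
        const unsigned char fixed[4] = {0x10, 0x20, 0x30, 0x40}; /* fixed nonce: deterministic example */
        memcpy(s->nonce, fixed, 4);
        unsigned char msg[10] = "NONCE:";
        memcpy(msg + 6, s->nonce, 4);
        pkt_set(out, msg, 10);
        s->round = 1;
        return XPORT_CONTINUE;
    }
    if (s->round == 1) {   /* expect response = nonce XOR secret, verdict ends the exchange */
        unsigned char expect[4];
        for (int i = 0; i < 4; i++) expect[i] = s->nonce[i] ^ (unsigned char)s->secret[i];
        s->round = 2;
        if (in->len == 4 && memcmp(in->buf, expect, 4) == 0) { s->authenticated = 1; pkt_set(out, "OK", 2); }
        else pkt_set(out, "FAIL", 4);
        return XPORT_DONE;
    }
    return XPORT_ERROR;    /* any extra round after the verdict is a protocol error */
}

/* Mock of the ldap_sasl_bind_s wrapper: one call == one bind round. */
static int mock_sasl_transport(void *arg, const pkt_t *out, pkt_t *in) {
    return mock_lsm_step((mock_lsm_t *)arg, out, in);
}

/* --- Client side: stand-in for the LCM (lcmcpwdlin.so in the sample method) --- */
typedef struct { const char *user; const char *secret; } mock_lcm_t;

static int mock_lcm_step(const mock_lcm_t *c, int round, const pkt_t *last_in, pkt_t *out) {
    if (round == 0) {
        char msg[PKT_MAX];
        int n = snprintf(msg, sizeof msg, "HELLO %s", c->user);
        if (n < 0 || (size_t)n >= sizeof msg) return -1;
        pkt_set(out, msg, (size_t)n);
        return 0;
    }
    if (last_in->len == 10 && memcmp(last_in->buf, "NONCE:", 6) == 0) {
        unsigned char resp[4];
        for (int i = 0; i < 4; i++) resp[i] = last_in->buf[6 + i] ^ (unsigned char)c->secret[i];
        pkt_set(out, resp, 4);
        return 0;
    }
    return -1;             /* unexpected server packet: do not guess a reply */
}

/* Driver modelling NMAS_ClientLoginEx: call the transport until DONE, error or round bound. */
static int model_client_login_ex(const mock_lcm_t *lcm, transport_fn transport, void *arg) {
    pkt_t out = {{0}, 0}, in = {{0}, 0};
    for (int round = 0; round < MAX_ROUNDS; round++) {
        if (mock_lcm_step(lcm, round, &in, &out) != 0) return LOGIN_FAILED;
        int rc = transport(arg, &out, &in);
        if (rc == XPORT_ERROR) return LOGIN_TRANSPORT_ERR;
        if (rc == XPORT_DONE)
            return (in.len == 2 && memcmp(in.buf, "OK", 2) == 0) ? LOGIN_OK : LOGIN_FAILED;
    }
    return LOGIN_TOO_MANY_ROUNDS;
}

/* Runs one full login; the server's own state is the final authority on success. */
static int run_login(const char *user, const char *cs, const char *ss, int *rounds_out) {
    mock_lsm_t lsm = {0, 0, {0}, ss, 0};
    mock_lcm_t lcm = {user, cs};
    int rc = model_client_login_ex(&lcm, mock_sasl_transport, &lsm);
    if (rounds_out) *rounds_out = lsm.binds_seen;
    return (rc == LOGIN_OK && !lsm.authenticated) ? LOGIN_FAILED : rc;
}

int login_result(const char *user, const char *cs, const char *ss) { return run_login(user, cs, ss, NULL); }
int login_rounds(const char *user, const char *cs, const char *ss) { int r = 0; run_login(user, cs, ss, &r); return r; }

int main(void) {
    printf("correct secret: rc=%d rounds=%d\n", login_result("admin", "s3cr", "s3cr"), login_rounds("admin", "s3cr", "s3cr"));
    printf("wrong secret:   rc=%d rounds=%d\n", login_result("admin", "wrng", "s3cr"), login_rounds("admin", "wrng", "s3cr"));
    return 0;
}
```

In the real flow the transport argument is the ldap object returned by ldap_init and each transport call is an ldap_sasl_bind_s with the NMAS_LOGIN mechanism; here the mock LSM takes that place so the two-round exchange runs offline. The points worth keeping when reading the real callback are the ones the driver enforces: an error from a bind round ends the login immediately, a DONE result is only accepted together with the server's verdict, and MAX_ROUNDS caps how many bind rounds a method may request.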