[CDRIVER-783] Add support for SASL plugins Created: 07/Aug/15  Updated: 03/May/17  Resolved: 20/Nov/15

Status: Closed
Project: C Driver
Component/s: auth
Affects Version/s: None
Fix Version/s: TBD

Type: New Feature Priority: Major - P3
Reporter: Kevin Liew Assignee: A. Jesse Jiryu Davis
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
related to CDRIVER-592 Deprecate mongoc_init_ctor/dtor Closed
is related to CDRIVER-1233 Crash after Kerberos plugin cleanup r... Closed
is related to CDRIVER-299 Native GSSAPI on windows Closed
is related to CDRIVER-791 Support SSPI on Windows Closed
Epic Link: Native SASL

 Description   

As of Cyrus-SASL 2.1.18, SASL_PATH cannot be used to set the plugin directory.



 Comments   
Comment by A. Jesse Jiryu Davis [ 20/Nov/15 ]

Great, thanks for letting us know!

Comment by Kevin Liew [ 20/Nov/15 ]

Hi Jesse, sasl_set_path works. Thanks

Comment by A. Jesse Jiryu Davis [ 03/Sep/15 ]

Note: using sasl_set_path, if the driver is compiled with GCC, will require additionally that the driver is compiled something like:

make MONGOC_NO_AUTOMATIC_GLOBALS=1

... to prevent mongoc_init from being called before main. This is yet another argument for doing CDRIVER-592 as soon as possible, in the C Driver 2.0.

Comment by A. Jesse Jiryu Davis [ 02/Sep/15 ]

Hi Kevin, I believe the default SASL plugin path for Cyrus SASL is C:\CMU\bin\sasl2 on Windows. (And it's /usr/lib/sasl2 on Unix.)

I think Cyrus SASL might provide the hook you need, without anything special from the C Driver. Can you include "sasl/sasl.h" in your code and call something like:

sasl_set_path (SASL_PATH_TYPE_PLUGIN, "C:\\mypath");

Call it before mongoc_init ().

http://fossies.org/dox/cyrus-sasl-2.1.26/lib_2common_8c_source.html#l00205
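
Added example, not part of the original thread or of the C Driver: one way to handle the runtime choice discussed in these comments, picking the plugin directory from a fixed list and checking its ownership and permissions before sasl_set_path, since that directory decides which plugin code gets loaded. It goes beyond the thread by using Unix paths and permission checks; the directory names, mode strings and the WITH_CYRUS_SASL macro are assumptions, and with GCC the driver build still needs MONGOC_NO_AUTOMATIC_GLOBALS=1 as noted above.

```c
/* Added example, not MongoDB C Driver code. Directory names, mode strings and
 * the WITH_CYRUS_SASL macro are assumptions made for illustration. */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#ifdef WITH_CYRUS_SASL
#include <sasl/sasl.h>
#include <mongoc.h>
#endif

/* Map the configured mode to a fixed directory; the setting is never used
 * as a path itself. Returns NULL for an unknown mode. */
const char *plugin_dir_for_mode(const char *mode) {
    if (mode && strcmp(mode, "mit") == 0)  return "/opt/example/sasl2-mit";
    if (mode && strcmp(mode, "sspi") == 0) return "/opt/example/sasl2-sspi";
    return NULL;
}

/* Return 1 only for an absolute path naming a real directory that is owned
 * by root or the current user and is not group- or world-writable. */
int plugin_dir_is_trusted(const char *dir) {
    struct stat st;
    if (!dir || dir[0] != '/') return 0;
    if (lstat(dir, &st) != 0 || !S_ISDIR(st.st_mode)) return 0;
    if (st.st_uid != 0 && st.st_uid != geteuid()) return 0;
    return (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Returns 0 on success, -1 if the mode is unknown or the directory is unsafe. */
int init_with_plugin_dir(const char *mode) {
    const char *dir = plugin_dir_for_mode(mode);
    if (!dir || !plugin_dir_is_trusted(dir)) return -1;
#ifdef WITH_CYRUS_SASL
    if (sasl_set_path(SASL_PATH_TYPE_PLUGIN, (char *)dir) != SASL_OK) return -1;
    mongoc_init();  /* must come after sasl_set_path */
#endif
    return 0;
}

int main(void) {
    const char *mode = "mit";  /* constructed; a real program reads its config */
    if (init_with_plugin_dir(mode) != 0) {
        fprintf(stderr, "refusing SASL plugin directory for mode '%s'\n", mode);
        return 1;
    }
    return 0;
}
```

Build with -DWITH_CYRUS_SASL and link against Cyrus SASL and the driver to enable the real calls; without the macro only the selection and directory checks are compiled.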

Comment by Kevin Liew [ 18/Aug/15 ]

Is the default SASL plugin path known? There is no documentation regarding

Comment by Hannes Magnusson [ 11/Aug/15 ]

OK, so you really do want to get the SASL_CB_GETPATH callback?
I would have to look into if that has any side effects.
Like, what would happen if you executed a mongodb query to find which path you are supposed to use....
Maybe we can just document that as a programming error.

Comment by Kevin Liew [ 11/Aug/15 ]

We will distribute one compiled driver to our users who choose between MIT Kerberos or Windows Active Directory by setting a registry variable. Our use case requires a function that can be called during run-time to set the sasl plugin path before initializing the sasl client.

Comment by Hannes Magnusson [ 11/Aug/15 ]

Ah OK.
You want to be able to provide an alternative directory for cyrus-sasl to search for the GSSAPI plugin.

Currently you can compile the driver, with GSSAPI support, as long as the plugin is installed in the expected "default path".

I don't think we would want to expose the actual SASL_CB_GETPATH callback, but instead we could provide a configure setting, --with-sasl-plugins-dir, which you could provide and point to the path we would provide to SASL_CB_GETPATH?

Considering this isn't a blocker (you can compile it properly) I don't believe we will be able to implement this before 1.2.

Comment by Kevin Liew [ 07/Aug/15 ]

We want to be able to use a GSSAPI plugin for either Windows Active Directory, or MIT Kerberos depending on the user's configuration. Cyrus-Sasl uses the first plugin it finds in a directory, so we need to have the plugins in separate directories. Thus we would like the plugin path to be controllable at runtime.

Comment by Kevin Liew [ 07/Aug/15 ]

The use case is: connecting a Windows client to a UNIX MIT Kerberos server.

Comment by Kevin Liew [ 07/Aug/15 ]

Previously SASL_PATH could be used to set the plugin directory path, but it was removed from the Cyrus-Sasl libraries and cannot be used any longer.

Now the plugin path must be set by the SASL_CB_GETPATH callback before sasl_client_init.

We are asking for a function to set the sasl plugin path because Windows needs a plugin to use GSSAPI.

Comment by Hannes Magnusson [ 07/Aug/15 ]

I'm a little bit confused over what exactly you are asking for.

The MongoDB C driver doesn't actively allow you, or disallow, setting SASL_PATH, nor do I think we should.
This is dealt with in cyrus-sasl, and you should be running 2.1.26 which does not have this problem.

As for which SASL plugins we support, we only support the mechanisms the MongoDB server supports... You wouldn't gain much if the driver supported more mechanisms without the server doing so too.

Comment by Kevin Liew [ 07/Aug/15 ]

Information on SASL_PATH:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0884
