Bind with raw credentials, but not calculate from clear text automatically
YangKeao opened this issue · comments
The bind function call in the OpenLDAP C API is like the following manpage:

```c
int ldap_sasl_bind(LDAP *ld, const char *dn, const char *mechanism,
                   struct berval *cred, LDAPControl *sctrls[],
                   LDAPControl *cctrls[], int *msgidp);

int ldap_sasl_bind_s(LDAP *ld, const char *dn, const char *mechanism,
                     struct berval *cred, LDAPControl *sctrls[],
                     LDAPControl *cctrls[], struct berval **servercredp);
```
The `cred` is calculated manually (like the `DigestMD5BindRequest` in this repo), or calculated by calling functions like `sasl_client_step` or `sasl_client_start`. Could this package expose a similar API to make it possible for users to bind with a given `cred`, without needing to calculate it automatically? I didn't find similar functions in this package. The `DigestMD5BindRequest` helps the user to encode the MD5 message automatically, with the clear text user/password as input.

This is especially useful for client/server applications which want to adopt the LDAP authentication mechanism, and don't want the users to transfer their password in clear text over the network. For example, the MySQL LDAP implementation:
- The mysql-client uses `sasl_client_start` and `sasl_client_step` to create an encrypted (or hashed) `cred`, and passes it to the MySQL server.
- The MySQL server encodes the `cred` into BER format and sends it to the LDAP server (e.g. the implementation of ldap in percona server).
- The authentication may have multiple steps, so the client and server continue a similar process several times, until they get LDAP_SUCCESS or SASL_OK.
This API is also helpful to unify the SASL process of many different mechanisms, like `DigestMD5Bind` and `SCRAM-xxx`...
I'd like to work on this issue and submit a PR for it, but I'm not sure how to design a good API for a similar interface in golang. Do you have any suggestion on the function interface?
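As an added example (not from the issue author or this package), the following hand-encodes the BER shape that a raw-credential SASL bind puts on the wire, so the `cred` bytes from `sasl_client_start`/`sasl_client_step` are passed through unchanged. Function names and the constructed sample inputs are my own; only the Go standard library is used.

```go
package main
import (
	"encoding/hex"
	"fmt"
)

// berLen encodes a definite BER length: short form below 128, long form above.
func berLen(n int) []byte {
	if n < 0x80 {
		return []byte{byte(n)}
	}
	var b []byte
	for v := n; v > 0; v >>= 8 {
		b = append([]byte{byte(v)}, b...)
	}
	return append([]byte{0x80 | byte(len(b))}, b...)
}

// tlv wraps a value in a BER tag-length-value triple.
func tlv(tag byte, val []byte) []byte {
	return append(append([]byte{tag}, berLen(len(val))...), val...)
}

// berInt encodes a non-negative INTEGER, padding so the sign bit stays clear.
func berInt(v int) []byte {
	b := []byte{byte(v)}
	for v >>= 8; v > 0; v >>= 8 {
		b = append([]byte{byte(v)}, b...)
	}
	if b[0]&0x80 != 0 {
		b = append([]byte{0}, b...)
	}
	return tlv(0x02, b)
}

// RawSASLBindRequest builds LDAPMessage{msgID, BindRequest{3, dn, sasl[3]{mechanism, cred}}}.
// cred is sent untouched; nil omits the OPTIONAL credentials, as in a mechanism's first step.
func RawSASLBindRequest(msgID int, dn, mechanism string, cred []byte) []byte {
	sasl := tlv(0x04, []byte(mechanism))
	if cred != nil {
		sasl = append(sasl, tlv(0x04, cred)...)
	}
	body := append(berInt(3), tlv(0x04, []byte(dn))...) // version 3, name
	body = append(body, tlv(0xA3, sasl)...)              // [3] sasl choice
	return tlv(0x30, append(berInt(msgID), tlv(0x60, body)...)) // [APPLICATION 0] in LDAPMessage
}

func main() {
	fmt.Println(hex.EncodeToString(RawSASLBindRequest(1, "", "DIGEST-MD5", nil)))
}
```

Each later step of a challenge/response mechanism is the same message with the next `cred` bytes supplied, which is why a single raw-credential bind function can serve DIGEST-MD5, SCRAM and other mechanisms alike.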
I think this may be a useful feature, and I'd like to see some community engagement in designing the right API for this.