From: Leonidas Tsampros
Newsgroups: gmane.emacs.devel
Subject: Re: [PATCH] ldap.el: use auth-source if passwd is not defined in ldap-host-parameters-list
Date: Thu, 10 Mar 2011 23:05:25 +0200
Message-ID: <87tyfak7oq.fsf@bifteki.lan>
References: <878vwuvciv.fsf@bifteki.lan> <87ipvyz2md.fsf@lifelogs.com> <87fwr2udu0.fsf@bifteki.lan> <87ipvvxkqx.fsf@lifelogs.com>
To: Ted Zlatanov
Cc: emacs-devel@gnu.org
Ted Zlatanov writes:

> On Sat, 05 Mar 2011 11:16:39 +0200 Leonidas Tsampros wrote:
>
> LT> Ted Zlatanov writes:
> >>> On Fri, 04 Mar 2011 22:47:20 +0200 Leonidas Tsampros wrote:
> >>>
> LT> Attached you can find a small patch to make ldap.el use auth-source if
> LT> passwd is not defined in the ldap-host-parameters-list.
> >>>
> >>> Cool! I made some changes to it, please let me know what you think:
> >>>
> >>> - must pass `auth-source' set to t in the SEARCH-PLIST to activate this
> >>>   functionality (I don't know if you agree)
>
> LT> Agreed. It's nice not to catch users by surprise.
>
> >>> - search for 'port "ldap"' entries in the netrc file (should we default
> >>>   to no port?)
>
> LT> This is the only part I disagree with a bit. For example, my imap host is
> LT> the same as my ldap host, the credentials are the same for both services,
> LT> and both imap/ldap use the default ports. (This is a classic case of an
> LT> Exchange server I think.)
>
> This makes sense, especially since ldap.el hosts can be in the format
> "server:port". I removed the "port ldap" requirement.
>
> >>> - take the password and use it
> >>>
> >>> - take "binddn" or "user" tokens for `binddn'
> >>>
> >>> - take "base" tokens for `base'
>
> LT> (Really there is no wrong direction in this. We just don't want to carry
> LT> passwords in our configuration files. :)
>
> Agreed, and that's why I've been working on auth-source.el.
>
> Try the attached patch. If it works for you I'll push it into the
> trunk. Let me know if I need to update any other documentation besides
> the docstring. It looks like only Chong Yidong has made significant
> changes to ldap.el since 2005 so I'm not CC-ing the original author.
>
> Thanks
> Ted

Hi Ted,

sorry for the late reply, but here are my findings after applying your patch:

1) authinfo:

   machine ip-address login username password secret-key imap

   and

   (setq ldap-host-parameters-alist
         (quote (("ip-address" base "dc=domain,dc=com" binddn "domain\\username" auth-source "yes"))))

Logging in to both the LDAP and the IMAP server works as expected (on the assumption that they are the same host; this is my personal setup), so I'm pretty happy.

2) authinfo:

   machine ip-address login username password secret-key imap
   machine ip-address binddn domain\username password secret-key port ldap

   and

   (setq ldap-host-parameters-alist
         (quote (("ip-address" base "dc=domain,dc=com" auth-source "yes"))))

The above is the more general case of having a separate LDAP server. This case doesn't work, since auth-source-search returns the first entry and so (plist-get asfound :binddn) returns nothing. In order to work around this case, I thought of the following:

3) authinfo:

   machine ip-address login username password secret-key imap
   machine ip-address:389 binddn domain\username password secret-key

   and

   (setq ldap-host-parameters-alist
         (quote (("ip-address:389" base "dc=domain,dc=com" auth-source "yes"))))

which should work as expected, but I think it breaks eudc-ldap. The module seems to try to match only the 'ip-address' part of the ldap-host-parameters-alist entry, and as such a check to see if a base dn is defined fails. However, I want to double check this again.

Anyway, since we have the auth-source switch to enable this explicitly, I think you can commit this pretty safely and then figure out how to proceed with cases 2) and 3), as I don't think it breaks any functionality. I will try to give it a shot too, in case I come up with a plan.

Thanks for the patch and the effort, and please correct me if I have misunderstood the user scenarios that we would like to support wrt LDAP configuration.

Best Regards,
Leonidas Tsampros
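As an added illustration of case 2 above (this is not code from Ted's patch or from ldap.el), the following helper asks auth-source for more than the single first match for a host and prefers the entry that carries a binddn token. The function name is hypothetical, and it assumes, as the patch discussion does, that the netrc backend exposes the extra binddn token as `:binddn` in the returned plist.

```elisp
(require 'auth-source)

;; Added example, not part of the patch: with two netrc lines for the
;; same machine, the default search (:max 1) yields only the first one,
;; the IMAP entry, which has no binddn token.  Asking for several
;; results and preferring an entry that has one picks the LDAP line.
(defun my-ldap-auth-lookup (host)
  "Return (BINDDN . PASSWORD) for HOST from auth-source, or nil.
Entries carrying a binddn token win over plain login entries.  The
:binddn key assumes the netrc backend keeps that token verbatim."
  (let ((candidates (auth-source-search :host host :max 10))
        (chosen nil))
    ;; First pass: take the first entry that carries a binddn token.
    (dolist (entry candidates)
      (when (and (null chosen) (plist-get entry :binddn))
        (setq chosen entry)))
    ;; Fall back to auth-source's own first match (case 1 above).
    (unless chosen
      (setq chosen (car candidates)))
    (when chosen
      (let ((secret (plist-get chosen :secret)))
        (cons (or (plist-get chosen :binddn) (plist-get chosen :user))
              ;; auth-source returns the password wrapped in a closure so
              ;; the plist itself does not hold it in clear; unwrap it
              ;; only at the point of use.
              (if (functionp secret) (funcall secret) secret))))))

;; Usage: (my-ldap-auth-lookup "ip-address")
```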