eDirectory/NMAS SASL

From MicroFocusInternationalWiki

Information about NMAS SASL architecture

Some facts

  • NMAS does not have a SASL profile
  • There are two ways of logging into eDirectory using NMAS:
    • NMAS Login
    • NMAS SASL Login
  • NMAS implements its own SASL and provides NMAS_SASL API for clients to call (NMAS_SASL)
  • NMAS allows both clients calling generic SASL API (GEN_SASL) and clients calling NMAS_SASL API

Overview of NMAS_SASL

  • NMAS consists of an LCM and an LSM, where:
    • LCM: Login Client Method (a .so file on the client side, to which client binaries make API calls), e.g. lcmcpwdlin.so in the case of the sample login method
    • LSM: Login Server Method (a .so file on the server side, loaded by the NDS daemon at authentication time), e.g. lsmcpwdlin.so in the case of the sample login method
  • LCM and LSM call MAF functions to exchange challenges and responses
  • MAF functions are declared in the header file maf.h
  • The LCM shared object is compiled with an include path for maf.h in the makefile

Code Flow

  • NOTE: The following is taken from the sample login method.
  • The saslbind client binary calls ldap_init and gets an LDAP handle (the sample's error path needs braces, otherwise return(1) runs unconditionally):

	if ((ld = ldap_init(host, port)) == NULL) {
		printf("\nError in ldap_init\n");
		return 1;
	}

	$ nm /mnt/dirtech/ccm_wa/idc_n4u/edir_sdk~rosalind-SP7_beta1/ | grep -i ldap_init
	0001add8 T ldap_init

  • The saslbind client binary calls the NMAS_SASL API NMAS_ClientLoginEx from libnmasclnt.so and passes the LDAP handle as input:

	rc = NMAS_ClientLoginEx(&loginInfo,            // login information
	                        NMAS_LOGIN_INFO_UTF8,  // UTF8 info structure used
	                        nmas_sasl_transport,   // SASL callback transport function
	                        &transportArg,         // transport function argument
	                        NULL,                  // optional - atEnd function callback,
	                                               // called at end of SASL processing
	                        NULL,                  // optional - atEnd function arg
	                        options);              // options

	$ nm ../../nmas_client_sdk/linux/bin/libnmasclnt.so | grep ClientLoginEx
	00006248 T NMAS_ClientLoginEx

  • NMAS_ClientLoginEx is given the address of nmas_sasl_transport, which is a wrapper around the LDAP SDK function ldap_sasl_bind_s
  • NMAS_ClientLoginEx calls nmas_sasl_transport, which calls ldap_sasl_bind_s with the data generated by the MAF functions; the nmas_sasl_transport callback is called multiple times until authentication is completed
  • ldap_sasl_bind_s comes from the LDAP SDK (saslbind is linked to libldapsdk.so.0; see the last bullet below)
  • NMAS_ClientLoginEx loads the LCM shared object (which does the MAF reads and writes described above) and drives it over the LDAP handle ld through the callback nmas_sasl_transport, the wrapper around ldap_sasl_bind_s, as the comment from the sample login method reproduced below describes:

 * LDAP Transport callback function:
 * This routine is called by the NMAS Client to transport NMAS packets
 * between the eDirectory NMAS Service and the NMAS Client.  
 * Each NMAS packet is transmitted using the ldap_sasl_bind routine.  The NMAS 
 * Service in eDirectory registers the "NMAS_LOGIN" SASL mechanism and 
 * receives the SASL data packets.  
 * The number of request/reply packets is defined by the NMAS Method (LCM/LSM) 
 * which is invoked.  

Hence the following flow:

client -> NMAS_ClientLoginEx -> MAF functions in lcmcpwdlin.so ->
nmas_sasl_transport -> ldap_sasl_bind_s (sends the packet to the server)
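The flow above is easier to see with both ends in one program. The following is an added example and is not code from the sample login method or the NMAS SDK: it models the callback-driven loop in plain C, with model_client_login standing in for NMAS_ClientLoginEx plus the LCM, model_sasl_transport standing in for nmas_sasl_transport, and fake_server_sasl_bind standing in for ldap_sasl_bind_s plus the LSM registered behind the "NMAS_LOGIN" mechanism. The packet layout, the two-round challenge/response, the use of the LDAP result code saslBindInProgress (14) to signal "more packets follow", and the toy FNV-based digest are all assumptions of the model; the real method's packets are opaque to the client application, and the digest is not a MAC.

```c
/* Model of the NMAS_SASL login flow. Added example, not SDK code.
 * Names, packet layout and the toy digest are assumptions of the model. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NMAS_SASL_MECH "NMAS_LOGIN"
/* LDAP result codes (RFC 4511 values) used by the model */
#define LDAP_SUCCESS                   0
#define LDAP_AUTH_METHOD_NOT_SUPPORTED 7
#define LDAP_SASL_BIND_IN_PROGRESS     14
#define LDAP_INVALID_CREDENTIALS       49
#define NONCE_LEN 8
#define MAX_PKT   64

/* server side: state the LSM keeps across the SASL rounds */
typedef struct {
    int round;                 /* which request/reply packet we are on */
    uint8_t nonce[NONCE_LEN];  /* challenge issued in round 0 */
    const char *expected_pw;   /* the user's stored secret */
} lsm_state;

/* Toy keyed digest (FNV-1a over nonce || password). NOT a real MAC; it only
 * gives both sides a value they can compute from the challenge. */
static uint32_t toy_digest(const uint8_t *nonce, size_t nlen, const char *pw)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < nlen; i++) { h ^= nonce[i]; h *= 16777619u; }
    for (; *pw; pw++) { h ^= (uint8_t)*pw; h *= 16777619u; }
    return h;
}

/* One ldap_sasl_bind_s round as the server sees it: consume the client's
 * SASL credentials, produce server credentials, return an LDAP result. */
static int fake_server_sasl_bind(lsm_state *s, const char *mech,
                                 const uint8_t *in, size_t inlen,
                                 uint8_t *out, size_t *outlen)
{
    *outlen = 0;
    if (strcmp(mech, NMAS_SASL_MECH) != 0)
        return LDAP_AUTH_METHOD_NOT_SUPPORTED;
    if (s->round == 0) {                 /* packet 1: hand out the challenge */
        memcpy(out, s->nonce, NONCE_LEN);
        *outlen = NONCE_LEN;
        s->round = 1;
        return LDAP_SASL_BIND_IN_PROGRESS; /* more packets to come */
    }
    if (s->round == 1) {                 /* packet 2: verify the response */
        uint32_t expect = toy_digest(s->nonce, NONCE_LEN, s->expected_pw);
        uint32_t got;
        s->round = 2;
        if (inlen != sizeof got)
            return LDAP_INVALID_CREDENTIALS;
        memcpy(&got, in, sizeof got);
        return got == expect ? LDAP_SUCCESS : LDAP_INVALID_CREDENTIALS;
    }
    return LDAP_INVALID_CREDENTIALS;     /* this method has no third packet */
}

/* client side: the transport callback sends one NMAS packet, gets the reply */
typedef int (*nmas_transport_fn)(void *arg, const uint8_t *out, size_t outlen,
                                 uint8_t *in, size_t *inlen);

typedef struct {
    lsm_state *server;   /* stands in for the LDAP handle ld */
    int calls;           /* how many times the callback ran */
} transport_arg;

/* Plays nmas_sasl_transport: each call is one ldap_sasl_bind_s. */
static int model_sasl_transport(void *arg, const uint8_t *out, size_t outlen,
                                uint8_t *in, size_t *inlen)
{
    transport_arg *t = arg;
    t->calls++;
    return fake_server_sasl_bind(t->server, NMAS_SASL_MECH, out, outlen, in, inlen);
}

/* Plays NMAS_ClientLoginEx together with the LCM's MAF read/write loop. */
static int model_client_login(const char *password, nmas_transport_fn transport,
                              void *arg)
{
    uint8_t in[MAX_PKT];
    size_t inlen = 0;
    /* MAF write: empty start packet; MAF read: expect the challenge back */
    int rc = transport(arg, (const uint8_t *)"", 0, in, &inlen);
    if (rc != LDAP_SASL_BIND_IN_PROGRESS || inlen != NONCE_LEN)
        return rc == LDAP_SUCCESS ? LDAP_INVALID_CREDENTIALS : rc;
    /* LCM computes the response; MAF write sends it, MAF read gets the verdict */
    uint32_t resp = toy_digest(in, inlen, password);
    uint8_t pkt[sizeof resp];
    memcpy(pkt, &resp, sizeof pkt);
    return transport(arg, pkt, sizeof pkt, in, &inlen);
}

/* Run one login; returns the final LDAP result and the number of bind calls. */
int run_login(const char *stored_pw, const char *typed_pw, int *round_trips)
{
    lsm_state server = { 0, {1, 2, 3, 4, 5, 6, 7, 8}, stored_pw }; /* constructed fixed nonce */
    transport_arg t = { &server, 0 };
    int rc = model_client_login(typed_pw, model_sasl_transport, &t);
    if (round_trips) *round_trips = t.calls;
    return rc;
}

int login_round_trips(const char *stored_pw, const char *typed_pw)
{
    int n = 0;
    run_login(stored_pw, typed_pw, &n);
    return n;
}

int main(void)
{
    int n, rc;
    rc = run_login("s3cret", "s3cret", &n);
    printf("good password: rc=%d after %d bind(s)\n", rc, n);
    rc = run_login("s3cret", "wrong", &n);
    printf("bad password:  rc=%d after %d bind(s)\n", rc, n);
    return 0;
}
```

The point to take from the model is structural: the client application never sees method packets, it only hands NMAS_ClientLoginEx a transport callback, and that callback (one ldap_sasl_bind_s per NMAS packet) is where every request and reply passes through, which makes it the natural place to log or inspect a method's traffic when debugging a custom LCM/LSM pair.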

  • Notice that the saslbind binary is linked to libnmasclnt.so and libldapsdk.so.0, whereas lcmcpwdlin.so is not: the LCM never talks to LDAP itself, it only calls the MAF functions, and the transport to the server is supplied by the client through NMAS_ClientLoginEx