$Id$

opensync-plugin-ldap

0.39:

- Upgraded to openldap-2.4.x.
- Ported the whole plugin from libopensync-0.22 to libopensync-0.3x. This involves:
  -- cmake,
  -- sinks,
  -- the new format of the config file,
  -- use of style sheets for conversion,
  -- moving the conversion routines out into a separate format plugin,
  -- and dozens of other API changes.
- Several issues with the TLS/SSL based encryption of the LDAP session are fixed now.
- Authentication towards the LDAP server offers several possibilities:
  -- Simple authentication.
  -- SASL/DIGEST-MD5 with the password stored externally in the sasldb works.
  -- SASL/CRAM-MD5 with the password stored externally in the sasldb works as well.
  -- SASL/LOGIN with the password stored externally in the sasldb works as well, provided that the session is encrypted.
  -- SASL/PLAIN with the password stored externally in the sasldb works as well, provided that the session is encrypted.
  -- SASL/PLAIN using saslauthd, which calls pam, while the LDAP session is encrypted does NOT work. Pass-through methods would only work if the PLAIN mechanism were used anyway, and the PLAIN mechanism in turn is regarded as a trustworthy mechanism only if the LDAP session is encrypted...
  -- SASL/GSSAPI carrying Kerberos V5 works, even though right now there are no special/separate configuration options regarding the "realm" (TODO). The prerequisite is, as always with Kerberos V5, that a ticket-granting ticket has been obtained prior to running osynctool (e.g. "kinit -V ldap_user").
  -- SASL/EXTERNAL works as well, provided that the LDAP session is encrypted. This method does not use any password at all. The authentication is checked by taking the distinguished name from the SSL/TLS certificate of the client and mapping this SSL/TLS DN to an LDAP DN. This LDAP DN is treated as the authentication DN. The mapping can be configured in slapd.conf (authz-regexp).
  -- Proxy authorization should work (authenticate as one person, act as a different person).
- Some smaller issues, like hangs, error messages etc., have been resolved.
- For the time being the objtype "contact" can be mapped either to the LDAP scheme "evolutionPerson" or to the LDAP scheme "inetOrgPerson". This can be configured.
- The other objtypes are mapped to general object classes, like "ou:" and "document:", while some LDAP attribute names are abused for storing "name" and "value" pairs.
- A test suite has been added. The test suite only works if run inside an environment with a running LDAP server (slapd from openldap-2.4.x), and if LDAP utilities like ldapsearch, ldapadd, ldapmodify and ldapdelete, plus xsltproc and xmllint, are present.

0.22:

- The original version of the opensync-plugin-ldap was written by Gergely Santa.
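The authentication notes above boil down to a small policy: DIGEST-MD5, CRAM-MD5 and GSSAPI are usable on their own, while PLAIN, LOGIN and EXTERNAL are only trustworthy once the LDAP session is encrypted. The following shell helper is an added example, not part of the plugin or its test suite; it composes an ldapwhoami invocation (the same openldap utilities the test suite relies on) for a chosen mechanism and refuses to emit a command that would send PLAIN/LOGIN credentials, or rely on EXTERNAL, without forcing StartTLS via -ZZ. The LDAP URI, user name and TLS flag are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example (not opensync-plugin-ldap code): build an ldapwhoami command
# line for a SASL mechanism and enforce "encrypted session required" for the
# mechanisms the changelog lists as safe only over TLS.

# sasl_needs_tls MECH
#   returns 0 if MECH must only be used inside an encrypted session,
#   1 if it is acceptable on its own, 2 if the mechanism is unknown.
sasl_needs_tls() {
    case "$1" in
        PLAIN|LOGIN|EXTERNAL)        return 0 ;;
        DIGEST-MD5|CRAM-MD5|GSSAPI)  return 1 ;;
        *)                           return 2 ;;
    esac
}

# build_whoami URI MECH USER TLS(yes|no)
#   prints the ldapwhoami command to run, or prints nothing and returns 1
#   when the mechanism/TLS combination is unknown or unsafe.
build_whoami() {
    uri=$1; mech=$2; user=$3; tls=$4
    rc=0
    sasl_needs_tls "$mech" || rc=$?
    if [ "$rc" -eq 2 ]; then
        echo "unknown mechanism: $mech" >&2
        return 1
    fi
    if [ "$rc" -eq 0 ] && [ "$tls" != yes ]; then
        echo "refusing $mech without StartTLS" >&2
        return 1
    fi
    cmd="ldapwhoami -H $uri -Y $mech"
    if [ "$tls" = yes ]; then
        cmd="$cmd -ZZ"          # -ZZ: StartTLS must succeed or the tool aborts
    fi
    case "$mech" in
        EXTERNAL) ;;            # identity comes from the client certificate DN
        GSSAPI)   ;;            # identity comes from the Kerberos TGT (kinit first)
        *)        cmd="$cmd -U $user" ;;   # SASL authentication id for the rest
    esac
    printf '%s\n' "$cmd"
}

# Sample use with a constructed placeholder host (not a real server):
#   build_whoami ldap://ldap.example.test DIGEST-MD5 alice no
#   build_whoami ldap://ldap.example.test PLAIN alice yes
#   build_whoami ldap://ldap.example.test PLAIN alice no    # refused
```

Running the printed command against a slapd that has the mechanisms enabled returns the authorization DN the server actually assigned, which is the quickest way to confirm that an authz-regexp mapping for EXTERNAL, or the sasldb entry for DIGEST-MD5/CRAM-MD5, resolves to the expected LDAP DN before pointing osynctool at it.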