summaryrefslogtreecommitdiff
path: root/security
diff options
context:
space:
mode:
authorAde Lovett <ade@FreeBSD.org>2000-09-19 02:59:29 +0000
committerAde Lovett <ade@FreeBSD.org>2000-09-19 02:59:29 +0000
commit636d1ebd70fd6825fbd4d30b41abf865213aa9ab (patch)
tree953ae4954ca6298cd0351b443730249166fc8d76 /security
parentUpdate to version 1.0 (diff)
Cyrus-SASL 1.5.24 sources changed on Aug 15th
-- changed a hard coded value to a variable. Kerberos IV detection fails due to double check on krb_mk_priv (with/without com_err), used cached value from first check for krb_mk_priv. Added addtional pwcheck methods (MySQL & LDAP Authentication). PR: 21383 Submitted by: maintainer
Diffstat (limited to 'security')
-rw-r--r--security/cyrus-sasl/Makefile34
-rw-r--r--security/cyrus-sasl/distinfo2
-rw-r--r--security/cyrus-sasl/files/Sendmail.README25
-rw-r--r--security/cyrus-sasl/files/patch-ab113
-rw-r--r--security/cyrus-sasl/files/patch-ag15
-rw-r--r--security/cyrus-sasl/files/patch-ah9
-rw-r--r--security/cyrus-sasl/files/patch-ai357
-rw-r--r--security/cyrus-sasl/files/patch-aj46
-rw-r--r--security/cyrus-sasl/files/patch-ak30
-rw-r--r--security/cyrus-sasl/pkg-install30
-rw-r--r--security/cyrus-sasl/pkg-message17
-rw-r--r--security/cyrus-sasl/pkg-plist13
-rw-r--r--security/cyrus-sasl/scripts/configure.sasl59
-rw-r--r--security/cyrus-sasl2/Makefile34
-rw-r--r--security/cyrus-sasl2/distinfo2
-rw-r--r--security/cyrus-sasl2/files/Sendmail.README25
-rw-r--r--security/cyrus-sasl2/files/patch-ab113
-rw-r--r--security/cyrus-sasl2/files/patch-ag15
-rw-r--r--security/cyrus-sasl2/files/patch-ah9
-rw-r--r--security/cyrus-sasl2/files/patch-ai357
-rw-r--r--security/cyrus-sasl2/files/patch-aj46
-rw-r--r--security/cyrus-sasl2/files/patch-ak30
-rw-r--r--security/cyrus-sasl2/pkg-install30
-rw-r--r--security/cyrus-sasl2/pkg-message17
-rw-r--r--security/cyrus-sasl2/pkg-plist13
-rw-r--r--security/cyrus-sasl2/scripts/configure.sasl59
26 files changed, 1456 insertions, 44 deletions
diff --git a/security/cyrus-sasl/Makefile b/security/cyrus-sasl/Makefile
index f3005bb5f4e9..ae2a1b27b0db 100644
--- a/security/cyrus-sasl/Makefile
+++ b/security/cyrus-sasl/Makefile
@@ -7,6 +7,7 @@
PORTNAME= cyrus-sasl
PORTVERSION= 1.5.24
+PORTREVISION= 1
CATEGORIES= security
MASTER_SITES= ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/ \
${MASTER_SITE_LOCAL} \
@@ -19,8 +20,6 @@ USE_OPENSSL= RSA
INSTALLS_SHLIB= yes
-.include <bsd.port.pre.mk>
-
Y2K= http://asg.web.cmu.edu/cyrus/imapd/y2k.html
MAN3= sasl.3 sasl_authorize_t.3 sasl_callbacks.3 sasl_checkpass.3 \
@@ -32,8 +31,11 @@ MAN3= sasl.3 sasl_authorize_t.3 sasl_callbacks.3 sasl_checkpass.3 \
sasl_setprop.3 sasl_usererr.3
MAN8= sasldblistusers.8 saslpasswd.8
-USE_AUTOCONF= YES
+USE_AUTOMAKE= YES
USE_LIBTOOL= YES
+AUTOHEADER= autoheader
+AUTOMAKE= automake --add-missing --include-deps
+
CONFIGURE_ARGS= --sysconfdir=${PREFIX}/etc \
--with-plugindir=${PREFIX}/lib/sasl \
--with-dbpath=${PREFIX}/etc/sasldb \
@@ -43,7 +45,12 @@ CONFIGURE_ARGS= --sysconfdir=${PREFIX}/etc \
--with-pwcheck=/var/pwcheck \
--with-rc4=openssl
-# JavaSASL is currently Broken
+SCRIPTS_ENV= WRKDIRPREFIX="${WRKDIRPREFIX}" \
+ PREFIX="${PREFIX}" \
+ TOUCH="${TOUCH}" \
+ MKDIR="${MKDIR}"
+
+# JavaSASL needs someone to look at to get it to build
#JAVADIR= jdk1.1.8
#JAVALIBDIR= ${PREFIX}/${JAVADIR}/lib/i386/green_threads/
@@ -93,12 +100,18 @@ PLIST_SUB= PREFIX=${PREFIX} \
EBONES=${EBONES} \
NOPORTDOCS=${NODOCS}
+pre-fetch:
+ @${SETENV} ${SCRIPTS_ENV} ${SH} ${SCRIPTDIR}/configure.sasl
+
+pre-configure:
+ @(cd ${WRKSRC} && ${AUTOHEADER})
+
# Create Cyrus user and group
pre-install:
@${SH} ${PKGDIR}/INSTALL ${PKGNAME} PRE-INSTALL
post-install:
- @${SED} -e "/%%PREFIX%%/s##${PREFIX}#g" ${FILESDIR}/pwcheck.sh \
+ @${SED} -e "/%%PREFIX%%/s##${PREFIX}#g" ${FILESDIR}/pwcheck.sh \
> ${PREFIX}/etc/rc.d/pwcheck.sh
@${CHMOD} 755 ${PREFIX}/etc/rc.d/pwcheck.sh
${INSTALL} -d -m 700 -o cyrus -g cyrus /var/pwcheck
@@ -110,20 +123,19 @@ post-install:
.for file in ${DOC2}
@${INSTALL_DATA} ${WRKSRC}/doc/${file} ${PREFIX}/share/doc/SASL
.endfor
+ @${INSTALL_DATA} ${FILESDIR}/Sendmail.README ${PREFIX}/share/doc
.for file in ${HTDOCS}
@${INSTALL_DATA} ${WRKSRC}/doc/${file}.html ${PREFIX}/share/doc/SASL/html
.endfor
.endif
+ @PKG_PREFIX=${PREFIX} BATCH=${BATCH} ${SH} ${PKGDIR}/INSTALL ${PKGNAME} POST-INSTALL
+ @${CAT} ${PKGMESSAGE}
-.if exists(${WRKDIRPREFIX}${.CURDIR}/Makefile.inc)
post-clean:
@${RM} -f ${WRKDIRPREFIX}${.CURDIR}/Makefile.inc
+.if exists(${WRKDIRPREFIX}${.CURDIR}/Makefile.inc)
.include "${WRKDIRPREFIX}${.CURDIR}/Makefile.inc"
-.elif ${PREFIX} != ${LOCALBASE}
-# Save PREFIX so that it can be used during make install
-.BEGIN:
- @echo "PREFIX= ${PREFIX}" > ${WRKDIRPREFIX}${.CURDIR}/Makefile.inc
.endif
-.include <bsd.port.post.mk>
+.include <bsd.port.mk>
diff --git a/security/cyrus-sasl/distinfo b/security/cyrus-sasl/distinfo
index 6981d65ce1b0..c21d945c6267 100644
--- a/security/cyrus-sasl/distinfo
+++ b/security/cyrus-sasl/distinfo
@@ -1 +1 @@
-MD5 (cyrus-sasl-1.5.24.tar.gz) = aedc0f8b594e2a13503b375ed78f62b7
+MD5 (cyrus-sasl-1.5.24.tar.gz) = ac3837c071c258b80021325936db2583
diff --git a/security/cyrus-sasl/files/Sendmail.README b/security/cyrus-sasl/files/Sendmail.README
new file mode 100644
index 000000000000..7063c93e90e8
--- /dev/null
+++ b/security/cyrus-sasl/files/Sendmail.README
@@ -0,0 +1,25 @@
+How to enable SMTP AUTH with FreeBSD default Sendmail 8.11
+
+1. Edit /usr/src/usr.sbin/sendmail/Makefile, and change the line:
+
+ LDADD= -lutil -lwrap
+into
+ LDADD+= -lutil -lwrap
+
+ NOTE: This change is in 5.0-CURRENT and will be MFC'd to
+ 4.1-STABLE later.
+
+2) Add the following to /etc/make.conf:
+
+# Add SMTP AUTH support to Sendmail
+.if ${.CURDIR} == "/usr/src/usr.sbin/sendmail"
+CFLAGS+=-DSASL -I/usr/local/include/sasl -L/usr/local/lib
+LDADD+=-lsasl
+.endif
+
+3) Rebuild FreeBSD (make buildworld, ...)
+
+4) Create /usr/local/lib/sasl/Sendmail.conf with the following.
+
+ pwcheck_method: pwcheck
+
diff --git a/security/cyrus-sasl/files/patch-ab b/security/cyrus-sasl/files/patch-ab
index 797e5ef3a899..1acd48d34144 100644
--- a/security/cyrus-sasl/files/patch-ab
+++ b/security/cyrus-sasl/files/patch-ab
@@ -1,5 +1,5 @@
---- configure.in.orig Thu Aug 3 14:34:08 2000
-+++ configure.in Thu Aug 3 14:39:24 2000
+--- configure.in.orig Thu Jul 20 21:35:01 2000
++++ configure.in Sat Sep 16 13:58:02 2000
@@ -66,8 +66,9 @@
dnl check for -R, etc. switch
CMU_GUESS_RUNPATH_SWITCH
@@ -12,3 +12,112 @@
AM_DISABLE_STATIC
+@@ -310,6 +311,88 @@
+ fi
+ AM_CONDITIONAL(PWCHECK, test "$with_pwcheck" != no)
+
++dnl MySQL
++AC_ARG_WITH(mysql, [ --with-mysql=PATH enable authentication from MySQL database [no] ],
++ with_mysql=$withval,
++ with_mysql=no)
++
++if test -z "$with_mysql"; then
++ for mysqlloc in lib/mysql lib
++ do
++ if test -f ${prefix}/${mysqlloc}/libmysqlclient.a; then
++ with_mysql="${prefix}"
++ break
++ elif test -f /usr/local/${mysqlloc}/libmysqlclient.a; then
++ with_mysql="/usr/local"
++ break
++ elif test -f /usr/${mysqlloc}/libmysqlclient.a; then
++ with_mysql="/usr"
++ break
++ fi
++ done
++fi
++
++LIB_MYSQL=""
++case "$with_mysql" in
++ no) true;;
++ ""|yes) AC_CHECK_LIB(mysqlclient, mysql_select_db,
++ AC_DEFINE(HAVE_MYSQL)
++ LIB_MYSQL="-lmysqlclient",
++ with_mysql=no);;
++ *) if test -d ${with_mysql}/include/mysql; then
++ CPPFLAGS="$CPPFLAGS -I${with_mysql}/include/mysql"
++ else
++ CPPFLAGS="$CPPFLAGS -I${with_mysql}/include"
++ fi
++ if test -d ${with_mysql}/lib/mysql; then
++ LDFLAGS="$LDFLAGS -L${with_mysql}/lib/mysql"
++ fi
++ AC_DEFINE(HAVE_MYSQL)
++ LIB_MYSQL="-lmysqlclient";;
++esac
++AC_SUBST(LIB_MYSQL)
++
++dnl LDAP
++AC_ARG_WITH(ldap, [ --with-ldap=PATH enable authentication from LDAP [no] ],
++ with_ldap=$withval,
++ with_ldap=no)
++
++if test -z "$with_ldap"; then
++ for ldaploc in lib/ldap lib
++ do
++ if test -f ${prefix}/${ldaploc}/libldap.a; then
++ with_ldap="${prefix}"
++ break
++ elif test -f /usr/local/${ldaploc}/libldap.a; then
++ with_ldap="/usr/local"
++ break
++ elif test -f /usr/${ldaploc}/libldap.a; then
++ with_ldap="/usr"
++ break
++ fi
++ done
++fi
++
++LIB_LDAP=""
++case "$with_ldap" in
++ no) true;;
++ ""|yes) AC_CHECK_LIB(ldap, ldap_open,
++ AC_DEFINE(HAVE_LDAP)
++ LIB_LDAP="-lldap -llber",
++ with_ldap=no);;
++ *) if test -d ${with_ldap}/include/ldap; then
++ CPPFLAGS="${CPPFLAGS} -I${with_ldap}/include/ldap"
++ else
++ CPPFLAGS="${CPPFLAGS} -I${with_ldap}/include"
++ fi
++ if test -d ${with_ldap}/lib/ldap; then
++ LDFLAGS="$LDFLAGS -L${with_ldap}/lib/ldap"
++ fi
++ AC_DEFINE(HAVE_LDAP)
++ LIB_LDAP="-lldap -llber";;
++esac
++AC_SUBST(LIB_LDAP)
++
+ dnl CRAM-MD5
+ AC_ARG_ENABLE(cram, [ --enable-cram enable CRAM-MD5 authentication [yes] ],
+ cram=$enableval,
+@@ -434,11 +517,15 @@
+ fi
+
+ if test "$with_des" != no; then
++ case "$host_os" in
++ freebsd*)
++ COM_ERR="-lcom_err"
++ ;;
++ esac
+ AC_CHECK_HEADER(krb.h,
+- AC_CHECK_LIB(krb, krb_mk_priv, COM_ERR="",
+- AC_CHECK_LIB(krb, krb_mk_priv, COM_ERR="-lcom_err",
+- AC_WARN(No Kerberos V4 found); krb4=no, -ldes -lcom_err),
+- -ldes),
++ AC_CHECK_LIB(krb, krb_mk_priv,:,
++ AC_WARN(No Kerberos V4 found); krb4=no,
++ -ldes $COM_ERR),
+ AC_WARN(No Kerberos V4 found); krb4=no)
+ else
+ AC_WARN(No DES library found for Kerberos V4 support)
diff --git a/security/cyrus-sasl/files/patch-ag b/security/cyrus-sasl/files/patch-ag
new file mode 100644
index 000000000000..591a08e66ab5
--- /dev/null
+++ b/security/cyrus-sasl/files/patch-ag
@@ -0,0 +1,15 @@
+--- acconfig.h.orig Wed Jul 5 11:59:25 2000
++++ acconfig.h Fri Sep 15 20:56:28 2000
+@@ -84,6 +84,12 @@
+ /* do we have PAM for plaintext password checking? */
+ #undef HAVE_PAM
+
++/* do we have MySQL for plaintext password checking? */
++#undef HAVE_MYSQL
++
++/* do we have LDAP for plaintext password checking? */
++#undef HAVE_LDAP
++
+ /* what flavor of GSSAPI are we using? */
+ #undef HAVE_GSS_C_NT_HOSTBASED_SERVICE
+
diff --git a/security/cyrus-sasl/files/patch-ah b/security/cyrus-sasl/files/patch-ah
new file mode 100644
index 000000000000..deb47e550737
--- /dev/null
+++ b/security/cyrus-sasl/files/patch-ah
@@ -0,0 +1,9 @@
+--- lib/Makefile.am.orig Thu Jul 20 21:35:02 2000
++++ lib/Makefile.am Fri Sep 15 20:56:28 2000
+@@ -53,5 +53,5 @@
+ EXTRA_libsasl_la_SOURCES = db_none.c db_ndbm.c db_gdbm.c db_berkeley.c db_testw32.c
+ libsasl_la_LDFLAGS = -version-info $(sasl_version)
+ libsasl_la_DEPENDENCIES = $(SASL_DB_BACKEND) @LTLIBOBJS@
+-libsasl_la_LIBADD = @LTLIBOBJS@ $(SASL_DB_BACKEND) $(SASL_DB_LIB) $(SASL_DL_LIB) $(PLAIN_LIBS)
++libsasl_la_LIBADD = @LTLIBOBJS@ $(SASL_DB_BACKEND) $(SASL_DB_LIB) $(SASL_DL_LIB) $(PLAIN_LIBS) ${LIB_LDAP} ${LIB_MYSQL}
+ # PLAIN_LIBS are linked in for sasl_checkpass
diff --git a/security/cyrus-sasl/files/patch-ai b/security/cyrus-sasl/files/patch-ai
new file mode 100644
index 000000000000..a630c2ca8d67
--- /dev/null
+++ b/security/cyrus-sasl/files/patch-ai
@@ -0,0 +1,357 @@
+--- lib/checkpw.c.orig Wed Jul 19 20:24:13 2000
++++ lib/checkpw.c Sat Sep 16 21:07:33 2000
+@@ -95,10 +95,19 @@
+ #include <sys/un.h>
+ #ifdef HAVE_UNISTD_H
+ #include <unistd.h>
+-#endif
++#endif /* HAVE_UNISTD_H */
+
+ extern int errno;
+-#endif
++#endif /* HAVE_PWCHECK */
++
++#ifdef HAVE_MYSQL
++#include <mysql.h>
++#endif /* HAVE_MYSQL */
++
++#ifdef HAVE_LDAP
++#include <lber.h>
++#include <ldap.h>
++#endif /* HAVE_LDAP */
+
+ #ifdef HAVE_KRB
+
+@@ -170,12 +179,20 @@
+ memcpy (&temp_key, "kerberos", 8);
+ des_fixup_key_parity (&temp_key);
+ des_key_sched (&temp_key, schedule);
++#ifdef __FreeBSD__
++ des_cbc_cksum ((const unsigned char *)password, &ivec, passlen, schedule, &ivec);
++#else
+ des_cbc_cksum ((des_cblock *)password, &ivec, passlen, schedule, &ivec);
++#endif
+
+ memcpy (&temp_key, &ivec, sizeof temp_key);
+ des_fixup_key_parity (&temp_key);
+ des_key_sched (&temp_key, schedule);
++#ifdef __FreeBSD__
++ des_cbc_cksum ((const unsigned char *)password, key, passlen, schedule, &ivec);
++#else
+ des_cbc_cksum ((des_cblock *)password, key, passlen, schedule, &ivec);
++#endif
+
+ des_fixup_key_parity (key);
+
+@@ -210,10 +227,17 @@
+ return (str);
+ }
+
++#ifdef __FreeBSD__
++static int use_key(const char *user __attribute__((unused)),
++ char *instance __attribute__((unused)),
++ const char *realm __attribute__((unused)),
++ const void *key, des_cblock *returned_key)
++#else
+ static int use_key(char *user __attribute__((unused)),
+ char *instance __attribute__((unused)),
+ char *realm __attribute__((unused)),
+ void *key, des_cblock *returned_key)
++#endif
+ {
+ memcpy (returned_key, key, sizeof(des_cblock));
+ return 0;
+@@ -838,7 +862,7 @@
+
+
+ /* pwcheck daemon-authenticated login */
+-static int pwcheck_verify_password(sasl_conn_t *conn,
++static int pwcheck_verify_password(sasl_conn_t *conn __attribute__((unused)),
+ const char *userid,
+ const char *passwd,
+ const char *service __attribute__((unused)),
+@@ -853,8 +877,10 @@
+ static char response[1024];
+ int start, n;
+ char pwpath[1024];
++#if 0 /* Not used */
+ sasl_getopt_t *getopt;
+ void *context;
++#endif
+
+ if (reply) { *reply = NULL; }
+
+@@ -902,6 +928,260 @@
+
+ #endif
+
++#ifdef HAVE_MYSQL
++/* DMZ mysql auth 12/29/1999
++ * Updated to 1.5.24 by SWH 09/12/2000
++ */
++#ifdef USE_CRYPT_PASSWORD
++#define QUERY_STRING "select %s from %s where %s = '%s' and %s = password('%s')"
++#else
++#define QUERY_STRING "select %s from %s where %s = '%s' and %s = '%s'"
++#endif
++
++static int mysql_verify_password(sasl_conn_t *conn,
++ const char *userid,
++ const char *password,
++ const char *service __attribute__((unused)),
++ const char *user_realm __attribute__((unused)),
++ const char **reply)
++{
++ unsigned int numrows;
++ MYSQL mysql,*sock;
++ MYSQL_RES *result;
++ char qbuf[300];
++ char *db_user="",
++ *db_passwd="",
++ *db_host="",
++ *db_uidcol="",
++ *db_pwcol="",
++ *db_database="",
++ *db_table="";
++ sasl_getopt_t *getopt;
++ void *context;
++
++ if (!userid || !password) {
++ return SASL_BADPARAM;
++ }
++ if (reply) { *reply = NULL; }
++
++ /* check to see if the user configured a mysqluser/passwd/host/etc */
++ if (_sasl_getcallback(conn, SASL_CB_GETOPT, &getopt, &context) == SASL_OK) {
++ getopt(context, NULL, "mysql_user", (const char **) &db_user, NULL);
++ if (!db_user) db_user = "";
++ getopt(context, NULL, "mysql_passwd", (const char **) &db_passwd, NULL);
++ if (!db_passwd) db_passwd = "";
++ getopt(context, NULL, "mysql_host", (const char **) &db_host, NULL);
++ if (!db_host) db_host = "";
++ getopt(context, NULL, "mysql_database", (const char **) &db_database, NULL);
++ if (!db_database) db_database = "";
++ getopt(context, NULL, "mysql_table", (const char **) &db_table, NULL);
++ if (!db_table) db_table = "";
++ getopt(context, NULL, "mysql_uidcol", (const char **) &db_uidcol, NULL);
++ if (!db_uidcol) db_uidcol = "";
++ getopt(context, NULL, "mysql_pwdcol", (const char **) &db_pwcol, NULL);
++ if (!db_pwcol) db_pwcol = "";
++ }
++
++ if (!(sock = mysql_connect(&mysql,db_host,db_user,db_passwd)))
++ {
++ if (reply) { *reply = "cannot connect to MySQL server"; }
++ return SASL_FAIL;
++ }
++
++ if (mysql_select_db(sock,db_database) < 0)
++ {
++ mysql_close(sock);
++ if (reply) { *reply = "cannot select MySQL database"; }
++ return SASL_FAIL;
++ }
++ /* select DB_UIDCOL from DB_TABLE where DB_UIDCOL = 'userid' AND DB_PWCOL = password('password') */
++ sprintf(qbuf,QUERY_STRING,db_uidcol,db_table,db_uidcol,userid,db_pwcol,password);
++ if (mysql_query(sock,qbuf) < 0 || !(result=mysql_store_result(sock)))
++ {
++ mysql_close(sock);
++ return SASL_FAIL;
++ }
++
++ if (result) //There were some rows found
++ {
++ if ((numrows = mysql_affected_rows(&mysql)) != 1)
++ {
++ mysql_free_result(result);
++ mysql_close(sock);
++ if ((numrows > 1) && (reply)) { *reply = "Detected duplicate entries for user"; }
++ return SASL_BADAUTH;
++ } else {
++ mysql_free_result(result);
++ mysql_close(sock);
++ return SASL_OK;
++ }
++ }
++ mysql_free_result(result);
++ mysql_close(sock);
++ return SASL_BADAUTH;
++}
++#endif /* HAVE_MYSQL */
++
++#ifdef HAVE_LDAP
++/* simon@surf.org.uk LDAP auth 07/11/2000
++ * Updated to 1.5.24 by SWH 09/12/2000
++ */
++
++#define LDAP_SERVER "localhost"
++#define LDAP_BASEDN "o=JOFA, c=UK"
++#define LDAP_UIDATTR "uid"
++
++#ifndef TRUE
++# define TRUE 1
++# define FALSE 0
++#endif
++
++static int ldap_isdigits(char *value)
++{
++ char *ptr;
++ int num = TRUE;
++
++ for (ptr = value; *ptr != '\0' && num != FALSE; ptr++) {
++ if (!isdigit(*ptr))
++ num = FALSE;
++ }
++
++ return num;
++}
++
++static int ldap_verify_password(sasl_conn_t *conn,
++ const char *userid,
++ const char *password,
++ const char *service __attribute__((unused)),
++ const char *user_realm __attribute__((unused)),
++ const char **reply)
++{
++
++ LDAP *ld;
++ LDAPMessage *result;
++ LDAPMessage *entry;
++ char *attrs[2];
++ char filter[200];
++ char *dn,
++ *ldap_server="",
++ *ldap_basedn="",
++ *ldap_uidattr="",
++ *port_num="";
++ int ldap_port = LDAP_PORT;
++ int count;
++ sasl_getopt_t *getopt;
++ void *context;
++
++ /* If the password is NULL, reject the login...
++ * Otherwise the bind will succed as a reference bind. Not good...
++ */
++ if (strcmp(password,"") == 0)
++ {
++ return SASL_BADPARAM;
++ }
++
++ if (reply) { *reply = NULL; }
++
++ /* check to see if the user configured a mysqluser/passwd/host/etc */
++ if (_sasl_getcallback(conn, SASL_CB_GETOPT, &getopt, &context) == SASL_OK) {
++ getopt(context, NULL, "ldap_server", (const char **) &ldap_server, NULL);
++ if (!ldap_server) ldap_server = LDAP_SERVER;
++ getopt(context, NULL, "ldap_basedn", (const char **) &ldap_basedn, NULL);
++ if (!ldap_basedn) {
++ if (reply) { *reply = "ldap_basedn not defined"; }
++ return SASL_BADPARAM;
++ }
++ getopt(context, NULL, "ldap_uidattr", (const char **) &ldap_uidattr, NULL);
++ if (!ldap_uidattr) ldap_uidattr = LDAP_UIDATTR;
++ getopt(context, NULL, "ldap_port", (const char **) &port_num, NULL);
++ if (!port_num) {
++ ldap_port = LDAP_PORT;
++ } else if (!ldap_isdigits(port_num)) {
++ if (reply) { *reply = "ldap_port - invalid value"; }
++ return SASL_BADPARAM;
++ } else {
++ ldap_port = atoi(port_num);
++ }
++ }
++
++ /* Open the LDAP connection. */
++ if ((ld = ldap_open(ldap_server, ldap_port)) == NULL)
++ {
++ if (reply) { *reply = "cannot connect to LDAP server"; }
++ return SASL_FAIL;
++ }
++
++ /* Bind anonymously so that you can find the DN of the appropriate user. */
++ if (ldap_simple_bind_s(ld,"","") != LDAP_SUCCESS)
++ {
++ ldap_unbind(ld);
++ if (reply) { *reply = "cannot bind to LDAP server"; }
++ return SASL_FAIL;
++ }
++
++ /* Generate a filter that will return the entry with a matching UID */
++ sprintf(filter,"(%s=%s)", ldap_uidattr,userid);
++
++ /* Just return country...This doesn't actually matter, since we will
++ * not read the attributes and values, only the DN
++ */
++ attrs[0] = "c";
++ attrs[1] = NULL;
++
++ /* Perform the search... */
++ if (ldap_search_s(ld,ldap_basedn,LDAP_SCOPE_SUBTREE,filter,attrs,1,&result) != LDAP_SUCCESS )
++ {
++ ldap_unbind(ld);
++ return SASL_BADAUTH;
++ }
++
++ /* If the entry count is not equal to one, either the UID was not unique or
++ * there was no match
++ */
++ if ((count = ldap_count_entries(ld,result)) != 1)
++ {
++ ldap_msgfree(result);
++ ldap_unbind(ld);
++ if ((count > 1) && (reply)) { *reply = "Detected duplicate entries for user"; }
++ return SASL_BADAUTH;
++ }
++
++ /* Get the first entry */
++ if ((entry = ldap_first_entry(ld,result)) == NULL)
++ {
++ ldap_msgfree(result);
++ ldap_unbind(ld);
++ return SASL_BADAUTH;
++ }
++
++ /* Get the DN of the entry */
++ if ((dn = ldap_get_dn(ld,entry)) == NULL)
++ {
++ ldap_msgfree(entry);
++ ldap_unbind(ld);
++ return SASL_BADAUTH;
++ }
++
++ /* Now bind as the DN with the password supplied earlier...
++ * Successful bind means the password was correct, otherwise the
++ * password is invalid.
++ */
++ if (ldap_simple_bind_s(ld,dn,(char *)password) != LDAP_SUCCESS)
++ {
++ free(dn);
++ ldap_msgfree(entry);
++ ldap_unbind(ld);
++ return SASL_BADAUTH;
++ }
++
++ free(dn);
++ ldap_msgfree(entry);
++ ldap_unbind(ld);
++ return SASL_OK;
++}
++
++#endif /* HAVE_LDAP */
++
+ struct sasl_verify_password_s _sasl_verify_password[] = {
+ { "sasldb", &sasldb_verify_password },
+ #ifdef HAVE_KRB
+@@ -921,6 +1201,12 @@
+ #endif
+ #ifdef HAVE_PWCHECK
+ { "pwcheck", &pwcheck_verify_password },
++#endif
++#ifdef HAVE_MYSQL
++ { "mysql", &mysql_verify_password },
++#endif
++#ifdef HAVE_LDAP
++ { "ldap", &ldap_verify_password },
+ #endif
+ { NULL, NULL }
+ };
diff --git a/security/cyrus-sasl/files/patch-aj b/security/cyrus-sasl/files/patch-aj
new file mode 100644
index 000000000000..569384a100d4
--- /dev/null
+++ b/security/cyrus-sasl/files/patch-aj
@@ -0,0 +1,46 @@
+--- doc/sysadmin.html.orig Wed Jul 12 21:59:51 2000
++++ doc/sysadmin.html Fri Sep 15 20:56:28 2000
+@@ -171,6 +171,43 @@
+ <dt><i>pwcheck</i><dd> checks passwords with the use of a seperate,
+ helper daemon. <b>needs to be documented.</b><p>
+
++<dt><i>mysql</i><dd> A MySQL database can be used for plaintext
++ password checking by setting "pwcheck_method" to "mysql".<p>
++
++ <p>The following SASL options are used for MySQL Authentication:<p>
++
++ <dl>
++ <dd>mysql_user: &lt;user&gt;</dd>
++ <dd>mysql_passwd: &lt;cleartext pw&gt;</dd>
++ <dd>mysql_host: &lt;host&gt;</dd>
++ <dd>mysql_database: &lt;database&gt;</dd>
++ <dd>mysql_table: &lt;table&gt;</dd>
++ <dd>mysql_uidcol: &lt;username col&gt;</dd>
++ <dd>mysql_pwdcol: &lt;password col&gt;</dd>
++ </dl>
++
++ <p>MySQL pwcheck_method created by <a href="mailto:dmz@dmzs.com">David Matthew Zendzian</a>
++ the original patch may be found at <a href="http://www.dmzs.com/~dmz/projects/cyrus/">http://www.dmzs.com/~dmz/projects/cyrus/</a>.<p>
++
++<dt><i>ldap</i><dd> A LDAP server can be used for plaintext password
++ checking by setting "pwcheck_method" to "ldap".<p>
++
++ <p>The following SASL options are used for LDAP Authentication:<p>
++
++ <dl>
++ <dd>ldap_server: &lt;LDAP Server [localhost]&gt;
++ <dd>ldap_basedn: &lt;LDAP base dn&gt;
++ <dd>ldap_uidattr: &lt;LDAP uid attribute [uid]&gt;
++ <dd>ldap_port: &lt;LDAP port [389]&gt;
++ </dl>
++
++ <p>It is a requirement that "ldap_basedn" be set to the appropriate
++ value for your site<br>
++ (ex. ldap_basedn: o=surf, c=UK)<p>
++
++ <p>LDAP pwcheck_method created by <a href="mailto:simon@surf.org.uk">Simon@surf.org.uk</a>
++ the original patch may be found at <a href="http://www.surf.org.uk/">http://www.surf.org.uk/</a>.<p>
++
+ <dt><i>write your own</i><dd> Last, but not least, the most flexible
+ method of authentication for PLAIN is to write your own. If you do
+ so, any application that calls the "<tt>sasl_checkpass()</tt>"
diff --git a/security/cyrus-sasl/files/patch-ak b/security/cyrus-sasl/files/patch-ak
new file mode 100644
index 000000000000..ecbd20ca3239
--- /dev/null
+++ b/security/cyrus-sasl/files/patch-ak
@@ -0,0 +1,30 @@
+--- plugins/kerberos4.c.orig Wed Apr 19 11:18:48 2000
++++ plugins/kerberos4.c Sat Sep 16 18:49:20 2000
+@@ -696,8 +696,13 @@
+
+ /* decrypt; verify checksum */
+
++#ifdef __FreeBSD__
++ des_pcbc_encrypt((const unsigned char *)in,
++ (unsigned char *)in,
++#else
+ des_pcbc_encrypt((des_cblock *)in,
+ (des_cblock *)in,
++#endif
+ clientinlen,
+ text->init_keysched,
+ &text->session,
+@@ -1192,8 +1197,13 @@
+ }
+ sout[len]=0;
+
++#ifdef __FreeBSD__
++ des_pcbc_encrypt((const unsigned char *)sout,
++ (unsigned char *)sout,
++#else
+ des_pcbc_encrypt((des_cblock *)sout,
+ (des_cblock *)sout,
++#endif
+ len,
+ text->init_keysched,
+ (des_cblock *)text->session,
diff --git a/security/cyrus-sasl/pkg-install b/security/cyrus-sasl/pkg-install
index d008d0c8ac5a..b3b0fa2cdd31 100644
--- a/security/cyrus-sasl/pkg-install
+++ b/security/cyrus-sasl/pkg-install
@@ -7,11 +7,15 @@
#set -vx
+PKG_BATCH=${BATCH:=NO}
+
+PKG_PREFIX=${PKG_PREFIX:=/usr/local}
+
#
# create 'cyrus' user and group before installing
#
-create() {
+create_user() {
if [ ! -x /usr/sbin/pw ]; then
echo "*** Please add a user and a group named \`cyrus' before installing this package."
exit 69
@@ -65,9 +69,31 @@ create() {
fi
}
+create_sasldb() {
+ if [ ! -f ${PGK_PREFIX}/etc/sasldb.db ]; then
+ touch ${PGK_PREFIX}/etc/sasldb.db
+ chown cyrus:mail ${PGK_PREFIX}/etc/sasldb.db
+ chmod 640 ${PGK_PREFIX}/etc/sasldb.db
+ fi
+}
+
+# This should really be installed by Sendmail
+
+sendmail_conf() {
+ if [ ! -f ${PKG_PREFIX}/lib/sasl/Sendmail.conf ]; then
+ echo "pwcheck_method: pwcheck" > ${PKG_PREFIX}/lib/sasl/Sendmail.conf
+ fi
+}
+
case $2 in
PRE-INSTALL)
- create
+ create_user
+ ;;
+ POST-INSTALL)
+ if [ "${PKG_BATCH}" = "NO" ]; then
+ create_sasldb
+ sendmail_conf
+ fi
;;
esac
diff --git a/security/cyrus-sasl/pkg-message b/security/cyrus-sasl/pkg-message
index 6f87cd3c393b..1016d9655c5a 100644
--- a/security/cyrus-sasl/pkg-message
+++ b/security/cyrus-sasl/pkg-message
@@ -1,4 +1,15 @@
-Start the pwcheck program to have clients use the SASL libraries
-as a non-root user:
+PREFIX/etc/cyrusdb.db now needs to be created
+before applications that depend on SASL are used.
- /usr/local/etc/rc.d/pwcheck.sh [start|stop]
+ su cyrus
+ PREFIX/sbin/saslpasswd -c userid
+
+You will also need to start the pwcheck daemon:
+
+ PREFIX/etc/rc.d/pwcheck.sh start
+
+Read the documentation in PREFIX/share/doc/SASL
+
+How to enable SMTP AUTH with system Sendmail 8.11 - Sendmail.README
+
+How to use LDAP or MySQL for passwords - see html/sysadmin.html
diff --git a/security/cyrus-sasl/pkg-plist b/security/cyrus-sasl/pkg-plist
index 8d412ca78221..dbb7a8d31995 100644
--- a/security/cyrus-sasl/pkg-plist
+++ b/security/cyrus-sasl/pkg-plist
@@ -1,5 +1,7 @@
@unexec %D/etc/rc.d/pwcheck.sh stop ; echo "pwcheck stopped."
etc/rc.d/pwcheck.sh
+@comment remove ../etc/sasldb.db only if it exists and has a zero size.
+@unexec [ -f %D/etc/sasldb.db -a ! -s %D/etc/sasldb.db ] && rm %D/etc/sasldb.db
include/sasl/hmac-md5.h
include/sasl/md5.h
include/sasl/md5global.h
@@ -31,7 +33,10 @@ lib/sasl/liblogin.so.0
lib/sasl/libplain.a
lib/sasl/libplain.so
lib/sasl/libplain.so.1
-@dirrm lib/sasl
+@comment Sendmail.conf should be installed/uninstalled by Sendmail 8.11.
+@comment We install it here because Sendmail 8.11 is in the base system.
+@unexec echo "pwcheck_method: pwcheck" > %B/Sendmail.conf.tmp
+@unexec if cmp -s %B/Sendmail.conf %B/Sendmail.conf.tmp; then rm -f %B/Sendmail.conf %B/Sendmail.conf.tmp; else rm -f %B/Sendmail.conf.tmp fi
sbin/sasldblistusers
sbin/saslpasswd
sbin/pwcheck
@@ -41,6 +46,7 @@ sbin/pwcheck
%%NOPORTDOCS%%share/doc/SASL/INSTALL
%%NOPORTDOCS%%share/doc/SASL/NEWS
%%NOPORTDOCS%%share/doc/SASL/README
+%%NOPORTDOCS%%share/doc/SASL/Sendmail.README
%%NOPORTDOCS%%share/doc/SASL/TODO
%%NOPORTDOCS%%share/doc/SASL/draft-leach-digest-sasl-05.txt
%%NOPORTDOCS%%share/doc/SASL/draft-newman-auth-scram-03.txt
@@ -55,12 +61,13 @@ sbin/pwcheck
%%NOPORTDOCS%%share/doc/SASL/html/sysadmin.html
%%NOPORTDOCS%%@dirrm share/doc/SASL/html
%%NOPORTDOCS%%@dirrm share/doc/SASL
+@dirrm lib/sasl
@mode u=rwx,go=
@cwd /var
@exec mkdir pwcheck
@exec chown cyrus:cyrus pwcheck
@exec chmod go= pwcheck
-@comment This file gets create by the pwcheck program
-@unexec rm -f pwcheck/pwcheck
+@comment This file gets created by the pwcheck program
+@unexec rm -f /var/pwcheck/pwcheck
@dirrm pwcheck
@cwd %%PREFIX%%
diff --git a/security/cyrus-sasl/scripts/configure.sasl b/security/cyrus-sasl/scripts/configure.sasl
new file mode 100644
index 000000000000..75c4258fa056
--- /dev/null
+++ b/security/cyrus-sasl/scripts/configure.sasl
@@ -0,0 +1,59 @@
+#!/bin/sh
+# $FreeBSD$
+
+if [ -f ${WRKDIRPREFIX}${CURDIR}/Makefile.inc ]; then
+ exit
+fi
+
+if [ "${BATCH}" ]; then
+ exit
+else
+ /usr/bin/dialog --title "Additional pwcheck methods" --clear \
+ --checklist "\n\
+Please select desired options:" -1 -1 16 \
+MySQL "MySQL password Authentication" OFF \
+OpenLDAP "OpenLDAP password Authentication" OFF \
+2> /tmp/checklist.tmp.$$
+
+ retval=$?
+
+ if [ -s /tmp/checklist.tmp.$$ ]; then
+ set `cat /tmp/checklist.tmp.$$`
+ fi
+ rm -f /tmp/checklist.tmp.$$
+
+ case $retval in
+ 0) if [ -z "$*" ]; then
+ echo "Nothing selected"
+ fi
+ ;;
+ 1) echo "Cancel pressed."
+ exit 1
+ ;;
+ esac
+fi
+
+${MKDIR} ${WRKDIRPREFIX}${CURDIR}
+exec > ${WRKDIRPREFIX}${CURDIR}/Makefile.inc
+
+echo "PREFIX= ${PREFIX}"
+
+while [ "$1" ]; do
+ case $1 in
+ \"MySQL\")
+ echo "LIB_DEPENDS+= mysqlclient.6:\${PORTSDIR}/databases/mysql322-client"
+ echo "CONFIGURE_ARGS+=--with-mysql=\${PREFIX}"
+ ;;
+ \"OpenLDAP\")
+ echo "LIB_DEPENDS+= ldap.1:\${PORTSDIR}/net/openldap"
+ echo "LIB_DEPENDS+= lber.1:\${PORTSDIR}/net/openldap"
+ echo "CONFIGURE_ARGS+=--with-ldap=\${PREFIX}"
+ ;;
+ *)
+ echo "Invalid option(s): $*" > /dev/stderr
+ rm -f ${WRKDIRPREFIX}${CURDIR}/Makefile.inc
+ exit 1
+ ;;
+ esac
+ shift
+done
diff --git a/security/cyrus-sasl2/Makefile b/security/cyrus-sasl2/Makefile
index f3005bb5f4e9..ae2a1b27b0db 100644
--- a/security/cyrus-sasl2/Makefile
+++ b/security/cyrus-sasl2/Makefile
@@ -7,6 +7,7 @@
PORTNAME= cyrus-sasl
PORTVERSION= 1.5.24
+PORTREVISION= 1
CATEGORIES= security
MASTER_SITES= ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/ \
${MASTER_SITE_LOCAL} \
@@ -19,8 +20,6 @@ USE_OPENSSL= RSA
INSTALLS_SHLIB= yes
-.include <bsd.port.pre.mk>
-
Y2K= http://asg.web.cmu.edu/cyrus/imapd/y2k.html
MAN3= sasl.3 sasl_authorize_t.3 sasl_callbacks.3 sasl_checkpass.3 \
@@ -32,8 +31,11 @@ MAN3= sasl.3 sasl_authorize_t.3 sasl_callbacks.3 sasl_checkpass.3 \
sasl_setprop.3 sasl_usererr.3
MAN8= sasldblistusers.8 saslpasswd.8
-USE_AUTOCONF= YES
+USE_AUTOMAKE= YES
USE_LIBTOOL= YES
+AUTOHEADER= autoheader
+AUTOMAKE= automake --add-missing --include-deps
+
CONFIGURE_ARGS= --sysconfdir=${PREFIX}/etc \
--with-plugindir=${PREFIX}/lib/sasl \
--with-dbpath=${PREFIX}/etc/sasldb \
@@ -43,7 +45,12 @@ CONFIGURE_ARGS= --sysconfdir=${PREFIX}/etc \
--with-pwcheck=/var/pwcheck \
--with-rc4=openssl
-# JavaSASL is currently Broken
+SCRIPTS_ENV= WRKDIRPREFIX="${WRKDIRPREFIX}" \
+ PREFIX="${PREFIX}" \
+ TOUCH="${TOUCH}" \
+ MKDIR="${MKDIR}"
+
+# JavaSASL needs someone to look at to get it to build
#JAVADIR= jdk1.1.8
#JAVALIBDIR= ${PREFIX}/${JAVADIR}/lib/i386/green_threads/
@@ -93,12 +100,18 @@ PLIST_SUB= PREFIX=${PREFIX} \
EBONES=${EBONES} \
NOPORTDOCS=${NODOCS}
+pre-fetch:
+ @${SETENV} ${SCRIPTS_ENV} ${SH} ${SCRIPTDIR}/configure.sasl
+
+pre-configure:
+ @(cd ${WRKSRC} && ${AUTOHEADER})
+
# Create Cyrus user and group
pre-install:
@${SH} ${PKGDIR}/INSTALL ${PKGNAME} PRE-INSTALL
post-install:
- @${SED} -e "/%%PREFIX%%/s##${PREFIX}#g" ${FILESDIR}/pwcheck.sh \
+ @${SED} -e "/%%PREFIX%%/s##${PREFIX}#g" ${FILESDIR}/pwcheck.sh \
> ${PREFIX}/etc/rc.d/pwcheck.sh
@${CHMOD} 755 ${PREFIX}/etc/rc.d/pwcheck.sh
${INSTALL} -d -m 700 -o cyrus -g cyrus /var/pwcheck
@@ -110,20 +123,19 @@ post-install:
.for file in ${DOC2}
@${INSTALL_DATA} ${WRKSRC}/doc/${file} ${PREFIX}/share/doc/SASL
.endfor
+ @${INSTALL_DATA} ${FILESDIR}/Sendmail.README ${PREFIX}/share/doc
.for file in ${HTDOCS}
@${INSTALL_DATA} ${WRKSRC}/doc/${file}.html ${PREFIX}/share/doc/SASL/html
.endfor
.endif
+ @PKG_PREFIX=${PREFIX} BATCH=${BATCH} ${SH} ${PKGDIR}/INSTALL ${PKGNAME} POST-INSTALL
+ @${CAT} ${PKGMESSAGE}
-.if exists(${WRKDIRPREFIX}${.CURDIR}/Makefile.inc)
post-clean:
@${RM} -f ${WRKDIRPREFIX}${.CURDIR}/Makefile.inc
+.if exists(${WRKDIRPREFIX}${.CURDIR}/Makefile.inc)
.include "${WRKDIRPREFIX}${.CURDIR}/Makefile.inc"
-.elif ${PREFIX} != ${LOCALBASE}
-# Save PREFIX so that it can be used during make install
-.BEGIN:
- @echo "PREFIX= ${PREFIX}" > ${WRKDIRPREFIX}${.CURDIR}/Makefile.inc
.endif
-.include <bsd.port.post.mk>
+.include <bsd.port.mk>
diff --git a/security/cyrus-sasl2/distinfo b/security/cyrus-sasl2/distinfo
index 6981d65ce1b0..c21d945c6267 100644
--- a/security/cyrus-sasl2/distinfo
+++ b/security/cyrus-sasl2/distinfo
@@ -1 +1 @@
-MD5 (cyrus-sasl-1.5.24.tar.gz) = aedc0f8b594e2a13503b375ed78f62b7
+MD5 (cyrus-sasl-1.5.24.tar.gz) = ac3837c071c258b80021325936db2583
diff --git a/security/cyrus-sasl2/files/Sendmail.README b/security/cyrus-sasl2/files/Sendmail.README
new file mode 100644
index 000000000000..7063c93e90e8
--- /dev/null
+++ b/security/cyrus-sasl2/files/Sendmail.README
@@ -0,0 +1,25 @@
+How to enable SMTP AUTH with FreeBSD default Sendmail 8.11
+
+1. Edit /usr/src/usr.sbin/sendmail/Makefile, and change the line:
+
+ LDADD= -lutil -lwrap
+into
+ LDADD+= -lutil -lwrap
+
+ NOTE: This change is in 5.0-CURRENT and will be MFC'd to
+ 4.1-STABLE later.
+
+2) Add the following to /etc/make.conf:
+
+# Add SMTP AUTH support to Sendmail
+.if ${.CURDIR} == "/usr/src/usr.sbin/sendmail"
+CFLAGS+=-DSASL -I/usr/local/include/sasl -L/usr/local/lib
+LDADD+=-lsasl
+.endif
+
+3) Rebuild FreeBSD (make buildworld, ...)
+
+4) Create /usr/local/lib/sasl/Sendmail.conf with the following.
+
+ pwcheck_method: pwcheck
+
diff --git a/security/cyrus-sasl2/files/patch-ab b/security/cyrus-sasl2/files/patch-ab
index 797e5ef3a899..1acd48d34144 100644
--- a/security/cyrus-sasl2/files/patch-ab
+++ b/security/cyrus-sasl2/files/patch-ab
@@ -1,5 +1,5 @@
---- configure.in.orig Thu Aug 3 14:34:08 2000
-+++ configure.in Thu Aug 3 14:39:24 2000
+--- configure.in.orig Thu Jul 20 21:35:01 2000
++++ configure.in Sat Sep 16 13:58:02 2000
@@ -66,8 +66,9 @@
dnl check for -R, etc. switch
CMU_GUESS_RUNPATH_SWITCH
@@ -12,3 +12,112 @@
AM_DISABLE_STATIC
+@@ -310,6 +311,88 @@
+ fi
+ AM_CONDITIONAL(PWCHECK, test "$with_pwcheck" != no)
+
++dnl MySQL
++AC_ARG_WITH(mysql, [ --with-mysql=PATH enable authentication from MySQL database [no] ],
++ with_mysql=$withval,
++ with_mysql=no)
++
++if test -z "$with_mysql"; then
++ for mysqlloc in lib/mysql lib
++ do
++ if test -f ${prefix}/${mysqlloc}/libmysqlclient.a; then
++ with_mysql="${prefix}"
++ break
++ elif test -f /usr/local/${mysqlloc}/libmysqlclient.a; then
++ with_mysql="/usr/local"
++ break
++ elif test -f /usr/${mysqlloc}/libmysqlclient.a; then
++ with_mysql="/usr"
++ break
++ fi
++ done
++fi
++
++LIB_MYSQL=""
++case "$with_mysql" in
++ no) true;;
++ ""|yes) AC_CHECK_LIB(mysqlclient, mysql_select_db,
++ AC_DEFINE(HAVE_MYSQL)
++ LIB_MYSQL="-lmysqlclient",
++ with_mysql=no);;
++ *) if test -d ${with_mysql}/include/mysql; then
++ CPPFLAGS="$CPPFLAGS -I${with_mysql}/include/mysql"
++ else
++ CPPFLAGS="$CPPFLAGS -I${with_mysql}/include"
++ fi
++ if test -d ${with_mysql}/lib/mysql; then
++ LDFLAGS="$LDFLAGS -L${with_mysql}/lib/mysql"
++ fi
++ AC_DEFINE(HAVE_MYSQL)
++ LIB_MYSQL="-lmysqlclient";;
++esac
++AC_SUBST(LIB_MYSQL)
++
++dnl LDAP
++AC_ARG_WITH(ldap, [ --with-ldap=PATH enable authentication from LDAP [no] ],
++ with_ldap=$withval,
++ with_ldap=no)
++
++if test -z "$with_ldap"; then
++ for ldaploc in lib/ldap lib
++ do
++ if test -f ${prefix}/${ldaploc}/libldap.a; then
++ with_ldap="${prefix}"
++ break
++ elif test -f /usr/local/${ldaploc}/libldap.a; then
++ with_ldap="/usr/local"
++ break
++ elif test -f /usr/${ldaploc}/libldap.a; then
++ with_ldap="/usr"
++ break
++ fi
++ done
++fi
++
++LIB_LDAP=""
++case "$with_ldap" in
++ no) true;;
++ ""|yes) AC_CHECK_LIB(ldap, ldap_open,
++ AC_DEFINE(HAVE_LDAP)
++ LIB_LDAP="-lldap -llber",
++ with_ldap=no);;
++ *) if test -d ${with_ldap}/include/ldap; then
++ CPPFLAGS="${CPPFLAGS} -I${with_ldap}/include/ldap"
++ else
++ CPPFLAGS="${CPPFLAGS} -I${with_ldap}/include"
++ fi
++ if test -d ${with_ldap}/lib/ldap; then
++ LDFLAGS="$LDFLAGS -L${with_ldap}/lib/ldap"
++ fi
++ AC_DEFINE(HAVE_LDAP)
++ LIB_LDAP="-lldap -llber";;
++esac
++AC_SUBST(LIB_LDAP)
++
+ dnl CRAM-MD5
+ AC_ARG_ENABLE(cram, [ --enable-cram enable CRAM-MD5 authentication [yes] ],
+ cram=$enableval,
+@@ -434,11 +517,15 @@
+ fi
+
+ if test "$with_des" != no; then
++ case "$host_os" in
++ freebsd*)
++ COM_ERR="-lcom_err"
++ ;;
++ esac
+ AC_CHECK_HEADER(krb.h,
+- AC_CHECK_LIB(krb, krb_mk_priv, COM_ERR="",
+- AC_CHECK_LIB(krb, krb_mk_priv, COM_ERR="-lcom_err",
+- AC_WARN(No Kerberos V4 found); krb4=no, -ldes -lcom_err),
+- -ldes),
++ AC_CHECK_LIB(krb, krb_mk_priv,:,
++ AC_WARN(No Kerberos V4 found); krb4=no,
++ -ldes $COM_ERR),
+ AC_WARN(No Kerberos V4 found); krb4=no)
+ else
+ AC_WARN(No DES library found for Kerberos V4 support)
diff --git a/security/cyrus-sasl2/files/patch-ag b/security/cyrus-sasl2/files/patch-ag
new file mode 100644
index 000000000000..591a08e66ab5
--- /dev/null
+++ b/security/cyrus-sasl2/files/patch-ag
@@ -0,0 +1,15 @@
+--- acconfig.h.orig Wed Jul 5 11:59:25 2000
++++ acconfig.h Fri Sep 15 20:56:28 2000
+@@ -84,6 +84,12 @@
+ /* do we have PAM for plaintext password checking? */
+ #undef HAVE_PAM
+
++/* do we have MySQL for plaintext password checking? */
++#undef HAVE_MYSQL
++
++/* do we have LDAP for plaintext password checking? */
++#undef HAVE_LDAP
++
+ /* what flavor of GSSAPI are we using? */
+ #undef HAVE_GSS_C_NT_HOSTBASED_SERVICE
+
diff --git a/security/cyrus-sasl2/files/patch-ah b/security/cyrus-sasl2/files/patch-ah
new file mode 100644
index 000000000000..deb47e550737
--- /dev/null
+++ b/security/cyrus-sasl2/files/patch-ah
@@ -0,0 +1,9 @@
+--- lib/Makefile.am.orig Thu Jul 20 21:35:02 2000
++++ lib/Makefile.am Fri Sep 15 20:56:28 2000
+@@ -53,5 +53,5 @@
+ EXTRA_libsasl_la_SOURCES = db_none.c db_ndbm.c db_gdbm.c db_berkeley.c db_testw32.c
+ libsasl_la_LDFLAGS = -version-info $(sasl_version)
+ libsasl_la_DEPENDENCIES = $(SASL_DB_BACKEND) @LTLIBOBJS@
+-libsasl_la_LIBADD = @LTLIBOBJS@ $(SASL_DB_BACKEND) $(SASL_DB_LIB) $(SASL_DL_LIB) $(PLAIN_LIBS)
++libsasl_la_LIBADD = @LTLIBOBJS@ $(SASL_DB_BACKEND) $(SASL_DB_LIB) $(SASL_DL_LIB) $(PLAIN_LIBS) ${LIB_LDAP} ${LIB_MYSQL}
+ # PLAIN_LIBS are linked in for sasl_checkpass
diff --git a/security/cyrus-sasl2/files/patch-ai b/security/cyrus-sasl2/files/patch-ai
new file mode 100644
index 000000000000..a630c2ca8d67
--- /dev/null
+++ b/security/cyrus-sasl2/files/patch-ai
@@ -0,0 +1,357 @@
+--- lib/checkpw.c.orig Wed Jul 19 20:24:13 2000
++++ lib/checkpw.c Sat Sep 16 21:07:33 2000
+@@ -95,10 +95,19 @@
+ #include <sys/un.h>
+ #ifdef HAVE_UNISTD_H
+ #include <unistd.h>
+-#endif
++#endif /* HAVE_UNISTD_H */
+
+ extern int errno;
+-#endif
++#endif /* HAVE_PWCHECK */
++
++#ifdef HAVE_MYSQL
++#include <mysql.h>
++#endif /* HAVE_MYSQL */
++
++#ifdef HAVE_LDAP
++#include <lber.h>
++#include <ldap.h>
++#endif /* HAVE_LDAP */
+
+ #ifdef HAVE_KRB
+
+@@ -170,12 +179,20 @@
+ memcpy (&temp_key, "kerberos", 8);
+ des_fixup_key_parity (&temp_key);
+ des_key_sched (&temp_key, schedule);
++#ifdef __FreeBSD__
++ des_cbc_cksum ((const unsigned char *)password, &ivec, passlen, schedule, &ivec);
++#else
+ des_cbc_cksum ((des_cblock *)password, &ivec, passlen, schedule, &ivec);
++#endif
+
+ memcpy (&temp_key, &ivec, sizeof temp_key);
+ des_fixup_key_parity (&temp_key);
+ des_key_sched (&temp_key, schedule);
++#ifdef __FreeBSD__
++ des_cbc_cksum ((const unsigned char *)password, key, passlen, schedule, &ivec);
++#else
+ des_cbc_cksum ((des_cblock *)password, key, passlen, schedule, &ivec);
++#endif
+
+ des_fixup_key_parity (key);
+
+@@ -210,10 +227,17 @@
+ return (str);
+ }
+
++#ifdef __FreeBSD__
++static int use_key(const char *user __attribute__((unused)),
++ char *instance __attribute__((unused)),
++ const char *realm __attribute__((unused)),
++ const void *key, des_cblock *returned_key)
++#else
+ static int use_key(char *user __attribute__((unused)),
+ char *instance __attribute__((unused)),
+ char *realm __attribute__((unused)),
+ void *key, des_cblock *returned_key)
++#endif
+ {
+ memcpy (returned_key, key, sizeof(des_cblock));
+ return 0;
+@@ -838,7 +862,7 @@
+
+
+ /* pwcheck daemon-authenticated login */
+-static int pwcheck_verify_password(sasl_conn_t *conn,
++static int pwcheck_verify_password(sasl_conn_t *conn __attribute__((unused)),
+ const char *userid,
+ const char *passwd,
+ const char *service __attribute__((unused)),
+@@ -853,8 +877,10 @@
+ static char response[1024];
+ int start, n;
+ char pwpath[1024];
++#if 0 /* Not used */
+ sasl_getopt_t *getopt;
+ void *context;
++#endif
+
+ if (reply) { *reply = NULL; }
+
+@@ -902,6 +928,260 @@
+
+ #endif
+
++#ifdef HAVE_MYSQL
++/* DMZ mysql auth 12/29/1999
++ * Updated to 1.5.24 by SWH 09/12/2000
++ */
++#ifdef USE_CRYPT_PASSWORD
++#define QUERY_STRING "select %s from %s where %s = '%s' and %s = password('%s')"
++#else
++#define QUERY_STRING "select %s from %s where %s = '%s' and %s = '%s'"
++#endif
++
++static int mysql_verify_password(sasl_conn_t *conn,
++ const char *userid,
++ const char *password,
++ const char *service __attribute__((unused)),
++ const char *user_realm __attribute__((unused)),
++ const char **reply)
++{
++ unsigned int numrows;
++ MYSQL mysql,*sock;
++ MYSQL_RES *result;
++ char qbuf[300];
++ char *db_user="",
++ *db_passwd="",
++ *db_host="",
++ *db_uidcol="",
++ *db_pwcol="",
++ *db_database="",
++ *db_table="";
++ sasl_getopt_t *getopt;
++ void *context;
++
++ if (!userid || !password) {
++ return SASL_BADPARAM;
++ }
++ if (reply) { *reply = NULL; }
++
++ /* check to see if the user configured a mysqluser/passwd/host/etc */
++ if (_sasl_getcallback(conn, SASL_CB_GETOPT, &getopt, &context) == SASL_OK) {
++ getopt(context, NULL, "mysql_user", (const char **) &db_user, NULL);
++ if (!db_user) db_user = "";
++ getopt(context, NULL, "mysql_passwd", (const char **) &db_passwd, NULL);
++ if (!db_passwd) db_passwd = "";
++ getopt(context, NULL, "mysql_host", (const char **) &db_host, NULL);
++ if (!db_host) db_host = "";
++ getopt(context, NULL, "mysql_database", (const char **) &db_database, NULL);
++ if (!db_database) db_database = "";
++ getopt(context, NULL, "mysql_table", (const char **) &db_table, NULL);
++ if (!db_table) db_table = "";
++ getopt(context, NULL, "mysql_uidcol", (const char **) &db_uidcol, NULL);
++ if (!db_uidcol) db_uidcol = "";
++ getopt(context, NULL, "mysql_pwdcol", (const char **) &db_pwcol, NULL);
++ if (!db_pwcol) db_pwcol = "";
++ }
++
++ if (!(sock = mysql_connect(&mysql,db_host,db_user,db_passwd)))
++ {
++ if (reply) { *reply = "cannot connect to MySQL server"; }
++ return SASL_FAIL;
++ }
++
++ if (mysql_select_db(sock,db_database) < 0)
++ {
++ mysql_close(sock);
++ if (reply) { *reply = "cannot select MySQL database"; }
++ return SASL_FAIL;
++ }
++ /* select DB_UIDCOL from DB_TABLE where DB_UIDCOL = 'userid' AND DB_PWCOL = password('password') */
++ sprintf(qbuf,QUERY_STRING,db_uidcol,db_table,db_uidcol,userid,db_pwcol,password);
++ if (mysql_query(sock,qbuf) < 0 || !(result=mysql_store_result(sock)))
++ {
++ mysql_close(sock);
++ return SASL_FAIL;
++ }
++
++ if (result) //There were some rows found
++ {
++ if ((numrows = mysql_affected_rows(&mysql)) != 1)
++ {
++ mysql_free_result(result);
++ mysql_close(sock);
++ if ((numrows > 1) && (reply)) { *reply = "Detected duplicate entries for user"; }
++ return SASL_BADAUTH;
++ } else {
++ mysql_free_result(result);
++ mysql_close(sock);
++ return SASL_OK;
++ }
++ }
++ mysql_free_result(result);
++ mysql_close(sock);
++ return SASL_BADAUTH;
++}
++#endif /* HAVE_MYSQL */
++
++#ifdef HAVE_LDAP
++/* simon@surf.org.uk LDAP auth 07/11/2000
++ * Updated to 1.5.24 by SWH 09/12/2000
++ */
++
++#define LDAP_SERVER "localhost"
++#define LDAP_BASEDN "o=JOFA, c=UK"
++#define LDAP_UIDATTR "uid"
++
++#ifndef TRUE
++# define TRUE 1
++# define FALSE 0
++#endif
++
++static int ldap_isdigits(char *value)
++{
++ char *ptr;
++ int num = TRUE;
++
++ for (ptr = value; *ptr != '\0' && num != FALSE; ptr++) {
++ if (!isdigit(*ptr))
++ num = FALSE;
++ }
++
++ return num;
++}
++
++static int ldap_verify_password(sasl_conn_t *conn,
++ const char *userid,
++ const char *password,
++ const char *service __attribute__((unused)),
++ const char *user_realm __attribute__((unused)),
++ const char **reply)
++{
++
++ LDAP *ld;
++ LDAPMessage *result;
++ LDAPMessage *entry;
++ char *attrs[2];
++ char filter[200];
++ char *dn,
++ *ldap_server="",
++ *ldap_basedn="",
++ *ldap_uidattr="",
++ *port_num="";
++ int ldap_port = LDAP_PORT;
++ int count;
++ sasl_getopt_t *getopt;
++ void *context;
++
++ /* If the password is NULL, reject the login...
++ * Otherwise the bind will succed as a reference bind. Not good...
++ */
++ if (strcmp(password,"") == 0)
++ {
++ return SASL_BADPARAM;
++ }
++
++ if (reply) { *reply = NULL; }
++
++ /* check to see if the user configured a mysqluser/passwd/host/etc */
++ if (_sasl_getcallback(conn, SASL_CB_GETOPT, &getopt, &context) == SASL_OK) {
++ getopt(context, NULL, "ldap_server", (const char **) &ldap_server, NULL);
++ if (!ldap_server) ldap_server = LDAP_SERVER;
++ getopt(context, NULL, "ldap_basedn", (const char **) &ldap_basedn, NULL);
++ if (!ldap_basedn) {
++ if (reply) { *reply = "ldap_basedn not defined"; }
++ return SASL_BADPARAM;
++ }
++ getopt(context, NULL, "ldap_uidattr", (const char **) &ldap_uidattr, NULL);
++ if (!ldap_uidattr) ldap_uidattr = LDAP_UIDATTR;
++ getopt(context, NULL, "ldap_port", (const char **) &port_num, NULL);
++ if (!port_num) {
++ ldap_port = LDAP_PORT;
++ } else if (!ldap_isdigits(port_num)) {
++ if (reply) { *reply = "ldap_port - invalid value"; }
++ return SASL_BADPARAM;
++ } else {
++ ldap_port = atoi(port_num);
++ }
++ }
++
++ /* Open the LDAP connection. */
++ if ((ld = ldap_open(ldap_server, ldap_port)) == NULL)
++ {
++ if (reply) { *reply = "cannot connect to LDAP server"; }
++ return SASL_FAIL;
++ }
++
++ /* Bind anonymously so that you can find the DN of the appropriate user. */
++ if (ldap_simple_bind_s(ld,"","") != LDAP_SUCCESS)
++ {
++ ldap_unbind(ld);
++ if (reply) { *reply = "cannot bind to LDAP server"; }
++ return SASL_FAIL;
++ }
++
++ /* Generate a filter that will return the entry with a matching UID */
++ sprintf(filter,"(%s=%s)", ldap_uidattr,userid);
++
++ /* Just return country...This doesn't actually matter, since we will
++ * not read the attributes and values, only the DN
++ */
++ attrs[0] = "c";
++ attrs[1] = NULL;
++
++ /* Perform the search... */
++ if (ldap_search_s(ld,ldap_basedn,LDAP_SCOPE_SUBTREE,filter,attrs,1,&result) != LDAP_SUCCESS )
++ {
++ ldap_unbind(ld);
++ return SASL_BADAUTH;
++ }
++
++ /* If the entry count is not equal to one, either the UID was not unique or
++ * there was no match
++ */
++ if ((count = ldap_count_entries(ld,result)) != 1)
++ {
++ ldap_msgfree(result);
++ ldap_unbind(ld);
++ if ((count > 1) && (reply)) { *reply = "Detected duplicate entries for user"; }
++ return SASL_BADAUTH;
++ }
++
++ /* Get the first entry */
++ if ((entry = ldap_first_entry(ld,result)) == NULL)
++ {
++ ldap_msgfree(result);
++ ldap_unbind(ld);
++ return SASL_BADAUTH;
++ }
++
++ /* Get the DN of the entry */
++ if ((dn = ldap_get_dn(ld,entry)) == NULL)
++ {
++ ldap_msgfree(entry);
++ ldap_unbind(ld);
++ return SASL_BADAUTH;
++ }
++
++ /* Now bind as the DN with the password supplied earlier...
++ * Successful bind means the password was correct, otherwise the
++ * password is invalid.
++ */
++ if (ldap_simple_bind_s(ld,dn,(char *)password) != LDAP_SUCCESS)
++ {
++ free(dn);
++ ldap_msgfree(entry);
++ ldap_unbind(ld);
++ return SASL_BADAUTH;
++ }
++
++ free(dn);
++ ldap_msgfree(entry);
++ ldap_unbind(ld);
++ return SASL_OK;
++}
++
++#endif /* HAVE_LDAP */
++
+ struct sasl_verify_password_s _sasl_verify_password[] = {
+ { "sasldb", &sasldb_verify_password },
+ #ifdef HAVE_KRB
+@@ -921,6 +1201,12 @@
+ #endif
+ #ifdef HAVE_PWCHECK
+ { "pwcheck", &pwcheck_verify_password },
++#endif
++#ifdef HAVE_MYSQL
++ { "mysql", &mysql_verify_password },
++#endif
++#ifdef HAVE_LDAP
++ { "ldap", &ldap_verify_password },
+ #endif
+ { NULL, NULL }
+ };
diff --git a/security/cyrus-sasl2/files/patch-aj b/security/cyrus-sasl2/files/patch-aj
new file mode 100644
index 000000000000..569384a100d4
--- /dev/null
+++ b/security/cyrus-sasl2/files/patch-aj
@@ -0,0 +1,46 @@
+--- doc/sysadmin.html.orig Wed Jul 12 21:59:51 2000
++++ doc/sysadmin.html Fri Sep 15 20:56:28 2000
+@@ -171,6 +171,43 @@
+ <dt><i>pwcheck</i><dd> checks passwords with the use of a seperate,
+ helper daemon. <b>needs to be documented.</b><p>
+
++<dt><i>mysql</i><dd> A MySQL database can be used for plaintext
++ password checking by setting "pwcheck_method" to "mysql".<p>
++
++ <p>The following SASL options are used for MySQL Authentication:<p>
++
++ <dl>
++ <dd>mysql_user: &lt;user&gt;</dd>
++ <dd>mysql_passwd: &lt;cleartext pw&gt;</dd>
++ <dd>mysql_host: &lt;host&gt;</dd>
++ <dd>mysql_database: &lt;database&gt;</dd>
++ <dd>mysql_table: &lt;table&gt;</dd>
++ <dd>mysql_uidcol: &lt;username col&gt;</dd>
++ <dd>mysql_pwdcol: &lt;password col&gt;</dd>
++ </dl>
++
++ <p>MySQL pwcheck_method created by <a href="mailto:dmz@dmzs.com">David Matthew Zendzian</a>
++ the original patch may be found at <a href="http://www.dmzs.com/~dmz/projects/cyrus/">http://www.dmzs.com/~dmz/projects/cyrus/</a>.<p>
++
++<dt><i>ldap</i><dd> A LDAP server can be used for plaintext password
++ checking by setting "pwcheck_method" to "ldap".<p>
++
++ <p>The following SASL options are used for LDAP Authentication:<p>
++
++ <dl>
++ <dd>ldap_server: &lt;LDAP Server [localhost]&gt;
++ <dd>ldap_basedn: &lt;LDAP base dn&gt;
++ <dd>ldap_uidattr: &lt;LDAP uid attribute [uid]&gt;
++ <dd>ldap_port: &lt;LDAP port [389]&gt;
++ </dl>
++
++ <p>It is a requirement that "ldap_basedn" be set to the appropriate
++ value for your site<br>
++ (ex. ldap_basedn: o=surf, c=UK)<p>
++
++ <p>LDAP pwcheck_method created by <a href="mailto:simon@surf.org.uk">Simon@surf.org.uk</a>
++ the original patch may be found at <a href="http://www.surf.org.uk/">http://www.surf.org.uk/</a>.<p>
++
+ <dt><i>write your own</i><dd> Last, but not least, the most flexible
+ method of authentication for PLAIN is to write your own. If you do
+ so, any application that calls the "<tt>sasl_checkpass()</tt>"
diff --git a/security/cyrus-sasl2/files/patch-ak b/security/cyrus-sasl2/files/patch-ak
new file mode 100644
index 000000000000..ecbd20ca3239
--- /dev/null
+++ b/security/cyrus-sasl2/files/patch-ak
@@ -0,0 +1,30 @@
+--- plugins/kerberos4.c.orig Wed Apr 19 11:18:48 2000
++++ plugins/kerberos4.c Sat Sep 16 18:49:20 2000
+@@ -696,8 +696,13 @@
+
+ /* decrypt; verify checksum */
+
++#ifdef __FreeBSD__
++ des_pcbc_encrypt((const unsigned char *)in,
++ (unsigned char *)in,
++#else
+ des_pcbc_encrypt((des_cblock *)in,
+ (des_cblock *)in,
++#endif
+ clientinlen,
+ text->init_keysched,
+ &text->session,
+@@ -1192,8 +1197,13 @@
+ }
+ sout[len]=0;
+
++#ifdef __FreeBSD__
++ des_pcbc_encrypt((const unsigned char *)sout,
++ (unsigned char *)sout,
++#else
+ des_pcbc_encrypt((des_cblock *)sout,
+ (des_cblock *)sout,
++#endif
+ len,
+ text->init_keysched,
+ (des_cblock *)text->session,
diff --git a/security/cyrus-sasl2/pkg-install b/security/cyrus-sasl2/pkg-install
index d008d0c8ac5a..b3b0fa2cdd31 100644
--- a/security/cyrus-sasl2/pkg-install
+++ b/security/cyrus-sasl2/pkg-install
@@ -7,11 +7,15 @@
#set -vx
+PKG_BATCH=${BATCH:=NO}
+
+PKG_PREFIX=${PKG_PREFIX:=/usr/local}
+
#
# create 'cyrus' user and group before installing
#
-create() {
+create_user() {
if [ ! -x /usr/sbin/pw ]; then
echo "*** Please add a user and a group named \`cyrus' before installing this package."
exit 69
@@ -65,9 +69,31 @@ create() {
fi
}
+create_sasldb() {
+ if [ ! -f ${PGK_PREFIX}/etc/sasldb.db ]; then
+ touch ${PGK_PREFIX}/etc/sasldb.db
+ chown cyrus:mail ${PGK_PREFIX}/etc/sasldb.db
+ chmod 640 ${PGK_PREFIX}/etc/sasldb.db
+ fi
+}
+
+# This should really be installed by Sendmail
+
+sendmail_conf() {
+ if [ ! -f ${PKG_PREFIX}/lib/sasl/Sendmail.conf ]; then
+ echo "pwcheck_method: pwcheck" > ${PKG_PREFIX}/lib/sasl/Sendmail.conf
+ fi
+}
+
case $2 in
PRE-INSTALL)
- create
+ create_user
+ ;;
+ POST-INSTALL)
+ if [ "${PKG_BATCH}" = "NO" ]; then
+ create_sasldb
+ sendmail_conf
+ fi
;;
esac
diff --git a/security/cyrus-sasl2/pkg-message b/security/cyrus-sasl2/pkg-message
index 6f87cd3c393b..1016d9655c5a 100644
--- a/security/cyrus-sasl2/pkg-message
+++ b/security/cyrus-sasl2/pkg-message
@@ -1,4 +1,15 @@
-Start the pwcheck program to have clients use the SASL libraries
-as a non-root user:
+PREFIX/etc/cyrusdb.db now needs to be created
+before applications that depend on SASL are used.
- /usr/local/etc/rc.d/pwcheck.sh [start|stop]
+ su cyrus
+ PREFIX/sbin/saslpasswd -c userid
+
+You will also need to start the pwcheck daemon:
+
+ PREFIX/etc/rc.d/pwcheck.sh start
+
+Read the documentation in PREFIX/share/doc/SASL
+
+How to enable SMTP AUTH with system Sendmail 8.11 - Sendmail.README
+
+How to use LDAP or MySQL for passwords - see html/sysadmin.html
diff --git a/security/cyrus-sasl2/pkg-plist b/security/cyrus-sasl2/pkg-plist
index 8d412ca78221..dbb7a8d31995 100644
--- a/security/cyrus-sasl2/pkg-plist
+++ b/security/cyrus-sasl2/pkg-plist
@@ -1,5 +1,7 @@
@unexec %D/etc/rc.d/pwcheck.sh stop ; echo "pwcheck stopped."
etc/rc.d/pwcheck.sh
+@comment remove ../etc/sasldb.db only if it exists and has a zero size.
+@unexec [ -f %D/etc/sasldb.db -a ! -s %D/etc/sasldb.db ] && rm %D/etc/sasldb.db
include/sasl/hmac-md5.h
include/sasl/md5.h
include/sasl/md5global.h
@@ -31,7 +33,10 @@ lib/sasl/liblogin.so.0
lib/sasl/libplain.a
lib/sasl/libplain.so
lib/sasl/libplain.so.1
-@dirrm lib/sasl
+@comment Sendmail.conf should be installed/uninstalled by Sendmail 8.11.
+@comment We install it here because Sendmail 8.11 is in the base system.
+@unexec echo "pwcheck_method: pwcheck" > %B/Sendmail.conf.tmp
+@unexec if cmp -s %B/Sendmail.conf %B/Sendmail.conf.tmp; then rm -f %B/Sendmail.conf %B/Sendmail.conf.tmp; else rm -f %B/Sendmail.conf.tmp fi
sbin/sasldblistusers
sbin/saslpasswd
sbin/pwcheck
@@ -41,6 +46,7 @@ sbin/pwcheck
%%NOPORTDOCS%%share/doc/SASL/INSTALL
%%NOPORTDOCS%%share/doc/SASL/NEWS
%%NOPORTDOCS%%share/doc/SASL/README
+%%NOPORTDOCS%%share/doc/SASL/Sendmail.README
%%NOPORTDOCS%%share/doc/SASL/TODO
%%NOPORTDOCS%%share/doc/SASL/draft-leach-digest-sasl-05.txt
%%NOPORTDOCS%%share/doc/SASL/draft-newman-auth-scram-03.txt
@@ -55,12 +61,13 @@ sbin/pwcheck
%%NOPORTDOCS%%share/doc/SASL/html/sysadmin.html
%%NOPORTDOCS%%@dirrm share/doc/SASL/html
%%NOPORTDOCS%%@dirrm share/doc/SASL
+@dirrm lib/sasl
@mode u=rwx,go=
@cwd /var
@exec mkdir pwcheck
@exec chown cyrus:cyrus pwcheck
@exec chmod go= pwcheck
-@comment This file gets create by the pwcheck program
-@unexec rm -f pwcheck/pwcheck
+@comment This file gets created by the pwcheck program
+@unexec rm -f /var/pwcheck/pwcheck
@dirrm pwcheck
@cwd %%PREFIX%%
diff --git a/security/cyrus-sasl2/scripts/configure.sasl b/security/cyrus-sasl2/scripts/configure.sasl
new file mode 100644
index 000000000000..75c4258fa056
--- /dev/null
+++ b/security/cyrus-sasl2/scripts/configure.sasl
@@ -0,0 +1,59 @@
+#!/bin/sh
+# $FreeBSD$
+
+if [ -f ${WRKDIRPREFIX}${CURDIR}/Makefile.inc ]; then
+ exit
+fi
+
+if [ "${BATCH}" ]; then
+ exit
+else
+ /usr/bin/dialog --title "Additional pwcheck methods" --clear \
+ --checklist "\n\
+Please select desired options:" -1 -1 16 \
+MySQL "MySQL password Authentication" OFF \
+OpenLDAP "OpenLDAP password Authentication" OFF \
+2> /tmp/checklist.tmp.$$
+
+ retval=$?
+
+ if [ -s /tmp/checklist.tmp.$$ ]; then
+ set `cat /tmp/checklist.tmp.$$`
+ fi
+ rm -f /tmp/checklist.tmp.$$
+
+ case $retval in
+ 0) if [ -z "$*" ]; then
+ echo "Nothing selected"
+ fi
+ ;;
+ 1) echo "Cancel pressed."
+ exit 1
+ ;;
+ esac
+fi
+
+${MKDIR} ${WRKDIRPREFIX}${CURDIR}
+exec > ${WRKDIRPREFIX}${CURDIR}/Makefile.inc
+
+echo "PREFIX= ${PREFIX}"
+
+while [ "$1" ]; do
+ case $1 in
+ \"MySQL\")
+ echo "LIB_DEPENDS+= mysqlclient.6:\${PORTSDIR}/databases/mysql322-client"
+ echo "CONFIGURE_ARGS+=--with-mysql=\${PREFIX}"
+ ;;
+ \"OpenLDAP\")
+ echo "LIB_DEPENDS+= ldap.1:\${PORTSDIR}/net/openldap"
+ echo "LIB_DEPENDS+= lber.1:\${PORTSDIR}/net/openldap"
+ echo "CONFIGURE_ARGS+=--with-ldap=\${PREFIX}"
+ ;;
+ *)
+ echo "Invalid option(s): $*" > /dev/stderr
+ rm -f ${WRKDIRPREFIX}${CURDIR}/Makefile.inc
+ exit 1
+ ;;
+ esac
+ shift
+done