git.sur5r.net Git - openldap/blob - servers/slapd/sasl.c

   1 /* $OpenLDAP$ */
   2 /*
   3  * Copyright 1998-2000 The OpenLDAP Foundation, All Rights Reserved.
   4  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
   5  */
   6
   7 #include "portable.h"
   8
   9 #include <ac/stdlib.h>
  10 #include <stdio.h>
  11
  12 #include "slap.h"
  13 #include "proto-slap.h"
  14
  15 #include <lber.h>
  16 #include <ldap_log.h>
  17
  18 #ifdef HAVE_CYRUS_SASL
  19 #include <limits.h>
  20 #include <sasl.h>
  21
  22 #include <ldap_pvt.h>
  23
  24 #ifdef SLAPD_SPASSWD
  25 #include <lutil.h>
  26 #endif
  27
  28 static char *sasl_host = NULL;
  29 static sasl_security_properties_t sasl_secprops;
  30
  31 static int
  32 slap_sasl_err2ldap( int saslerr )
  33 {
  34         int rc;
  35
  36         switch (saslerr) {
  37                 case SASL_CONTINUE:
  38                         rc = LDAP_SASL_BIND_IN_PROGRESS;
  39                         break;
  40                 case SASL_FAIL:
  41                         rc = LDAP_OTHER;
  42                         break;
  43                 case SASL_NOMEM:
  44                         rc = LDAP_OTHER;
  45                         break;
  46                 case SASL_NOMECH:
  47                         rc = LDAP_AUTH_METHOD_NOT_SUPPORTED;
  48                         break;
  49                 case SASL_BADAUTH:
  50                         rc = LDAP_INVALID_CREDENTIALS;
  51                         break;
  52                 case SASL_NOAUTHZ:
  53                         rc = LDAP_INSUFFICIENT_ACCESS;
  54                         break;
  55                 case SASL_TOOWEAK:
  56                 case SASL_ENCRYPT:
  57                         rc = LDAP_INAPPROPRIATE_AUTH;
  58                         break;
  59                 default:
  60                         rc = LDAP_OTHER;
  61                         break;
  62         }
  63
  64         return rc;
  65 }
  66 #endif
  67
  68
  69 int slap_sasl_init( void )
  70 {
  71 #ifdef HAVE_CYRUS_SASL
  72         int rc;
  73         sasl_conn_t *server = NULL;
  74         static sasl_callback_t server_callbacks[] = {
  75                 { SASL_CB_LIST_END, NULL, NULL }
  76         };
  77
  78         sasl_set_alloc(
  79                 ch_malloc,
  80                 ch_calloc,
  81                 ch_realloc,
  82                 ch_free );
  83
  84         sasl_set_mutex(
  85                 ldap_pvt_sasl_mutex_new,
  86                 ldap_pvt_sasl_mutex_lock,
  87                 ldap_pvt_sasl_mutex_unlock,
  88                 ldap_pvt_sasl_mutex_dispose );
  89
  90         /* should provide callbacks for logging */
  91         /* server name should be configurable */
  92         rc = sasl_server_init( server_callbacks, "slapd" );
  93
  94         if( rc != SASL_OK ) {
  95                 Debug( LDAP_DEBUG_ANY, "sasl_server_init failed\n",
  96                         0, 0, 0 );
  97                 return -1;
  98         }
  99
 100         if( sasl_host == NULL ) {
 101                 static char hostname[MAXHOSTNAMELEN+1];
 102
 103                 if( gethostname( hostname, MAXHOSTNAMELEN ) == 0 ) {
 104                         hostname[MAXHOSTNAMELEN] = '\0';
 105                         sasl_host = hostname;
 106                 }
 107         }
 108
 109         Debug( LDAP_DEBUG_TRACE,
 110                 "slap_sasl_init: %s initialized!\n",
 111                 sasl_host, 0, 0 );
 112
 113         /* default security properties */
 114         memset( &sasl_secprops, '\0', sizeof(sasl_secprops) );
 115     sasl_secprops.max_ssf = UINT_MAX;
 116     sasl_secprops.maxbufsize = 65536;
 117     sasl_secprops.security_flags = SASL_SEC_NOPLAINTEXT|SASL_SEC_NOANONYMOUS;
 118
 119 #ifdef SLAPD_SPASSWD
 120         lutil_passwd_sasl_conn = server;
 121 #else
 122         sasl_dispose( &server );
 123 #endif
 124
 125 #endif
 126         return 0;
 127 }
 128
 129 int slap_sasl_destroy( void )
 130 {
 131 #ifdef HAVE_CYRUS_SASL
 132 #ifdef SLAPD_SPASSWD
 133         sasl_dispose( &lutil_passwd_sasl_conn );
 134 #endif
 135         sasl_done();
 136 #endif
 137         return 0;
 138 }
 139
 140 int slap_sasl_open( Connection *conn )
 141 {
 142         int sc = LDAP_SUCCESS;
 143
 144 #ifdef HAVE_CYRUS_SASL
 145         sasl_conn_t *ctx = NULL;
 146
 147         /* create new SASL context */
 148         sc = sasl_server_new( "ldap", sasl_host, global_realm, NULL,
 149 #ifdef LDAP_SASL_SECURITY_LAYER
 150                 SASL_SECURITY_LAYER,
 151 #else
 152                 0,
 153 #endif
 154                 &ctx );
 155
 156
 157         if( sc != SASL_OK ) {
 158                 Debug( LDAP_DEBUG_ANY, "sasl_server_new failed: %d\n",
 159                         sc, 0, 0 );
 160                 return -1;
 161         }
 162
 163         conn->c_sasl_context = ctx;
 164
 165         if( sc == SASL_OK ) {
 166                 sc = sasl_setprop( ctx,
 167                         SASL_SEC_PROPS, &sasl_secprops );
 168
 169                 if( sc != SASL_OK ) {
 170                         Debug( LDAP_DEBUG_ANY, "sasl_setprop failed: %d\n",
 171                                 sc, 0, 0 );
 172                         slap_sasl_close( conn );
 173                         return -1;
 174                 }
 175         }
 176
 177         sc = slap_sasl_err2ldap( sc );
 178 #endif
 179         return sc;
 180 }
 181
 182 int slap_sasl_external(
 183         Connection *conn,
 184         unsigned ssf,
 185         char *auth_id )
 186 {
 187 #ifdef HAVE_CYRUS_SASL
 188         int sc;
 189         sasl_conn_t *ctx = conn->c_sasl_context;
 190         sasl_external_properties_t extprops;
 191
 192         if ( ctx == NULL ) {
 193                 return LDAP_UNAVAILABLE;
 194         }
 195
 196         memset( &extprops, 0L, sizeof(extprops) );
 197         extprops.ssf = ssf;
 198         extprops.auth_id = auth_id;
 199
 200         sc = sasl_setprop( ctx, SASL_SSF_EXTERNAL,
 201                 (void *) &extprops );
 202
 203         if ( sc != SASL_OK ) {
 204                 return LDAP_OTHER;
 205         }
 206 #endif
 207
 208         return LDAP_SUCCESS;
 209 }
 210
 211 int slap_sasl_reset( Connection *conn )
 212 {
 213 #ifdef HAVE_CYRUS_SASL
 214         sasl_conn_t *ctx = conn->c_sasl_context;
 215
 216         if( ctx != NULL ) {
 217         }
 218 #endif
 219         /* must return "anonymous" */
 220         return LDAP_SUCCESS;
 221 }
 222
 223 char ** slap_sasl_mechs( Connection *conn )
 224 {
 225         char **mechs = NULL;
 226
 227 #ifdef HAVE_CYRUS_SASL
 228         sasl_conn_t *ctx = conn->c_sasl_context;
 229
 230         if( ctx != NULL ) {
 231                 int sc;
 232                 char *mechstr;
 233
 234                 sc = sasl_listmech( ctx,
 235                         NULL, NULL, ",", NULL,
 236                         &mechstr, NULL, NULL );
 237
 238                 if( sc != SASL_OK ) {
 239                         Debug( LDAP_DEBUG_ANY, "slap_sasl_listmech failed: %d\n",
 240                                 sc, 0, 0 );
 241                         return NULL;
 242                 }
 243
 244                 mechs = str2charray( mechstr, "," );
 245
 246                 ch_free( mechstr );
 247         }
 248 #endif
 249
 250         return mechs;
 251 }
 252
 253 int slap_sasl_close( Connection *conn )
 254 {
 255 #ifdef HAVE_CYRUS_SASL
 256         sasl_conn_t *ctx = conn->c_sasl_context;
 257
 258         if( ctx != NULL ) {
 259                 sasl_dispose( &ctx );
 260         }
 261
 262         conn->c_sasl_context = NULL;
 263 #endif
 264         return LDAP_SUCCESS;
 265 }
 266
 267 int slap_sasl_bind(
 268     Connection          *conn,
 269     Operation           *op,
 270     const char          *dn,
 271     const char          *ndn,
 272     const char          *mech,
 273     struct berval       *cred,
 274         char                            **edn )
 275 {
 276         int rc = 1;
 277
 278 #ifdef HAVE_CYRUS_SASL
 279         sasl_conn_t *ctx = conn->c_sasl_context;
 280         struct berval response;
 281         unsigned reslen;
 282         const char *errstr;
 283         int sc;
 284
 285         Debug(LDAP_DEBUG_ARGS,
 286                 "==> sasl_bind: dn=\"%s\" mech=%s cred->bv_len=%d\n",
 287                 dn, mech, cred ? cred->bv_len : 0 );
 288
 289         if( ctx == NULL ) {
 290                 send_ldap_result( conn, op, LDAP_UNAVAILABLE,
 291                         NULL, "SASL unavailable on this session", NULL, NULL );
 292                 return rc;
 293         }
 294
 295         if ( mech != NULL ) {
 296                 sc = sasl_server_start( ctx,
 297                         mech,
 298                         cred->bv_val, cred->bv_len,
 299                         (char **)&response.bv_val, &reslen, &errstr );
 300
 301         } else {
 302                 sc = sasl_server_step( ctx,
 303                         cred->bv_val, cred->bv_len,
 304                         (char **)&response.bv_val, &reslen, &errstr );
 305         }
 306
 307         response.bv_len = reslen;
 308
 309         if ( sc == SASL_OK ) {
 310                 char *username = NULL;
 311
 312                 sc = sasl_getprop( ctx,
 313                         SASL_USERNAME, (void **)&username );
 314
 315                 if ( sc != SASL_OK ) {
 316                         Debug(LDAP_DEBUG_TRACE,
 317                                 "slap_sasl_bind: getprop(USERNAME) failed!\n",
 318                                 0, 0, 0);
 319
 320                         send_ldap_result( conn, op, rc = slap_sasl_err2ldap( sc ),
 321                                 NULL, "no SASL username", NULL, NULL );
 322
 323                 } else if ( username == NULL || *username == '\0' ) {
 324                         Debug(LDAP_DEBUG_TRACE,
 325                                 "slap_sasl_bind: getprop(USERNAME) returned NULL!\n",
 326                                 0, 0, 0);
 327
 328                         send_ldap_result( conn, op, rc = LDAP_INSUFFICIENT_ACCESS,
 329                                 NULL, "no SASL username", NULL, NULL );
 330
 331                 } else {
 332                         char *realm = NULL;
 333                         sasl_ssf_t ssf = 0;
 334
 335                         (void) sasl_getprop( ctx,
 336                                 SASL_REALM, (void **)&realm );
 337
 338                         (void) sasl_getprop( ctx,
 339                                 SASL_SSF, (void *)&ssf );
 340
 341                         Debug(LDAP_DEBUG_TRACE,
 342                                 "slap_sasl_bind: username=\"%s\" realm=\"%s\" ssf=%lu\n",
 343                                 username ? username : "",
 344                                 realm ? realm : "",
 345                                 (unsigned long) ssf );
 346
 347                         if( !strncasecmp( username, "anonymous", sizeof("anonyous")-1 ) &&
 348                                 ( ( username[sizeof("anonymous")] == '\0' ) ||
 349                                   ( username[sizeof("anonymous")] == '@' ) ) )
 350                         {
 351                                 Debug(LDAP_DEBUG_TRACE, "<== slap_sasl_bind: anonymous\n",
 352                                         0, 0, 0);
 353
 354                         } else {
 355                                 *edn = ch_malloc( sizeof( "uid= + realm=" )
 356                                         + ( username ? strlen( username ) : 0 )
 357                                         + ( realm ? strlen( realm ) : 0 ) );
 358
 359                                 strcpy( *edn, "uid=" );
 360                                 strcat( *edn, username );
 361
 362                                 if( realm && *realm ) {
 363                                         strcat( *edn, " + realm=" );
 364                                         strcat( *edn, realm );
 365                                 }
 366
 367                                 Debug(LDAP_DEBUG_TRACE, "<== slap_sasl_bind: authzdn: \"%s\"\n",
 368                                         *edn, 0, 0);
 369                         }
 370
 371                         send_ldap_sasl( conn, op, rc = LDAP_SUCCESS,
 372                                 NULL, NULL, NULL, NULL, &response );
 373                 }
 374
 375         } else if ( sc == SASL_CONTINUE ) {
 376                 send_ldap_sasl( conn, op, rc = LDAP_SASL_BIND_IN_PROGRESS,
 377                         NULL, NULL, NULL, NULL,  &response );
 378
 379         } else {
 380                 send_ldap_result( conn, op, rc = slap_sasl_err2ldap( sc ),
 381                         NULL, errstr, NULL, NULL );
 382         }
 383
 384         Debug(LDAP_DEBUG_TRACE, "<== slap_sasl_bind: rc=%d\n", rc, 0, 0);
 385
 386 #else
 387         send_ldap_result( conn, op, rc = LDAP_UNAVAILABLE,
 388                 NULL, "SASL not supported", NULL, NULL );
 389 #endif
 390
 391         return rc;
 392 }
 393
 394 char* slap_sasl_secprops( const char *in )
 395 {
 396 #ifdef HAVE_CYRUS_SASL
 397         int rc = ldap_pvt_sasl_secprops( in, &sasl_secprops );
 398
 399         return rc == LDAP_SUCCESS ? NULL : "Invalid security properties";
 400 #else
 401         return "SASL not supported";
 402 #endif
 403 }