git.sur5r.net Git - openldap/blob - servers/slapd/sasl.c

   1 /* $OpenLDAP$ */
   2 /*
   3  * Copyright 1998-2000 The OpenLDAP Foundation, All Rights Reserved.
   4  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
   5  */
   6
   7 #include "portable.h"
   8
   9 #include <ac/stdlib.h>
  10 #include <stdio.h>
  11
  12 #include "slap.h"
  13 #include "proto-slap.h"
  14
  15 #include <lber.h>
  16 #include <ldap_log.h>
  17
  18 #ifdef HAVE_CYRUS_SASL
  19 #include <limits.h>
  20 #include <sasl.h>
  21
  22 #include <ldap_pvt.h>
  23
  24 #ifdef SLAPD_SPASSWD
  25 #include <lutil.h>
  26 #endif
  27
  28 static sasl_security_properties_t sasl_secprops;
  29
  30
  31 static int
  32 slap_sasl_log(
  33         void *context,
  34         int priority,
  35         const char *message)
  36 {
  37         Connection *conn = context;
  38         int level;
  39         const char * label;
  40
  41         if ( message == NULL ) {
  42                 return SASL_BADPARAM;
  43         }
  44
  45         switch (priority) {
  46         case SASL_LOG_ERR:
  47                 level = LDAP_DEBUG_ANY;
  48                 label = "Error";
  49                 break;
  50         case SASL_LOG_WARNING:
  51                 level = LDAP_DEBUG_TRACE;
  52                 label = "Warning";
  53                 break;
  54         case SASL_LOG_INFO:
  55                 level = LDAP_DEBUG_TRACE;
  56                 label = "Info";
  57                 break;
  58         default:
  59                 return SASL_BADPARAM;
  60         }
  61
  62         Debug( level, "SASL [conn=%d] %s: %s\n",
  63                 conn ? conn->c_connid: -1,
  64                 label, message );
  65
  66         return SASL_OK;
  67 }
  68
  69 static int
  70 slap_sasl_authorize(
  71         void *context,
  72         const char *authcid,
  73         const char *authzid,
  74         const char **user,
  75         const char **errstr)
  76 {
  77         char *cuser;
  78         int rc;
  79         Connection *conn = context;
  80
  81         *user = NULL;
  82
  83         if ( authcid == NULL || *authcid == '\0' ) {
  84                 *errstr = "empty authentication identity";
  85
  86                 Debug( LDAP_DEBUG_TRACE, "SASL Authorize [conn=%ld]: "
  87                         "empty authentication identity\n",
  88                         (long) (conn ? conn->c_connid : -1),
  89                         0, 0 );
  90                 return SASL_BADAUTH;
  91         }
  92
  93         Debug( LDAP_DEBUG_ARGS, "SASL Authorize [conn=%ld]: "
  94                 "authcid=\"%s\" authzid=\"%s\"\n",
  95                 (long) (conn ? conn->c_connid : -1),
  96                 authcid ? authcid : "<empty>",
  97                 authzid ? authzid : "<empty>" );
  98
  99         if ( authzid == NULL || *authzid == '\0' ||
 100                 strcmp( authcid, authzid ) == 0 )
 101         {
 102                 size_t len = sizeof("u:") + strlen( authcid );
 103
 104                 cuser = ch_malloc( len );
 105                 strcpy( cuser, "u:" );
 106                 strcpy( &cuser[sizeof("u:")-1], authcid );
 107
 108                 *user = cuser;
 109
 110                 Debug( LDAP_DEBUG_TRACE, "SASL Authorize [conn=%ld]: "
 111                         "\"%s\" as \"%s\"\n",
 112                         (long) (conn ? conn->c_connid : -1),
 113                         authcid, cuser );
 114
 115                 return SASL_OK;
 116         }
 117
 118         rc = slap_sasl_authorized( conn, authcid, authzid );
 119         Debug( LDAP_DEBUG_TRACE, "SASL Authorization returned %d\n", rc,0,0);
 120         if( rc ) {
 121                 *errstr = "not authorized";
 122                 return SASL_NOAUTHZ;
 123         }
 124
 125         cuser = ch_strdup( authzid );
 126         dn_normalize( cuser );
 127         *errstr = NULL;
 128         *user = cuser;
 129         return SASL_OK;
 130 }
 131
 132
 133 static int
 134 slap_sasl_err2ldap( int saslerr )
 135 {
 136         int rc;
 137
 138         switch (saslerr) {
 139                 case SASL_CONTINUE:
 140                         rc = LDAP_SASL_BIND_IN_PROGRESS;
 141                         break;
 142                 case SASL_FAIL:
 143                         rc = LDAP_OTHER;
 144                         break;
 145                 case SASL_NOMEM:
 146                         rc = LDAP_OTHER;
 147                         break;
 148                 case SASL_NOMECH:
 149                         rc = LDAP_AUTH_METHOD_NOT_SUPPORTED;
 150                         break;
 151                 case SASL_BADAUTH:
 152                         rc = LDAP_INVALID_CREDENTIALS;
 153                         break;
 154                 case SASL_NOAUTHZ:
 155                         rc = LDAP_INSUFFICIENT_ACCESS;
 156                         break;
 157                 case SASL_TOOWEAK:
 158                 case SASL_ENCRYPT:
 159                         rc = LDAP_INAPPROPRIATE_AUTH;
 160                         break;
 161                 default:
 162                         rc = LDAP_OTHER;
 163                         break;
 164         }
 165
 166         return rc;
 167 }
 168 #endif
 169
 170
 171 int slap_sasl_init( void )
 172 {
 173 #ifdef HAVE_CYRUS_SASL
 174         int rc;
 175         static sasl_callback_t server_callbacks[] = {
 176                 { SASL_CB_LOG, &slap_sasl_log, NULL },
 177                 { SASL_CB_LIST_END, NULL, NULL }
 178         };
 179
 180         sasl_set_alloc(
 181                 ch_malloc,
 182                 ch_calloc,
 183                 ch_realloc,
 184                 ch_free );
 185
 186         sasl_set_mutex(
 187                 ldap_pvt_sasl_mutex_new,
 188                 ldap_pvt_sasl_mutex_lock,
 189                 ldap_pvt_sasl_mutex_unlock,
 190                 ldap_pvt_sasl_mutex_dispose );
 191
 192         /* should provide callbacks for logging */
 193         /* server name should be configurable */
 194         rc = sasl_server_init( server_callbacks, "slapd" );
 195
 196         if( rc != SASL_OK ) {
 197                 Debug( LDAP_DEBUG_ANY, "sasl_server_init failed\n",
 198                         0, 0, 0 );
 199                 return -1;
 200         }
 201
 202         Debug( LDAP_DEBUG_TRACE, "slap_sasl_init: initialized!\n",
 203                 0, 0, 0 );
 204
 205         /* default security properties */
 206         memset( &sasl_secprops, '\0', sizeof(sasl_secprops) );
 207     sasl_secprops.max_ssf = INT_MAX;
 208     sasl_secprops.maxbufsize = 65536;
 209     sasl_secprops.security_flags = SASL_SEC_NOPLAINTEXT|SASL_SEC_NOANONYMOUS;
 210 #endif
 211
 212         return 0;
 213 }
 214
 215 int slap_sasl_destroy( void )
 216 {
 217 #ifdef HAVE_CYRUS_SASL
 218         sasl_done();
 219 #endif
 220         return 0;
 221 }
 222
 223 int slap_sasl_open( Connection *conn )
 224 {
 225         int sc = LDAP_SUCCESS;
 226
 227 #ifdef HAVE_CYRUS_SASL
 228         sasl_conn_t *ctx = NULL;
 229         sasl_callback_t *session_callbacks;
 230
 231         assert( conn->c_sasl_context == NULL );
 232         assert( conn->c_sasl_extra == NULL );
 233
 234         conn->c_sasl_layers = 0;
 235
 236         session_callbacks =
 237                 ch_calloc( 3, sizeof(sasl_callback_t));
 238         conn->c_sasl_extra = session_callbacks;
 239
 240         session_callbacks[0].id = SASL_CB_LOG;
 241         session_callbacks[0].proc = &slap_sasl_log;
 242         session_callbacks[0].context = conn;
 243
 244         session_callbacks[1].id = SASL_CB_PROXY_POLICY;
 245         session_callbacks[1].proc = &slap_sasl_authorize;
 246         session_callbacks[1].context = conn;
 247
 248         session_callbacks[2].id = SASL_CB_LIST_END;
 249         session_callbacks[2].proc = NULL;
 250         session_callbacks[2].context = NULL;
 251
 252         if( global_host == NULL ) {
 253                 global_host = ldap_pvt_get_fqdn( NULL );
 254         }
 255
 256         /* create new SASL context */
 257         sc = sasl_server_new( "ldap", global_host, global_realm,
 258                 session_callbacks, SASL_SECURITY_LAYER, &ctx );
 259
 260         if( sc != SASL_OK ) {
 261                 Debug( LDAP_DEBUG_ANY, "sasl_server_new failed: %d\n",
 262                         sc, 0, 0 );
 263                 return -1;
 264         }
 265
 266         conn->c_sasl_context = ctx;
 267
 268         if( sc == SASL_OK ) {
 269                 sc = sasl_setprop( ctx,
 270                         SASL_SEC_PROPS, &sasl_secprops );
 271
 272                 if( sc != SASL_OK ) {
 273                         Debug( LDAP_DEBUG_ANY, "sasl_setprop failed: %d\n",
 274                                 sc, 0, 0 );
 275                         slap_sasl_close( conn );
 276                         return -1;
 277                 }
 278         }
 279
 280         sc = slap_sasl_err2ldap( sc );
 281 #endif
 282         return sc;
 283 }
 284
 285 int slap_sasl_external(
 286         Connection *conn,
 287         slap_ssf_t ssf,
 288         const char *auth_id )
 289 {
 290 #ifdef HAVE_CYRUS_SASL
 291         int sc;
 292         sasl_conn_t *ctx = conn->c_sasl_context;
 293         sasl_external_properties_t extprops;
 294
 295         if ( ctx == NULL ) {
 296                 return LDAP_UNAVAILABLE;
 297         }
 298
 299         memset( &extprops, '\0', sizeof(extprops) );
 300         extprops.ssf = ssf;
 301         extprops.auth_id = (char *) auth_id;
 302
 303         sc = sasl_setprop( ctx, SASL_SSF_EXTERNAL,
 304                 (void *) &extprops );
 305
 306         if ( sc != SASL_OK ) {
 307                 return LDAP_OTHER;
 308         }
 309 #endif
 310
 311         return LDAP_SUCCESS;
 312 }
 313
 314 int slap_sasl_reset( Connection *conn )
 315 {
 316 #ifdef HAVE_CYRUS_SASL
 317         sasl_conn_t *ctx = conn->c_sasl_context;
 318
 319         if( ctx != NULL ) {
 320         }
 321 #endif
 322         /* must return "anonymous" */
 323         return LDAP_SUCCESS;
 324 }
 325
 326 char ** slap_sasl_mechs( Connection *conn )
 327 {
 328         char **mechs = NULL;
 329
 330 #ifdef HAVE_CYRUS_SASL
 331         sasl_conn_t *ctx = conn->c_sasl_context;
 332
 333         if( ctx != NULL ) {
 334                 int sc;
 335                 char *mechstr;
 336
 337                 sc = sasl_listmech( ctx,
 338                         NULL, NULL, ",", NULL,
 339                         &mechstr, NULL, NULL );
 340
 341                 if( sc != SASL_OK ) {
 342                         Debug( LDAP_DEBUG_ANY, "slap_sasl_listmech failed: %d\n",
 343                                 sc, 0, 0 );
 344                         return NULL;
 345                 }
 346
 347                 mechs = str2charray( mechstr, "," );
 348
 349                 ch_free( mechstr );
 350         }
 351 #endif
 352
 353         return mechs;
 354 }
 355
 356 int slap_sasl_close( Connection *conn )
 357 {
 358 #ifdef HAVE_CYRUS_SASL
 359         sasl_conn_t *ctx = conn->c_sasl_context;
 360
 361         if( ctx != NULL ) {
 362                 sasl_dispose( &ctx );
 363         }
 364
 365         conn->c_sasl_context = NULL;
 366
 367         free( conn->c_sasl_extra );
 368         conn->c_sasl_extra = NULL;
 369 #endif
 370
 371         return LDAP_SUCCESS;
 372 }
 373
 374 int slap_sasl_bind(
 375     Connection          *conn,
 376     Operation           *op,
 377     const char          *dn,
 378     const char          *ndn,
 379     struct berval       *cred,
 380         char                            **edn,
 381         slap_ssf_t                      *ssfp )
 382 {
 383         int rc = 1;
 384
 385 #ifdef HAVE_CYRUS_SASL
 386         sasl_conn_t *ctx = conn->c_sasl_context;
 387         struct berval response;
 388         unsigned reslen;
 389         const char *errstr;
 390         int sc;
 391
 392         Debug(LDAP_DEBUG_ARGS,
 393           "==> sasl_bind: dn=\"%s\" mech=%s datalen=%d\n", dn,
 394           conn->c_sasl_bind_in_progress ? "<continuing>":conn->c_sasl_bind_mech,
 395           cred ? cred->bv_len : 0 );
 396
 397         if( ctx == NULL ) {
 398                 send_ldap_result( conn, op, LDAP_UNAVAILABLE,
 399                         NULL, "SASL unavailable on this session", NULL, NULL );
 400                 return rc;
 401         }
 402
 403         if ( !conn->c_sasl_bind_in_progress ) {
 404                 sc = sasl_server_start( ctx,
 405                         conn->c_sasl_bind_mech,
 406                         cred->bv_val, cred->bv_len,
 407                         (char **)&response.bv_val, &reslen, &errstr );
 408
 409         } else {
 410                 sc = sasl_server_step( ctx,
 411                         cred->bv_val, cred->bv_len,
 412                         (char **)&response.bv_val, &reslen, &errstr );
 413         }
 414
 415         response.bv_len = reslen;
 416
 417         if ( sc == SASL_OK ) {
 418                 char *username = NULL;
 419
 420                 sc = sasl_getprop( ctx,
 421                         SASL_USERNAME, (void **)&username );
 422
 423                 if ( sc != SASL_OK ) {
 424                         Debug(LDAP_DEBUG_TRACE,
 425                                 "slap_sasl_bind: getprop(USERNAME) failed!\n",
 426                                 0, 0, 0);
 427
 428                         send_ldap_result( conn, op, rc = slap_sasl_err2ldap( sc ),
 429                                 NULL, "no SASL username", NULL, NULL );
 430
 431                 } else if ( username == NULL || *username == '\0' ) {
 432                         Debug(LDAP_DEBUG_TRACE,
 433                                 "slap_sasl_bind: getprop(USERNAME) returned NULL!\n",
 434                                 0, 0, 0);
 435
 436                         send_ldap_result( conn, op, rc = LDAP_INSUFFICIENT_ACCESS,
 437                                 NULL, "no SASL username", NULL, NULL );
 438
 439                 } else {
 440                         char *realm = NULL;
 441                         sasl_ssf_t *ssf = NULL;
 442
 443                         (void) sasl_getprop( ctx,
 444                                 SASL_REALM, (void **)&realm );
 445
 446                         (void) sasl_getprop( ctx,
 447                                 SASL_SSF, (void *)&ssf );
 448
 449                         Debug(LDAP_DEBUG_TRACE,
 450                                 "slap_sasl_bind: username=\"%s\" realm=\"%s\" ssf=%lu\n",
 451                                 username ? username : "",
 452                                 realm ? realm : "",
 453                                 (unsigned long) ( ssf ? *ssf : 0 ) );
 454
 455                         *ssfp = ssf ? *ssf : 0;
 456
 457                         rc = LDAP_SUCCESS;
 458
 459                         if( username == NULL || (
 460                                 !strncasecmp( username, "anonymous", sizeof("anonymous")-1 ) &&
 461                                 ( username[sizeof("anonymous")-1] == '\0' ||
 462                                   username[sizeof("anonymous")-1] == '@' ) ) )
 463                         {
 464                                 Debug(LDAP_DEBUG_TRACE, "<== slap_sasl_bind: anonymous\n",
 465                                         0, 0, 0);
 466
 467                         } else if ( username[0] == 'u' && username[1] == ':'
 468                                 && username[2] != '\0'
 469                                 && strpbrk( &username[2], "+=,;\"\\ \t") == NULL )
 470                         {
 471                                 *edn = ch_malloc( sizeof( "uid= + realm=" )
 472                                         + strlen( &username[2] )
 473                                         + ( realm ? strlen( realm ) : 0 ) );
 474
 475                                 strcpy( *edn, "uid=" );
 476                                 strcat( *edn, &username[2] );
 477
 478                                 if( realm && *realm ) {
 479                                         strcat( *edn, " + realm=" );
 480                                         strcat( *edn, realm );
 481                                 }
 482
 483                                 Debug(LDAP_DEBUG_TRACE, "<== slap_sasl_bind: authzdn: \"%s\"\n",
 484                                         *edn, 0, 0);
 485
 486                         }
 487
 488                         if( rc == LDAP_SUCCESS ) {
 489                                 send_ldap_sasl( conn, op, rc,
 490                                         NULL, NULL, NULL, NULL,
 491                                         response.bv_len ? &response : NULL );
 492
 493                         } else {
 494                                 send_ldap_result( conn, op, rc,
 495                                         NULL, errstr, NULL, NULL );
 496                         }
 497                 }
 498
 499         } else if ( sc == SASL_CONTINUE ) {
 500                 send_ldap_sasl( conn, op, rc = LDAP_SASL_BIND_IN_PROGRESS,
 501                         NULL, NULL, NULL, NULL, &response );
 502
 503         } else {
 504                 send_ldap_result( conn, op, rc = slap_sasl_err2ldap( sc ),
 505                         NULL, errstr, NULL, NULL );
 506         }
 507
 508         Debug(LDAP_DEBUG_TRACE, "<== slap_sasl_bind: rc=%d\n", rc, 0, 0);
 509
 510 #else
 511         send_ldap_result( conn, op, rc = LDAP_UNAVAILABLE,
 512                 NULL, "SASL not supported", NULL, NULL );
 513 #endif
 514
 515         return rc;
 516 }
 517
 518 char* slap_sasl_secprops( const char *in )
 519 {
 520 #ifdef HAVE_CYRUS_SASL
 521         int rc = ldap_pvt_sasl_secprops( in, &sasl_secprops );
 522
 523         return rc == LDAP_SUCCESS ? NULL : "Invalid security properties";
 524 #else
 525         return "SASL not supported";
 526 #endif
 527 }