git.sur5r.net Git - openldap/blob - servers/slapd/sasl.c

   1 /* $OpenLDAP$ */
   2 /*
   3  * Copyright 1998-2000 The OpenLDAP Foundation, All Rights Reserved.
   4  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
   5  */
   6
   7 #include "portable.h"
   8
   9 #include <ac/stdlib.h>
  10 #include <stdio.h>
  11
  12 #include "slap.h"
  13 #include "proto-slap.h"
  14
  15 #include <lber.h>
  16 #include <ldap_log.h>
  17
  18 #ifdef HAVE_CYRUS_SASL
  19 #include <limits.h>
  20 #include <sasl.h>
  21
  22 #include <ldap_pvt.h>
  23
  24 #ifdef SLAPD_SPASSWD
  25 #include <lutil.h>
  26 #endif
  27
  28 static sasl_security_properties_t sasl_secprops;
  29
  30
  31 static int
  32 slap_sasl_log(
  33         void *context,
  34         int priority,
  35         const char *message)
  36 {
  37         Connection *conn = context;
  38         int level;
  39         const char * label;
  40
  41         if ( message == NULL ) {
  42                 return SASL_BADPARAM;
  43         }
  44
  45         switch (priority) {
  46         case SASL_LOG_ERR:
  47                 level = LDAP_DEBUG_ANY;
  48                 label = "Error";
  49                 break;
  50         case SASL_LOG_WARNING:
  51                 level = LDAP_DEBUG_TRACE;
  52                 label = "Warning";
  53                 break;
  54         case SASL_LOG_INFO:
  55                 level = LDAP_DEBUG_TRACE;
  56                 label = "Info";
  57                 break;
  58         default:
  59                 return SASL_BADPARAM;
  60         }
  61
  62         Debug( level, "SASL [conn=%d] %s: %s\n",
  63                 conn ? conn->c_connid: -1,
  64                 label, message );
  65
  66         return SASL_OK;
  67 }
  68
  69 static int
  70 slap_sasl_authorize(
  71         void *context,
  72         const char *authcid,
  73         const char *authzid,
  74         const char **user,
  75         const char **errstr)
  76 {
  77         char *cuser;
  78         int rc;
  79         Connection *conn = context;
  80
  81         *user = NULL;
  82
  83         if ( authcid == NULL || *authcid == '\0' ) {
  84                 *errstr = "empty authentication identity";
  85
  86                 Debug( LDAP_DEBUG_TRACE, "SASL Authorize [conn=%ld]: "
  87                         "empty authentication identity\n",
  88                         (long) (conn ? conn->c_connid : -1),
  89                         0, 0 );
  90                 return SASL_BADAUTH;
  91         }
  92
  93         Debug( LDAP_DEBUG_ARGS, "SASL Authorize [conn=%ld]: "
  94                 "authcid=\"%s\" authzid=\"%s\"\n",
  95                 (long) (conn ? conn->c_connid : -1),
  96                 authcid ? authcid : "<empty>",
  97                 authzid ? authzid : "<empty>" );
  98
  99         if ( authzid == NULL || *authzid == '\0' ||
 100                 strcmp( authcid, authzid ) == 0 )
 101         {
 102                 size_t len = sizeof("u:") + strlen( authcid );
 103
 104                 cuser = ch_malloc( len );
 105                 strcpy( cuser, "u:" );
 106                 strcpy( &cuser[sizeof("u:")-1], authcid );
 107
 108                 *user = cuser;
 109
 110                 Debug( LDAP_DEBUG_TRACE, "SASL Authorize [conn=%ld]: "
 111                         "\"%s\" as \"%s\"\n",
 112                         (long) (conn ? conn->c_connid : -1),
 113                         authcid, cuser );
 114
 115                 return SASL_OK;
 116         }
 117
 118         rc = slap_sasl_authorized( conn, authcid, authzid );
 119         Debug( LDAP_DEBUG_TRACE, "SASL Authorization returned %d\n", rc,0,0);
 120         if( rc ) {
 121                 *errstr = "not authorized";
 122                 return SASL_NOAUTHZ;
 123         }
 124
 125         cuser = ch_strdup( authzid );
 126         dn_normalize( cuser );
 127         *errstr = NULL;
 128         *user = cuser;
 129         return SASL_OK;
 130 }
 131
 132
 133 static int
 134 slap_sasl_err2ldap( int saslerr )
 135 {
 136         int rc;
 137
 138         switch (saslerr) {
 139                 case SASL_CONTINUE:
 140                         rc = LDAP_SASL_BIND_IN_PROGRESS;
 141                         break;
 142                 case SASL_FAIL:
 143                         rc = LDAP_OTHER;
 144                         break;
 145                 case SASL_NOMEM:
 146                         rc = LDAP_OTHER;
 147                         break;
 148                 case SASL_NOMECH:
 149                         rc = LDAP_AUTH_METHOD_NOT_SUPPORTED;
 150                         break;
 151                 case SASL_BADAUTH:
 152                         rc = LDAP_INVALID_CREDENTIALS;
 153                         break;
 154                 case SASL_NOAUTHZ:
 155                         rc = LDAP_INSUFFICIENT_ACCESS;
 156                         break;
 157                 case SASL_TOOWEAK:
 158                 case SASL_ENCRYPT:
 159                         rc = LDAP_INAPPROPRIATE_AUTH;
 160                         break;
 161                 default:
 162                         rc = LDAP_OTHER;
 163                         break;
 164         }
 165
 166         return rc;
 167 }
 168 #endif
 169
 170
 171 int slap_sasl_init( void )
 172 {
 173 #ifdef HAVE_CYRUS_SASL
 174         int rc;
 175         sasl_conn_t *server = NULL;
 176         static sasl_callback_t server_callbacks[] = {
 177                 { SASL_CB_LOG, &slap_sasl_log, NULL },
 178                 { SASL_CB_LIST_END, NULL, NULL }
 179         };
 180
 181         sasl_set_alloc(
 182                 ch_malloc,
 183                 ch_calloc,
 184                 ch_realloc,
 185                 ch_free );
 186
 187         sasl_set_mutex(
 188                 ldap_pvt_sasl_mutex_new,
 189                 ldap_pvt_sasl_mutex_lock,
 190                 ldap_pvt_sasl_mutex_unlock,
 191                 ldap_pvt_sasl_mutex_dispose );
 192
 193         /* should provide callbacks for logging */
 194         /* server name should be configurable */
 195         rc = sasl_server_init( server_callbacks, "slapd" );
 196
 197         if( rc != SASL_OK ) {
 198                 Debug( LDAP_DEBUG_ANY, "sasl_server_init failed\n",
 199                         0, 0, 0 );
 200                 return -1;
 201         }
 202
 203         Debug( LDAP_DEBUG_TRACE, "slap_sasl_init: initialized!\n",
 204                 0, 0, 0 );
 205
 206         /* default security properties */
 207         memset( &sasl_secprops, '\0', sizeof(sasl_secprops) );
 208     sasl_secprops.max_ssf = INT_MAX;
 209     sasl_secprops.maxbufsize = 65536;
 210     sasl_secprops.security_flags = SASL_SEC_NOPLAINTEXT|SASL_SEC_NOANONYMOUS;
 211
 212         sasl_dispose( &server );
 213
 214 #endif
 215         return 0;
 216 }
 217
 218 int slap_sasl_destroy( void )
 219 {
 220 #ifdef HAVE_CYRUS_SASL
 221         sasl_done();
 222 #endif
 223         return 0;
 224 }
 225
 226 int slap_sasl_open( Connection *conn )
 227 {
 228         int sc = LDAP_SUCCESS;
 229
 230 #ifdef HAVE_CYRUS_SASL
 231         sasl_conn_t *ctx = NULL;
 232         sasl_callback_t *session_callbacks;
 233
 234         assert( conn->c_sasl_context == NULL );
 235         assert( conn->c_sasl_extra == NULL );
 236
 237         conn->c_sasl_layers = 0;
 238
 239         session_callbacks =
 240                 ch_calloc( 3, sizeof(sasl_callback_t));
 241         conn->c_sasl_extra = session_callbacks;
 242
 243         session_callbacks[0].id = SASL_CB_LOG;
 244         session_callbacks[0].proc = &slap_sasl_log;
 245         session_callbacks[0].context = conn;
 246
 247         session_callbacks[1].id = SASL_CB_PROXY_POLICY;
 248         session_callbacks[1].proc = &slap_sasl_authorize;
 249         session_callbacks[1].context = conn;
 250
 251         session_callbacks[2].id = SASL_CB_LIST_END;
 252         session_callbacks[2].proc = NULL;
 253         session_callbacks[2].context = NULL;
 254
 255         if( global_host == NULL ) {
 256                 global_host = ldap_pvt_get_fqdn( NULL );
 257         }
 258
 259         /* create new SASL context */
 260         sc = sasl_server_new( "ldap", global_host, global_realm,
 261                 session_callbacks, SASL_SECURITY_LAYER, &ctx );
 262
 263         if( sc != SASL_OK ) {
 264                 Debug( LDAP_DEBUG_ANY, "sasl_server_new failed: %d\n",
 265                         sc, 0, 0 );
 266                 return -1;
 267         }
 268
 269         conn->c_sasl_context = ctx;
 270
 271         if( sc == SASL_OK ) {
 272                 sc = sasl_setprop( ctx,
 273                         SASL_SEC_PROPS, &sasl_secprops );
 274
 275                 if( sc != SASL_OK ) {
 276                         Debug( LDAP_DEBUG_ANY, "sasl_setprop failed: %d\n",
 277                                 sc, 0, 0 );
 278                         slap_sasl_close( conn );
 279                         return -1;
 280                 }
 281         }
 282
 283         sc = slap_sasl_err2ldap( sc );
 284 #endif
 285         return sc;
 286 }
 287
 288 int slap_sasl_external(
 289         Connection *conn,
 290         slap_ssf_t ssf,
 291         const char *auth_id )
 292 {
 293 #ifdef HAVE_CYRUS_SASL
 294         int sc;
 295         sasl_conn_t *ctx = conn->c_sasl_context;
 296         sasl_external_properties_t extprops;
 297
 298         if ( ctx == NULL ) {
 299                 return LDAP_UNAVAILABLE;
 300         }
 301
 302         memset( &extprops, '\0', sizeof(extprops) );
 303         extprops.ssf = ssf;
 304         extprops.auth_id = (char *) auth_id;
 305
 306         sc = sasl_setprop( ctx, SASL_SSF_EXTERNAL,
 307                 (void *) &extprops );
 308
 309         if ( sc != SASL_OK ) {
 310                 return LDAP_OTHER;
 311         }
 312 #endif
 313
 314         return LDAP_SUCCESS;
 315 }
 316
 317 int slap_sasl_reset( Connection *conn )
 318 {
 319 #ifdef HAVE_CYRUS_SASL
 320         sasl_conn_t *ctx = conn->c_sasl_context;
 321
 322         if( ctx != NULL ) {
 323         }
 324 #endif
 325         /* must return "anonymous" */
 326         return LDAP_SUCCESS;
 327 }
 328
 329 char ** slap_sasl_mechs( Connection *conn )
 330 {
 331         char **mechs = NULL;
 332
 333 #ifdef HAVE_CYRUS_SASL
 334         sasl_conn_t *ctx = conn->c_sasl_context;
 335
 336         if( ctx != NULL ) {
 337                 int sc;
 338                 char *mechstr;
 339
 340                 sc = sasl_listmech( ctx,
 341                         NULL, NULL, ",", NULL,
 342                         &mechstr, NULL, NULL );
 343
 344                 if( sc != SASL_OK ) {
 345                         Debug( LDAP_DEBUG_ANY, "slap_sasl_listmech failed: %d\n",
 346                                 sc, 0, 0 );
 347                         return NULL;
 348                 }
 349
 350                 mechs = str2charray( mechstr, "," );
 351
 352                 ch_free( mechstr );
 353         }
 354 #endif
 355
 356         return mechs;
 357 }
 358
 359 int slap_sasl_close( Connection *conn )
 360 {
 361 #ifdef HAVE_CYRUS_SASL
 362         sasl_conn_t *ctx = conn->c_sasl_context;
 363
 364         if( ctx != NULL ) {
 365                 sasl_dispose( &ctx );
 366         }
 367
 368         conn->c_sasl_context = NULL;
 369
 370         free( conn->c_sasl_extra );
 371         conn->c_sasl_extra = NULL;
 372 #endif
 373
 374         return LDAP_SUCCESS;
 375 }
 376
 377 int slap_sasl_bind(
 378     Connection          *conn,
 379     Operation           *op,
 380     const char          *dn,
 381     const char          *ndn,
 382     struct berval       *cred,
 383         char                            **edn,
 384         slap_ssf_t                      *ssfp )
 385 {
 386         int rc = 1;
 387
 388 #ifdef HAVE_CYRUS_SASL
 389         sasl_conn_t *ctx = conn->c_sasl_context;
 390         struct berval response;
 391         unsigned reslen;
 392         const char *errstr;
 393         int sc;
 394
 395         Debug(LDAP_DEBUG_ARGS,
 396           "==> sasl_bind: dn=\"%s\" mech=%s datalen=%d\n", dn,
 397           conn->c_sasl_bind_in_progress ? "<continuing>":conn->c_sasl_bind_mech,
 398           cred ? cred->bv_len : 0 );
 399
 400         if( ctx == NULL ) {
 401                 send_ldap_result( conn, op, LDAP_UNAVAILABLE,
 402                         NULL, "SASL unavailable on this session", NULL, NULL );
 403                 return rc;
 404         }
 405
 406         if ( !conn->c_sasl_bind_in_progress ) {
 407                 sc = sasl_server_start( ctx,
 408                         conn->c_sasl_bind_mech,
 409                         cred->bv_val, cred->bv_len,
 410                         (char **)&response.bv_val, &reslen, &errstr );
 411
 412         } else {
 413                 sc = sasl_server_step( ctx,
 414                         cred->bv_val, cred->bv_len,
 415                         (char **)&response.bv_val, &reslen, &errstr );
 416         }
 417
 418         response.bv_len = reslen;
 419
 420         if ( sc == SASL_OK ) {
 421                 char *username = NULL;
 422
 423                 sc = sasl_getprop( ctx,
 424                         SASL_USERNAME, (void **)&username );
 425
 426                 if ( sc != SASL_OK ) {
 427                         Debug(LDAP_DEBUG_TRACE,
 428                                 "slap_sasl_bind: getprop(USERNAME) failed!\n",
 429                                 0, 0, 0);
 430
 431                         send_ldap_result( conn, op, rc = slap_sasl_err2ldap( sc ),
 432                                 NULL, "no SASL username", NULL, NULL );
 433
 434                 } else if ( username == NULL || *username == '\0' ) {
 435                         Debug(LDAP_DEBUG_TRACE,
 436                                 "slap_sasl_bind: getprop(USERNAME) returned NULL!\n",
 437                                 0, 0, 0);
 438
 439                         send_ldap_result( conn, op, rc = LDAP_INSUFFICIENT_ACCESS,
 440                                 NULL, "no SASL username", NULL, NULL );
 441
 442                 } else {
 443                         char *realm = NULL;
 444                         sasl_ssf_t *ssf = NULL;
 445
 446                         (void) sasl_getprop( ctx,
 447                                 SASL_REALM, (void **)&realm );
 448
 449                         (void) sasl_getprop( ctx,
 450                                 SASL_SSF, (void *)&ssf );
 451
 452                         Debug(LDAP_DEBUG_TRACE,
 453                                 "slap_sasl_bind: username=\"%s\" realm=\"%s\" ssf=%lu\n",
 454                                 username ? username : "",
 455                                 realm ? realm : "",
 456                                 (unsigned long) ( ssf ? *ssf : 0 ) );
 457
 458                         *ssfp = ssf ? *ssf : 0;
 459
 460                         rc = LDAP_SUCCESS;
 461
 462                         if( username == NULL || (
 463                                 !strncasecmp( username, "anonymous", sizeof("anonymous")-1 ) &&
 464                                 ( username[sizeof("anonymous")-1] == '\0' ||
 465                                   username[sizeof("anonymous")-1] == '@' ) ) )
 466                         {
 467                                 Debug(LDAP_DEBUG_TRACE, "<== slap_sasl_bind: anonymous\n",
 468                                         0, 0, 0);
 469
 470                         } else if ( username[0] == 'u' && username[1] == ':'
 471                                 && username[2] != '\0'
 472                                 && strpbrk( &username[2], "+=,;\"\\ \t") == NULL )
 473                         {
 474                                 *edn = ch_malloc( sizeof( "uid= + realm=" )
 475                                         + strlen( &username[2] )
 476                                         + ( realm ? strlen( realm ) : 0 ) );
 477
 478                                 strcpy( *edn, "uid=" );
 479                                 strcat( *edn, &username[2] );
 480
 481                                 if( realm && *realm ) {
 482                                         strcat( *edn, " + realm=" );
 483                                         strcat( *edn, realm );
 484                                 }
 485
 486                                 Debug(LDAP_DEBUG_TRACE, "<== slap_sasl_bind: authzdn: \"%s\"\n",
 487                                         *edn, 0, 0);
 488
 489                         }
 490
 491                         if( rc == LDAP_SUCCESS ) {
 492                                 send_ldap_sasl( conn, op, rc,
 493                                         NULL, NULL, NULL, NULL,
 494                                         response.bv_len ? &response : NULL );
 495
 496                         } else {
 497                                 send_ldap_result( conn, op, rc,
 498                                         NULL, errstr, NULL, NULL );
 499                         }
 500                 }
 501
 502         } else if ( sc == SASL_CONTINUE ) {
 503                 send_ldap_sasl( conn, op, rc = LDAP_SASL_BIND_IN_PROGRESS,
 504                         NULL, NULL, NULL, NULL, &response );
 505
 506         } else {
 507                 send_ldap_result( conn, op, rc = slap_sasl_err2ldap( sc ),
 508                         NULL, errstr, NULL, NULL );
 509         }
 510
 511         Debug(LDAP_DEBUG_TRACE, "<== slap_sasl_bind: rc=%d\n", rc, 0, 0);
 512
 513 #else
 514         send_ldap_result( conn, op, rc = LDAP_UNAVAILABLE,
 515                 NULL, "SASL not supported", NULL, NULL );
 516 #endif
 517
 518         return rc;
 519 }
 520
 521 char* slap_sasl_secprops( const char *in )
 522 {
 523 #ifdef HAVE_CYRUS_SASL
 524         int rc = ldap_pvt_sasl_secprops( in, &sasl_secprops );
 525
 526         return rc == LDAP_SUCCESS ? NULL : "Invalid security properties";
 527 #else
 528         return "SASL not supported";
 529 #endif
 530 }