git.sur5r.net Git - openldap/blob - servers/slapd/sasl.c

   1 /* $OpenLDAP$ */
   2 /*
   3  * Copyright 1998-2000 The OpenLDAP Foundation, All Rights Reserved.
   4  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
   5  */
   6
   7 #include "portable.h"
   8
   9 #include <ac/stdlib.h>
  10 #include <stdio.h>
  11
  12 #include "slap.h"
  13 #include "proto-slap.h"
  14
  15 #include <lber.h>
  16 #include <ldap_log.h>
  17
  18 #ifdef HAVE_CYRUS_SASL
  19 #include <limits.h>
  20 #include <sasl.h>
  21
  22 #include <ldap_pvt.h>
  23
  24 #ifdef SLAPD_SPASSWD
  25 #include <lutil.h>
  26 #endif
  27
  28 static sasl_security_properties_t sasl_secprops;
  29
  30
  31 static int
  32 slap_sasl_log(
  33         void *context,
  34         int priority,
  35         const char *message)
  36 {
  37         Connection *conn = context;
  38         int level;
  39         const char * label;
  40
  41         if ( message == NULL ) {
  42                 return SASL_BADPARAM;
  43         }
  44
  45         switch (priority) {
  46         case SASL_LOG_ERR:
  47                 level = LDAP_DEBUG_ANY;
  48                 label = "Error";
  49                 break;
  50         case SASL_LOG_WARNING:
  51                 level = LDAP_DEBUG_TRACE;
  52                 label = "Warning";
  53                 break;
  54         case SASL_LOG_INFO:
  55                 level = LDAP_DEBUG_TRACE;
  56                 label = "Info";
  57                 break;
  58         default:
  59                 return SASL_BADPARAM;
  60         }
  61
  62         Debug( level, "SASL [conn=%d] %s: %s\n",
  63                 conn ? conn->c_connid: -1,
  64                 label, message );
  65
  66         return SASL_OK;
  67 }
  68
  69 static int
  70 slap_sasl_authorize(
  71         void *context,
  72         const char *authcid,
  73         const char *authzid,
  74         const char **user,
  75         const char **errstr)
  76 {
  77         Connection *conn = context;
  78
  79         *user = NULL;
  80
  81         if ( authcid == NULL || *authcid == '\0' ) {
  82                 *errstr = "empty authentication identity";
  83
  84                 Debug( LDAP_DEBUG_TRACE, "SASL Authorize [conn=%ld]: "
  85                         "empty authentication identity\n",
  86                         (long) (conn ? conn->c_connid : -1),
  87                         0, 0 );
  88                 return SASL_BADAUTH;
  89         }
  90
  91         Debug( LDAP_DEBUG_ARGS, "SASL Authorize [conn=%ld]: "
  92                 "authcid=\"%s\" authzid=\"%s\"\n",
  93                 (long) (conn ? conn->c_connid : -1),
  94                 authcid ? authcid : "<empty>",
  95                 authcid ? authcid : "<empty>" );
  96
  97         if ( authzid == NULL || *authzid == '\0' ||
  98                 strcmp( authcid, authzid ) == 0 )
  99         {
 100                 char* cuser;
 101                 size_t len = sizeof("u:") + strlen( authcid );
 102
 103                 cuser = ch_malloc( len );
 104                 strcpy( cuser, "u:" );
 105                 strcpy( &cuser[sizeof("u:")-1], authcid );
 106
 107                 *user = cuser;
 108
 109                 Debug( LDAP_DEBUG_TRACE, "SASL Authorize [conn=%ld]: "
 110                         "\"%s\" as \"%s\"\n",
 111                         (long) (conn ? conn->c_connid : -1),
 112                         authcid, cuser );
 113
 114                 return SASL_OK;
 115         }
 116
 117         Debug( LDAP_DEBUG_TRACE, "SASL Authorize [conn=%ld]: "
 118                 "\"%s\" as \"%s\" disallowed. No policy.\n",
 119                 (long) (conn ? conn->c_connid : -1),
 120                 authcid, authzid );
 121
 122         *errstr = "no proxy policy";
 123     return SASL_NOAUTHZ;
 124 }
 125
 126
 127 static int
 128 slap_sasl_err2ldap( int saslerr )
 129 {
 130         int rc;
 131
 132         switch (saslerr) {
 133                 case SASL_CONTINUE:
 134                         rc = LDAP_SASL_BIND_IN_PROGRESS;
 135                         break;
 136                 case SASL_FAIL:
 137                         rc = LDAP_OTHER;
 138                         break;
 139                 case SASL_NOMEM:
 140                         rc = LDAP_OTHER;
 141                         break;
 142                 case SASL_NOMECH:
 143                         rc = LDAP_AUTH_METHOD_NOT_SUPPORTED;
 144                         break;
 145                 case SASL_BADAUTH:
 146                         rc = LDAP_INVALID_CREDENTIALS;
 147                         break;
 148                 case SASL_NOAUTHZ:
 149                         rc = LDAP_INSUFFICIENT_ACCESS;
 150                         break;
 151                 case SASL_TOOWEAK:
 152                 case SASL_ENCRYPT:
 153                         rc = LDAP_INAPPROPRIATE_AUTH;
 154                         break;
 155                 default:
 156                         rc = LDAP_OTHER;
 157                         break;
 158         }
 159
 160         return rc;
 161 }
 162 #endif
 163
 164
 165 int slap_sasl_init( void )
 166 {
 167 #ifdef HAVE_CYRUS_SASL
 168         int rc;
 169         sasl_conn_t *server = NULL;
 170         static sasl_callback_t server_callbacks[] = {
 171                 { SASL_CB_LOG, &slap_sasl_log, NULL },
 172                 { SASL_CB_LIST_END, NULL, NULL }
 173         };
 174
 175         sasl_set_alloc(
 176                 ch_malloc,
 177                 ch_calloc,
 178                 ch_realloc,
 179                 ch_free );
 180
 181         sasl_set_mutex(
 182                 ldap_pvt_sasl_mutex_new,
 183                 ldap_pvt_sasl_mutex_lock,
 184                 ldap_pvt_sasl_mutex_unlock,
 185                 ldap_pvt_sasl_mutex_dispose );
 186
 187         /* should provide callbacks for logging */
 188         /* server name should be configurable */
 189         rc = sasl_server_init( server_callbacks, "slapd" );
 190
 191         if( rc != SASL_OK ) {
 192                 Debug( LDAP_DEBUG_ANY, "sasl_server_init failed\n",
 193                         0, 0, 0 );
 194                 return -1;
 195         }
 196
 197         Debug( LDAP_DEBUG_TRACE, "slap_sasl_init: initialized!\n",
 198                 0, 0, 0 );
 199
 200         /* default security properties */
 201         memset( &sasl_secprops, '\0', sizeof(sasl_secprops) );
 202     sasl_secprops.max_ssf = INT_MAX;
 203     sasl_secprops.maxbufsize = 65536;
 204     sasl_secprops.security_flags = SASL_SEC_NOPLAINTEXT|SASL_SEC_NOANONYMOUS;
 205
 206 #ifdef SLAPD_SPASSWD
 207         lutil_passwd_sasl_conn = server;
 208 #else
 209         sasl_dispose( &server );
 210 #endif
 211
 212 #endif
 213         return 0;
 214 }
 215
 216 int slap_sasl_destroy( void )
 217 {
 218 #ifdef HAVE_CYRUS_SASL
 219 #ifdef SLAPD_SPASSWD
 220         sasl_dispose( &lutil_passwd_sasl_conn );
 221 #endif
 222         sasl_done();
 223 #endif
 224         return 0;
 225 }
 226
 227 int slap_sasl_open( Connection *conn )
 228 {
 229         int sc = LDAP_SUCCESS;
 230
 231 #ifdef HAVE_CYRUS_SASL
 232         sasl_conn_t *ctx = NULL;
 233         sasl_callback_t *session_callbacks;
 234
 235         assert( conn->c_sasl_context == NULL );
 236         assert( conn->c_sasl_extra == NULL );
 237
 238         conn->c_sasl_layers = 0;
 239
 240         session_callbacks =
 241                 ch_calloc( 3, sizeof(sasl_callback_t));
 242         conn->c_sasl_extra = session_callbacks;
 243
 244         session_callbacks[0].id = SASL_CB_LOG;
 245         session_callbacks[0].proc = &slap_sasl_log;
 246         session_callbacks[0].context = conn;
 247
 248         session_callbacks[1].id = SASL_CB_PROXY_POLICY;
 249         session_callbacks[1].proc = &slap_sasl_authorize;
 250         session_callbacks[1].context = conn;
 251
 252         session_callbacks[2].id = SASL_CB_LIST_END;
 253         session_callbacks[2].proc = NULL;
 254         session_callbacks[2].context = NULL;
 255
 256         if( global_host == NULL ) {
 257                 global_host = ldap_pvt_get_fqdn( NULL );
 258         }
 259
 260         /* create new SASL context */
 261         sc = sasl_server_new( "ldap", global_host, global_realm,
 262                 session_callbacks, SASL_SECURITY_LAYER, &ctx );
 263
 264         if( sc != SASL_OK ) {
 265                 Debug( LDAP_DEBUG_ANY, "sasl_server_new failed: %d\n",
 266                         sc, 0, 0 );
 267                 return -1;
 268         }
 269
 270         conn->c_sasl_context = ctx;
 271
 272         if( sc == SASL_OK ) {
 273                 sc = sasl_setprop( ctx,
 274                         SASL_SEC_PROPS, &sasl_secprops );
 275
 276                 if( sc != SASL_OK ) {
 277                         Debug( LDAP_DEBUG_ANY, "sasl_setprop failed: %d\n",
 278                                 sc, 0, 0 );
 279                         slap_sasl_close( conn );
 280                         return -1;
 281                 }
 282         }
 283
 284         sc = slap_sasl_err2ldap( sc );
 285 #endif
 286         return sc;
 287 }
 288
 289 int slap_sasl_external(
 290         Connection *conn,
 291         slap_ssf_t ssf,
 292         char *auth_id )
 293 {
 294 #ifdef HAVE_CYRUS_SASL
 295         int sc;
 296         sasl_conn_t *ctx = conn->c_sasl_context;
 297         sasl_external_properties_t extprops;
 298
 299         if ( ctx == NULL ) {
 300                 return LDAP_UNAVAILABLE;
 301         }
 302
 303         memset( &extprops, '\0', sizeof(extprops) );
 304         extprops.ssf = ssf;
 305         extprops.auth_id = auth_id;
 306
 307         sc = sasl_setprop( ctx, SASL_SSF_EXTERNAL,
 308                 (void *) &extprops );
 309
 310         if ( sc != SASL_OK ) {
 311                 return LDAP_OTHER;
 312         }
 313 #endif
 314
 315         return LDAP_SUCCESS;
 316 }
 317
 318 int slap_sasl_reset( Connection *conn )
 319 {
 320 #ifdef HAVE_CYRUS_SASL
 321         sasl_conn_t *ctx = conn->c_sasl_context;
 322
 323         if( ctx != NULL ) {
 324         }
 325 #endif
 326         /* must return "anonymous" */
 327         return LDAP_SUCCESS;
 328 }
 329
 330 char ** slap_sasl_mechs( Connection *conn )
 331 {
 332         char **mechs = NULL;
 333
 334 #ifdef HAVE_CYRUS_SASL
 335         sasl_conn_t *ctx = conn->c_sasl_context;
 336
 337         if( ctx != NULL ) {
 338                 int sc;
 339                 char *mechstr;
 340
 341                 sc = sasl_listmech( ctx,
 342                         NULL, NULL, ",", NULL,
 343                         &mechstr, NULL, NULL );
 344
 345                 if( sc != SASL_OK ) {
 346                         Debug( LDAP_DEBUG_ANY, "slap_sasl_listmech failed: %d\n",
 347                                 sc, 0, 0 );
 348                         return NULL;
 349                 }
 350
 351                 mechs = str2charray( mechstr, "," );
 352
 353                 ch_free( mechstr );
 354         }
 355 #endif
 356
 357         return mechs;
 358 }
 359
 360 int slap_sasl_close( Connection *conn )
 361 {
 362 #ifdef HAVE_CYRUS_SASL
 363         sasl_conn_t *ctx = conn->c_sasl_context;
 364
 365         if( ctx != NULL ) {
 366                 sasl_dispose( &ctx );
 367         }
 368
 369         conn->c_sasl_context = NULL;
 370
 371         free( conn->c_sasl_extra );
 372         conn->c_sasl_extra = NULL;
 373 #endif
 374
 375         return LDAP_SUCCESS;
 376 }
 377
 378 int slap_sasl_bind(
 379     Connection          *conn,
 380     Operation           *op,
 381     const char          *dn,
 382     const char          *ndn,
 383     const char          *mech,
 384     struct berval       *cred,
 385         char                            **edn,
 386         slap_ssf_t                      *ssfp )
 387 {
 388         int rc = 1;
 389
 390 #ifdef HAVE_CYRUS_SASL
 391         sasl_conn_t *ctx = conn->c_sasl_context;
 392         struct berval response;
 393         unsigned reslen;
 394         const char *errstr;
 395         int sc;
 396
 397         Debug(LDAP_DEBUG_ARGS,
 398                 "==> sasl_bind: dn=\"%s\" mech=%s datalen=%d\n",
 399                 dn, mech ? mech : "<continuing>", cred ? cred->bv_len : 0 );
 400
 401         if( ctx == NULL ) {
 402                 send_ldap_result( conn, op, LDAP_UNAVAILABLE,
 403                         NULL, "SASL unavailable on this session", NULL, NULL );
 404                 return rc;
 405         }
 406
 407         if ( mech != NULL ) {
 408                 sc = sasl_server_start( ctx,
 409                         mech,
 410                         cred->bv_val, cred->bv_len,
 411                         (char **)&response.bv_val, &reslen, &errstr );
 412
 413         } else {
 414                 sc = sasl_server_step( ctx,
 415                         cred->bv_val, cred->bv_len,
 416                         (char **)&response.bv_val, &reslen, &errstr );
 417         }
 418
 419         response.bv_len = reslen;
 420
 421         if ( sc == SASL_OK ) {
 422                 char *username = NULL;
 423
 424                 sc = sasl_getprop( ctx,
 425                         SASL_USERNAME, (void **)&username );
 426
 427                 if ( sc != SASL_OK ) {
 428                         Debug(LDAP_DEBUG_TRACE,
 429                                 "slap_sasl_bind: getprop(USERNAME) failed!\n",
 430                                 0, 0, 0);
 431
 432                         send_ldap_result( conn, op, rc = slap_sasl_err2ldap( sc ),
 433                                 NULL, "no SASL username", NULL, NULL );
 434
 435                 } else if ( username == NULL || *username == '\0' ) {
 436                         Debug(LDAP_DEBUG_TRACE,
 437                                 "slap_sasl_bind: getprop(USERNAME) returned NULL!\n",
 438                                 0, 0, 0);
 439
 440                         send_ldap_result( conn, op, rc = LDAP_INSUFFICIENT_ACCESS,
 441                                 NULL, "no SASL username", NULL, NULL );
 442
 443                 } else {
 444                         char *realm = NULL;
 445                         sasl_ssf_t *ssf = NULL;
 446
 447                         (void) sasl_getprop( ctx,
 448                                 SASL_REALM, (void **)&realm );
 449
 450                         (void) sasl_getprop( ctx,
 451                                 SASL_SSF, (void *)&ssf );
 452
 453                         Debug(LDAP_DEBUG_TRACE,
 454                                 "slap_sasl_bind: username=\"%s\" realm=\"%s\" ssf=%lu\n",
 455                                 username ? username : "",
 456                                 realm ? realm : "",
 457                                 (unsigned long) ( ssf ? *ssf : 0 ) );
 458
 459                         *ssfp = ssf ? *ssf : 0;
 460
 461                         rc = LDAP_SUCCESS;
 462
 463                         if( username == NULL || (
 464                                 !strncasecmp( username, "anonymous", sizeof("anonymous")-1 ) &&
 465                                 ( username[sizeof("anonymous")-1] == '\0' ||
 466                                   username[sizeof("anonymous")-1] == '@' ) ) )
 467                         {
 468                                 Debug(LDAP_DEBUG_TRACE, "<== slap_sasl_bind: anonymous\n",
 469                                         0, 0, 0);
 470
 471                         } else if ( username[0] == 'u' && username[1] == ':'
 472                                 && username[2] != '\0'
 473                                 && strpbrk( &username[2], "+=,;\"\\ \t") == NULL )
 474                         {
 475                                 *edn = ch_malloc( sizeof( "uid= + realm=" )
 476                                         + strlen( &username[2] )
 477                                         + ( realm ? strlen( realm ) : 0 ) );
 478
 479                                 strcpy( *edn, "uid=" );
 480                                 strcat( *edn, &username[2] );
 481
 482                                 if( realm && *realm ) {
 483                                         strcat( *edn, " + realm=" );
 484                                         strcat( *edn, realm );
 485                                 }
 486
 487                                 Debug(LDAP_DEBUG_TRACE, "<== slap_sasl_bind: authzdn: \"%s\"\n",
 488                                         *edn, 0, 0);
 489
 490                         } else {
 491                                 rc = LDAP_INAPPROPRIATE_AUTH;
 492                                 errstr = "authorization disallowed";
 493                                 Debug(LDAP_DEBUG_TRACE, "<== slap_sasl_bind: %s\n",
 494                                         errstr, 0, 0);
 495                         }
 496
 497                         if( rc == LDAP_SUCCESS ) {
 498                                 send_ldap_sasl( conn, op, rc,
 499                                         NULL, NULL, NULL, NULL,
 500                                         response.bv_len ? &response : NULL );
 501
 502                         } else {
 503                                 send_ldap_result( conn, op, rc,
 504                                         NULL, errstr, NULL, NULL );
 505                         }
 506                 }
 507
 508         } else if ( sc == SASL_CONTINUE ) {
 509                 send_ldap_sasl( conn, op, rc = LDAP_SASL_BIND_IN_PROGRESS,
 510                         NULL, NULL, NULL, NULL, &response );
 511
 512         } else {
 513                 send_ldap_result( conn, op, rc = slap_sasl_err2ldap( sc ),
 514                         NULL, errstr, NULL, NULL );
 515         }
 516
 517         Debug(LDAP_DEBUG_TRACE, "<== slap_sasl_bind: rc=%d\n", rc, 0, 0);
 518
 519 #else
 520         send_ldap_result( conn, op, rc = LDAP_UNAVAILABLE,
 521                 NULL, "SASL not supported", NULL, NULL );
 522 #endif
 523
 524         return rc;
 525 }
 526
 527 char* slap_sasl_secprops( const char *in )
 528 {
 529 #ifdef HAVE_CYRUS_SASL
 530         int rc = ldap_pvt_sasl_secprops( in, &sasl_secprops );
 531
 532         return rc == LDAP_SUCCESS ? NULL : "Invalid security properties";
 533 #else
 534         return "SASL not supported";
 535 #endif
 536 }