git.sur5r.net Git - openldap/blob - servers/slapd/sasl.c

   1 /* $OpenLDAP$ */
   2 /*
   3  * Copyright 1998-2000 The OpenLDAP Foundation, All Rights Reserved.
   4  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
   5  */
   6
   7 #include "portable.h"
   8
   9 #include <ac/stdlib.h>
  10 #include <stdio.h>
  11
  12 #include "slap.h"
  13 #include "proto-slap.h"
  14
  15 #include <lber.h>
  16 #include <ldap_log.h>
  17
  18 #ifdef HAVE_CYRUS_SASL
  19 #include <limits.h>
  20 #include <sasl.h>
  21
  22 #include <ldap_pvt.h>
  23
  24 #ifdef SLAPD_SPASSWD
  25 #include <lutil.h>
  26 #endif
  27
  28 static char *sasl_host = NULL;
  29 static sasl_security_properties_t sasl_secprops;
  30
  31
  32 static int
  33 sasl_cb_log(
  34         void *context,
  35         int priority,
  36         const char *message)
  37 {
  38         Connection *conn = context;
  39         int level;
  40         const char * label;
  41
  42         if ( message == NULL ) {
  43                 return SASL_BADPARAM;
  44         }
  45
  46         switch (priority) {
  47         case SASL_LOG_ERR:
  48                 level = LDAP_DEBUG_ANY;
  49                 label = "Error";
  50                 break;
  51         case SASL_LOG_WARNING:
  52                 level = LDAP_DEBUG_TRACE;
  53                 label = "Warning";
  54                 break;
  55         case SASL_LOG_INFO:
  56                 level = LDAP_DEBUG_TRACE;
  57                 label = "Info";
  58                 break;
  59         default:
  60                 return SASL_BADPARAM;
  61         }
  62
  63         Debug( level, "SASL [conn=%d] %s: %s\n",
  64                 conn ? conn->c_connid: -1,
  65                 label, message );
  66
  67         return SASL_OK;
  68 }
  69
  70 static int
  71 slap_sasl_proxy_policy(
  72         void *context,
  73         const char *authcid,
  74         const char *authzid,
  75         const char **user,
  76         const char **errstr)
  77 {
  78         char *canon = NULL;
  79
  80         if ( !authcid || *authcid ) {
  81                 *errstr = "empty authentication identity";
  82                 return SASL_BADAUTH;
  83         }
  84
  85         if ( !authzid || *authzid ) {
  86                 size_t len = sizeof("u:") + strlen( authcid );
  87                 canon = ch_malloc( len );
  88                 strcpy( canon, "u:" );
  89                 strcpy( &canon[sizeof("u:")-1], authcid );
  90
  91                 *user = canon;
  92                 return SASL_OK;
  93         }
  94
  95         *errstr = "no proxy policy";
  96     return SASL_BADAUTH;
  97 }
  98
  99
 100 static int
 101 slap_sasl_err2ldap( int saslerr )
 102 {
 103         int rc;
 104
 105         switch (saslerr) {
 106                 case SASL_CONTINUE:
 107                         rc = LDAP_SASL_BIND_IN_PROGRESS;
 108                         break;
 109                 case SASL_FAIL:
 110                         rc = LDAP_OTHER;
 111                         break;
 112                 case SASL_NOMEM:
 113                         rc = LDAP_OTHER;
 114                         break;
 115                 case SASL_NOMECH:
 116                         rc = LDAP_AUTH_METHOD_NOT_SUPPORTED;
 117                         break;
 118                 case SASL_BADAUTH:
 119                         rc = LDAP_INVALID_CREDENTIALS;
 120                         break;
 121                 case SASL_NOAUTHZ:
 122                         rc = LDAP_INSUFFICIENT_ACCESS;
 123                         break;
 124                 case SASL_TOOWEAK:
 125                 case SASL_ENCRYPT:
 126                         rc = LDAP_INAPPROPRIATE_AUTH;
 127                         break;
 128                 default:
 129                         rc = LDAP_OTHER;
 130                         break;
 131         }
 132
 133         return rc;
 134 }
 135 #endif
 136
 137
 138 int slap_sasl_init( void )
 139 {
 140 #ifdef HAVE_CYRUS_SASL
 141         int rc;
 142         sasl_conn_t *server = NULL;
 143         sasl_callback_t server_callbacks[] = {
 144                 { SASL_CB_LOG, &sasl_cb_log, NULL },
 145                 { SASL_CB_LIST_END, NULL, NULL }
 146         };
 147
 148         sasl_set_alloc(
 149                 ch_malloc,
 150                 ch_calloc,
 151                 ch_realloc,
 152                 ch_free );
 153
 154         sasl_set_mutex(
 155                 ldap_pvt_sasl_mutex_new,
 156                 ldap_pvt_sasl_mutex_lock,
 157                 ldap_pvt_sasl_mutex_unlock,
 158                 ldap_pvt_sasl_mutex_dispose );
 159
 160         /* should provide callbacks for logging */
 161         /* server name should be configurable */
 162         rc = sasl_server_init( server_callbacks, "slapd" );
 163
 164         if( rc != SASL_OK ) {
 165                 Debug( LDAP_DEBUG_ANY, "sasl_server_init failed\n",
 166                         0, 0, 0 );
 167                 return -1;
 168         }
 169
 170         if( sasl_host == NULL ) {
 171                 static char hostname[MAXHOSTNAMELEN+1];
 172
 173                 if( gethostname( hostname, MAXHOSTNAMELEN ) == 0 ) {
 174                         hostname[MAXHOSTNAMELEN] = '\0';
 175                         sasl_host = hostname;
 176                 }
 177         }
 178
 179         Debug( LDAP_DEBUG_TRACE,
 180                 "slap_sasl_init: %s initialized!\n",
 181                 sasl_host, 0, 0 );
 182
 183         /* default security properties */
 184         memset( &sasl_secprops, '\0', sizeof(sasl_secprops) );
 185     sasl_secprops.max_ssf = UINT_MAX;
 186     sasl_secprops.maxbufsize = 65536;
 187     sasl_secprops.security_flags = SASL_SEC_NOPLAINTEXT|SASL_SEC_NOANONYMOUS;
 188
 189 #ifdef SLAPD_SPASSWD
 190         lutil_passwd_sasl_conn = server;
 191 #else
 192         sasl_dispose( &server );
 193 #endif
 194
 195 #endif
 196         return 0;
 197 }
 198
 199 int slap_sasl_destroy( void )
 200 {
 201 #ifdef HAVE_CYRUS_SASL
 202 #ifdef SLAPD_SPASSWD
 203         sasl_dispose( &lutil_passwd_sasl_conn );
 204 #endif
 205         sasl_done();
 206 #endif
 207         return 0;
 208 }
 209
 210 int slap_sasl_open( Connection *conn )
 211 {
 212         int sc = LDAP_SUCCESS;
 213
 214 #ifdef HAVE_CYRUS_SASL
 215         sasl_conn_t *ctx = NULL;
 216         sasl_callback_t session_callbacks[] = {
 217                 { SASL_CB_LOG, &sasl_cb_log, conn },
 218                 { SASL_CB_PROXY_POLICY, &slap_sasl_proxy_policy, conn },
 219                 { SASL_CB_LIST_END, NULL, NULL }
 220         };
 221
 222         /* create new SASL context */
 223         sc = sasl_server_new( "ldap", sasl_host, global_realm,
 224                 session_callbacks,
 225 #ifdef LDAP_SASL_SECURITY_LAYER
 226                 SASL_SECURITY_LAYER,
 227 #else
 228                 0,
 229 #endif
 230                 &ctx );
 231
 232
 233         if( sc != SASL_OK ) {
 234                 Debug( LDAP_DEBUG_ANY, "sasl_server_new failed: %d\n",
 235                         sc, 0, 0 );
 236                 return -1;
 237         }
 238
 239         conn->c_sasl_context = ctx;
 240
 241         if( sc == SASL_OK ) {
 242                 sc = sasl_setprop( ctx,
 243                         SASL_SEC_PROPS, &sasl_secprops );
 244
 245                 if( sc != SASL_OK ) {
 246                         Debug( LDAP_DEBUG_ANY, "sasl_setprop failed: %d\n",
 247                                 sc, 0, 0 );
 248                         slap_sasl_close( conn );
 249                         return -1;
 250                 }
 251         }
 252
 253         sc = slap_sasl_err2ldap( sc );
 254 #endif
 255         return sc;
 256 }
 257
 258 int slap_sasl_external(
 259         Connection *conn,
 260         unsigned ssf,
 261         char *auth_id )
 262 {
 263 #ifdef HAVE_CYRUS_SASL
 264         int sc;
 265         sasl_conn_t *ctx = conn->c_sasl_context;
 266         sasl_external_properties_t extprops;
 267
 268         if ( ctx == NULL ) {
 269                 return LDAP_UNAVAILABLE;
 270         }
 271
 272         memset( &extprops, 0L, sizeof(extprops) );
 273         extprops.ssf = ssf;
 274         extprops.auth_id = auth_id;
 275
 276         sc = sasl_setprop( ctx, SASL_SSF_EXTERNAL,
 277                 (void *) &extprops );
 278
 279         if ( sc != SASL_OK ) {
 280                 return LDAP_OTHER;
 281         }
 282 #endif
 283
 284         return LDAP_SUCCESS;
 285 }
 286
 287 int slap_sasl_reset( Connection *conn )
 288 {
 289 #ifdef HAVE_CYRUS_SASL
 290         sasl_conn_t *ctx = conn->c_sasl_context;
 291
 292         if( ctx != NULL ) {
 293         }
 294 #endif
 295         /* must return "anonymous" */
 296         return LDAP_SUCCESS;
 297 }
 298
 299 char ** slap_sasl_mechs( Connection *conn )
 300 {
 301         char **mechs = NULL;
 302
 303 #ifdef HAVE_CYRUS_SASL
 304         sasl_conn_t *ctx = conn->c_sasl_context;
 305
 306         if( ctx != NULL ) {
 307                 int sc;
 308                 char *mechstr;
 309
 310                 sc = sasl_listmech( ctx,
 311                         NULL, NULL, ",", NULL,
 312                         &mechstr, NULL, NULL );
 313
 314                 if( sc != SASL_OK ) {
 315                         Debug( LDAP_DEBUG_ANY, "slap_sasl_listmech failed: %d\n",
 316                                 sc, 0, 0 );
 317                         return NULL;
 318                 }
 319
 320                 mechs = str2charray( mechstr, "," );
 321
 322                 ch_free( mechstr );
 323         }
 324 #endif
 325
 326         return mechs;
 327 }
 328
 329 int slap_sasl_close( Connection *conn )
 330 {
 331 #ifdef HAVE_CYRUS_SASL
 332         sasl_conn_t *ctx = conn->c_sasl_context;
 333
 334         if( ctx != NULL ) {
 335                 sasl_dispose( &ctx );
 336         }
 337
 338         conn->c_sasl_context = NULL;
 339 #endif
 340         return LDAP_SUCCESS;
 341 }
 342
 343 int slap_sasl_bind(
 344     Connection          *conn,
 345     Operation           *op,
 346     const char          *dn,
 347     const char          *ndn,
 348     const char          *mech,
 349     struct berval       *cred,
 350         char                            **edn )
 351 {
 352         int rc = 1;
 353
 354 #ifdef HAVE_CYRUS_SASL
 355         sasl_conn_t *ctx = conn->c_sasl_context;
 356         struct berval response;
 357         unsigned reslen;
 358         const char *errstr;
 359         int sc;
 360
 361         Debug(LDAP_DEBUG_ARGS,
 362                 "==> sasl_bind: dn=\"%s\" mech=%s cred->bv_len=%d\n",
 363                 dn, mech, cred ? cred->bv_len : 0 );
 364
 365         if( ctx == NULL ) {
 366                 send_ldap_result( conn, op, LDAP_UNAVAILABLE,
 367                         NULL, "SASL unavailable on this session", NULL, NULL );
 368                 return rc;
 369         }
 370
 371         if ( mech != NULL ) {
 372                 sc = sasl_server_start( ctx,
 373                         mech,
 374                         cred->bv_val, cred->bv_len,
 375                         (char **)&response.bv_val, &reslen, &errstr );
 376
 377         } else {
 378                 sc = sasl_server_step( ctx,
 379                         cred->bv_val, cred->bv_len,
 380                         (char **)&response.bv_val, &reslen, &errstr );
 381         }
 382
 383         response.bv_len = reslen;
 384
 385         if ( sc == SASL_OK ) {
 386                 char *username = NULL;
 387
 388                 sc = sasl_getprop( ctx,
 389                         SASL_USERNAME, (void **)&username );
 390
 391                 if ( sc != SASL_OK ) {
 392                         Debug(LDAP_DEBUG_TRACE,
 393                                 "slap_sasl_bind: getprop(USERNAME) failed!\n",
 394                                 0, 0, 0);
 395
 396                         send_ldap_result( conn, op, rc = slap_sasl_err2ldap( sc ),
 397                                 NULL, "no SASL username", NULL, NULL );
 398
 399                 } else if ( username == NULL || *username == '\0' ) {
 400                         Debug(LDAP_DEBUG_TRACE,
 401                                 "slap_sasl_bind: getprop(USERNAME) returned NULL!\n",
 402                                 0, 0, 0);
 403
 404                         send_ldap_result( conn, op, rc = LDAP_INSUFFICIENT_ACCESS,
 405                                 NULL, "no SASL username", NULL, NULL );
 406
 407                 } else {
 408                         char *realm = NULL;
 409                         sasl_ssf_t *ssf = NULL;
 410
 411                         (void) sasl_getprop( ctx,
 412                                 SASL_REALM, (void **)&realm );
 413
 414                         (void) sasl_getprop( ctx,
 415                                 SASL_SSF, (void *)&ssf );
 416
 417                         Debug(LDAP_DEBUG_TRACE,
 418                                 "slap_sasl_bind: username=\"%s\" realm=\"%s\" ssf=%lu\n",
 419                                 username ? username : "",
 420                                 realm ? realm : "",
 421                                 (unsigned long) ( ssf ? *ssf : 0 ) );
 422
 423                         if( !strncasecmp( username, "anonymous", sizeof("anonyous")-1 ) &&
 424                                 ( ( username[sizeof("anonymous")] == '\0' ) ||
 425                                   ( username[sizeof("anonymous")] == '@' ) ) )
 426                         {
 427                                 Debug(LDAP_DEBUG_TRACE, "<== slap_sasl_bind: anonymous\n",
 428                                         0, 0, 0);
 429
 430                         } else {
 431                                 *edn = ch_malloc( sizeof( "uid= + realm=" )
 432                                         + ( username ? strlen( username ) : 0 )
 433                                         + ( realm ? strlen( realm ) : 0 ) );
 434
 435                                 strcpy( *edn, "uid=" );
 436                                 strcat( *edn, username );
 437
 438                                 if( realm && *realm ) {
 439                                         strcat( *edn, " + realm=" );
 440                                         strcat( *edn, realm );
 441                                 }
 442
 443                                 Debug(LDAP_DEBUG_TRACE, "<== slap_sasl_bind: authzdn: \"%s\"\n",
 444                                         *edn, 0, 0);
 445                         }
 446
 447                         send_ldap_sasl( conn, op, rc = LDAP_SUCCESS,
 448                                 NULL, NULL, NULL, NULL, &response );
 449                 }
 450
 451         } else if ( sc == SASL_CONTINUE ) {
 452                 send_ldap_sasl( conn, op, rc = LDAP_SASL_BIND_IN_PROGRESS,
 453                         NULL, NULL, NULL, NULL,  &response );
 454
 455         } else {
 456                 send_ldap_result( conn, op, rc = slap_sasl_err2ldap( sc ),
 457                         NULL, errstr, NULL, NULL );
 458         }
 459
 460         Debug(LDAP_DEBUG_TRACE, "<== slap_sasl_bind: rc=%d\n", rc, 0, 0);
 461
 462 #else
 463         send_ldap_result( conn, op, rc = LDAP_UNAVAILABLE,
 464                 NULL, "SASL not supported", NULL, NULL );
 465 #endif
 466
 467         return rc;
 468 }
 469
 470 char* slap_sasl_secprops( const char *in )
 471 {
 472 #ifdef HAVE_CYRUS_SASL
 473         int rc = ldap_pvt_sasl_secprops( in, &sasl_secprops );
 474
 475         return rc == LDAP_SUCCESS ? NULL : "Invalid security properties";
 476 #else
 477         return "SASL not supported";
 478 #endif
 479 }
 480