git.sur5r.net Git - openldap/blob - servers/slapd/sasl.c

   1 /* $OpenLDAP$ */
   2 /*
   3  * Copyright 1998-2000 The OpenLDAP Foundation, All Rights Reserved.
   4  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
   5  */
   6
   7 #include "portable.h"
   8
   9 #include <ac/stdlib.h>
  10 #include <stdio.h>
  11
  12 #include "slap.h"
  13 #include "proto-slap.h"
  14
  15 #include <lber.h>
  16 #include <ldap_log.h>
  17
  18 char **supportedSASLMechanisms = NULL;
  19 char *sasl_host = NULL;
  20
  21 #ifdef HAVE_CYRUS_SASL
  22
  23 #ifdef SLAPD_SPASSWD
  24 #include <lutil.h>
  25 #endif
  26
  27 static void *slap_sasl_mutex_new(void)
  28 {
  29         ldap_pvt_thread_mutex_t *mutex;
  30
  31         mutex = (ldap_pvt_thread_mutex_t *) ch_malloc( sizeof(ldap_pvt_thread_mutex_t) );
  32         if ( ldap_pvt_thread_mutex_init( mutex ) == 0 ) {
  33                 return mutex;
  34         }
  35         return NULL;
  36 }
  37
  38 static int slap_sasl_mutex_lock(void *mutex)
  39 {
  40         return ldap_pvt_thread_mutex_lock( (ldap_pvt_thread_mutex_t *)mutex );
  41 }
  42
  43 static int slap_sasl_mutex_unlock(void *mutex)
  44 {
  45         return ldap_pvt_thread_mutex_unlock( (ldap_pvt_thread_mutex_t *)mutex );
  46 }
  47
  48 static void slap_sasl_mutex_dispose(void *mutex)
  49 {
  50         (void) ldap_pvt_thread_mutex_destroy( (ldap_pvt_thread_mutex_t *)mutex );
  51         free( mutex );
  52 }
  53
  54 static int
  55 slap_sasl_err2ldap( int saslerr )
  56 {
  57         int rc;
  58
  59         switch (saslerr) {
  60                 case SASL_CONTINUE:
  61                         rc = LDAP_SASL_BIND_IN_PROGRESS;
  62                         break;
  63                 case SASL_OK:
  64                         rc = LDAP_SUCCESS;
  65                         break;
  66                 case SASL_FAIL:
  67                         rc = LDAP_OTHER;
  68                         break;
  69                 case SASL_NOMEM:
  70                         rc = LDAP_OTHER;
  71                         break;
  72                 case SASL_NOMECH:
  73                         rc = LDAP_AUTH_METHOD_NOT_SUPPORTED;
  74                         break;
  75                 case SASL_BADAUTH:
  76                         rc = LDAP_INVALID_CREDENTIALS;
  77                         break;
  78                 case SASL_NOAUTHZ:
  79                         rc = LDAP_INSUFFICIENT_ACCESS;
  80                         break;
  81                 case SASL_TOOWEAK:
  82                 case SASL_ENCRYPT:
  83                         rc = LDAP_INAPPROPRIATE_AUTH;
  84                         break;
  85                 default:
  86                         rc = LDAP_OTHER;
  87                         break;
  88         }
  89
  90         return rc;
  91 }
  92
  93
  94 int sasl_init( void )
  95 {
  96         int rc;
  97         char *mechs;
  98         sasl_conn_t *server = NULL;
  99
 100         sasl_set_alloc( ch_malloc, ch_calloc, ch_realloc, ch_free );
 101
 102         sasl_set_mutex(
 103                 slap_sasl_mutex_new,
 104                 slap_sasl_mutex_lock,
 105                 slap_sasl_mutex_unlock,
 106                 slap_sasl_mutex_dispose );
 107
 108         rc = sasl_server_init( NULL, "slapd" );
 109
 110         if( rc != SASL_OK ) {
 111                 Debug( LDAP_DEBUG_ANY, "sasl_server_init failed\n",
 112                         0, 0, 0 );
 113                 return -1;
 114         }
 115
 116         if( sasl_host == NULL ) {
 117                 static char hostname[MAXHOSTNAMELEN+1];
 118
 119                 if( gethostname( hostname, MAXHOSTNAMELEN ) == 0 ) {
 120                         hostname[MAXHOSTNAMELEN] = '\0';
 121                         sasl_host = hostname;
 122                 }
 123         }
 124
 125         rc = sasl_server_new( "ldap", sasl_host, NULL, NULL,
 126                 SASL_SECURITY_LAYER,
 127                 &server );
 128
 129         if( rc != SASL_OK ) {
 130                 Debug( LDAP_DEBUG_ANY, "sasl_server_new failed\n",
 131                         0, 0, 0 );
 132                 return -1;
 133         }
 134
 135 #ifdef RESTRICT_SASL
 136         {
 137                 sasl_security_properties_t secprops;
 138                 memset(&secprops, 0, sizeof(secprops));
 139                 secprops.security_flags = SASL_SEC_NOPLAINTEXT | SASL_SEC_NOANONYMOUS;
 140                 secprops.property_names = NULL;
 141                 secprops.property_values = NULL;
 142
 143                 rc = sasl_setprop( server, SASL_SEC_PROPS, &secprops );
 144
 145                 if( rc != SASL_OK ) {
 146                         Debug( LDAP_DEBUG_ANY, "sasl_setprop failed\n",
 147                                 0, 0, 0 );
 148                         return -1;
 149                 }
 150         }
 151 #endif
 152
 153         rc = sasl_listmech( server, NULL, NULL, ",", NULL,
 154                 &mechs, NULL, NULL);
 155
 156         if( rc != SASL_OK ) {
 157                 Debug( LDAP_DEBUG_ANY, "sasl_listmech failed: %d\n",
 158                         rc, 0, 0 );
 159                 return -1;
 160         }
 161
 162         Debug( LDAP_DEBUG_TRACE, "SASL mechanisms: %s\n",
 163                 mechs, 0, 0 );
 164
 165         supportedSASLMechanisms = str2charray( mechs, "," );
 166
 167 #ifdef SLAPD_SPASSWD
 168         lutil_passwd_sasl_conn = server;
 169 #else
 170         sasl_dispose( &server );
 171 #endif
 172
 173         return 0;
 174 }
 175
 176 int sasl_destroy( void )
 177 {
 178 #ifdef SLAPD_SPASSWD
 179         sasl_dispose( &lutil_passwd_sasl_conn );
 180 #endif
 181         charray_free( supportedSASLMechanisms );
 182         return 0;
 183 }
 184
 185 #ifdef HAVE_CYRUS_SASL
 186 int sasl_bind(
 187     Connection          *conn,
 188     Operation           *op,
 189     char                *dn,
 190     char                *ndn,
 191     char                *mech,
 192     struct berval       *cred,
 193         char                            **edn )
 194 {
 195         struct berval response;
 196         const char *errstr;
 197         int sc;
 198         int rc = 1;
 199
 200         Debug(LDAP_DEBUG_ARGS, "==> sasl_bind: dn=%s, mech=%s, cred->bv_len=%d\n",
 201                 dn, mech, cred ? cred->bv_len : 0 );
 202
 203         if ( conn->c_sasl_bind_context == NULL ) {
 204                 sasl_callback_t callbacks[4];
 205                 int cbnum = 0;
 206
 207 #if 0
 208                 if (be->be_sasl_authorize) {
 209                         callbacks[cbnum].id = SASL_CB_PROXY_POLICY;
 210                         callbacks[cbnum].proc = be->be_sasl_authorize;
 211                         callbacks[cbnum].context = be;
 212                         ++cbnum;
 213                 }
 214
 215                 if (be->be_sasl_getsecret) {
 216                         callbacks[cbnum].id = SASL_CB_SERVER_GETSECRET;
 217                         callbacks[cbnum].proc = be->be_sasl_getsecret;
 218                         callbacks[cbnum].context = be;
 219                         ++cbnum;
 220                 }
 221
 222                 if (be->be_sasl_putsecret) {
 223                         callbacks[cbnum].id = SASL_CB_SERVER_PUTSECRET;
 224                         callbacks[cbnum].proc = be->be_sasl_putsecret;
 225                         callbacks[cbnum].context = be;
 226                         ++cbnum;
 227                 }
 228 #endif
 229
 230                 callbacks[cbnum].id = SASL_CB_LIST_END;
 231                 callbacks[cbnum].proc = NULL;
 232                 callbacks[cbnum].context = NULL;
 233
 234                 /* create new SASL context */
 235                 sc = sasl_server_new( "ldap", sasl_host, global_realm,
 236                         callbacks, SASL_SECURITY_LAYER, &conn->c_sasl_bind_context );
 237
 238                 if( sc != SASL_OK ) {
 239                         send_ldap_result( conn, op, rc = LDAP_AUTH_METHOD_NOT_SUPPORTED,
 240                                 NULL, NULL, NULL, NULL );
 241                 } else {
 242                         unsigned reslen;
 243                         conn->c_authmech = ch_strdup( mech );
 244
 245                         sc = sasl_server_start( conn->c_sasl_bind_context, conn->c_authmech,
 246                                 cred->bv_val, cred->bv_len,
 247                                 (char **)&response.bv_val, &reslen, &errstr );
 248
 249                         response.bv_len = reslen;
 250
 251                         if ( (sc != SASL_OK) && (sc != SASL_CONTINUE) ) {
 252                                 send_ldap_result( conn, op, rc = slap_sasl_err2ldap( sc ),
 253                                         NULL, errstr, NULL, NULL );
 254                         }
 255                 }
 256         } else {
 257                 unsigned reslen;
 258                 sc = sasl_server_step( conn->c_sasl_bind_context, cred->bv_val, cred->bv_len,
 259                         (char **)&response.bv_val, &reslen, &errstr );
 260
 261                 response.bv_len = reslen;
 262
 263                 if ( (sc != SASL_OK) && (sc != SASL_CONTINUE) ) {
 264                         send_ldap_result( conn, op, rc = slap_sasl_err2ldap( sc ),
 265                                 NULL, errstr, NULL, NULL );
 266                 }
 267         }
 268
 269         if ( sc == SASL_OK ) {
 270                 char *authzid;
 271
 272                 if ( ( sc = sasl_getprop( conn->c_sasl_bind_context, SASL_USERNAME,
 273                         (void **)&authzid ) ) != SASL_OK ) {
 274                         send_ldap_result( conn, op, rc = slap_sasl_err2ldap( sc ),
 275                                 NULL, NULL, NULL, NULL );
 276
 277                 } else {
 278                         Debug(LDAP_DEBUG_TRACE, "<== sasl_bind: username=%s\n",
 279                                 authzid, 0, 0);
 280
 281                         if( strncasecmp( authzid, "anonymous", sizeof("anonyous")-1 ) &&
 282                                 ( ( authzid[sizeof("anonymous")] == '\0' ) ||
 283                                 ( authzid[sizeof("anonymous")] == '@' ) ) )
 284                         {
 285                                 *edn = ch_malloc( sizeof( "authzid=" ) + strlen( authzid ) );
 286                                 strcpy( *edn, "authzid=" );
 287                                 strcat( *edn, authzid );
 288                         }
 289
 290                         send_ldap_result( conn, op, rc = LDAP_SUCCESS,
 291                                 NULL, NULL, NULL, NULL );
 292                 }
 293
 294         } else if ( sc == SASL_CONTINUE ) {
 295                 send_ldap_sasl( conn, op, rc = LDAP_SASL_BIND_IN_PROGRESS,
 296                         NULL, NULL, NULL, NULL,  &response );
 297         }
 298
 299         if ( sc != SASL_CONTINUE && conn->c_sasl_bind_context != NULL ) {
 300                 sasl_dispose( &conn->c_sasl_bind_context );
 301                 conn->c_sasl_bind_context = NULL;
 302         }
 303
 304         Debug(LDAP_DEBUG_TRACE, "<== sasl_bind: rc=%d\n", rc, 0, 0);
 305
 306         return rc;
 307 }
 308 #endif /* HAVE_CYRUS_SASL */
 309
 310 #else
 311 /* no SASL support */
 312 int sasl_bind(
 313     Connection          *conn,
 314     Operation           *op,
 315     char                *dn,
 316     char                *ndn,
 317     char                *mech,
 318     struct berval       *cred,
 319         char                            **edn )
 320 {
 321         int rc;
 322
 323         send_ldap_result( conn, op, rc = LDAP_UNWILLING_TO_PERFORM,
 324                 NULL, "SASL unavailable", NULL, NULL );
 325
 326         return rc;
 327 }
 328
 329 int sasl_init( void ) { return 0; }
 330 int sasl_destroy( void ) { return 0; }
 331 #endif