git.sur5r.net Git - openldap/blob - servers/slapd/sasl.c

   1 /* $OpenLDAP$ */
   2 /*
   3  * Copyright 1998-2000 The OpenLDAP Foundation, All Rights Reserved.
   4  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
   5  */
   6
   7 #include "portable.h"
   8
   9 #include <ac/stdlib.h>
  10 #include <stdio.h>
  11
  12 #include "slap.h"
  13 #include "proto-slap.h"
  14
  15 #include <lber.h>
  16 #include <ldap_log.h>
  17
  18 #ifdef HAVE_CYRUS_SASL
  19 #include <limits.h>
  20 #include <sasl.h>
  21
  22 #include <ldap_pvt.h>
  23
  24 #ifdef SLAPD_SPASSWD
  25 #include <lutil.h>
  26 #endif
  27
  28 static sasl_security_properties_t sasl_secprops;
  29
  30
  31 static int
  32 slap_sasl_log(
  33         void *context,
  34         int priority,
  35         const char *message)
  36 {
  37         Connection *conn = context;
  38         int level;
  39         const char * label;
  40
  41         if ( message == NULL ) {
  42                 return SASL_BADPARAM;
  43         }
  44
  45         switch (priority) {
  46         case SASL_LOG_ERR:
  47                 level = LDAP_DEBUG_ANY;
  48                 label = "Error";
  49                 break;
  50         case SASL_LOG_WARNING:
  51                 level = LDAP_DEBUG_TRACE;
  52                 label = "Warning";
  53                 break;
  54         case SASL_LOG_INFO:
  55                 level = LDAP_DEBUG_TRACE;
  56                 label = "Info";
  57                 break;
  58         default:
  59                 return SASL_BADPARAM;
  60         }
  61
  62         Debug( level, "SASL [conn=%d] %s: %s\n",
  63                 conn ? conn->c_connid: -1,
  64                 label, message );
  65
  66         return SASL_OK;
  67 }
  68
  69 static int
  70 slap_sasl_authorize(
  71         void *context,
  72         const char *authcid,
  73         const char *authzid,
  74         const char **user,
  75         const char **errstr)
  76 {
  77         Connection *conn = context;
  78
  79         *user = NULL;
  80
  81         if ( authcid == NULL || *authcid == '\0' ) {
  82                 *errstr = "empty authentication identity";
  83
  84                 Debug( LDAP_DEBUG_TRACE, "SASL Authorize [conn=%ld]: "
  85                         "empty authentication identity\n",
  86                         (long) (conn ? conn->c_connid : -1),
  87                         0, 0 );
  88                 return SASL_BADAUTH;
  89         }
  90
  91         Debug( LDAP_DEBUG_ARGS, "SASL Authorize [conn=%ld]: "
  92                 "authcid=\"%s\" authzid=\"%s\"\n",
  93                 (long) (conn ? conn->c_connid : -1),
  94                 authcid ? authcid : "<empty>",
  95                 authcid ? authcid : "<empty>" );
  96
  97         if ( authzid == NULL || *authzid == '\0' ||
  98                 strcmp( authcid, authzid ) == 0 )
  99         {
 100                 char* cuser;
 101                 size_t len = sizeof("u:") + strlen( authcid );
 102
 103                 cuser = ch_malloc( len );
 104                 strcpy( cuser, "u:" );
 105                 strcpy( &cuser[sizeof("u:")-1], authcid );
 106
 107                 *user = cuser;
 108
 109                 Debug( LDAP_DEBUG_TRACE, "SASL Authorize [conn=%ld]: "
 110                         "\"%s\" as \"%s\"\n",
 111                         (long) (conn ? conn->c_connid : -1),
 112                         authcid, cuser );
 113
 114                 return SASL_OK;
 115         }
 116
 117         Debug( LDAP_DEBUG_TRACE, "SASL Authorize [conn=%ld]: "
 118                 "\"%s\" as \"%s\" disallowed. No policy.\n",
 119                 (long) (conn ? conn->c_connid : -1),
 120                 authcid, authzid );
 121
 122         *errstr = "no proxy policy";
 123     return SASL_NOAUTHZ;
 124 }
 125
 126
 127 static int
 128 slap_sasl_err2ldap( int saslerr )
 129 {
 130         int rc;
 131
 132         switch (saslerr) {
 133                 case SASL_CONTINUE:
 134                         rc = LDAP_SASL_BIND_IN_PROGRESS;
 135                         break;
 136                 case SASL_FAIL:
 137                         rc = LDAP_OTHER;
 138                         break;
 139                 case SASL_NOMEM:
 140                         rc = LDAP_OTHER;
 141                         break;
 142                 case SASL_NOMECH:
 143                         rc = LDAP_AUTH_METHOD_NOT_SUPPORTED;
 144                         break;
 145                 case SASL_BADAUTH:
 146                         rc = LDAP_INVALID_CREDENTIALS;
 147                         break;
 148                 case SASL_NOAUTHZ:
 149                         rc = LDAP_INSUFFICIENT_ACCESS;
 150                         break;
 151                 case SASL_TOOWEAK:
 152                 case SASL_ENCRYPT:
 153                         rc = LDAP_INAPPROPRIATE_AUTH;
 154                         break;
 155                 default:
 156                         rc = LDAP_OTHER;
 157                         break;
 158         }
 159
 160         return rc;
 161 }
 162 #endif
 163
 164
 165 int slap_sasl_init( void )
 166 {
 167 #ifdef HAVE_CYRUS_SASL
 168         int rc;
 169         sasl_conn_t *server = NULL;
 170         static sasl_callback_t server_callbacks[] = {
 171                 { SASL_CB_LOG, &slap_sasl_log, NULL },
 172                 { SASL_CB_LIST_END, NULL, NULL }
 173         };
 174
 175         sasl_set_alloc(
 176                 ch_malloc,
 177                 ch_calloc,
 178                 ch_realloc,
 179                 ch_free );
 180
 181         sasl_set_mutex(
 182                 ldap_pvt_sasl_mutex_new,
 183                 ldap_pvt_sasl_mutex_lock,
 184                 ldap_pvt_sasl_mutex_unlock,
 185                 ldap_pvt_sasl_mutex_dispose );
 186
 187         /* should provide callbacks for logging */
 188         /* server name should be configurable */
 189         rc = sasl_server_init( server_callbacks, "slapd" );
 190
 191         if( rc != SASL_OK ) {
 192                 Debug( LDAP_DEBUG_ANY, "sasl_server_init failed\n",
 193                         0, 0, 0 );
 194                 return -1;
 195         }
 196
 197         Debug( LDAP_DEBUG_TRACE, "slap_sasl_init: initialized!\n",
 198                 0, 0, 0 );
 199
 200         /* default security properties */
 201         memset( &sasl_secprops, '\0', sizeof(sasl_secprops) );
 202     sasl_secprops.max_ssf = INT_MAX;
 203     sasl_secprops.maxbufsize = 65536;
 204     sasl_secprops.security_flags = SASL_SEC_NOPLAINTEXT|SASL_SEC_NOANONYMOUS;
 205
 206         sasl_dispose( &server );
 207
 208 #endif
 209         return 0;
 210 }
 211
 212 int slap_sasl_destroy( void )
 213 {
 214 #ifdef HAVE_CYRUS_SASL
 215         sasl_done();
 216 #endif
 217         return 0;
 218 }
 219
 220 int slap_sasl_open( Connection *conn )
 221 {
 222         int sc = LDAP_SUCCESS;
 223
 224 #ifdef HAVE_CYRUS_SASL
 225         sasl_conn_t *ctx = NULL;
 226         sasl_callback_t *session_callbacks;
 227
 228         assert( conn->c_sasl_context == NULL );
 229         assert( conn->c_sasl_extra == NULL );
 230
 231         conn->c_sasl_layers = 0;
 232
 233         session_callbacks =
 234                 ch_calloc( 3, sizeof(sasl_callback_t));
 235         conn->c_sasl_extra = session_callbacks;
 236
 237         session_callbacks[0].id = SASL_CB_LOG;
 238         session_callbacks[0].proc = &slap_sasl_log;
 239         session_callbacks[0].context = conn;
 240
 241         session_callbacks[1].id = SASL_CB_PROXY_POLICY;
 242         session_callbacks[1].proc = &slap_sasl_authorize;
 243         session_callbacks[1].context = conn;
 244
 245         session_callbacks[2].id = SASL_CB_LIST_END;
 246         session_callbacks[2].proc = NULL;
 247         session_callbacks[2].context = NULL;
 248
 249         if( global_host == NULL ) {
 250                 global_host = ldap_pvt_get_fqdn( NULL );
 251         }
 252
 253         /* create new SASL context */
 254         sc = sasl_server_new( "ldap", global_host, global_realm,
 255                 session_callbacks, SASL_SECURITY_LAYER, &ctx );
 256
 257         if( sc != SASL_OK ) {
 258                 Debug( LDAP_DEBUG_ANY, "sasl_server_new failed: %d\n",
 259                         sc, 0, 0 );
 260                 return -1;
 261         }
 262
 263         conn->c_sasl_context = ctx;
 264
 265         if( sc == SASL_OK ) {
 266                 sc = sasl_setprop( ctx,
 267                         SASL_SEC_PROPS, &sasl_secprops );
 268
 269                 if( sc != SASL_OK ) {
 270                         Debug( LDAP_DEBUG_ANY, "sasl_setprop failed: %d\n",
 271                                 sc, 0, 0 );
 272                         slap_sasl_close( conn );
 273                         return -1;
 274                 }
 275         }
 276
 277         sc = slap_sasl_err2ldap( sc );
 278 #endif
 279         return sc;
 280 }
 281
 282 int slap_sasl_external(
 283         Connection *conn,
 284         slap_ssf_t ssf,
 285         char *auth_id )
 286 {
 287 #ifdef HAVE_CYRUS_SASL
 288         int sc;
 289         sasl_conn_t *ctx = conn->c_sasl_context;
 290         sasl_external_properties_t extprops;
 291
 292         if ( ctx == NULL ) {
 293                 return LDAP_UNAVAILABLE;
 294         }
 295
 296         memset( &extprops, '\0', sizeof(extprops) );
 297         extprops.ssf = ssf;
 298         extprops.auth_id = auth_id;
 299
 300         sc = sasl_setprop( ctx, SASL_SSF_EXTERNAL,
 301                 (void *) &extprops );
 302
 303         if ( sc != SASL_OK ) {
 304                 return LDAP_OTHER;
 305         }
 306 #endif
 307
 308         return LDAP_SUCCESS;
 309 }
 310
 311 int slap_sasl_reset( Connection *conn )
 312 {
 313 #ifdef HAVE_CYRUS_SASL
 314         sasl_conn_t *ctx = conn->c_sasl_context;
 315
 316         if( ctx != NULL ) {
 317         }
 318 #endif
 319         /* must return "anonymous" */
 320         return LDAP_SUCCESS;
 321 }
 322
 323 char ** slap_sasl_mechs( Connection *conn )
 324 {
 325         char **mechs = NULL;
 326
 327 #ifdef HAVE_CYRUS_SASL
 328         sasl_conn_t *ctx = conn->c_sasl_context;
 329
 330         if( ctx != NULL ) {
 331                 int sc;
 332                 char *mechstr;
 333
 334                 sc = sasl_listmech( ctx,
 335                         NULL, NULL, ",", NULL,
 336                         &mechstr, NULL, NULL );
 337
 338                 if( sc != SASL_OK ) {
 339                         Debug( LDAP_DEBUG_ANY, "slap_sasl_listmech failed: %d\n",
 340                                 sc, 0, 0 );
 341                         return NULL;
 342                 }
 343
 344                 mechs = str2charray( mechstr, "," );
 345
 346                 ch_free( mechstr );
 347         }
 348 #endif
 349
 350         return mechs;
 351 }
 352
 353 int slap_sasl_close( Connection *conn )
 354 {
 355 #ifdef HAVE_CYRUS_SASL
 356         sasl_conn_t *ctx = conn->c_sasl_context;
 357
 358         if( ctx != NULL ) {
 359                 sasl_dispose( &ctx );
 360         }
 361
 362         conn->c_sasl_context = NULL;
 363
 364         free( conn->c_sasl_extra );
 365         conn->c_sasl_extra = NULL;
 366 #endif
 367
 368         return LDAP_SUCCESS;
 369 }
 370
 371 int slap_sasl_bind(
 372     Connection          *conn,
 373     Operation           *op,
 374     const char          *dn,
 375     const char          *ndn,
 376     const char          *mech,
 377     struct berval       *cred,
 378         char                            **edn,
 379         slap_ssf_t                      *ssfp )
 380 {
 381         int rc = 1;
 382
 383 #ifdef HAVE_CYRUS_SASL
 384         sasl_conn_t *ctx = conn->c_sasl_context;
 385         struct berval response;
 386         unsigned reslen;
 387         const char *errstr;
 388         int sc;
 389
 390         Debug(LDAP_DEBUG_ARGS,
 391                 "==> sasl_bind: dn=\"%s\" mech=%s datalen=%d\n",
 392                 dn, mech ? mech : "<continuing>", cred ? cred->bv_len : 0 );
 393
 394         if( ctx == NULL ) {
 395                 send_ldap_result( conn, op, LDAP_UNAVAILABLE,
 396                         NULL, "SASL unavailable on this session", NULL, NULL );
 397                 return rc;
 398         }
 399
 400         if ( mech != NULL ) {
 401                 sc = sasl_server_start( ctx,
 402                         mech,
 403                         cred->bv_val, cred->bv_len,
 404                         (char **)&response.bv_val, &reslen, &errstr );
 405
 406         } else {
 407                 sc = sasl_server_step( ctx,
 408                         cred->bv_val, cred->bv_len,
 409                         (char **)&response.bv_val, &reslen, &errstr );
 410         }
 411
 412         response.bv_len = reslen;
 413
 414         if ( sc == SASL_OK ) {
 415                 char *username = NULL;
 416
 417                 sc = sasl_getprop( ctx,
 418                         SASL_USERNAME, (void **)&username );
 419
 420                 if ( sc != SASL_OK ) {
 421                         Debug(LDAP_DEBUG_TRACE,
 422                                 "slap_sasl_bind: getprop(USERNAME) failed!\n",
 423                                 0, 0, 0);
 424
 425                         send_ldap_result( conn, op, rc = slap_sasl_err2ldap( sc ),
 426                                 NULL, "no SASL username", NULL, NULL );
 427
 428                 } else if ( username == NULL || *username == '\0' ) {
 429                         Debug(LDAP_DEBUG_TRACE,
 430                                 "slap_sasl_bind: getprop(USERNAME) returned NULL!\n",
 431                                 0, 0, 0);
 432
 433                         send_ldap_result( conn, op, rc = LDAP_INSUFFICIENT_ACCESS,
 434                                 NULL, "no SASL username", NULL, NULL );
 435
 436                 } else {
 437                         char *realm = NULL;
 438                         sasl_ssf_t *ssf = NULL;
 439
 440                         (void) sasl_getprop( ctx,
 441                                 SASL_REALM, (void **)&realm );
 442
 443                         (void) sasl_getprop( ctx,
 444                                 SASL_SSF, (void *)&ssf );
 445
 446                         Debug(LDAP_DEBUG_TRACE,
 447                                 "slap_sasl_bind: username=\"%s\" realm=\"%s\" ssf=%lu\n",
 448                                 username ? username : "",
 449                                 realm ? realm : "",
 450                                 (unsigned long) ( ssf ? *ssf : 0 ) );
 451
 452                         *ssfp = ssf ? *ssf : 0;
 453
 454                         rc = LDAP_SUCCESS;
 455
 456                         if( username == NULL || (
 457                                 !strncasecmp( username, "anonymous", sizeof("anonymous")-1 ) &&
 458                                 ( username[sizeof("anonymous")-1] == '\0' ||
 459                                   username[sizeof("anonymous")-1] == '@' ) ) )
 460                         {
 461                                 Debug(LDAP_DEBUG_TRACE, "<== slap_sasl_bind: anonymous\n",
 462                                         0, 0, 0);
 463
 464                         } else if ( username[0] == 'u' && username[1] == ':'
 465                                 && username[2] != '\0'
 466                                 && strpbrk( &username[2], "+=,;\"\\ \t") == NULL )
 467                         {
 468                                 *edn = ch_malloc( sizeof( "uid= + realm=" )
 469                                         + strlen( &username[2] )
 470                                         + ( realm ? strlen( realm ) : 0 ) );
 471
 472                                 strcpy( *edn, "uid=" );
 473                                 strcat( *edn, &username[2] );
 474
 475                                 if( realm && *realm ) {
 476                                         strcat( *edn, " + realm=" );
 477                                         strcat( *edn, realm );
 478                                 }
 479
 480                                 Debug(LDAP_DEBUG_TRACE, "<== slap_sasl_bind: authzdn: \"%s\"\n",
 481                                         *edn, 0, 0);
 482
 483                         } else {
 484                                 rc = LDAP_INAPPROPRIATE_AUTH;
 485                                 errstr = "authorization disallowed";
 486                                 Debug(LDAP_DEBUG_TRACE, "<== slap_sasl_bind: %s\n",
 487                                         errstr, 0, 0);
 488                         }
 489
 490                         if( rc == LDAP_SUCCESS ) {
 491                                 send_ldap_sasl( conn, op, rc,
 492                                         NULL, NULL, NULL, NULL,
 493                                         response.bv_len ? &response : NULL );
 494
 495                         } else {
 496                                 send_ldap_result( conn, op, rc,
 497                                         NULL, errstr, NULL, NULL );
 498                         }
 499                 }
 500
 501         } else if ( sc == SASL_CONTINUE ) {
 502                 send_ldap_sasl( conn, op, rc = LDAP_SASL_BIND_IN_PROGRESS,
 503                         NULL, NULL, NULL, NULL, &response );
 504
 505         } else {
 506                 send_ldap_result( conn, op, rc = slap_sasl_err2ldap( sc ),
 507                         NULL, errstr, NULL, NULL );
 508         }
 509
 510         Debug(LDAP_DEBUG_TRACE, "<== slap_sasl_bind: rc=%d\n", rc, 0, 0);
 511
 512 #else
 513         send_ldap_result( conn, op, rc = LDAP_UNAVAILABLE,
 514                 NULL, "SASL not supported", NULL, NULL );
 515 #endif
 516
 517         return rc;
 518 }
 519
 520 char* slap_sasl_secprops( const char *in )
 521 {
 522 #ifdef HAVE_CYRUS_SASL
 523         int rc = ldap_pvt_sasl_secprops( in, &sasl_secprops );
 524
 525         return rc == LDAP_SUCCESS ? NULL : "Invalid security properties";
 526 #else
 527         return "SASL not supported";
 528 #endif
 529 }