+static int
+slap_sasl_checkpass(
+ sasl_conn_t *sconn,
+ void *context,
+ const char *username,
+ const char *pass,
+ unsigned passlen,
+ struct propctx *propctx)
+{
+ Connection *conn = (Connection *)context;
+ struct berval dn, cred;
+ int rc;
+ BerVarray vals, bv;
+
+ cred.bv_val = (char *)pass;
+ cred.bv_len = passlen;
+
+ /* SASL will fallback to its own mechanisms if we don't
+ * find an answer here.
+ */
+
+ rc = slap_sasl_getdn( conn, (char *)username, 0, NULL, &dn,
+ FLAG_GETDN_AUTHCID );
+ if ( rc != LDAP_SUCCESS ) {
+ sasl_seterror( sconn, 0, ldap_err2string( rc ) );
+ return SASL_NOUSER;
+ }
+
+ if ( dn.bv_len == 0 ) {
+ sasl_seterror( sconn, 0,
+ "No password is associated with the Root DSE" );
+ if ( dn.bv_val != NULL ) {
+ ch_free( dn.bv_val );
+ }
+ return SASL_NOUSER;
+ }
+
+ rc = backend_attribute( NULL, NULL, NULL, NULL, &dn,
+ slap_schema.si_ad_userPassword, &vals);
+ if ( rc != LDAP_SUCCESS ) {
+ ch_free( dn.bv_val );
+ sasl_seterror( sconn, 0, ldap_err2string( rc ) );
+ return SASL_NOVERIFY;
+ }
+
+ rc = SASL_NOVERIFY;
+
+ if ( vals != NULL ) {
+ for ( bv = vals; bv->bv_val != NULL; bv++ ) {
+ if ( !lutil_passwd( bv, &cred, NULL ) ) {
+ rc = SASL_OK;
+ break;
+ }
+ }
+ ber_bvarray_free( vals );
+ }
+
+ if ( rc != SASL_OK ) {
+ sasl_seterror( sconn, 0,
+ ldap_err2string( LDAP_INVALID_CREDENTIALS ) );
+ }
+
+ ch_free( dn.bv_val );
+
+ return rc;
+}
+
+/* Convert a SASL authcid or authzid into a DN. Store the DN in an
+ * auxiliary property, so that we can refer to it in sasl_authorize
+ * without interfering with anything else. Also, the SASL username
+ * buffer is constrained to 256 characters, and our DNs could be
+ * much longer (totally arbitrary length)...
+ */
+static int
+slap_sasl_canonicalize(
+ sasl_conn_t *sconn,
+ void *context,
+ const char *in,
+ unsigned inlen,
+ unsigned flags,
+ const char *user_realm,
+ char *out,
+ unsigned out_max,
+ unsigned *out_len)
+{
+ Connection *conn = (Connection *)context;
+ struct propctx *props = sasl_auxprop_getctx( sconn );
+ struct propval auxvals[3];
+ struct berval dn;
+ int rc, which;
+ const char *names[2];
+
+ *out_len = 0;
+
+#ifdef NEW_LOGGING
+ LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY,
+ "slap_sasl_canonicalize: conn %d %s=\"%s\"\n",
+ conn ? conn->c_connid : -1,
+ (flags & SASL_CU_AUTHID) ? "authcid" : "authzid",
+ in ? in : "<empty>" ));
+#else
+ Debug( LDAP_DEBUG_ARGS, "SASL Canonicalize [conn=%ld]: "
+ "%s=\"%s\"\n",
+ conn ? conn->c_connid : -1,
+ (flags & SASL_CU_AUTHID) ? "authcid" : "authzid",
+ in ? in : "<empty>" );
+#endif
+
+ /* If name is too big, just truncate. We don't care, we're
+ * using DNs, not the usernames.
+ */
+ if ( inlen > out_max )
+ inlen = out_max-1;
+
+ /* See if we need to add request, can only do it once */
+ prop_getnames( props, slap_propnames, auxvals );
+ if ( !auxvals[0].name )
+ prop_request( props, slap_propnames );
+
+ if ( flags & SASL_CU_AUTHID )
+ which = 0;
+ else
+ which = 1;
+
+ /* Already been here? */
+ if ( auxvals[which].values )
+ goto done;
+
+ if ( flags == SASL_CU_AUTHZID ) {
+ /* If we got unqualified authzid's, they probably came from SASL
+ * itself just passing the authcid to us. Look inside the oparams
+ * structure to see if that's true. (HACK: the out_len pointer is
+ * the address of a member of a sasl_out_params_t structure...)
+ */
+ sasl_out_params_t dummy;
+ int offset = (void *)&dummy.ulen - (void *)&dummy.authid;
+ char **authid = (void *)out_len - offset;
+ if ( *authid && !strcmp( in, *authid ) )
+ goto done;
+ }
+
+ rc = slap_sasl_getdn( conn, (char *)in, inlen, (char *)user_realm, &dn,
+ (flags & SASL_CU_AUTHID) ? FLAG_GETDN_AUTHCID : FLAG_GETDN_AUTHZID );
+ if ( rc != LDAP_SUCCESS ) {
+ sasl_seterror( sconn, 0, ldap_err2string( rc ) );
+ return SASL_NOAUTHZ;
+ }
+
+ names[0] = slap_propnames[which];
+ names[1] = NULL;
+
+ prop_set( props, names[0], (char *)&dn, sizeof( dn ) );
+
+#ifdef NEW_LOGGING
+ LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY,
+ "slap_sasl_canonicalize: conn %d %s=\"%s\"\n",
+ conn ? conn->c_connid : -1,
+ names[0]+1, dn.bv_val ));
+#else
+ Debug( LDAP_DEBUG_ARGS, "SASL Canonicalize [conn=%ld]: "
+ "%s=\"%s\"\n",
+ conn ? conn->c_connid : -1,
+ names[0]+1, dn.bv_val );
+#endif
+done: AC_MEMCPY( out, in, inlen );
+ out[inlen] = '\0';
+
+ *out_len = inlen;
+
+ return SASL_OK;
+}
+
+static int
+slap_sasl_authorize(
+ sasl_conn_t *sconn,
+ void *context,
+ char *requested_user,
+ unsigned rlen,
+ char *auth_identity,
+ unsigned alen,
+ const char *def_realm,
+ unsigned urlen,
+ struct propctx *props)
+{
+ Connection *conn = (Connection *)context;
+ struct propval auxvals[3];
+ struct berval authcDN, authzDN;
+ int rc;
+
+#ifdef NEW_LOGGING
+ LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY,
+ "slap_sasl_authorize: conn %d authcid=\"%s\" authzid=\"%s\"\n",
+ conn ? conn->c_connid : -1, auth_identity, requested_user));
+#else
+ Debug( LDAP_DEBUG_ARGS, "SASL Authorize [conn=%ld]: "
+ "authcid=\"%s\" authzid=\"%s\"\n",
+ conn ? conn->c_connid : -1, auth_identity, requested_user );
+#endif
+ if ( conn->c_sasl_dn.bv_val ) {
+ ch_free( conn->c_sasl_dn.bv_val );
+ conn->c_sasl_dn.bv_val = NULL;
+ conn->c_sasl_dn.bv_len = 0;
+ }
+
+ prop_getnames( props, slap_propnames, auxvals );
+
+ AC_MEMCPY( &authcDN, auxvals[0].values[0], sizeof(authcDN) );
+
+ /* Nothing to do if no authzID was given */
+ if ( !auxvals[1].name || !auxvals[1].values ) {
+ conn->c_sasl_dn = authcDN;
+ return SASL_OK;
+ }
+
+ AC_MEMCPY( &authzDN, auxvals[1].values[0], sizeof(authzDN) );
+
+ rc = slap_sasl_authorized( &authcDN, &authzDN );
+ ch_free( authcDN.bv_val );
+ if ( rc != LDAP_SUCCESS ) {
+#ifdef NEW_LOGGING
+ LDAP_LOG(( "sasl", LDAP_LEVEL_INFO,
+ "slap_sasl_authorize: conn %ld authorization disallowed (%d)\n",
+ (long)(conn ? conn->c_connid : -1), rc ));
+#else
+ Debug( LDAP_DEBUG_TRACE, "SASL Authorize [conn=%ld]: "
+ " authorization disallowed (%d)\n",
+ (long) (conn ? conn->c_connid : -1), rc, 0 );
+#endif
+
+ sasl_seterror( sconn, 0, "not authorized" );
+ ch_free( authzDN.bv_val );
+ return SASL_NOAUTHZ;
+ }
+
+ conn->c_sasl_dn = authzDN;
+
+#ifdef NEW_LOGGING
+ LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY,
+ "slap_sasl_authorize: conn %d authorization allowed\n",
+ (long)(conn ? conn->c_connid : -1 ) ));
+#else
+ Debug( LDAP_DEBUG_TRACE, "SASL Authorize [conn=%ld]: "
+ " authorization allowed\n",
+ (long) (conn ? conn->c_connid : -1), 0, 0 );
+#endif
+ return SASL_OK;
+}
+#else
+static int
+slap_sasl_authorize(
+ void *context,
+ char *authcid,
+ char *authzid,
+ const char **user,
+ const char **errstr)
+{
+ struct berval authcDN, authzDN;
+ int rc;
+ Connection *conn = context;
+ char *realm;
+
+ *user = NULL;
+ if ( conn->c_sasl_dn.bv_val ) {
+ ch_free( conn->c_sasl_dn.bv_val );
+ conn->c_sasl_dn.bv_val = NULL;
+ conn->c_sasl_dn.bv_len = 0;
+ }
+
+#ifdef NEW_LOGGING
+ LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY,
+ "slap_sasl_authorize: conn %d authcid=\"%s\" authzid=\"%s\"\n",
+ conn ? conn->c_connid : -1,
+ authcid ? authcid : "<empty>",
+ authzid ? authzid : "<empty>" ));
+#else
+ Debug( LDAP_DEBUG_ARGS, "SASL Authorize [conn=%ld]: "
+ "authcid=\"%s\" authzid=\"%s\"\n",
+ (long) (conn ? conn->c_connid : -1),
+ authcid ? authcid : "<empty>",
+ authzid ? authzid : "<empty>" );
+#endif
+
+ /* Figure out how much data we have for the dn */
+ rc = sasl_getprop( conn->c_sasl_context, SASL_REALM, (void **)&realm );
+ if( rc != SASL_OK && rc != SASL_NOTDONE ) {
+#ifdef NEW_LOGGING
+ LDAP_LOG(( "sasl", LDAP_LEVEL_ERR,
+ "slap_sasl_authorize: getprop(REALM) failed.\n" ));
+#else
+ Debug(LDAP_DEBUG_TRACE,
+ "authorize: getprop(REALM) failed!\n", 0,0,0);
+#endif
+ *errstr = "Could not extract realm";
+ return SASL_NOAUTHZ;
+ }
+
+ /* Convert the identities to DN's. If no authzid was given, client will
+ be bound as the DN matching their username */
+ rc = slap_sasl_getdn( conn, (char *)authcid, 0, realm, &authcDN, FLAG_GETDN_AUTHCID );
+ if( rc != LDAP_SUCCESS ) {
+ *errstr = ldap_err2string( rc );
+ return SASL_NOAUTHZ;
+ }
+ if( ( authzid == NULL ) || !strcmp( authcid,authzid ) ) {
+#ifdef NEW_LOGGING
+ LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY,
+ "slap_sasl_authorize: conn %d Using authcDN=%s\n",
+ conn ? conn->c_connid : -1, authcDN.bv_val ));
+#else
+ Debug( LDAP_DEBUG_TRACE, "SASL Authorize [conn=%ld]: "
+ "Using authcDN=%s\n", (long) (conn ? conn->c_connid : -1), authcDN.bv_val,0 );
+#endif
+
+ conn->c_sasl_dn = authcDN;
+ *errstr = NULL;
+ return SASL_OK;
+ }
+ rc = slap_sasl_getdn( conn, (char *)authzid, 0, realm, &authzDN, FLAG_GETDN_AUTHZID );
+ if( rc != LDAP_SUCCESS ) {
+ ch_free( authcDN.bv_val );
+ *errstr = ldap_err2string( rc );
+ return SASL_NOAUTHZ;
+ }
+
+ rc = slap_sasl_authorized( &authcDN, &authzDN );
+ ch_free( authcDN.bv_val );
+ if( rc ) {
+#ifdef NEW_LOGGING
+ LDAP_LOG(( "sasl", LDAP_LEVEL_INFO,
+ "slap_sasl_authorize: conn %ld authorization disallowed (%d)\n",
+ (long)(conn ? conn->c_connid : -1), rc ));
+#else
+ Debug( LDAP_DEBUG_TRACE, "SASL Authorize [conn=%ld]: "
+ " authorization disallowed (%d)\n",
+ (long) (conn ? conn->c_connid : -1), rc, 0 );
+#endif
+
+ *errstr = "not authorized";
+ ch_free( authzDN.bv_val );
+ return SASL_NOAUTHZ;
+ }
+
+#ifdef NEW_LOGGING
+ LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY,
+ "slap_sasl_authorize: conn %d authorization allowed\n",
+ (long)(conn ? conn->c_connid : -1 ) ));
+#else
+ Debug( LDAP_DEBUG_TRACE, "SASL Authorize [conn=%ld]: "
+ " authorization allowed\n",
+ (long) (conn ? conn->c_connid : -1), 0, 0 );
+#endif
+
+ conn->c_sasl_dn = authzDN;
+ *errstr = NULL;
+ return SASL_OK;
+}
+#endif /* SASL_VERSION_MAJOR >= 2 */
+