+/* Flags for telling slap_sasl_getdn() what type of identity is being passed */
+#define FLAG_GETDN_AUTHCID 2
+#define FLAG_GETDN_AUTHZID 4
+
+static sasl_security_properties_t sasl_secprops;
+
+int slap_sasl_config( int cargc, char **cargv, char *line,
+ const char *fname, int lineno )
+{
+ /* set SASL proxy authorization policy */
+ if ( strcasecmp( cargv[0], "sasl-authz-policy" ) == 0 ) {
+ if ( cargc != 2 ) {
+#ifdef NEW_LOGGING
+ LDAP_LOG(( "config", LDAP_LEVEL_CRIT,
+ "%s: line %d: missing policy in \"sasl-authz-policy <policy>\" line\n",
+ fname, lineno ));
+#else
+ Debug( LDAP_DEBUG_ANY,
+ "%s: line %d: missing policy in \"sasl-authz-policy <policy>\" line\n",
+ fname, lineno, 0 );
+#endif
+
+ return( 1 );
+ }
+ if ( slap_sasl_setpolicy( cargv[1] ) ) {
+#ifdef NEW_LOGGING
+ LDAP_LOG(( "config", LDAP_LEVEL_CRIT,
+ "%s: line %d: unable "
+ "to parse value \"%s\" "
+ "in \"sasl-authz-policy "
+ "<policy>\" line.\n",
+ fname, lineno, cargv[1] ));
+#else
+ Debug( LDAP_DEBUG_ANY,
+ "%s: line %d: unable "
+ "to parse value \"%s\" "
+ "in \"sasl-authz-policy "
+ "<policy>\" line\n",
+ fname, lineno, cargv[1] );
+#endif
+ return( 1 );
+ }
+
+
+ /* set SASL host */
+ } else if ( strcasecmp( cargv[0], "sasl-host" ) == 0 ) {
+ if ( cargc < 2 ) {
+#ifdef NEW_LOGGING
+ LDAP_LOG(( "config", LDAP_LEVEL_CRIT,
+ "%s: line %d: missing host in \"sasl-host <host>\" line\n",
+ fname, lineno ));
+#else
+ Debug( LDAP_DEBUG_ANY,
+ "%s: line %d: missing host in \"sasl-host <host>\" line\n",
+ fname, lineno, 0 );
+#endif
+
+ return( 1 );
+ }
+
+ if ( global_host != NULL ) {
+#ifdef NEW_LOGGING
+ LDAP_LOG(( "config", LDAP_LEVEL_CRIT,
+ "%s: line %d: already set sasl-host!\n",
+ fname, lineno ));
+#else
+ Debug( LDAP_DEBUG_ANY,
+ "%s: line %d: already set sasl-host!\n",
+ fname, lineno, 0 );
+#endif
+
+ return 1;
+
+ } else {
+ global_host = ch_strdup( cargv[1] );
+ }
+
+ /* set SASL realm */
+ } else if ( strcasecmp( cargv[0], "sasl-realm" ) == 0 ) {
+ if ( cargc < 2 ) {
+#ifdef NEW_LOGGING
+ LDAP_LOG(( "config", LDAP_LEVEL_CRIT,
+ "%s: line %d: missing realm in \"sasl-realm <realm>\" line.\n",
+ fname, lineno ));
+#else
+ Debug( LDAP_DEBUG_ANY,
+ "%s: line %d: missing realm in \"sasl-realm <realm>\" line\n",
+ fname, lineno, 0 );
+#endif
+
+ return( 1 );
+ }
+
+ if ( global_realm != NULL ) {
+#ifdef NEW_LOGGING
+ LDAP_LOG(( "config", LDAP_LEVEL_CRIT,
+ "%s: line %d: already set sasl-realm!\n",
+ fname, lineno ));
+#else
+ Debug( LDAP_DEBUG_ANY,
+ "%s: line %d: already set sasl-realm!\n",
+ fname, lineno, 0 );
+#endif
+
+ return 1;
+
+ } else {
+ global_realm = ch_strdup( cargv[1] );
+ }
+
+ } else if ( !strcasecmp( cargv[0], "sasl-regexp" )
+ || !strcasecmp( cargv[0], "saslregexp" ) )
+ {
+ int rc;
+ if ( cargc != 3 ) {
+#ifdef NEW_LOGGING
+ LDAP_LOG(( "config", LDAP_LEVEL_CRIT,
+ "%s: line %d: need 2 args in "
+ "\"saslregexp <match> <replace>\"\n",
+ fname, lineno ));
+#else
+ Debug( LDAP_DEBUG_ANY,
+ "%s: line %d: need 2 args in \"saslregexp <match> <replace>\"\n",
+ fname, lineno, 0 );
+#endif
+
+ return( 1 );
+ }
+ rc = slap_sasl_regexp_config( cargv[1], cargv[2] );
+ if ( rc ) {
+ return rc;
+ }
+
+ /* SASL security properties */
+ } else if ( strcasecmp( cargv[0], "sasl-secprops" ) == 0 ) {
+ char *txt;
+
+ if ( cargc < 2 ) {
+#ifdef NEW_LOGGING
+ LDAP_LOG(( "config", LDAP_LEVEL_CRIT,
+ "%s: line %d: missing flags in "
+ "\"sasl-secprops <properties>\" line\n",
+ fname, lineno ));
+#else
+ Debug( LDAP_DEBUG_ANY,
+ "%s: line %d: missing flags in \"sasl-secprops <properties>\" line\n",
+ fname, lineno, 0 );
+#endif
+
+ return 1;
+ }
+
+ txt = slap_sasl_secprops( cargv[1] );
+ if ( txt != NULL ) {
+#ifdef NEW_LOGGING
+ LDAP_LOG(( "config", LDAP_LEVEL_CRIT,
+ "%s: line %d sasl-secprops: %s\n",
+ fname, lineno, txt ));
+#else
+ Debug( LDAP_DEBUG_ANY,
+ "%s: line %d: sasl-secprops: %s\n",
+ fname, lineno, txt );
+#endif
+
+ return 1;
+ }
+ }
+
+ return LDAP_SUCCESS;
+}
+
+static int
+slap_sasl_log(
+ void *context,
+ int priority,
+ const char *message)
+{
+ Connection *conn = context;
+ int level;
+ const char * label;
+
+ if ( message == NULL ) {
+ return SASL_BADPARAM;
+ }
+
+ switch (priority) {
+#if SASL_VERSION_MAJOR >= 2
+ case SASL_LOG_NONE:
+ level = LDAP_DEBUG_NONE;
+ label = "None";
+ break;
+ case SASL_LOG_ERR:
+ level = LDAP_DEBUG_ANY;
+ label = "Error";
+ break;
+ case SASL_LOG_FAIL:
+ level = LDAP_DEBUG_ANY;
+ label = "Failure";
+ break;
+ case SASL_LOG_WARN:
+ level = LDAP_DEBUG_TRACE;
+ label = "Warning";
+ break;
+ case SASL_LOG_NOTE:
+ level = LDAP_DEBUG_TRACE;
+ label = "Notice";
+ break;
+ case SASL_LOG_DEBUG:
+ level = LDAP_DEBUG_TRACE;
+ label = "Debug";
+ break;
+ case SASL_LOG_TRACE:
+ level = LDAP_DEBUG_TRACE;
+ label = "Trace";
+ break;
+ case SASL_LOG_PASS:
+ level = LDAP_DEBUG_TRACE;
+ label = "Password Trace";
+ break;
+#else
+ case SASL_LOG_ERR:
+ level = LDAP_DEBUG_ANY;
+ label = "Error";
+ break;
+ case SASL_LOG_WARNING:
+ level = LDAP_DEBUG_TRACE;
+ label = "Warning";
+ break;
+ case SASL_LOG_INFO:
+ level = LDAP_DEBUG_TRACE;
+ label = "Info";
+ break;
+#endif
+ default:
+ return SASL_BADPARAM;
+ }
+
+#ifdef NEW_LOGGING
+ LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY,
+ "SASL [conn=%ld] %s: %s\n",
+ conn ? conn->c_connid : -1,
+ label, message ));
+#else
+ Debug( level, "SASL [conn=%ld] %s: %s\n",
+ conn ? conn->c_connid: -1,
+ label, message );
+#endif
+
+
+ return SASL_OK;
+}
+
+
+/* Take any sort of identity string and return a DN with the "dn:" prefix. The
+ string returned in *dn is in its own allocated memory, and must be free'd
+ by the calling process.
+ -Mark Adamson, Carnegie Mellon
+
+ The "dn:" prefix is no longer used anywhere inside slapd. It is only used
+ on strings passed in directly from SASL.
+ -Howard Chu, Symas Corp.
+*/
+
+#define SET_DN 1
+#define SET_U 2
+
+static struct berval ext_bv = { sizeof("EXTERNAL")-1, "EXTERNAL" };
+
+int slap_sasl_getdn( Connection *conn, char *id, int len,
+ char *user_realm, struct berval *dn, int flags )
+{
+ char *c1;
+ int rc, is_dn = 0, do_norm = 1;
+ sasl_conn_t *ctx;
+ struct berval dn2;
+
+#ifdef NEW_LOGGING
+ LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY,
+ "slap_sasl_getdn: conn %d id=%s\n",
+ conn ? conn->c_connid : -1,
+ id ? (*id ? id : "<empty>") : "NULL" ));
+#else
+ Debug( LDAP_DEBUG_ARGS, "slap_sasl_getdn: id=%s\n",
+ id?(*id?id:"<empty>"):"NULL",0,0 );
+#endif
+
+ dn->bv_val = NULL;
+ dn->bv_len = 0;
+
+ if ( id ) {
+ if ( len == 0 ) len = strlen( id );
+
+ /* Blatantly anonymous ID */
+ if ( len == sizeof("anonymous") - 1 &&
+ !strcasecmp( id, "anonymous" ) ) {
+ return( LDAP_SUCCESS );
+ }
+ } else {
+ len = 0;
+ }
+
+ ctx = conn->c_sasl_context;
+
+ /* An authcID needs to be converted to authzID form. Set the
+ * values directly into *dn; they will be normalized later. (and
+ * normalizing always makes a new copy.) An ID from a TLS certificate
+ * is already normalized, so copy it and skip normalization.
+ */
+ if( flags & FLAG_GETDN_AUTHCID ) {
+#ifdef HAVE_TLS
+ if( conn->c_is_tls && conn->c_sasl_bind_mech.bv_len == ext_bv.bv_len
+ && ( strcasecmp( ext_bv.bv_val, conn->c_sasl_bind_mech.bv_val ) == 0 ) ) {
+ /* X.509 DN is already normalized */
+ do_norm = 0;
+ is_dn = SET_DN;
+ ber_str2bv( id, len, 1, dn );
+
+ } else
+#endif
+ {
+ /* convert to u:<username> form */
+ is_dn = SET_U;
+ dn->bv_val = id;
+ dn->bv_len = len;
+ }
+ }
+ if( !is_dn ) {
+ if( !strncasecmp( id, "u:", sizeof("u:")-1 )) {
+ is_dn = SET_U;
+ dn->bv_val = id+2;
+ dn->bv_len = len-2;
+ } else if ( !strncasecmp( id, "dn:", sizeof("dn:")-1) ) {
+ is_dn = SET_DN;
+ dn->bv_val = id+3;
+ dn->bv_len = len-3;
+ }
+ }
+
+ /* No other possibilities from here */
+ if( !is_dn ) {
+ dn->bv_val = NULL;
+ dn->bv_len = 0;
+ return( LDAP_INAPPROPRIATE_AUTH );
+ }
+
+ /* Username strings */
+ if( is_dn == SET_U ) {
+ char *p, *realm;
+ len = dn->bv_len + sizeof("uid=")-1 + sizeof(",cn=auth")-1;
+
+ /* username may have embedded realm name */
+ if( realm = strchr( dn->bv_val, '@') ) {
+ *realm++ = '\0';
+ len += sizeof(",cn=")-2;
+ } else if( user_realm && *user_realm ) {
+ len += strlen( user_realm ) + sizeof(",cn=")-1;
+ }
+
+ if( conn->c_sasl_bind_mech.bv_len ) {
+ len += conn->c_sasl_bind_mech.bv_len + sizeof(",cn=")-1;
+ }
+
+ /* Build the new dn */
+ c1 = dn->bv_val;
+ dn->bv_val = ch_malloc( len+1 );
+ p = slap_strcopy( dn->bv_val, "uid=" );
+ p = slap_strncopy( p, c1, dn->bv_len );
+
+ if( realm ) {
+ int rlen = dn->bv_len - ( realm - c1 );
+ p = slap_strcopy( p, ",cn=" );
+ p = slap_strncopy( p, realm, rlen );
+ realm[-1] = '@';
+ } else if( user_realm && *user_realm ) {
+ p = slap_strcopy( p, ",cn=" );
+ p = slap_strcopy( p, user_realm );
+ }
+
+ if( conn->c_sasl_bind_mech.bv_len ) {
+ p = slap_strcopy( p, ",cn=" );
+ p = slap_strcopy( p, conn->c_sasl_bind_mech.bv_val );
+ }
+ p = slap_strcopy( p, ",cn=auth" );
+ dn->bv_len = p - dn->bv_val;
+
+#ifdef NEW_LOGGING
+ LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY,
+ "slap_sasl_getdn: u:id converted to %s.\n", dn->bv_val ));
+#else
+ Debug( LDAP_DEBUG_TRACE, "getdn: u:id converted to %s\n", dn->bv_val,0,0 );
+#endif
+ }
+
+ /* All strings are in DN form now. Normalize if needed. */
+ if ( do_norm ) {
+ rc = dnNormalize2( NULL, dn, &dn2 );
+
+ /* User DNs were constructed above and must be freed now */
+ if ( is_dn == SET_U )
+ ch_free( dn->bv_val );
+
+ if ( rc != LDAP_SUCCESS ) {
+ dn->bv_val = NULL;
+ dn->bv_len = 0;
+ return rc;
+ }
+ *dn = dn2;
+ }
+
+ /* Run thru regexp */
+ slap_sasl2dn( conn, dn, &dn2 );
+ if( dn2.bv_val ) {
+ ch_free( dn->bv_val );
+ *dn = dn2;
+#ifdef NEW_LOGGING
+ LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY,
+ "slap_sasl_getdn: dn:id converted to %s.\n", dn->bv_val ));
+#else
+ Debug( LDAP_DEBUG_TRACE, "getdn: dn:id converted to %s\n",
+ dn->bv_val, 0, 0 );
+#endif
+ }
+
+ return( LDAP_SUCCESS );
+}
+
+#if SASL_VERSION_MAJOR >= 2
+static const char *slap_propnames[] = { "*authcDN", "*authzDN", NULL };
+
+static void
+slap_auxprop_lookup(
+ void *glob_context,
+ sasl_server_params_t *sparams,
+ unsigned flags,
+ const char *user,
+ unsigned ulen)