+ return rs->sr_err;
+}
+#endif /* HAVE_CYRUS_SASL */
+
+/* Take any sort of identity string and return a DN with the "dn:" prefix. The
+ * string returned in *dn is in its own allocated memory, and must be free'd
+ * by the calling process. -Mark Adamson, Carnegie Mellon
+ *
+ * The "dn:" prefix is no longer used anywhere inside slapd. It is only used
+ * on strings passed in directly from SASL. -Howard Chu, Symas Corp.
+ */
+
+#define SET_NONE 0
+#define SET_DN 1
+#define SET_U 2
+
+int slap_sasl_getdn( Connection *conn, Operation *op, struct berval *id,
+ char *user_realm, struct berval *dn, int flags )
+{
+ int rc, is_dn = SET_NONE, do_norm = 1;
+ struct berval dn2, *mech;
+
+ assert( conn );
+ assert( id );
+
+ Debug( LDAP_DEBUG_ARGS, "slap_sasl_getdn: conn %d id=%s [len=%d]\n",
+ conn->c_connid,
+ BER_BVISNULL( id ) ? "NULL" : ( BER_BVISEMPTY( id ) ? "<empty>" : id->bv_val ),
+ BER_BVISNULL( id ) ? 0 : ( BER_BVISEMPTY( id ) ? 0 : id->bv_len ) );
+
+ if ( !op ) {
+ op = conn->c_sasl_bindop;
+ }
+
+ BER_BVZERO( dn );
+
+ if ( !BER_BVISNULL( id ) ) {
+ /* Blatantly anonymous ID */
+ static struct berval bv_anonymous = BER_BVC( "anonymous" );
+
+ if ( ber_bvstrcasecmp( id, &bv_anonymous ) == 0 ) {
+ return( LDAP_SUCCESS );
+ }
+
+ } else {
+ /* FIXME: if empty, should we stop? */
+ BER_BVSTR( id, "" );
+ }
+
+ if ( !BER_BVISEMPTY( &conn->c_sasl_bind_mech ) ) {
+ mech = &conn->c_sasl_bind_mech;
+ } else {
+ mech = &conn->c_authmech;
+ }
+
+ /* An authcID needs to be converted to authzID form. Set the
+ * values directly into *dn; they will be normalized later. (and
+ * normalizing always makes a new copy.) An ID from a TLS certificate
+ * is already normalized, so copy it and skip normalization.
+ */
+ if( flags & SLAP_GETDN_AUTHCID ) {
+ if( bvmatch( mech, &ext_bv )) {
+ /* EXTERNAL DNs are already normalized */
+ assert( !BER_BVISNULL( id ) );
+
+ do_norm = 0;
+ is_dn = SET_DN;
+ ber_dupbv_x( dn, id, op->o_tmpmemctx );
+
+ } else {
+ /* convert to u:<username> form */
+ is_dn = SET_U;
+ *dn = *id;
+ }
+ }
+
+ if( is_dn == SET_NONE ) {
+ if( !strncasecmp( id->bv_val, "u:", STRLENOF( "u:" ) ) ) {
+ is_dn = SET_U;
+ dn->bv_val = id->bv_val + STRLENOF( "u:" );
+ dn->bv_len = id->bv_len - STRLENOF( "u:" );
+
+ } else if ( !strncasecmp( id->bv_val, "dn:", STRLENOF( "dn:" ) ) ) {
+ is_dn = SET_DN;
+ dn->bv_val = id->bv_val + STRLENOF( "dn:" );
+ dn->bv_len = id->bv_len - STRLENOF( "dn:" );
+ }
+ }
+
+ /* No other possibilities from here */
+ if( is_dn == SET_NONE ) {
+ BER_BVZERO( dn );
+ return( LDAP_INAPPROPRIATE_AUTH );
+ }
+
+ /* Username strings */
+ if( is_dn == SET_U ) {
+ char *p;
+ struct berval realm = BER_BVNULL, c1 = *dn;
+ ber_len_t len;
+
+ len = dn->bv_len + STRLENOF( "uid=" ) + STRLENOF( ",cn=auth" );
+
+ if( user_realm && *user_realm ) {
+ ber_str2bv( user_realm, 0, 0, &realm );
+ len += realm.bv_len + STRLENOF( ",cn=" );
+ }
+
+ if( mech->bv_len ) {
+ len += mech->bv_len + STRLENOF( ",cn=" );
+ }
+
+ /* Build the new dn */
+ dn->bv_val = slap_sl_malloc( len + 1, op->o_tmpmemctx );
+ if( dn->bv_val == NULL ) {
+ Debug( LDAP_DEBUG_ANY,
+ "slap_sasl_getdn: SLAP_MALLOC failed", 0, 0, 0 );
+ return LDAP_OTHER;
+ }
+ p = lutil_strcopy( dn->bv_val, "uid=" );
+ p = lutil_strncopy( p, c1.bv_val, c1.bv_len );
+
+ if( realm.bv_len ) {
+ p = lutil_strcopy( p, ",cn=" );
+ p = lutil_strncopy( p, realm.bv_val, realm.bv_len );
+ }
+
+ if( mech->bv_len ) {
+ p = lutil_strcopy( p, ",cn=" );
+ p = lutil_strcopy( p, mech->bv_val );
+ }
+ p = lutil_strcopy( p, ",cn=auth" );
+ dn->bv_len = p - dn->bv_val;
+
+ Debug( LDAP_DEBUG_TRACE, "slap_sasl_getdn: u:id converted to %s\n", dn->bv_val,0,0 );
+ } else {
+
+ /* Dup the DN in any case, so we don't risk
+ * leaks or dangling pointers later,
+ * and the DN value is '\0' terminated */
+ ber_dupbv_x( &dn2, dn, op->o_tmpmemctx );
+ dn->bv_val = dn2.bv_val;
+ }
+
+ /* All strings are in DN form now. Normalize if needed. */
+ if ( do_norm ) {
+ rc = dnNormalize( 0, NULL, NULL, dn, &dn2, op->o_tmpmemctx );
+
+ /* User DNs were constructed above and must be freed now */
+ slap_sl_free( dn->bv_val, op->o_tmpmemctx );
+
+ if ( rc != LDAP_SUCCESS ) {
+ BER_BVZERO( dn );
+ return rc;
+ }
+ *dn = dn2;
+ }
+
+ /* Run thru regexp */
+ slap_sasl2dn( op, dn, &dn2, flags );
+ if( !BER_BVISNULL( &dn2 ) ) {
+ slap_sl_free( dn->bv_val, op->o_tmpmemctx );
+ *dn = dn2;
+ Debug( LDAP_DEBUG_TRACE, "getdn: dn:id converted to %s\n",
+ dn->bv_val, 0, 0 );
+ }
+
+ return( LDAP_SUCCESS );