+ char *c1;
+ int rc, len, is_dn = 0;
+ sasl_conn_t *ctx;
+ struct berval dn2;
+
+#ifdef NEW_LOGGING
+ LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY,
+ "slap_sasl_getdn: conn %d id=%s\n",
+ conn ? conn->c_connid : -1,
+ id ? (*id ? id : "<empty>") : "NULL" ));
+#else
+ Debug( LDAP_DEBUG_ARGS, "slap_sasl_getdn: id=%s\n",
+ id?(*id?id:"<empty>"):"NULL",0,0 );
+#endif
+
+ dn->bv_val = NULL;
+ dn->bv_len = 0;
+
+ /* Blatantly anonymous ID */
+ if( id &&
+ ( id[sizeof( "anonymous" )-1] == '\0'
+ || id[sizeof( "anonymous" )-1] == '@' ) &&
+ !strncasecmp( id, "anonymous", sizeof( "anonymous" )-1) ) {
+ return( LDAP_SUCCESS );
+ }
+ ctx = conn->c_sasl_context;
+ len = strlen( id );
+
+ /* An authcID needs to be converted to authzID form */
+ if( flags & FLAG_GETDN_AUTHCID ) {
+ if( sasl_external_x509dn_convert
+ && conn->c_sasl_bind_mech.bv_len == ext_bv.bv_len
+ && ( strcasecmp( ext_bv.bv_val, conn->c_sasl_bind_mech.bv_val ) == 0 )
+ && id[0] == '/' )
+ {
+ /* check SASL external for X.509 style DN and */
+ /* convert to dn:<dn> form */
+ dn->bv_val = ldap_dcedn2dn( id );
+ dn->bv_len = strlen(dn->bv_val);
+ is_dn = SET_DN;
+
+ } else {
+ /* convert to u:<username> form */
+ ber_str2bv( id, len, 1, dn );
+ is_dn = SET_U;
+ }
+ }
+ if( !is_dn ) {
+ if( !strncasecmp( id, "u:", sizeof("u:")-1 )) {
+ is_dn = SET_U;
+ ber_str2bv( id+2, len-2, 1, dn );
+ } else if ( !strncasecmp( id, "dn:", sizeof("dn:")-1) ) {
+ is_dn = SET_DN;
+ ber_str2bv( id+3, len-3, 1, dn );
+ }
+ }
+
+ /* An authzID must be properly prefixed */
+ if( (flags & FLAG_GETDN_AUTHZID) && !is_dn ) {
+ free( dn->bv_val );
+ dn->bv_val = NULL;
+ dn->bv_len = 0;
+ return( LDAP_INAPPROPRIATE_AUTH );
+ }
+
+ /* Username strings */
+ if( is_dn == SET_U ) {
+ char *p;
+ len = dn->bv_len + sizeof("uid=")-1 + sizeof(",cn=auth")-1;
+
+ if( user_realm && *user_realm ) {
+ len += strlen( user_realm ) + sizeof(",cn=")-1;
+ }
+
+ if( conn->c_sasl_bind_mech.bv_len ) {
+ len += conn->c_sasl_bind_mech.bv_len + sizeof(",cn=")-1;
+ }
+
+ /* Build the new dn */
+ c1 = dn->bv_val;
+ dn->bv_val = ch_malloc( len );
+ p = slap_strcopy( dn->bv_val, "uid=" );
+ p = slap_strcopy( p, c1 );
+ ch_free( c1 );
+
+ if( user_realm ) {
+ p = slap_strcopy( p, ",cn=" );
+ p = slap_strcopy( p, user_realm );
+ }
+ if( conn->c_sasl_bind_mech.bv_len ) {
+ p = slap_strcopy( p, ",cn=" );
+ p = slap_strcopy( p, conn->c_sasl_bind_mech.bv_val );
+ }
+ p = slap_strcopy( p, ",cn=auth" );
+ dn->bv_len = p - dn->bv_val;
+ is_dn = SET_DN;
+
+#ifdef NEW_LOGGING
+ LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY,
+ "slap_sasl_getdn: u:id converted to %s.\n", dn->bv_val ));
+#else
+ Debug( LDAP_DEBUG_TRACE, "getdn: u:id converted to %s\n", dn->bv_val,0,0 );
+#endif
+ }
+
+ /* DN strings that are a cn=auth identity to run through regexp */
+ if( is_dn == SET_DN && ( ( flags & FLAG_GETDN_FINAL ) == 0 ) )
+ {
+ slap_sasl2dn( dn, &dn2 );
+ if( dn2.bv_val ) {
+ ch_free( dn->bv_val );
+ *dn = dn2;
+#ifdef NEW_LOGGING
+ LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY,
+ "slap_sasl_getdn: dn:id converted to %s.\n", dn->bv_val ));
+#else
+ Debug( LDAP_DEBUG_TRACE, "getdn: dn:id converted to %s\n",
+ dn->bv_val, 0, 0 );
+#endif
+ }
+ }
+
+ if( flags & FLAG_GETDN_FINAL ) {
+ /* omit "dn:" prefix */
+ is_dn = 0;
+ } else {
+ rc = dnNormalize2( NULL, dn, &dn2 );
+ free(dn->bv_val);
+ if ( rc != LDAP_SUCCESS ) {
+ *dn = slap_empty_bv;
+ return rc;
+ }
+ *dn = dn2;
+ }
+
+ /* Attach the "dn:" prefix if needed */
+ if ( is_dn == SET_DN ) {
+ c1 = ch_malloc( dn->bv_len + sizeof("dn:") );
+ strcpy( c1, "dn:" );
+ strcpy( c1 + 3, dn->bv_val );
+ free( dn->bv_val );
+ dn->bv_val = c1;
+ dn->bv_len += 3;
+ }
+
+ return( LDAP_SUCCESS );
+}
+
+#if SASL_VERSION_MAJOR >= 2
+static int
+slap_sasl_checkpass(
+ sasl_conn_t *sconn,
+ void *context,
+ const char *username,
+ const char *pass,
+ unsigned passlen,
+ struct propctx *propctx)
+{
+ Connection *conn = (Connection *)context;
+ struct berval dn, cred;
+ int rc;
+ BerVarray vals, bv;
+
+ cred.bv_val = (char *)pass;
+ cred.bv_len = passlen;
+
+ /* XXX can we do both steps at once? */
+ rc = slap_sasl_getdn( conn, (char *)username, NULL, &dn,
+ FLAG_GETDN_AUTHCID | FLAG_GETDN_FINAL );
+ if ( rc != LDAP_SUCCESS ) {
+ sasl_seterror( sconn, 0, ldap_err2string( rc ) );
+ return SASL_NOUSER;
+ }
+
+ if ( dn.bv_len == 0 ) {
+ sasl_seterror( sconn, 0,
+ "No password is associated with the Root DSE" );
+ if ( dn.bv_val != NULL ) {
+ ch_free( dn.bv_val );
+ }
+ return SASL_NOUSER;
+ }
+
+ rc = backend_attribute( NULL, NULL, NULL, NULL, &dn,
+ slap_schema.si_ad_userPassword, &vals);
+ if ( rc != LDAP_SUCCESS ) {
+ ch_free( dn.bv_val );
+ sasl_seterror( sconn, 0, ldap_err2string( rc ) );
+ return SASL_NOVERIFY;
+ }
+
+ rc = SASL_NOVERIFY;
+
+ if ( vals != NULL ) {
+ for ( bv = vals; bv->bv_val != NULL; bv++ ) {
+ if ( !lutil_passwd( bv, &cred, NULL ) ) {
+ rc = SASL_OK;
+ break;
+ }
+ }
+ ber_bvarray_free( vals );
+ }
+
+ if ( rc != SASL_OK ) {
+ sasl_seterror( sconn, 0,
+ ldap_err2string( LDAP_INVALID_CREDENTIALS ) );
+ }
+
+ ch_free( dn.bv_val );
+
+ return rc;