+static int
+slap_sasl_authorize(
+ sasl_conn_t *sconn,
+ void *context,
+ const char *requested_user,
+ unsigned rlen,
+ const char *auth_identity,
+ unsigned alen,
+ const char *def_realm,
+ unsigned urlen,
+ struct propctx *propctx)
+{
+ Connection *conn = (Connection *)context;
+ struct berval authcDN, authzDN;
+ int rc;
+
+ authcDN.bv_val = (char *)auth_identity;
+ authcDN.bv_len = alen;
+
+ authzDN.bv_val = (char *)requested_user;
+ authzDN.bv_len = rlen;
+
+#ifdef NEW_LOGGING
+ LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY,
+ "slap_sasl_authorize: conn %d authcDN=\"%s\" authzDN=\"%s\"\n",
+ conn ? conn->c_connid : -1, authcDN.bv_val, authzDN.bv_val));
+#else
+ Debug( LDAP_DEBUG_ARGS, "SASL Authorize [conn=%ld]: "
+ "authcDN=\"%s\" authzDN=\"%s\"\n",
+ conn ? conn->c_connid : -1, authcDN.bv_val, authzDN.bv_val );
+#endif
+
+ rc = slap_sasl_authorized( &authcDN, &authzDN );
+ if ( rc != LDAP_SUCCESS ) {
+#ifdef NEW_LOGGING
+ LDAP_LOG(( "sasl", LDAP_LEVEL_INFO,
+ "slap_sasl_authorize: conn %ld authorization disallowed (%d)\n",
+ (long)(conn ? conn->c_connid : -1), rc ));
+#else
+ Debug( LDAP_DEBUG_TRACE, "SASL Authorize [conn=%ld]: "
+ " authorization disallowed (%d)\n",
+ (long) (conn ? conn->c_connid : -1), rc, 0 );
+#endif
+
+ sasl_seterror( sconn, 0, "not authorized" );
+ return SASL_NOAUTHZ;
+ }
+
+#ifdef NEW_LOGGING
+ LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY,
+ "slap_sasl_authorize: conn %d authorization allowed\n",
+ (long)(conn ? conn->c_connid : -1 ) ));
+#else
+ Debug( LDAP_DEBUG_TRACE, "SASL Authorize [conn=%ld]: "
+ " authorization allowed\n",
+ (long) (conn ? conn->c_connid : -1), 0, 0 );
+#endif
+
+ return SASL_OK;
+}
+#else
+static int
+slap_sasl_authorize(
+ void *context,
+ const char *authcid,
+ const char *authzid,
+ const char **user,
+ const char **errstr)
+{
+ struct berval authcDN, authzDN;
+ int rc;
+ Connection *conn = context;
+ char *realm;
+
+ *user = NULL;
+
+#ifdef NEW_LOGGING
+ LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY,
+ "slap_sasl_authorize: conn %d authcid=\"%s\" authzid=\"%s\"\n",
+ conn ? conn->c_connid : -1,
+ authcid ? authcid : "<empty>",
+ authzid ? authzid : "<empty>" ));
+#else
+ Debug( LDAP_DEBUG_ARGS, "SASL Authorize [conn=%ld]: "
+ "authcid=\"%s\" authzid=\"%s\"\n",
+ (long) (conn ? conn->c_connid : -1),
+ authcid ? authcid : "<empty>",
+ authzid ? authzid : "<empty>" );
+#endif
+
+ /* Figure out how much data we have for the dn */
+ rc = sasl_getprop( conn->c_sasl_context, SASL_REALM, (void **)&realm );
+ if( rc != SASL_OK && rc != SASL_NOTDONE ) {
+#ifdef NEW_LOGGING
+ LDAP_LOG(( "sasl", LDAP_LEVEL_ERR,
+ "slap_sasl_authorize: getprop(REALM) failed.\n" ));
+#else
+ Debug(LDAP_DEBUG_TRACE,
+ "authorize: getprop(REALM) failed!\n", 0,0,0);
+#endif
+ *errstr = "Could not extract realm";
+ return SASL_NOAUTHZ;
+ }
+
+ /* Convert the identities to DN's. If no authzid was given, client will
+ be bound as the DN matching their username */
+ rc = slap_sasl_getdn( conn, (char *)authcid, realm, &authcDN, FLAG_GETDN_AUTHCID );
+ if( rc != LDAP_SUCCESS ) {
+ *errstr = ldap_err2string( rc );
+ return SASL_NOAUTHZ;
+ }
+ if( ( authzid == NULL ) || !strcmp( authcid,authzid ) ) {
+#ifdef NEW_LOGGING
+ LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY,
+ "slap_sasl_authorize: conn %d Using authcDN=%s\n",
+ conn ? conn->c_connid : -1, authcDN.bv_val ));
+#else
+ Debug( LDAP_DEBUG_TRACE, "SASL Authorize [conn=%ld]: "
+ "Using authcDN=%s\n", (long) (conn ? conn->c_connid : -1), authcDN.bv_val,0 );
+#endif
+
+ *user = authcDN.bv_val;
+ *errstr = NULL;
+ return SASL_OK;
+ }
+ rc = slap_sasl_getdn( conn, (char *)authzid, realm, &authzDN, FLAG_GETDN_AUTHZID );
+ if( rc != LDAP_SUCCESS ) {
+ ch_free( authcDN.bv_val );
+ *errstr = ldap_err2string( rc );
+ return SASL_NOAUTHZ;
+ }
+
+ rc = slap_sasl_authorized( &authcDN, &authzDN );
+ if( rc ) {
+#ifdef NEW_LOGGING
+ LDAP_LOG(( "sasl", LDAP_LEVEL_INFO,
+ "slap_sasl_authorize: conn %ld authorization disallowed (%d)\n",
+ (long)(conn ? conn->c_connid : -1), rc ));
+#else
+ Debug( LDAP_DEBUG_TRACE, "SASL Authorize [conn=%ld]: "
+ " authorization disallowed (%d)\n",
+ (long) (conn ? conn->c_connid : -1), rc, 0 );
+#endif
+
+ *errstr = "not authorized";
+ ch_free( authcDN.bv_val );
+ ch_free( authzDN.bv_val );
+ return SASL_NOAUTHZ;
+ }
+
+#ifdef NEW_LOGGING
+ LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY,
+ "slap_sasl_authorize: conn %d authorization allowed\n",
+ (long)(conn ? conn->c_connid : -1 ) ));
+#else
+ Debug( LDAP_DEBUG_TRACE, "SASL Authorize [conn=%ld]: "
+ " authorization allowed\n",
+ (long) (conn ? conn->c_connid : -1), 0, 0 );
+#endif
+
+
+ ch_free( authcDN.bv_val );
+ *user = authzDN.bv_val;
+ *errstr = NULL;
+ return SASL_OK;
+}
+#endif /* SASL_VERSION_MAJOR >= 2 */
+