+static const char *slap_propnames[] = {
+ "*slapConn", "*authcDN", "*authzDN", NULL };
+
+static Filter *generic_filter;
+
+#define PROP_CONN 0
+#define PROP_AUTHC 1
+#define PROP_AUTHZ 2
+
+typedef struct lookup_info {
+ int last;
+ int flags;
+ const struct propval *list;
+ sasl_server_params_t *sparams;
+} lookup_info;
+
+static int
+sasl_ap_lookup(
+ BackendDB *be,
+ Connection *conn,
+ Operation *op,
+ Entry *e,
+ AttributeName *an,
+ int attrsonly,
+ LDAPControl **ctrls )
+{
+ BerVarray bv;
+ AttributeDescription *ad;
+ Attribute *a;
+ const char *text;
+ int rc, i;
+ slap_callback *tmp = op->o_callback;
+ lookup_info *sl = tmp->sc_private;
+
+ for( i = 0; i < sl->last; i++ ) {
+ const char *name = sl->list[i].name;
+
+ if ( name[0] == '*' ) {
+ if ( sl->flags & SASL_AUXPROP_AUTHZID ) continue;
+ name++;
+ } else if ( !(sl->flags & SASL_AUXPROP_AUTHZID ) )
+ continue;
+
+ if ( sl->list[i].values ) {
+ if ( !(sl->flags & SASL_AUXPROP_OVERRIDE) ) continue;
+ }
+ ad = NULL;
+ rc = slap_str2ad( name, &ad, &text );
+ if ( rc != LDAP_SUCCESS ) {
+#ifdef NEW_LOGGING
+ LDAP_LOG( TRANSPORT, DETAIL1,
+ "slap_auxprop: str2ad(%s): %s\n", name, text, 0 );
+#else
+ Debug( LDAP_DEBUG_TRACE,
+ "slap_auxprop: str2ad(%s): %s\n", name, text, 0 );
+#endif
+ continue;
+ }
+ a = attr_find( e->e_attrs, ad );
+ if ( !a ) continue;
+ if ( ! access_allowed( be, conn, op, e, ad, NULL, ACL_AUTH, NULL ) )
+ continue;
+ if ( sl->list[i].values && ( sl->flags & SASL_AUXPROP_OVERRIDE ) )
+ sl->sparams->utils->prop_erase( sl->sparams->propctx, sl->list[i].name );
+ for ( bv = a->a_vals; bv->bv_val; bv++ ) {
+ sl->sparams->utils->prop_set( sl->sparams->propctx, sl->list[i].name,
+ bv->bv_val, bv->bv_len );
+ }
+ }
+ return LDAP_SUCCESS;
+}
+
+static void
+slap_auxprop_lookup(
+ void *glob_context,
+ sasl_server_params_t *sparams,
+ unsigned flags,
+ const char *user,
+ unsigned ulen)
+{
+ int rc, i, doit=0;
+ struct berval dn;
+ Connection *conn = NULL;
+ lookup_info sl;
+
+ sl.list = sparams->utils->prop_get( sparams->propctx );
+ sl.sparams = sparams;
+ sl.flags = flags;
+
+ /* Find our DN and conn first */
+ for( i = 0, sl.last = 0; sl.list[i].name; i++ ) {
+ if ( sl.list[i].name[0] == '*' ) {
+ if ( !strcmp( sl.list[i].name, slap_propnames[PROP_CONN] ) ) {
+ if ( sl.list[i].values && sl.list[i].values[0] )
+ AC_MEMCPY( &conn, sl.list[i].values[0], sizeof( conn ) );
+ if ( !sl.last ) sl.last = i;
+ }
+ if ( (flags & SASL_AUXPROP_AUTHZID) &&
+ !strcmp( sl.list[i].name, slap_propnames[PROP_AUTHZ] ) ) {
+
+ if ( sl.list[i].values && sl.list[i].values[0] )
+ AC_MEMCPY( &dn, sl.list[i].values[0], sizeof( dn ) );
+ if ( !sl.last ) sl.last = i;
+ break;
+ }
+ if ( !strcmp( sl.list[i].name, slap_propnames[PROP_AUTHC] ) ) {
+ if ( !sl.last ) sl.last = i;
+ if ( sl.list[i].values && sl.list[i].values[0] ) {
+ AC_MEMCPY( &dn, sl.list[i].values[0], sizeof( dn ) );
+ if ( !(flags & SASL_AUXPROP_AUTHZID) )
+ break;
+ }
+ }
+ }
+ }
+
+ /* Now see what else needs to be fetched */
+ for( i = 0; i < sl.last; i++ ) {
+ const char *name = sl.list[i].name;
+
+ if ( name[0] == '*' ) {
+ if ( flags & SASL_AUXPROP_AUTHZID ) continue;
+ name++;
+ } else if ( !(flags & SASL_AUXPROP_AUTHZID ) )
+ continue;
+
+ if ( sl.list[i].values ) {
+ if ( !(flags & SASL_AUXPROP_OVERRIDE) ) continue;
+ }
+ doit = 1;
+ }
+
+ if (doit) {
+ Backend *be;
+ Operation op = {0};
+ slap_callback cb = { slap_cb_null_response,
+ slap_cb_null_sresult, sasl_ap_lookup, NULL };
+
+ cb.sc_private = &sl;
+
+ be = select_backend( &dn, 0, 1 );
+
+ if ( be && be->be_search ) {
+ op.o_tag = LDAP_REQ_SEARCH;
+ op.o_protocol = LDAP_VERSION3;
+ op.o_ndn = conn->c_ndn;
+ op.o_callback = &cb;
+ op.o_time = slap_get_time();
+ op.o_do_not_cache = 1;
+ op.o_threadctx = conn->c_sasl_bindop->o_threadctx;
+
+ (*be->be_search)( be, conn, &op, NULL, &dn,
+ LDAP_SCOPE_BASE, LDAP_DEREF_NEVER, 1, 0,
+ generic_filter, NULL, NULL, 0 );
+ }
+ }
+}
+
+static sasl_auxprop_plug_t slap_auxprop_plugin = {
+ 0, /* Features */
+ 0, /* spare */
+ NULL, /* glob_context */
+ NULL, /* auxprop_free */
+ slap_auxprop_lookup,
+ "slapd", /* name */
+ NULL /* spare */
+};
+
+static int
+slap_auxprop_init(
+ const sasl_utils_t *utils,
+ int max_version,
+ int *out_version,
+ sasl_auxprop_plug_t **plug,
+ const char *plugname)
+{
+ if ( !out_version | !plug ) return SASL_BADPARAM;
+
+ if ( max_version < SASL_AUXPROP_PLUG_VERSION ) return SASL_BADVERS;
+
+ *out_version = SASL_AUXPROP_PLUG_VERSION;
+ *plug = &slap_auxprop_plugin;
+ return SASL_OK;
+}
+
+typedef struct checkpass_info {
+ int rc;
+ struct berval cred;
+} checkpass_info;
+
+static int
+sasl_cb_checkpass(
+ BackendDB *be,
+ Connection *conn,
+ Operation *op,
+ Entry *e,
+ AttributeName *an,
+ int attrsonly,
+ LDAPControl **ctrls )
+{
+ slap_callback *tmp = op->o_callback;
+ checkpass_info *ci = tmp->sc_private;
+ Attribute *a;
+ struct berval *bv;
+
+ ci->rc = SASL_NOVERIFY;
+
+ a = attr_find( e->e_attrs, slap_schema.si_ad_userPassword );
+ if ( !a ) return 0;
+ if ( ! access_allowed( be, conn, op, e, slap_schema.si_ad_userPassword,
+ NULL, ACL_AUTH, NULL ) ) return 0;
+
+ for ( bv = a->a_vals; bv->bv_val != NULL; bv++ ) {
+ if ( !lutil_passwd( bv, &ci->cred, NULL ) ) {
+ ci->rc = SASL_OK;
+ break;
+ }
+ }
+ return 0;
+}
+