/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright 1998-2005 The OpenLDAP Foundation.
+ * Copyright 1998-2006 The OpenLDAP Foundation.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
{
int rc;
+ /* map SASL errors to LDAP API errors returned by:
+ * sasl_client_new()
+ * SASL_OK, SASL_NOMECH, SASL_NOMEM
+ * sasl_client_start()
+ * SASL_OK, SASL_NOMECH, SASL_NOMEM, SASL_INTERACT
+ * sasl_client_step()
+ * SASL_OK, SASL_INTERACT, SASL_BADPROT, SASL_BADSERV
+ */
+
switch (saslerr) {
case SASL_CONTINUE:
rc = LDAP_MORE_RESULTS_TO_RETURN;
case SASL_OK:
rc = LDAP_SUCCESS;
break;
- case SASL_FAIL:
- rc = LDAP_LOCAL_ERROR;
- break;
case SASL_NOMEM:
rc = LDAP_NO_MEMORY;
break;
case SASL_NOMECH:
rc = LDAP_AUTH_UNKNOWN;
break;
+ case SASL_BADPROT:
+ rc = LDAP_DECODING_ERROR;
+ break;
+ case SASL_BADSERV:
+ rc = LDAP_AUTH_UNKNOWN;
+ break;
+
+ /* other codes */
case SASL_BADAUTH:
rc = LDAP_AUTH_UNKNOWN;
break;
case SASL_NOAUTHZ:
rc = LDAP_PARAM_ERROR;
break;
+ case SASL_FAIL:
+ rc = LDAP_LOCAL_ERROR;
+ break;
case SASL_TOOWEAK:
case SASL_ENCRYPT:
rc = LDAP_AUTH_UNKNOWN;
return ld->ld_errno;
}
+ rc = 0;
+#ifdef LDAP_R_COMPILE
+ ldap_pvt_thread_mutex_lock( &ld->ld_req_mutex );
+#endif
ber_sockbuf_ctrl( ld->ld_sb, LBER_SB_OPT_GET_FD, &sd );
if ( sd == AC_SOCKET_INVALID ) {
/* not connected yet */
- int rc;
rc = ldap_open_defconn( ld );
- if( rc < 0 ) return ld->ld_errno;
- ber_sockbuf_ctrl( ld->ld_defconn->lconn_sb, LBER_SB_OPT_GET_FD, &sd );
+ if ( rc == 0 ) {
+ ber_sockbuf_ctrl( ld->ld_defconn->lconn_sb,
+ LBER_SB_OPT_GET_FD, &sd );
- if( sd == AC_SOCKET_INVALID ) {
- ld->ld_errno = LDAP_LOCAL_ERROR;
- return ld->ld_errno;
+ if( sd == AC_SOCKET_INVALID ) {
+ ld->ld_errno = LDAP_LOCAL_ERROR;
+ rc = ld->ld_errno;
+ }
}
}
+#ifdef LDAP_R_COMPILE
+ ldap_pvt_thread_mutex_unlock( &ld->ld_req_mutex );
+#endif
+ if( rc != 0 ) return ld->ld_errno;
oldctx = ld->ld_defconn->lconn_sasl_authctx;
ld->ld_defconn->lconn_sasl_authctx = NULL;
}
- { char *saslhost = ldap_host_connected_to( ld->ld_defconn->lconn_sb, "localhost" );
- rc = ldap_int_sasl_open( ld, ld->ld_defconn, saslhost );
- LDAP_FREE( saslhost );
+ {
+ char *saslhost = ldap_host_connected_to( ld->ld_defconn->lconn_sb,
+ "localhost" );
+ rc = ldap_int_sasl_open( ld, ld->ld_defconn, saslhost );
+ LDAP_FREE( saslhost );
}
if ( rc != LDAP_SUCCESS ) return rc;
#if !defined(_WIN32)
/* Check for local */
- if ( ldap_pvt_url_scheme2proto( ld->ld_defconn->lconn_server->lud_scheme ) == LDAP_PROTO_IPC ) {
+ if ( ldap_pvt_url_scheme2proto(
+ ld->ld_defconn->lconn_server->lud_scheme ) == LDAP_PROTO_IPC )
+ {
char authid[sizeof("gidNumber=4294967295+uidNumber=4294967295,"
"cn=peercred,cn=external,cn=auth")];
sprintf( authid, "gidNumber=%d+uidNumber=%d,"
"cn=peercred,cn=external,cn=auth",
(int) getegid(), (int) geteuid() );
- (void) ldap_int_sasl_external( ld, ld->ld_defconn, authid, LDAP_PVT_SASL_LOCAL_SSF );
+ (void) ldap_int_sasl_external( ld, ld->ld_defconn, authid,
+ LDAP_PVT_SASL_LOCAL_SSF );
}
#endif
scred = NULL;
- rc = ldap_sasl_bind_s( ld, dn, mech, &ccred, sctrls, cctrls, &scred );
+ rc = ldap_sasl_bind_s( ld, dn, mech, &ccred, sctrls, cctrls,
+ &scred );
if ( ccred.bv_val != NULL ) {
#if SASL_VERSION_MAJOR < 2
if ( rc != LDAP_SUCCESS && rc != LDAP_SASL_BIND_IN_PROGRESS ) {
if( scred ) {
- if ( scred->bv_len ) {
- /* and server provided us with data? */
- Debug( LDAP_DEBUG_TRACE,
- "ldap_int_sasl_bind: rc=%d sasl=%d len=%ld\n",
- rc, saslrc, scred->bv_len );
- }
+ /* and server provided us with data? */
+ Debug( LDAP_DEBUG_TRACE,
+ "ldap_int_sasl_bind: rc=%d sasl=%d len=%ld\n",
+ rc, saslrc, scred ? scred->bv_len : -1 );
ber_bvfree( scred );
+ scred = NULL;
}
rc = ld->ld_errno;
goto done;
if( rc == LDAP_SUCCESS && saslrc == SASL_OK ) {
/* we're done, no need to step */
if( scred ) {
- if ( scred->bv_len ) {
- /* but server provided us with data! */
+ /* but we got additional data? */
+#define KLUDGE_FOR_MSAD
+#ifdef KLUDGE_FOR_MSAD
+ /*
+ * MSAD provides empty additional data in violation of LDAP
+ * technical specifications. As no existing SASL mechanism
+ * allows empty data with an outcome message, just ignore it
+ * for now. Hopefully MS will fix their bug before someone
+ * defines a mechanism with possibly empty additional data.
+ */
+ if( scred->bv_len == 0 ) {
+ Debug( LDAP_DEBUG_ANY,
+ "ldap_int_sasl_bind: ignoring "
+ " bogus empty data provided with SASL outcome message.\n",
+ rc, saslrc, scred->bv_len );
+ ber_bvfree( scred );
+ } else
+#endif
+ {
Debug( LDAP_DEBUG_TRACE,
"ldap_int_sasl_bind: rc=%d sasl=%d len=%ld\n",
rc, saslrc, scred->bv_len );
+ rc = ld->ld_errno = LDAP_LOCAL_ERROR;
+ ber_bvfree( scred );
+ goto done;
}
- ber_bvfree( scred );
- rc = ld->ld_errno = LDAP_LOCAL_ERROR;
- goto done;
}
break;
}
do {
+ if( ! scred ) {
+ /* no data! */
+ Debug( LDAP_DEBUG_TRACE,
+ "ldap_int_sasl_bind: no data in step!\n",
+ 0, 0, 0 );
+ }
+
saslrc = sasl_client_step( ctx,
(scred == NULL) ? NULL : scred->bv_val,
(scred == NULL) ? 0 : scred->bv_len,
}
if( flags != LDAP_SASL_QUIET ) {
- saslrc = sasl_getprop( ctx, SASL_USERNAME, (SASL_CONST void **) &data );
+ saslrc = sasl_getprop( ctx, SASL_USERNAME,
+ (SASL_CONST void **) &data );
if( saslrc == SASL_OK && data && *data ) {
fprintf( stderr, "SASL username: %s\n", data );
}
#if SASL_VERSION_MAJOR < 2
- saslrc = sasl_getprop( ctx, SASL_REALM, (SASL_CONST void **) &data );
+ saslrc = sasl_getprop( ctx, SASL_REALM,
+ (SASL_CONST void **) &data );
if( saslrc == SASL_OK && data && *data ) {
fprintf( stderr, "SASL realm: %s\n", data );
}
}
if( ssf && *ssf ) {
- if( flags != LDAP_SASL_QUIET ) {
- fprintf( stderr, "SASL installing layers\n" );
- }
if ( ld->ld_defconn->lconn_sasl_sockctx ) {
oldctx = ld->ld_defconn->lconn_sasl_sockctx;
sasl_dispose( &oldctx );
}
ldap_pvt_sasl_install( ld->ld_defconn->lconn_sb, ctx );
ld->ld_defconn->lconn_sasl_sockctx = ctx;
+
+ if( flags != LDAP_SASL_QUIET ) {
+ fprintf( stderr, "SASL data security layer installed.\n" );
+ }
}
}
ld->ld_defconn->lconn_sasl_authctx = ctx;
sasl_security_properties_t *secprops )
{
int i, j, l;
- char **props = ldap_str2charray( in, "," );
+ char **props;
unsigned sflags = 0;
int got_sflags = 0;
sasl_ssf_t max_ssf = 0;
unsigned maxbufsize = 0;
int got_maxbufsize = 0;
- if( props == NULL || secprops == NULL ) {
+ if( secprops == NULL ) {
+ return LDAP_PARAM_ERROR;
+ }
+ props = ldap_str2charray( in, "," );
+ if( props == NULL ) {
return LDAP_PARAM_ERROR;
}
if ( strncasecmp( props[i], sprops[j].key.bv_val,
sprops[j].key.bv_len )) continue;
if ( sprops[j].ival ) {
- int v;
+ unsigned v;
char *next = NULL;
- if ( !isdigit( props[i][sprops[j].key.bv_len] )) continue;
+ if ( !isdigit( (unsigned char)props[i][sprops[j].key.bv_len] ))
+ continue;
v = strtoul( &props[i][sprops[j].key.bv_len], &next, 10 );
- if ( next == NULL || next[ 0 ] != '\0' ) continue;
+ if ( next == &props[i][sprops[j].key.bv_len] || next[0] != '\0' ) continue;
switch( sprops[j].ival ) {
case GOT_MINSSF:
min_ssf = v; got_min_ssf++; break;
break;
}
if ( BER_BVISNULL( &sprops[j].key )) {
+ ldap_charray_free( props );
return LDAP_NOT_SUPPORTED;
}
}
int
ldap_int_sasl_set_option( LDAP *ld, int option, void *arg )
{
- if ( ld == NULL )
+ if ( ld == NULL || arg == NULL )
return -1;
switch ( option ) {
projects / openldap / blobdiff