/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright 1998-2003 The OpenLDAP Foundation.
+ * Copyright 1998-2004 The OpenLDAP Foundation.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
(SASL_VERSION_MINOR << 8) | SASL_VERSION_STEP)
static sasl_security_properties_t sasl_secprops;
-#else
+#elif defined( SLAP_BUILTIN_SASL )
/*
* built-in SASL implementation
* only supports EXTERNAL
sasl_auxprop_plug_t **plug,
const char *plugname)
{
- if ( !out_version | !plug ) return SASL_BADPARAM;
+ if ( !out_version || !plug ) return SASL_BADPARAM;
if ( max_version < SASL_AUXPROP_PLUG_VERSION ) return SASL_BADVERS;
a = attr_find( rs->sr_entry->e_attrs, slap_schema.si_ad_userPassword );
if ( !a ) return 0;
if ( ! access_allowed( op, rs->sr_entry, slap_schema.si_ad_userPassword,
- NULL, ACL_AUTH, NULL ) ) return 0;
+ NULL, ACL_AUTH, NULL ) )
+ {
+ return 0;
+ }
for ( bv = a->a_vals; bv->bv_val != NULL; bv++ ) {
if ( !lutil_passwd( bv, &ci->cred, NULL, &rs->sr_text ) ) {
if ( inlen > out_max )
inlen = out_max-1;
+ /* This is a Simple Bind using SPASSWD. That means the in-directory
+ * userPassword of the Binding user already points at SASL, so it
+ * cannot be used to actually satisfy a password comparison. Just
+ * ignore it, some other mech will process it.
+ */
+ if ( !conn->c_sasl_bindop ||
+ conn->c_sasl_bindop->orb_method != LDAP_AUTH_SASL ) goto done;
+
/* See if we need to add request, can only do it once */
prop_getnames( props, slap_propnames, auxvals );
if ( !auxvals[0].name )
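Review bot: The added guard `if ( !conn->c_sasl_bindop || conn->c_sasl_bindop->orb_method != LDAP_AUTH_SASL )` is repeated verbatim in the hunk ending at L49, with only the consequence differing (`goto done` here, `return SASL_OK` there); a single static helper would keep the two call sites from drifting apart, e.g. `static int slap_sasl_is_sasl_bind( Connection *conn ) { return conn->c_sasl_bindop && conn->c_sasl_bindop->orb_method == LDAP_AUTH_SASL; }` and then `if ( !slap_sasl_is_sasl_bind( conn ) ) goto done;` (assuming `conn` is a `Connection *` in both functions, as the field access suggests). The enclosing function, including the `done` label this jumps to, starts and ends outside the hunk, so what the early exit returns to the caller cannot be checked here; the comment would be clearer if it named that outcome, e.g. `/* ... ignore it: leave out untouched so some other mech processes it. */`.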
struct berval authcDN, authzDN;
int rc;
+ /* Simple Binds don't support proxy authorization, ignore it */
+ if ( !conn->c_sasl_bindop ||
+ conn->c_sasl_bindop->orb_method != LDAP_AUTH_SASL ) return SASL_OK;
+
#ifdef NEW_LOGGING
LDAP_LOG( TRANSPORT, ENTRY,
"slap_sasl_authorize: conn %d authcid=\"%s\" authzid=\"%s\"\n",
/* Skip PROP_CONN */
prop_getnames( props, slap_propnames+1, auxvals );
+ /* Should not happen */
+ if ( !auxvals[0].values ) {
+ sasl_seterror( sconn, 0, "invalid authcid" );
+ return SASL_NOAUTHZ;
+ }
+
AC_MEMCPY( &authcDN, auxvals[0].values[0], sizeof(authcDN) );
/* Nothing to do if no authzID was given */
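Review bot: The new check on L57 rejects a NULL `auxvals[0].values`, but L62 then dereferences `auxvals[0].values[0]`, which is not covered: if the property can be set with an empty value list (non-NULL array whose first entry is NULL), `AC_MEMCPY` reads through a NULL pointer. If that state is reachable, the guard should be `if ( !auxvals[0].values || !auxvals[0].values[0] ) {` so the error reply on L58-L59 covers both cases. The comment `/* Should not happen */` would also be more useful if it said what is expected to guarantee this, e.g. `/* The auxprop lookup always stores the authcDN here; treat a missing value as a failed lookup */`. The enclosing function continues outside the hunk.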
sc = slap_sasl_err2ldap( sc );
-#else
+#elif defined(SLAP_BUILTIN_SASL)
/* built-in SASL implementation */
SASL_CTX *ctx = (SASL_CTX *) SLAP_MALLOC(sizeof(SASL_CTX));
if( ctx == NULL ) return -1;
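Review bot: Replacing `#else` with `#elif defined(SLAP_BUILTIN_SASL)` on L66 leaves this function with no branch at all when neither the Cyrus nor the built-in SASL macro is defined, whereas the hunk ending at L107 adds an explicit `#else` that sends `LDAP_AUTH_METHOD_NOT_SUPPORTED` for the same configuration. The same replacement is made at L74, L82, L89 and L97 without a trailing `#else`. Unless the code after each `#endif` (outside the hunk) already returns a defined value in that build, add a matching default, e.g. `#else` followed by `return -1;` here and `return LDAP_UNAVAILABLE;` in the L70-L77 hunk, so a no-SASL build cannot fall off the end of these functions. The enclosing functions start and end outside the hunks.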
if ( sc != SASL_OK ) {
return LDAP_OTHER;
}
-#else
+#elif defined(SLAP_BUILTIN_SASL)
/* built-in SASL implementation */
SASL_CTX *ctx = conn->c_sasl_authctx;
if ( ctx == NULL ) return LDAP_UNAVAILABLE;
ch_free( mechstr );
#endif
}
-#else
+#elif defined(SLAP_BUILTIN_SASL)
/* builtin SASL implementation */
SASL_CTX *ctx = conn->c_sasl_authctx;
if ( ctx != NULL && ctx->sc_external_id.bv_val ) {
free( conn->c_sasl_extra );
conn->c_sasl_extra = NULL;
-#else
+#elif defined(SLAP_BUILTIN_SASL)
SASL_CTX *ctx = conn->c_sasl_authctx;
if( ctx ) {
if( ctx->sc_external_id.bv_val ) {
Debug(LDAP_DEBUG_TRACE, "<== slap_sasl_bind: rc=%d\n", rs->sr_err, 0, 0);
#endif
-
-#else
+#elif defined(SLAP_BUILTIN_SASL)
/* built-in SASL implementation */
SASL_CTX *ctx = op->o_conn->c_sasl_authctx;
send_ldap_error( op, rs, LDAP_AUTH_METHOD_NOT_SUPPORTED,
"requested SASL mechanism not supported" );
}
+#else
+ send_ldap_error( op, rs, LDAP_AUTH_METHOD_NOT_SUPPORTED,
+ "SASL not supported" );
#endif
return rs->sr_err;
len = dn->bv_len + sizeof("uid=")-1 + sizeof(",cn=auth")-1;
-#if 0
- /* username may have embedded realm name */
- /* FIXME:
- * userids can legally have embedded '@' chars;
- * the realm should be set by those mechanisms
- * that support it by means of the user_realm
- * variable
- */
- if( ( realm.bv_val = strrchr( dn->bv_val, '@') ) ) {
- char *r = realm.bv_val;
-
- realm.bv_val++;
- realm.bv_len = dn->bv_len - ( realm.bv_val - dn->bv_val );
- len += sizeof( ",cn=" ) - 2;
- c1.bv_len -= realm.bv_len + 1;
-
- if ( strchr( dn->bv_val, '@') == r ) {
- /* FIXME: ambiguity, is it the realm
- * or something else? */
- }
-
- } else
-#endif
if( user_realm && *user_realm ) {
realm.bv_val = user_realm;
realm.bv_len = strlen( user_realm );