Fix prev commit

[openldap] / servers / slapd / sasl.c

diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c
index e266b0e4063b18ea9e8e7b6090a2d01aa2c1175a..61d9234a1d22c155ba3795669f7c7793d1a56010 100644 (file)
--- a/servers/slapd/sasl.c
+++ b/servers/slapd/sasl.c
@@ -773,6 +773,14 @@ slap_sasl_canonicalize(
        if ( inlen > out_max )
                inlen = out_max-1;
 
+       /* This is a Simple Bind using SPASSWD. That means the in-directory
+        * userPassword of the Binding user already points at SASL, so it
+        * cannot be used to actually satisfy a password comparison. Just
+        * ignore it, some other mech will process it.
+        */
+       if ( !conn->c_sasl_bindop ||
+               conn->c_sasl_bindop->orb_method != LDAP_AUTH_SASL ) goto done;
+
        /* See if we need to add request, can only do it once */
        prop_getnames( props, slap_propnames, auxvals );
        if ( !auxvals[0].name )
@@ -867,6 +875,10 @@ slap_sasl_authorize(
        struct berval authcDN, authzDN;
        int rc;
 
+       /* Simple Binds don't support proxy authorization, ignore it */
+       if ( !conn->c_sasl_bindop ||
+               conn->c_sasl_bindop->orb_method != LDAP_AUTH_SASL ) return SASL_OK;
+
 #ifdef NEW_LOGGING
        LDAP_LOG( TRANSPORT, ENTRY, 
                "slap_sasl_authorize: conn %d authcid=\"%s\" authzid=\"%s\"\n",
@@ -885,6 +897,12 @@ slap_sasl_authorize(
        /* Skip PROP_CONN */
        prop_getnames( props, slap_propnames+1, auxvals );
        
+       /* Should not happen */
+       if ( !auxvals[0].values ) {
+               sasl_seterror( sconn, 0, "invalid authcid" );
+               return SASL_NOAUTHZ;
+       }
+
        AC_MEMCPY( &authcDN, auxvals[0].values[0], sizeof(authcDN) );
 
        /* Nothing to do if no authzID was given */