ITS#7341, ITS#8391, ITS#8587

[openldap] / servers / slapd / saslauthz.c

diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
index 135c242fe53a4bf33dfeabf7bd9ad116da99c2ad..8ef0e0e949bc5e48a8fc50be8cdca2649215bbe1 100644 (file)
--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@@ -1,7 +1,7 @@
 /* $OpenLDAP$ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2017 The OpenLDAP Foundation.
  * Portions Copyright 2000 Mark Adamson, Carnegie Mellon.
  * All rights reserved.
  *
@@ -1226,7 +1226,10 @@ is_dn:           bv.bv_len = uri->bv_len - (bv.bv_val - uri->bv_val);
 
 done:
        if( rc != LDAP_SUCCESS ) {
-               if( *filter ) filter_free_x( op, *filter );
+               if( *filter ) {
+                       filter_free_x( op, *filter, 1 );
+                       *filter = NULL;
+               }
                BER_BVZERO( base );
                BER_BVZERO( fstr );
        } else {
@@ -1665,7 +1668,7 @@ slap_sasl_match( Operation *opx, struct berval *rule,
 
        Debug( LDAP_DEBUG_TRACE,
           "===>slap_sasl_match: comparing DN %s to rule %s\n",
-               assertDN->bv_val, rule->bv_val, 0 );
+               assertDN->bv_len ? assertDN->bv_val : "(null)", rule->bv_val, 0 );
 
        /* NOTE: don't normalize rule if authz syntax is enabled */
        rc = slap_parseURI( opx, rule, &base, &op.o_req_ndn,
@@ -1699,7 +1702,7 @@ exact_match:
 
                        /* leave room for at least one char of attributeType,
                         * one for '=' and one for ',' */
-                       if ( d < STRLENOF( "x=,") ) {
+                       if ( d < (int) STRLENOF( "x=,") ) {
                                goto CONCLUDED;
                        }
 
@@ -1843,7 +1846,7 @@ exact_match:
 CONCLUDED:
        if( !BER_BVISNULL( &op.o_req_dn ) ) slap_sl_free( op.o_req_dn.bv_val, opx->o_tmpmemctx );
        if( !BER_BVISNULL( &op.o_req_ndn ) ) slap_sl_free( op.o_req_ndn.bv_val, opx->o_tmpmemctx );
-       if( op.ors_filter ) filter_free_x( opx, op.ors_filter );
+       if( op.ors_filter ) filter_free_x( opx, op.ors_filter, 1 );
        if( !BER_BVISNULL( &op.ors_filterstr ) ) ch_free( op.ors_filterstr.bv_val );
 
        Debug( LDAP_DEBUG_TRACE,
@@ -2005,7 +2008,7 @@ slap_sasl2dn(
        op.o_bd->be_search( &op, &rs );
        
 FINISHED:
-       if( !BER_BVISEMPTY( sasldn ) ) {
+       if( opx == opx->o_conn->c_sasl_bindop && !BER_BVISEMPTY( sasldn ) ) {
                opx->o_conn->c_authz_backend = op.o_bd;
        }
        if( !BER_BVISNULL( &op.o_req_dn ) ) {
@@ -2015,7 +2018,7 @@ FINISHED:
                slap_sl_free( op.o_req_ndn.bv_val, opx->o_tmpmemctx );
        }
        if( op.ors_filter ) {
-               filter_free_x( opx, op.ors_filter );
+               filter_free_x( opx, op.ors_filter, 1 );
        }
        if( !BER_BVISNULL( &op.ors_filterstr ) ) {
                ch_free( op.ors_filterstr.bv_val );
@@ -2038,11 +2041,16 @@ int slap_sasl_authorized( Operation *op,
        int rc = LDAP_INAPPROPRIATE_AUTH;
 
        /* User binding as anonymous */
-       if ( authzDN == NULL ) {
+       if ( !authzDN || !authzDN->bv_len || !authzDN->bv_val ) {
                rc = LDAP_SUCCESS;
                goto DONE;
        }
 
+       /* User is anonymous */
+       if ( !authcDN || !authcDN->bv_len || !authcDN->bv_val ) {
+               goto DONE;
+       }
+
        Debug( LDAP_DEBUG_TRACE,
           "==>slap_sasl_authorized: can %s become %s?\n",
                authcDN->bv_len ? authcDN->bv_val : "(null)",