X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=libraries%2Flibldap%2Fsasl.c;h=04f12d5b27598017c3e5b73d5bdb780dfbc11ee7;hb=0fcf37ca6fa6d9abb1752f5d00b52d945b34f03a;hp=28e36768b39b3db712ae912332def7a931ae3a57;hpb=ab7c49096057d17c929ff3681edf41f07a29e782;p=openldap
diff --git a/libraries/libldap/sasl.c b/libraries/libldap/sasl.c
index 28e36768b3..04f12d5b27 100644
--- a/libraries/libldap/sasl.c
+++ b/libraries/libldap/sasl.c
@@ -1,7 +1,19 @@
/* $OpenLDAP$ */
-/*
- * Copyright 1998-1999 The OpenLDAP Foundation, All Rights Reserved.
- * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
+/* This work is part of OpenLDAP Software .
+ *
+ * Copyright 1998-2003 The OpenLDAP Foundation.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
+ *
+ * A copy of this license is available in the file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * .
+ */
+/* Portions Copyright (C) The Internet Society (1997)
+ * ASN.1 fragments are from RFC 2251; see RFC for full legal notices.
*/
/*
@@ -10,7 +22,7 @@
* name DistinguishedName, -- who
* authentication CHOICE {
* simple [0] OCTET STRING -- passwd
-#ifdef HAVE_KERBEROS
+#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
* krbv42ldap [1] OCTET STRING
* krbv42dsa [2] OCTET STRING
#endif
@@ -30,20 +42,22 @@
#include
#include
+#include
#include
#include
+#include
#include "ldap-int.h"
-
/*
- * ldap_sasl_bind - bind to the ldap server (and X.500). The dn, mechanism, and
- * credentials of the entry to which to bind are supplied. The message id
- * of the request initiated is provided upon successful (LDAP_SUCCESS) return.
+ * ldap_sasl_bind - bind to the ldap server (and X.500).
+ * The dn (usually NULL), mechanism, and credentials are provided.
+ * The message id of the request initiated is provided upon successful
+ * (LDAP_SUCCESS) return.
*
* Example:
- * ldap_sasl_bind( ld, "cn=manager, o=university of michigan, c=us",
- * "mechanism", "secret", NULL, NULL, &msgid )
+ * ldap_sasl_bind( ld, NULL, "mechanism",
+ * cred, NULL, NULL, &msgid )
*/
int
@@ -58,20 +72,24 @@ ldap_sasl_bind(
{
BerElement *ber;
int rc;
+ ber_int_t id;
+#ifdef NEW_LOGGING
+ LDAP_LOG ( TRANSPORT, ENTRY, "ldap_sasl_bind\n", 0, 0, 0 );
+#else
Debug( LDAP_DEBUG_TRACE, "ldap_sasl_bind\n", 0, 0, 0 );
+#endif
assert( ld != NULL );
assert( LDAP_VALID( ld ) );
assert( msgidp != NULL );
- if( msgidp == NULL ) {
- ld->ld_errno = LDAP_PARAM_ERROR;
- return ld->ld_errno;
- }
+ /* check client controls */
+ rc = ldap_int_client_controls( ld, cctrls );
+ if( rc != LDAP_SUCCESS ) return rc;
if( mechanism == LDAP_SASL_SIMPLE ) {
- if( dn == NULL && cred != NULL ) {
+ if( dn == NULL && cred != NULL && cred->bv_len ) {
/* use default binddn */
dn = ld->ld_defbinddn;
}
@@ -91,26 +109,27 @@ ldap_sasl_bind(
return ld->ld_errno;
}
- assert( BER_VALID( ber ) );
+ assert( LBER_VALID( ber ) );
+ LDAP_NEXT_MSGID( ld, id );
if( mechanism == LDAP_SASL_SIMPLE ) {
/* simple bind */
- rc = ber_printf( ber, "{it{istO}" /*}*/,
- ++ld->ld_msgid, LDAP_REQ_BIND,
+ rc = ber_printf( ber, "{it{istON}" /*}*/,
+ id, LDAP_REQ_BIND,
ld->ld_version, dn, LDAP_AUTH_SIMPLE,
cred );
- } else if ( cred == NULL ) {
+ } else if ( cred == NULL || cred->bv_val == NULL ) {
/* SASL bind w/o creditials */
- rc = ber_printf( ber, "{it{ist{s}}" /*}*/,
- ++ld->ld_msgid, LDAP_REQ_BIND,
+ rc = ber_printf( ber, "{it{ist{sN}N}" /*}*/,
+ id, LDAP_REQ_BIND,
ld->ld_version, dn, LDAP_AUTH_SASL,
mechanism );
} else {
/* SASL bind w/ creditials */
- rc = ber_printf( ber, "{it{ist{sO}}" /*}*/,
- ++ld->ld_msgid, LDAP_REQ_BIND,
+ rc = ber_printf( ber, "{it{ist{sON}N}" /*}*/,
+ id, LDAP_REQ_BIND,
ld->ld_version, dn, LDAP_AUTH_SASL,
mechanism, cred );
}
@@ -127,20 +146,15 @@ ldap_sasl_bind(
return ld->ld_errno;
}
- if ( ber_printf( ber, /*{*/ "}" ) == -1 ) {
+ if ( ber_printf( ber, /*{*/ "N}" ) == -1 ) {
ld->ld_errno = LDAP_ENCODING_ERROR;
ber_free( ber, 1 );
return ld->ld_errno;
}
-#ifndef LDAP_NOCACHE
- if ( ld->ld_cache != NULL ) {
- ldap_flush_cache( ld );
- }
-#endif /* !LDAP_NOCACHE */
/* send the message */
- *msgidp = ldap_send_initial_request( ld, LDAP_REQ_BIND, dn, ber );
+ *msgidp = ldap_send_initial_request( ld, LDAP_REQ_BIND, dn, ber, id );
if(*msgidp < 0)
return ld->ld_errno;
@@ -148,16 +162,6 @@ ldap_sasl_bind(
return LDAP_SUCCESS;
}
-/*
- * ldap_sasl_bind_s - bind to the ldap server (and X.500) using simple
- * authentication. The dn and password of the entry to which to bind are
- * supplied. LDAP_SUCCESS is returned upon success, the ldap error code
- * otherwise.
- *
- * Example:
- * ldap_sasl_bind_s( ld, "cn=manager, o=university of michigan, c=us",
- * "mechanism", "secret", NULL, NULL, &servercred )
- */
int
ldap_sasl_bind_s(
@@ -173,7 +177,11 @@ ldap_sasl_bind_s(
LDAPMessage *result;
struct berval *scredp = NULL;
+#ifdef NEW_LOGGING
+ LDAP_LOG ( TRANSPORT, ENTRY, "ldap_sasl_bind_s\n", 0, 0, 0 );
+#else
Debug( LDAP_DEBUG_TRACE, "ldap_sasl_bind_s\n", 0, 0, 0 );
+#endif
/* do a quick !LDAPv3 check... ldap_sasl_bind will do the rest. */
if( servercredp != NULL ) {
@@ -190,6 +198,12 @@ ldap_sasl_bind_s(
return( rc );
}
+#ifdef LDAP_CONNECTIONLESS
+ if (LDAP_IS_UDP(ld)) {
+ return( rc );
+ }
+#endif
+
if ( ldap_result( ld, msgid, 1, NULL, &result ) == -1 ) {
return( ld->ld_errno ); /* ldap_result sets ld_errno */
}
@@ -200,19 +214,21 @@ ldap_sasl_bind_s(
rc = ldap_parse_sasl_bind_result( ld, result, &scredp, 0 );
}
- if( rc != LDAP_SUCCESS ) {
+ if ( rc != LDAP_SUCCESS && rc != LDAP_SASL_BIND_IN_PROGRESS ) {
ldap_msgfree( result );
return( rc );
}
rc = ldap_result2error( ld, result, 1 );
- if( rc == LDAP_SUCCESS ) {
+ if ( rc == LDAP_SUCCESS || rc == LDAP_SASL_BIND_IN_PROGRESS ) {
if( servercredp != NULL ) {
*servercredp = scredp;
+ scredp = NULL;
}
+ }
- } else if (scredp != NULL ) {
+ if ( scredp != NULL ) {
ber_bvfree(scredp);
}
@@ -221,18 +237,18 @@ ldap_sasl_bind_s(
/*
- * Parse BindResponse:
- *
- * BindResponse ::= [APPLICATION 1] SEQUENCE {
- * COMPONENTS OF LDAPResult,
- * serverSaslCreds [7] OCTET STRING OPTIONAL }
- *
- * LDAPResult ::= SEQUENCE {
- * resultCode ENUMERATED,
- * matchedDN LDAPDN,
- * errorMessage LDAPString,
- * referral [3] Referral OPTIONAL }
- */
+* Parse BindResponse:
+*
+* BindResponse ::= [APPLICATION 1] SEQUENCE {
+* COMPONENTS OF LDAPResult,
+* serverSaslCreds [7] OCTET STRING OPTIONAL }
+*
+* LDAPResult ::= SEQUENCE {
+* resultCode ENUMERATED,
+* matchedDN LDAPDN,
+* errorMessage LDAPString,
+* referral [3] Referral OPTIONAL }
+*/
int
ldap_parse_sasl_bind_result(
@@ -247,16 +263,16 @@ ldap_parse_sasl_bind_result(
ber_tag_t tag;
BerElement *ber;
+#ifdef NEW_LOGGING
+ LDAP_LOG ( TRANSPORT, ENTRY, "ldap_parse_sasl_bind_result\n", 0, 0, 0 );
+#else
Debug( LDAP_DEBUG_TRACE, "ldap_parse_sasl_bind_result\n", 0, 0, 0 );
+#endif
assert( ld != NULL );
assert( LDAP_VALID( ld ) );
assert( res != NULL );
- if ( ld == NULL || res == NULL ) {
- return LDAP_PARAM_ERROR;
- }
-
if( servercredp != NULL ) {
if( ld->ld_version < LDAP_VERSION2 ) {
return LDAP_NOT_SUPPORTED;
@@ -350,3 +366,143 @@ ldap_parse_sasl_bind_result(
return( ld->ld_errno );
}
+
+int
+ldap_pvt_sasl_getmechs ( LDAP *ld, char **pmechlist )
+{
+ /* we need to query the server for supported mechs anyway */
+ LDAPMessage *res, *e;
+ char *attrs[] = { "supportedSASLMechanisms", NULL };
+ char **values, *mechlist;
+ int rc;
+
+#ifdef NEW_LOGGING
+ LDAP_LOG ( TRANSPORT, ENTRY, "ldap_pvt_sasl_getmech\n", 0, 0, 0 );
+#else
+ Debug( LDAP_DEBUG_TRACE, "ldap_pvt_sasl_getmech\n", 0, 0, 0 );
+#endif
+
+ rc = ldap_search_s( ld, "", LDAP_SCOPE_BASE,
+ NULL, attrs, 0, &res );
+
+ if ( rc != LDAP_SUCCESS ) {
+ return ld->ld_errno;
+ }
+
+ e = ldap_first_entry( ld, res );
+ if ( e == NULL ) {
+ ldap_msgfree( res );
+ if ( ld->ld_errno == LDAP_SUCCESS ) {
+ ld->ld_errno = LDAP_NO_SUCH_OBJECT;
+ }
+ return ld->ld_errno;
+ }
+
+ values = ldap_get_values( ld, e, "supportedSASLMechanisms" );
+ if ( values == NULL ) {
+ ldap_msgfree( res );
+ ld->ld_errno = LDAP_NO_SUCH_ATTRIBUTE;
+ return ld->ld_errno;
+ }
+
+ mechlist = ldap_charray2str( values, " " );
+ if ( mechlist == NULL ) {
+ LDAP_VFREE( values );
+ ldap_msgfree( res );
+ ld->ld_errno = LDAP_NO_MEMORY;
+ return ld->ld_errno;
+ }
+
+ LDAP_VFREE( values );
+ ldap_msgfree( res );
+
+ *pmechlist = mechlist;
+
+ return LDAP_SUCCESS;
+}
+
+/*
+ * ldap_sasl_interactive_bind_s - interactive SASL authentication
+ *
+ * This routine uses interactive callbacks.
+ *
+ * LDAP_SUCCESS is returned upon success, the ldap error code
+ * otherwise.
+ */
+int
+ldap_sasl_interactive_bind_s(
+ LDAP *ld,
+ LDAP_CONST char *dn, /* usually NULL */
+ LDAP_CONST char *mechs,
+ LDAPControl **serverControls,
+ LDAPControl **clientControls,
+ unsigned flags,
+ LDAP_SASL_INTERACT_PROC *interact,
+ void *defaults )
+{
+ int rc;
+ char *smechs = NULL;
+
+#if defined( LDAP_R_COMPILE ) && defined( HAVE_CYRUS_SASL )
+ ldap_pvt_thread_mutex_lock( &ldap_int_sasl_mutex );
+#endif
+#ifdef LDAP_CONNECTIONLESS
+ if( LDAP_IS_UDP(ld) ) {
+ /* Just force it to simple bind, silly to make the user
+ * ask all the time. No, we don't ever actually bind, but I'll
+ * let the final bind handler take care of saving the cdn.
+ */
+ rc = ldap_simple_bind( ld, dn, NULL );
+ rc = rc < 0 ? rc : 0;
+ goto done;
+ } else
+#endif
+
+#ifdef HAVE_CYRUS_SASL
+ if( mechs == NULL || *mechs == '\0' ) {
+ mechs = ld->ld_options.ldo_def_sasl_mech;
+ }
+#endif
+
+ if( mechs == NULL || *mechs == '\0' ) {
+ rc = ldap_pvt_sasl_getmechs( ld, &smechs );
+ if( rc != LDAP_SUCCESS ) {
+ goto done;
+ }
+
+#ifdef NEW_LOGGING
+ LDAP_LOG ( TRANSPORT, DETAIL1,
+ "ldap_sasl_interactive_bind_s: server supports: %s\n",
+ smechs, 0, 0 );
+#else
+ Debug( LDAP_DEBUG_TRACE,
+ "ldap_sasl_interactive_bind_s: server supports: %s\n",
+ smechs, 0, 0 );
+#endif
+
+ mechs = smechs;
+
+ } else {
+#ifdef NEW_LOGGING
+ LDAP_LOG ( TRANSPORT, DETAIL1,
+ "ldap_sasl_interactive_bind_s: user selected: %s\n",
+ mechs, 0, 0 );
+#else
+ Debug( LDAP_DEBUG_TRACE,
+ "ldap_sasl_interactive_bind_s: user selected: %s\n",
+ mechs, 0, 0 );
+#endif
+ }
+
+ rc = ldap_int_sasl_bind( ld, dn, mechs,
+ serverControls, clientControls,
+ flags, interact, defaults );
+
+done:
+#if defined( LDAP_R_COMPILE ) && defined( HAVE_CYRUS_SASL )
+ ldap_pvt_thread_mutex_unlock( &ldap_int_sasl_mutex );
+#endif
+ if ( smechs ) LDAP_FREE( smechs );
+
+ return rc;
+}