X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fbind.c;h=142bf0f7a95f4a74c9d1868a7a120c2d6ce23d95;hb=ffebea4a8b879db1a9dc23e2c2749d303b271d43;hp=b98683cf8f6f2d5952f08b48937821f108a16a72;hpb=0e2af54a3ffdeebe3901370683be56fcc53023b0;p=openldap

diff --git a/servers/slapd/bind.c b/servers/slapd/bind.c
index b98683cf8f..142bf0f7a9 100644
--- a/servers/slapd/bind.c
+++ b/servers/slapd/bind.c
@@ -36,10 +36,11 @@ do_bind(
 	BerElement *ber = op->o_ber;
 	ber_int_t version;
 	ber_tag_t method;
-	char *mech = NULL;
+	struct berval mech = { 0, NULL };
 	struct berval dn = { 0, NULL };
 	struct berval pdn = { 0, NULL };
 	struct berval ndn = { 0, NULL };
+	struct berval edn = { 0, NULL };
 	ber_tag_t tag;
 	int	rc = LDAP_SUCCESS;
 	const char *text;
@@ -92,7 +93,7 @@ do_bind(
 	 *	}
 	 */
 
-	tag = ber_scanf( ber, "{iot" /*}*/, &version, &dn, &method );
+	tag = ber_scanf( ber, "{imt" /*}*/, &version, &dn, &method );
 
 	if ( tag == LBER_ERROR ) {
 #ifdef NEW_LOGGING
@@ -110,17 +111,17 @@ do_bind(
 	op->o_protocol = version;
 
 	if( method != LDAP_AUTH_SASL ) {
-		tag = ber_scanf( ber, /*{*/ "o}", &cred );
+		tag = ber_scanf( ber, /*{*/ "m}", &cred );
 
 	} else {
-		tag = ber_scanf( ber, "{a" /*}*/, &mech );
+		tag = ber_scanf( ber, "{o" /*}*/, &mech );
 
 		if ( tag != LBER_ERROR ) {
 			ber_len_t len;
 			tag = ber_peek_tag( ber, &len );
 
 			if ( tag == LDAP_TAG_LDAPCRED ) { 
-				tag = ber_scanf( ber, "o", &cred );
+				tag = ber_scanf( ber, "m", &cred );
 			} else {
 				tag = LDAP_TAG_LDAPCRED;
 				cred.bv_val = NULL;
@@ -170,10 +171,10 @@ do_bind(
 #ifdef NEW_LOGGING
 		LDAP_LOG(( "operation",	 LDAP_LEVEL_DETAIL1,
 			"do_sasl_bind: conn %d  dn (%s) mech %s\n", conn->c_connid,
-			pdn.bv_val, mech ));
+			pdn.bv_val, mech.bv_val ));
 #else
 		Debug( LDAP_DEBUG_TRACE, "do_sasl_bind: dn (%s) mech %s\n",
-			pdn.bv_val, mech, NULL );
+			pdn.bv_val, mech.bv_val, NULL );
 #endif
 
 	} else {
@@ -221,8 +222,16 @@ do_bind(
 	conn->c_protocol = version;
 	ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
 
+	/* check for inappropriate controls */
+	if( get_manageDSAit( op ) == SLAP_CRITICAL_CONTROL ) {
+		send_ldap_result( conn, op,
+			rc = LDAP_UNAVAILABLE_CRITICAL_EXTENSION,
+			NULL, "manageDSAit control inappropriate",
+			NULL, NULL );
+		goto cleanup;
+	}
+
 	if ( method == LDAP_AUTH_SASL ) {
-		char *edn;
 		slap_ssf_t ssf = 0;
 
 		if ( version < LDAP_VERSION3 ) {
@@ -240,7 +249,7 @@ do_bind(
 			goto cleanup;
 		}
 
-		if( mech == NULL || *mech == '\0' ) {
+		if( mech.bv_len == 0 ) {
 #ifdef NEW_LOGGING
 			LDAP_LOG(( "operation", LDAP_LEVEL_INFO,
 				   "do_bind: conn %d  no SASL mechanism provided\n",
@@ -256,7 +265,7 @@ do_bind(
 		}
 
 		/* check restrictions */
-		rc = backend_check_restrictions( NULL, conn, op, mech, &text );
+		rc = backend_check_restrictions( NULL, conn, op, mech.bv_val, &text );
 		if( rc != LDAP_SUCCESS ) {
 			send_ldap_result( conn, op, rc,
 				NULL, text, NULL, NULL );
@@ -265,30 +274,31 @@ do_bind(
 
 		ldap_pvt_thread_mutex_lock( &conn->c_mutex );
 		if ( conn->c_sasl_bind_in_progress ) {
-			if((strcmp(conn->c_sasl_bind_mech, mech) != 0)) {
+			if((ber_bvcmp(&conn->c_sasl_bind_mech, &mech) != 0)) {
 				/* mechanism changed between bind steps */
 				slap_sasl_reset(conn);
 			}
 		} else {
 			conn->c_sasl_bind_mech = mech;
-			mech = NULL;
+			mech.bv_val = NULL;
+			mech.bv_len = 0;
 		}
 		ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
 
-		edn = NULL;
 		rc = slap_sasl_bind( conn, op,
 			&pdn, &ndn,
 			&cred, &edn, &ssf );
 
 		ldap_pvt_thread_mutex_lock( &conn->c_mutex );
 		if( rc == LDAP_SUCCESS ) {
-			conn->c_dn.bv_val = edn;
-			if( edn != NULL ) {
-				conn->c_dn.bv_len = strlen( edn );
-				dnNormalize2( NULL, &conn->c_dn, &conn->c_ndn );
+			conn->c_dn = edn;
+			if( edn.bv_len != 0 ) {
+				/* edn is always normalized already */
+				ber_dupbv( &conn->c_ndn, &conn->c_dn );
 			}
 			conn->c_authmech = conn->c_sasl_bind_mech;
-			conn->c_sasl_bind_mech = NULL;
+			conn->c_sasl_bind_mech.bv_val = NULL;
+			conn->c_sasl_bind_mech.bv_len = 0;
 			conn->c_sasl_bind_in_progress = 0;
 
 			conn->c_sasl_ssf = ssf;
@@ -306,9 +316,10 @@ do_bind(
 			conn->c_sasl_bind_in_progress = 1;
 
 		} else {
-			if ( conn->c_sasl_bind_mech ) {
-				free( conn->c_sasl_bind_mech );
-				conn->c_sasl_bind_mech = NULL;
+			if ( conn->c_sasl_bind_mech.bv_val ) {
+				free( conn->c_sasl_bind_mech.bv_val );
+				conn->c_sasl_bind_mech.bv_val = NULL;
+				conn->c_sasl_bind_mech.bv_len = 0;
 			}
 			conn->c_sasl_bind_in_progress = 0;
 		}
@@ -320,9 +331,10 @@ do_bind(
 		/* Not SASL, cancel any in-progress bind */
 		ldap_pvt_thread_mutex_lock( &conn->c_mutex );
 
-		if ( conn->c_sasl_bind_mech != NULL ) {
-			free(conn->c_sasl_bind_mech);
-			conn->c_sasl_bind_mech = NULL;
+		if ( conn->c_sasl_bind_mech.bv_val != NULL ) {
+			free(conn->c_sasl_bind_mech.bv_val);
+			conn->c_sasl_bind_mech.bv_val = NULL;
+			conn->c_sasl_bind_mech.bv_len = 0;
 		}
 		conn->c_sasl_bind_in_progress = 0;
 
@@ -355,7 +367,7 @@ do_bind(
 				text = "anonymous bind disallowed";
 
 			} else {
-				rc = backend_check_restrictions( NULL, conn, op, mech, &text );
+				rc = backend_check_restrictions( NULL, conn, op, mech.bv_val, &text );
 			}
 
 			/*
@@ -440,13 +452,13 @@ do_bind(
 
 	if ( (be = select_backend( &ndn, 0, 0 )) == NULL ) {
 		if ( default_referral ) {
-			BVarray ref = referral_rewrite( default_referral,
+			BerVarray ref = referral_rewrite( default_referral,
 				NULL, &pdn, LDAP_SCOPE_DEFAULT );
 
 			send_ldap_result( conn, op, rc = LDAP_REFERRAL,
 				NULL, NULL, ref ? ref : default_referral, NULL );
 
-			bvarray_free( ref );
+			ber_bvarray_free( ref );
 
 		} else {
 			/* noSuchObject is not allowed to be returned by bind */
@@ -469,8 +481,6 @@ do_bind(
 
 	if ( be->be_bind ) {
 		int ret;
-		/* alias suffix */
-		struct berval edn = { 0, NULL };
 
 		/* deref suffix alias if appropriate */
 		suffix_alias( be, &ndn );
@@ -486,7 +496,7 @@ do_bind(
 			} else {
 				ber_dupbv( &conn->c_dn, &pdn );
 			}
-			conn->c_cdn = pdn.bv_val;
+			conn->c_cdn = pdn;
 			pdn.bv_val = NULL;
 			pdn.bv_len = 0;
 
@@ -503,11 +513,11 @@ do_bind(
 #ifdef NEW_LOGGING
 			LDAP_LOG(( "operation", LDAP_LEVEL_DETAIL1,
 				"do_bind: conn %d  v%d bind: \"%s\" to \"%s\" \n",
-				conn->c_connid, version, conn->c_cdn, conn->c_dn.bv_val ));
+				conn->c_connid, version, conn->c_cdn.bv_val, conn->c_dn.bv_val ));
 #else
 			Debug( LDAP_DEBUG_TRACE,
 				"do_bind: v%d bind: \"%s\" to \"%s\"\n",
-				version, conn->c_cdn, conn->c_dn.bv_val );
+				version, conn->c_cdn.bv_val, conn->c_dn.bv_val );
 #endif
 
 			ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
@@ -527,18 +537,14 @@ do_bind(
 	}
 
 cleanup:
-	free( dn.bv_val );
 	if( pdn.bv_val != NULL ) {
 		free( pdn.bv_val );
 	}
 	if( ndn.bv_val != NULL ) {
 		free( ndn.bv_val );
 	}
-	if ( mech != NULL ) {
-		free( mech );
-	}
-	if ( cred.bv_val != NULL ) {
-		free( cred.bv_val );
+	if ( mech.bv_val != NULL ) {
+		free( mech.bv_val );
 	}
 
 	return rc;