X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fbind.c;h=15055120b4e5ca95d24336b916bfb50a5e83a81b;hb=62139b6ef3634529c6d1ff726c337e685ea38cf8;hp=072f812abd42ec2b1af6d990f91164a82048a774;hpb=ec46a2f33a602c5603f1cf6415b183f6ff0939d5;p=openldap

diff --git a/servers/slapd/bind.c b/servers/slapd/bind.c
index 072f812abd..15055120b4 100644
--- a/servers/slapd/bind.c
+++ b/servers/slapd/bind.c
@@ -36,10 +36,11 @@ do_bind(
 	BerElement *ber = op->o_ber;
 	ber_int_t version;
 	ber_tag_t method;
-	char *mech = NULL;
+	struct berval mech = { 0, NULL };
 	struct berval dn = { 0, NULL };
 	struct berval pdn = { 0, NULL };
 	struct berval ndn = { 0, NULL };
+	struct berval edn = { 0, NULL };
 	ber_tag_t tag;
 	int	rc = LDAP_SUCCESS;
 	const char *text;
@@ -113,7 +114,7 @@ do_bind(
 		tag = ber_scanf( ber, /*{*/ "m}", &cred );
 
 	} else {
-		tag = ber_scanf( ber, "{a" /*}*/, &mech );
+		tag = ber_scanf( ber, "{o" /*}*/, &mech );
 
 		if ( tag != LBER_ERROR ) {
 			ber_len_t len;
@@ -170,10 +171,10 @@ do_bind(
 #ifdef NEW_LOGGING
 		LDAP_LOG(( "operation",	 LDAP_LEVEL_DETAIL1,
 			"do_sasl_bind: conn %d  dn (%s) mech %s\n", conn->c_connid,
-			pdn.bv_val, mech ));
+			pdn.bv_val, mech.bv_val ));
 #else
 		Debug( LDAP_DEBUG_TRACE, "do_sasl_bind: dn (%s) mech %s\n",
-			pdn.bv_val, mech, NULL );
+			pdn.bv_val, mech.bv_val, NULL );
 #endif
 
 	} else {
@@ -190,7 +191,7 @@ do_bind(
 #endif
 	}
 
-	Statslog( LDAP_DEBUG_STATS, "conn=%ld op=%d BIND dn=\"%s\" method=%ld\n",
+	Statslog( LDAP_DEBUG_STATS, "conn=%lu op=%lu BIND dn=\"%s\" method=%ld\n",
 	    op->o_connid, op->o_opid, pdn.bv_val, (unsigned long) method, 0 );
 
 	if ( version < LDAP_VERSION_MIN || version > LDAP_VERSION_MAX ) {
@@ -231,7 +232,6 @@ do_bind(
 	}
 
 	if ( method == LDAP_AUTH_SASL ) {
-		char *edn;
 		slap_ssf_t ssf = 0;
 
 		if ( version < LDAP_VERSION3 ) {
@@ -249,7 +249,7 @@ do_bind(
 			goto cleanup;
 		}
 
-		if( mech == NULL || mech[0] == '\0' ) {
+		if( mech.bv_len == 0 ) {
 #ifdef NEW_LOGGING
 			LDAP_LOG(( "operation", LDAP_LEVEL_INFO,
 				   "do_bind: conn %d  no SASL mechanism provided\n",
@@ -265,7 +265,7 @@ do_bind(
 		}
 
 		/* check restrictions */
-		rc = backend_check_restrictions( NULL, conn, op, mech, &text );
+		rc = backend_check_restrictions( NULL, conn, op, &mech, &text );
 		if( rc != LDAP_SUCCESS ) {
 			send_ldap_result( conn, op, rc,
 				NULL, text, NULL, NULL );
@@ -274,30 +274,31 @@ do_bind(
 
 		ldap_pvt_thread_mutex_lock( &conn->c_mutex );
 		if ( conn->c_sasl_bind_in_progress ) {
-			if((strcmp(conn->c_sasl_bind_mech, mech) != 0)) {
+			if((ber_bvcmp(&conn->c_sasl_bind_mech, &mech) != 0)) {
 				/* mechanism changed between bind steps */
 				slap_sasl_reset(conn);
 			}
 		} else {
 			conn->c_sasl_bind_mech = mech;
-			mech = NULL;
+			mech.bv_val = NULL;
+			mech.bv_len = 0;
 		}
 		ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
 
-		edn = NULL;
 		rc = slap_sasl_bind( conn, op,
 			&pdn, &ndn,
 			&cred, &edn, &ssf );
 
 		ldap_pvt_thread_mutex_lock( &conn->c_mutex );
 		if( rc == LDAP_SUCCESS ) {
-			conn->c_dn.bv_val = edn;
-			if( edn != NULL ) {
-				conn->c_dn.bv_len = strlen( edn );
-				dnNormalize2( NULL, &conn->c_dn, &conn->c_ndn );
+			conn->c_dn = edn;
+			if( edn.bv_len != 0 ) {
+				/* edn is always normalized already */
+				ber_dupbv( &conn->c_ndn, &conn->c_dn );
 			}
 			conn->c_authmech = conn->c_sasl_bind_mech;
-			conn->c_sasl_bind_mech = NULL;
+			conn->c_sasl_bind_mech.bv_val = NULL;
+			conn->c_sasl_bind_mech.bv_len = 0;
 			conn->c_sasl_bind_in_progress = 0;
 
 			conn->c_sasl_ssf = ssf;
@@ -315,9 +316,10 @@ do_bind(
 			conn->c_sasl_bind_in_progress = 1;
 
 		} else {
-			if ( conn->c_sasl_bind_mech ) {
-				free( conn->c_sasl_bind_mech );
-				conn->c_sasl_bind_mech = NULL;
+			if ( conn->c_sasl_bind_mech.bv_val ) {
+				free( conn->c_sasl_bind_mech.bv_val );
+				conn->c_sasl_bind_mech.bv_val = NULL;
+				conn->c_sasl_bind_mech.bv_len = 0;
 			}
 			conn->c_sasl_bind_in_progress = 0;
 		}
@@ -329,9 +331,10 @@ do_bind(
 		/* Not SASL, cancel any in-progress bind */
 		ldap_pvt_thread_mutex_lock( &conn->c_mutex );
 
-		if ( conn->c_sasl_bind_mech != NULL ) {
-			free(conn->c_sasl_bind_mech);
-			conn->c_sasl_bind_mech = NULL;
+		if ( conn->c_sasl_bind_mech.bv_val != NULL ) {
+			free(conn->c_sasl_bind_mech.bv_val);
+			conn->c_sasl_bind_mech.bv_val = NULL;
+			conn->c_sasl_bind_mech.bv_len = 0;
 		}
 		conn->c_sasl_bind_in_progress = 0;
 
@@ -364,7 +367,8 @@ do_bind(
 				text = "anonymous bind disallowed";
 
 			} else {
-				rc = backend_check_restrictions( NULL, conn, op, mech, &text );
+				rc = backend_check_restrictions( NULL, conn, op,
+					&mech, &text );
 			}
 
 			/*
@@ -398,6 +402,27 @@ do_bind(
 			Debug( LDAP_DEBUG_TRACE,
 				"do_bind: v%d simple bind(%s) disallowed\n",
 				version, ndn.bv_val, 0 );
+#endif
+			goto cleanup;
+
+		} else if (( global_disallows & SLAP_DISALLOW_BIND_SIMPLE_UNPROTECTED )
+			&& ( op->o_ssf < global_ssf_set.sss_ssf ))
+		{
+			rc = LDAP_CONFIDENTIALITY_REQUIRED;
+			text = "unwilling to perform simple authentication "
+				"without confidentilty protection";
+
+			send_ldap_result( conn, op, rc,
+				NULL, text, NULL, NULL );
+
+#ifdef NEW_LOGGING
+			LDAP_LOG(( "operation", LDAP_LEVEL_INFO, "do_bind: conn %d  "
+				"v%d unprotected simple bind(%s) disallowed\n",
+				conn->c_connid, version, ndn.bv_val ));
+#else
+			Debug( LDAP_DEBUG_TRACE,
+				"do_bind: v%d unprotected simple bind(%s) disallowed\n",
+				version, ndn.bv_val, 0 );
 #endif
 			goto cleanup;
 		}
@@ -449,13 +474,13 @@ do_bind(
 
 	if ( (be = select_backend( &ndn, 0, 0 )) == NULL ) {
 		if ( default_referral ) {
-			BVarray ref = referral_rewrite( default_referral,
+			BerVarray ref = referral_rewrite( default_referral,
 				NULL, &pdn, LDAP_SCOPE_DEFAULT );
 
 			send_ldap_result( conn, op, rc = LDAP_REFERRAL,
 				NULL, NULL, ref ? ref : default_referral, NULL );
 
-			bvarray_free( ref );
+			ber_bvarray_free( ref );
 
 		} else {
 			/* noSuchObject is not allowed to be returned by bind */
@@ -474,12 +499,8 @@ do_bind(
 		goto cleanup;
 	}
 
-	conn->c_authz_backend = be;
-
 	if ( be->be_bind ) {
 		int ret;
-		/* alias suffix */
-		struct berval edn = { 0, NULL };
 
 		/* deref suffix alias if appropriate */
 		suffix_alias( be, &ndn );
@@ -490,14 +511,17 @@ do_bind(
 		if ( ret == 0 ) {
 			ldap_pvt_thread_mutex_lock( &conn->c_mutex );
 
+			if( conn->c_authz_backend == NULL ) {
+				conn->c_authz_backend = be;
+			}
+
 			if(edn.bv_len) {
 				conn->c_dn = edn;
 			} else {
-				ber_dupbv( &conn->c_dn, &pdn );
+				conn->c_dn = pdn;
+				pdn.bv_val = NULL;
+				pdn.bv_len = 0;
 			}
-			conn->c_cdn = pdn;
-			pdn.bv_val = NULL;
-			pdn.bv_len = 0;
 
 			conn->c_ndn = ndn;
 			ndn.bv_val = NULL;
@@ -512,11 +536,11 @@ do_bind(
 #ifdef NEW_LOGGING
 			LDAP_LOG(( "operation", LDAP_LEVEL_DETAIL1,
 				"do_bind: conn %d  v%d bind: \"%s\" to \"%s\" \n",
-				conn->c_connid, version, conn->c_cdn.bv_val, conn->c_dn.bv_val ));
+				conn->c_connid, version, dn.bv_val, conn->c_dn.bv_val ));
 #else
 			Debug( LDAP_DEBUG_TRACE,
 				"do_bind: v%d bind: \"%s\" to \"%s\"\n",
-				version, conn->c_cdn.bv_val, conn->c_dn.bv_val );
+				version, dn.bv_val, conn->c_dn.bv_val );
 #endif
 
 			ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
@@ -542,8 +566,8 @@ cleanup:
 	if( ndn.bv_val != NULL ) {
 		free( ndn.bv_val );
 	}
-	if ( mech != NULL ) {
-		free( mech );
+	if ( mech.bv_val != NULL ) {
+		free( mech.bv_val );
 	}
 
 	return rc;