X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fsasl.c;h=13088088afe0de9f69dfad6fecea924867969f29;hb=804490a8b12a94a19e7c1a8710a7d8a2fb7d5477;hp=803898e259ba09bd6467c3c92ab5caedfb7f2fee;hpb=1dea5905c61a41e522fe1a374e31706d6b20cf83;p=openldap diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c index 803898e259..13088088af 100644 --- a/servers/slapd/sasl.c +++ b/servers/slapd/sasl.c @@ -26,6 +26,7 @@ #if SASL_VERSION_MAJOR >= 2 #include +#include #define SASL_CONST const #else #define SASL_CONST @@ -43,6 +44,171 @@ static sasl_security_properties_t sasl_secprops; +int slap_sasl_config( int cargc, char **cargv, char *line, + const char *fname, int lineno ) +{ + /* set SASL proxy authorization policy */ + if ( strcasecmp( cargv[0], "sasl-authz-policy" ) == 0 ) { + if ( cargc != 2 ) { +#ifdef NEW_LOGGING + LDAP_LOG(( "config", LDAP_LEVEL_CRIT, + "%s: line %d: missing policy in \"sasl-authz-policy \" line\n", + fname, lineno )); +#else + Debug( LDAP_DEBUG_ANY, + "%s: line %d: missing policy in \"sasl-authz-policy \" line\n", + fname, lineno, 0 ); +#endif + + return( 1 ); + } + if ( slap_sasl_setpolicy( cargv[1] ) ) { +#ifdef NEW_LOGGING + LDAP_LOG(( "config", LDAP_LEVEL_CRIT, + "%s: line %d: unable " + "to parse value \"%s\" " + "in \"sasl-authz-policy " + "\" line.\n", + fname, lineno, cargv[1] )); +#else + Debug( LDAP_DEBUG_ANY, + "%s: line %d: unable " + "to parse value \"%s\" " + "in \"sasl-authz-policy " + "\" line\n", + fname, lineno, cargv[1] ); +#endif + return( 1 ); + } + + + /* set SASL host */ + } else if ( strcasecmp( cargv[0], "sasl-host" ) == 0 ) { + if ( cargc < 2 ) { +#ifdef NEW_LOGGING + LDAP_LOG(( "config", LDAP_LEVEL_CRIT, + "%s: line %d: missing host in \"sasl-host \" line\n", + fname, lineno )); +#else + Debug( LDAP_DEBUG_ANY, + "%s: line %d: missing host in \"sasl-host \" line\n", + fname, lineno, 0 ); +#endif + + return( 1 ); + } + + if ( global_host != NULL ) { +#ifdef NEW_LOGGING + LDAP_LOG(( "config", LDAP_LEVEL_CRIT, + "%s: line %d: already set sasl-host!\n", + fname, lineno )); +#else + Debug( LDAP_DEBUG_ANY, + "%s: line %d: already set sasl-host!\n", + fname, lineno, 0 ); +#endif + + return 1; + + } else { + global_host = ch_strdup( cargv[1] ); + } + + /* set SASL realm */ + } else if ( strcasecmp( cargv[0], "sasl-realm" ) == 0 ) { + if ( cargc < 2 ) { +#ifdef NEW_LOGGING + LDAP_LOG(( "config", LDAP_LEVEL_CRIT, + "%s: line %d: missing realm in \"sasl-realm \" line.\n", + fname, lineno )); +#else + Debug( LDAP_DEBUG_ANY, + "%s: line %d: missing realm in \"sasl-realm \" line\n", + fname, lineno, 0 ); +#endif + + return( 1 ); + } + + if ( global_realm != NULL ) { +#ifdef NEW_LOGGING + LDAP_LOG(( "config", LDAP_LEVEL_CRIT, + "%s: line %d: already set sasl-realm!\n", + fname, lineno )); +#else + Debug( LDAP_DEBUG_ANY, + "%s: line %d: already set sasl-realm!\n", + fname, lineno, 0 ); +#endif + + return 1; + + } else { + global_realm = ch_strdup( cargv[1] ); + } + + } else if ( !strcasecmp( cargv[0], "sasl-regexp" ) + || !strcasecmp( cargv[0], "saslregexp" ) ) + { + int rc; + if ( cargc != 3 ) { +#ifdef NEW_LOGGING + LDAP_LOG(( "config", LDAP_LEVEL_CRIT, + "%s: line %d: need 2 args in " + "\"saslregexp \"\n", + fname, lineno )); +#else + Debug( LDAP_DEBUG_ANY, + "%s: line %d: need 2 args in \"saslregexp \"\n", + fname, lineno, 0 ); +#endif + + return( 1 ); + } + rc = slap_sasl_regexp_config( cargv[1], cargv[2] ); + if ( rc ) { + return rc; + } + + /* SASL security properties */ + } else if ( strcasecmp( cargv[0], "sasl-secprops" ) == 0 ) { + char *txt; + + if ( cargc < 2 ) { +#ifdef NEW_LOGGING + LDAP_LOG(( "config", LDAP_LEVEL_CRIT, + "%s: line %d: missing flags in " + "\"sasl-secprops \" line\n", + fname, lineno )); +#else + Debug( LDAP_DEBUG_ANY, + "%s: line %d: missing flags in \"sasl-secprops \" line\n", + fname, lineno, 0 ); +#endif + + return 1; + } + + txt = slap_sasl_secprops( cargv[1] ); + if ( txt != NULL ) { +#ifdef NEW_LOGGING + LDAP_LOG(( "config", LDAP_LEVEL_CRIT, + "%s: line %d sasl-secprops: %s\n", + fname, lineno, txt )); +#else + Debug( LDAP_DEBUG_ANY, + "%s: line %d: sasl-secprops: %s\n", + fname, lineno, txt ); +#endif + + return 1; + } + } + + return LDAP_SUCCESS; +} + static int slap_sasl_log( void *context, @@ -161,48 +327,57 @@ int slap_sasl_getdn( Connection *conn, char *id, int len, dn->bv_val = NULL; dn->bv_len = 0; - /* Blatantly anonymous ID */ - if( id && - ( id[sizeof( "anonymous" )-1] == '\0' - || id[sizeof( "anonymous" )-1] == '@' ) && - !strncasecmp( id, "anonymous", sizeof( "anonymous" )-1) ) { - return( LDAP_SUCCESS ); + if ( id ) { + if ( len == 0 ) len = strlen( id ); + + /* Blatantly anonymous ID */ + if ( len == sizeof("anonymous") - 1 && + !strcasecmp( id, "anonymous" ) ) { + return( LDAP_SUCCESS ); + } + } else { + len = 0; } + ctx = conn->c_sasl_context; - if ( len == 0 ) len = strlen( id ); - /* An authcID needs to be converted to authzID form */ + /* An authcID needs to be converted to authzID form. Set the + * values directly into *dn; they will be normalized later. (and + * normalizing always makes a new copy.) An ID from a TLS certificate + * is already normalized, so copy it and skip normalization. + */ if( flags & FLAG_GETDN_AUTHCID ) { - if( sasl_external_x509dn_convert - && conn->c_sasl_bind_mech.bv_len == ext_bv.bv_len - && ( strcasecmp( ext_bv.bv_val, conn->c_sasl_bind_mech.bv_val ) == 0 ) - && id[0] == '/' ) - { - /* check SASL external for X.509 style DN and */ - /* convert to dn: form, result is normalized */ - dnDCEnormalize( id, dn ); +#ifdef HAVE_TLS + if( conn->c_is_tls && conn->c_sasl_bind_mech.bv_len == ext_bv.bv_len + && ( strcasecmp( ext_bv.bv_val, conn->c_sasl_bind_mech.bv_val ) == 0 ) ) { + /* X.509 DN is already normalized */ do_norm = 0; is_dn = SET_DN; + ber_str2bv( id, len, 1, dn ); - } else { + } else +#endif + { /* convert to u: form */ - ber_str2bv( id, len, 1, dn ); is_dn = SET_U; + dn->bv_val = id; + dn->bv_len = len; } } if( !is_dn ) { if( !strncasecmp( id, "u:", sizeof("u:")-1 )) { is_dn = SET_U; - ber_str2bv( id+2, len-2, 1, dn ); + dn->bv_val = id+2; + dn->bv_len = len-2; } else if ( !strncasecmp( id, "dn:", sizeof("dn:")-1) ) { is_dn = SET_DN; - ber_str2bv( id+3, len-3, 1, dn ); + dn->bv_val = id+3; + dn->bv_len = len-3; } } - /* An authzID must be properly prefixed */ - if( (flags & FLAG_GETDN_AUTHZID) && !is_dn ) { - free( dn->bv_val ); + /* No other possibilities from here */ + if( !is_dn ) { dn->bv_val = NULL; dn->bv_len = 0; return( LDAP_INAPPROPRIATE_AUTH ); @@ -210,10 +385,14 @@ int slap_sasl_getdn( Connection *conn, char *id, int len, /* Username strings */ if( is_dn == SET_U ) { - char *p; + char *p, *realm; len = dn->bv_len + sizeof("uid=")-1 + sizeof(",cn=auth")-1; - if( user_realm && *user_realm ) { + /* username may have embedded realm name */ + if( realm = strchr( dn->bv_val, '@') ) { + *realm++ = '\0'; + len += sizeof(",cn=")-2; + } else if( user_realm && *user_realm ) { len += strlen( user_realm ) + sizeof(",cn=")-1; } @@ -225,20 +404,24 @@ int slap_sasl_getdn( Connection *conn, char *id, int len, c1 = dn->bv_val; dn->bv_val = ch_malloc( len+1 ); p = slap_strcopy( dn->bv_val, "uid=" ); - p = slap_strcopy( p, c1 ); - ch_free( c1 ); + p = slap_strncopy( p, c1, dn->bv_len ); - if( user_realm && *user_realm ) { + if( realm ) { + int rlen = dn->bv_len - ( realm - c1 ); + p = slap_strcopy( p, ",cn=" ); + p = slap_strncopy( p, realm, rlen ); + realm[-1] = '@'; + } else if( user_realm && *user_realm ) { p = slap_strcopy( p, ",cn=" ); p = slap_strcopy( p, user_realm ); } + if( conn->c_sasl_bind_mech.bv_len ) { p = slap_strcopy( p, ",cn=" ); p = slap_strcopy( p, conn->c_sasl_bind_mech.bv_val ); } p = slap_strcopy( p, ",cn=auth" ); dn->bv_len = p - dn->bv_val; - is_dn = SET_DN; #ifdef NEW_LOGGING LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY, @@ -248,38 +431,144 @@ int slap_sasl_getdn( Connection *conn, char *id, int len, #endif } - /* DN strings that are a cn=auth identity to run through regexp */ - if( is_dn == SET_DN ) - { - slap_sasl2dn( dn, &dn2 ); - if( dn2.bv_val ) { + /* All strings are in DN form now. Normalize if needed. */ + if ( do_norm ) { + rc = dnNormalize2( NULL, dn, &dn2 ); + + /* User DNs were constructed above and must be freed now */ + if ( is_dn == SET_U ) ch_free( dn->bv_val ); - *dn = dn2; - do_norm = 0; /* slap_sasl2dn normalizes */ + + if ( rc != LDAP_SUCCESS ) { + dn->bv_val = NULL; + dn->bv_len = 0; + return rc; + } + *dn = dn2; + } + + /* Run thru regexp */ + slap_sasl2dn( conn, dn, &dn2 ); + if( dn2.bv_val ) { + ch_free( dn->bv_val ); + *dn = dn2; #ifdef NEW_LOGGING - LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY, - "slap_sasl_getdn: dn:id converted to %s.\n", dn->bv_val )); + LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY, + "slap_sasl_getdn: dn:id converted to %s.\n", dn->bv_val )); #else - Debug( LDAP_DEBUG_TRACE, "getdn: dn:id converted to %s\n", - dn->bv_val, 0, 0 ); + Debug( LDAP_DEBUG_TRACE, "getdn: dn:id converted to %s\n", + dn->bv_val, 0, 0 ); #endif + } + + return( LDAP_SUCCESS ); +} + +#if SASL_VERSION_MAJOR >= 2 +static const char *slap_propnames[] = { "*authcDN", "*authzDN", NULL }; + +static void +slap_auxprop_lookup( + void *glob_context, + sasl_server_params_t *sparams, + unsigned flags, + const char *user, + unsigned ulen) +{ + int rc, i, last; + struct berval dn; + const struct propval *list; + BerVarray vals, bv; + AttributeDescription *ad; + const char *text; + + list = sparams->utils->prop_get( sparams->propctx ); + + /* Find our DN first */ + for( i = 0, last = 0; list[i].name; i++ ) { + if ( list[i].name[0] == '*' ) { + if ( (flags & SASL_AUXPROP_AUTHZID) && + !strcmp( list[i].name, slap_propnames[1] ) ) { + if ( list[i].values && list[i].values[0] ) + AC_MEMCPY( &dn, list[i].values[0], sizeof( dn ) ); + if ( !last ) last = i; + break; + } + if ( !strcmp( list[i].name, slap_propnames[0] ) ) { + if ( !last ) last = i; + if ( list[i].values && list[i].values[0] ) { + AC_MEMCPY( &dn, list[i].values[0], sizeof( dn ) ); + if ( !(flags & SASL_AUXPROP_AUTHZID) ) + break; + } + } } } - if ( do_norm ) { - rc = dnNormalize2( NULL, dn, &dn2 ); - free(dn->bv_val); + /* Now fetch the rest */ + for( i = 0; i < last; i++ ) { + const char *name = list[i].name; + + if ( name[0] == '*' ) { + if ( flags & SASL_AUXPROP_AUTHZID ) continue; + name++; + } else if ( !(flags & SASL_AUXPROP_AUTHZID ) ) + continue; + + if ( list[i].values ) { + if ( !(flags & SASL_AUXPROP_OVERRIDE) ) continue; + sparams->utils->prop_erase( sparams->propctx, list[i].name ); + } + ad = NULL; + rc = slap_str2ad( name, &ad, &text ); if ( rc != LDAP_SUCCESS ) { - *dn = slap_empty_bv; - return rc; +#ifdef NEW_LOGGING + LDAP_LOG(( "sasl", LDAP_LEVEL_DETAIL1, + "slap_auxprop: str2ad(%s): %s\n", name, text )); +#else + Debug( LDAP_DEBUG_TRACE, + "slap_auxprop: str2ad(%s): %s\n", name, text, 0 ); +#endif + rc = slap_str2undef_ad( name, &ad, &text ); + if ( rc != LDAP_SUCCESS ) continue; } - *dn = dn2; + rc = backend_attribute( NULL,NULL,NULL,NULL, &dn, ad, &vals ); + if ( rc != LDAP_SUCCESS ) continue; + for ( bv = vals; bv->bv_val; bv++ ) { + sparams->utils->prop_set( sparams->propctx, list[i].name, + bv->bv_val, bv->bv_len ); + } + ber_bvarray_free( vals ); } +} - return( LDAP_SUCCESS ); +static sasl_auxprop_plug_t slap_auxprop_plugin = { + 0, /* Features */ + 0, /* spare */ + NULL, /* glob_context */ + NULL, /* auxprop_free */ + slap_auxprop_lookup, + "slapd", /* name */ + NULL /* spare */ +}; + +static int +slap_auxprop_init( + const sasl_utils_t *utils, + int max_version, + int *out_version, + sasl_auxprop_plug_t **plug, + const char *plugname) +{ + if ( !out_version | !plug ) return SASL_BADPARAM; + + if ( max_version < SASL_AUXPROP_PLUG_VERSION ) return SASL_BADVERS; + + *out_version = SASL_AUXPROP_PLUG_VERSION; + *plug = &slap_auxprop_plugin; + return SASL_OK; } -#if SASL_VERSION_MAJOR >= 2 static int slap_sasl_checkpass( sasl_conn_t *sconn, @@ -347,7 +636,12 @@ slap_sasl_checkpass( return rc; } -#if 0 /* CANON isn't for what you think it does. */ +/* Convert a SASL authcid or authzid into a DN. Store the DN in an + * auxiliary property, so that we can refer to it in sasl_authorize + * without interfering with anything else. Also, the SASL username + * buffer is constrained to 256 characters, and our DNs could be + * much longer (totally arbitrary length)... + */ static int slap_sasl_canonicalize( sasl_conn_t *sconn, @@ -361,8 +655,11 @@ slap_sasl_canonicalize( unsigned *out_len) { Connection *conn = (Connection *)context; + struct propctx *props = sasl_auxprop_getctx( sconn ); + struct propval auxvals[3]; struct berval dn; - int rc; + int rc, which; + const char *names[2]; *out_len = 0; @@ -370,53 +667,79 @@ slap_sasl_canonicalize( LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY, "slap_sasl_canonicalize: conn %d %s=\"%s\"\n", conn ? conn->c_connid : -1, - (flags == SASL_CU_AUTHID) ? "authcid" : "authzid", + (flags & SASL_CU_AUTHID) ? "authcid" : "authzid", in ? in : "" )); #else Debug( LDAP_DEBUG_ARGS, "SASL Canonicalize [conn=%ld]: " "%s=\"%s\"\n", conn ? conn->c_connid : -1, - (flags == SASL_CU_AUTHID) ? "authcid" : "authzid", + (flags & SASL_CU_AUTHID) ? "authcid" : "authzid", in ? in : "" ); #endif + /* If name is too big, just truncate. We don't care, we're + * using DNs, not the usernames. + */ + if ( inlen > out_max ) + inlen = out_max-1; + + /* See if we need to add request, can only do it once */ + prop_getnames( props, slap_propnames, auxvals ); + if ( !auxvals[0].name ) + prop_request( props, slap_propnames ); + + if ( flags & SASL_CU_AUTHID ) + which = 0; + else + which = 1; + + /* Already been here? */ + if ( auxvals[which].values ) + goto done; + + if ( flags == SASL_CU_AUTHZID ) { + /* If we got unqualified authzid's, they probably came from SASL + * itself just passing the authcid to us. Look inside the oparams + * structure to see if that's true. (HACK: the out_len pointer is + * the address of a member of a sasl_out_params_t structure...) + */ + sasl_out_params_t dummy; + int offset = (void *)&dummy.ulen - (void *)&dummy.authid; + char **authid = (void *)out_len - offset; + if ( *authid && !strcmp( in, *authid ) ) + goto done; + } + rc = slap_sasl_getdn( conn, (char *)in, inlen, (char *)user_realm, &dn, - (flags == SASL_CU_AUTHID) ? FLAG_GETDN_AUTHCID : FLAG_GETDN_AUTHZID ); + (flags & SASL_CU_AUTHID) ? FLAG_GETDN_AUTHCID : FLAG_GETDN_AUTHZID ); if ( rc != LDAP_SUCCESS ) { sasl_seterror( sconn, 0, ldap_err2string( rc ) ); return SASL_NOAUTHZ; } - if ( out_max < dn.bv_len ) { - return SASL_BUFOVER; - } - - AC_MEMCPY( out, dn.bv_val, dn.bv_len ); - out[dn.bv_len] = '\0'; - - *out_len = dn.bv_len; - - ch_free( dn.bv_val ); + names[0] = slap_propnames[which]; + names[1] = NULL; + prop_set( props, names[0], (char *)&dn, sizeof( dn ) ); + #ifdef NEW_LOGGING LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY, "slap_sasl_canonicalize: conn %d %s=\"%s\"\n", conn ? conn->c_connid : -1, - (flags == SASL_CU_AUTHID) ? "authcDN" : "authzDN", - out )); + names[0]+1, dn.bv_val )); #else Debug( LDAP_DEBUG_ARGS, "SASL Canonicalize [conn=%ld]: " "%s=\"%s\"\n", conn ? conn->c_connid : -1, - (flags == SASL_CU_AUTHID) ? "authcDN" : "authzDN", - out ); + names[0]+1, dn.bv_val ); #endif +done: AC_MEMCPY( out, in, inlen ); + out[inlen] = '\0'; + + *out_len = inlen; return SASL_OK; } -#endif - -#define CANON_BUF_SIZE 256 /* from saslint.h */ static int slap_sasl_authorize( @@ -428,12 +751,12 @@ slap_sasl_authorize( unsigned alen, const char *def_realm, unsigned urlen, - struct propctx *propctx) + struct propctx *props) { Connection *conn = (Connection *)context; + struct propval auxvals[3]; struct berval authcDN, authzDN; - char *realm; - int rc, equal = 1, ext = 0; + int rc; #ifdef NEW_LOGGING LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY, @@ -444,68 +767,26 @@ slap_sasl_authorize( "authcid=\"%s\" authzid=\"%s\"\n", conn ? conn->c_connid : -1, auth_identity, requested_user ); #endif - - if ( requested_user ) - equal = !strcmp( auth_identity, requested_user ); - - /* If using SASL-EXTERNAL, don't modify the ID in any way */ - if ( conn->c_sasl_bind_mech.bv_len == ext_bv.bv_len - && ( strcasecmp( ext_bv.bv_val, conn->c_sasl_bind_mech.bv_val ) == 0 ) - && auth_identity[0] == '/' ) { - ext = 1; - realm = NULL; - } else { - /* Else look for an embedded realm in the name */ - realm = strchr( auth_identity, '@' ); - if ( realm ) *realm++ = '\0'; + if ( conn->c_sasl_dn.bv_val ) { + ch_free( conn->c_sasl_dn.bv_val ); + conn->c_sasl_dn.bv_val = NULL; + conn->c_sasl_dn.bv_len = 0; } - rc = slap_sasl_getdn( conn, auth_identity, alen, realm ? realm : (char *)def_realm, - &authcDN, FLAG_GETDN_AUTHCID ); - if ( realm ) - realm[-1] = '@'; - - if ( rc != LDAP_SUCCESS ) { - sasl_seterror( sconn, 0, ldap_err2string( rc ) ); - return SASL_NOAUTHZ; - } - - if ( equal ) { - if ( authcDN.bv_len > CANON_BUF_SIZE ) { - free( authcDN.bv_val ); - return SASL_BUFOVER; - } - AC_MEMCPY( requested_user, authcDN.bv_val, authcDN.bv_len ); + prop_getnames( props, slap_propnames, auxvals ); + + AC_MEMCPY( &authcDN, auxvals[0].values[0], sizeof(authcDN) ); + /* Nothing to do if no authzID was given */ + if ( !auxvals[1].name || !auxvals[1].values ) { + conn->c_sasl_dn = authcDN; return SASL_OK; } - - if ( ext ) { - realm = NULL; - } else { - realm = strchr( requested_user, '@' ); - if ( realm ) *realm++ = '\0'; - } - - rc = slap_sasl_getdn( conn, requested_user, rlen, realm ? realm : (char *)def_realm, - &authzDN, FLAG_GETDN_AUTHZID ); - if ( realm ) - realm[-1] = '@'; - - if ( rc != LDAP_SUCCESS ) { - free( authcDN.bv_val ); - sasl_seterror( sconn, 0, ldap_err2string( rc ) ); - return SASL_NOAUTHZ; - } - - if (authzDN.bv_len > CANON_BUF_SIZE) { - free( authcDN.bv_val ); - free( authzDN.bv_val ); - return SASL_BUFOVER; - } + + AC_MEMCPY( &authzDN, auxvals[1].values[0], sizeof(authzDN) ); rc = slap_sasl_authorized( &authcDN, &authzDN ); - free( authcDN.bv_val ); + ch_free( authcDN.bv_val ); if ( rc != LDAP_SUCCESS ) { #ifdef NEW_LOGGING LDAP_LOG(( "sasl", LDAP_LEVEL_INFO, @@ -518,11 +799,11 @@ slap_sasl_authorize( #endif sasl_seterror( sconn, 0, "not authorized" ); - free( authzDN.bv_val ); + ch_free( authzDN.bv_val ); return SASL_NOAUTHZ; } - AC_MEMCPY( requested_user, authzDN.bv_val, authzDN.bv_len ); - free( authzDN.bv_val ); + + conn->c_sasl_dn = authzDN; #ifdef NEW_LOGGING LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY, @@ -533,7 +814,6 @@ slap_sasl_authorize( " authorization allowed\n", (long) (conn ? conn->c_connid : -1), 0, 0 ); #endif - return SASL_OK; } #else @@ -546,11 +826,16 @@ slap_sasl_authorize( const char **errstr) { struct berval authcDN, authzDN; - int rc, ext = 0; + int rc; Connection *conn = context; - char *realm, *xrealm; + char *realm; *user = NULL; + if ( conn->c_sasl_dn.bv_val ) { + ch_free( conn->c_sasl_dn.bv_val ); + conn->c_sasl_dn.bv_val = NULL; + conn->c_sasl_dn.bv_len = 0; + } #ifdef NEW_LOGGING LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY, @@ -582,17 +867,7 @@ slap_sasl_authorize( /* Convert the identities to DN's. If no authzid was given, client will be bound as the DN matching their username */ - if ( conn->c_sasl_bind_mech.bv_len == ext_bv.bv_len - && ( strcasecmp( ext_bv.bv_val, conn->c_sasl_bind_mech.bv_val ) == 0 ) - && authcid[0] == '/' ) { - ext = 1; - xrealm = NULL; - } else { - xrealm = strchr( authcid, '@' ); - if ( xrealm ) *xrealm++ = '\0'; - } - rc = slap_sasl_getdn( conn, (char *)authcid, 0, xrealm ? xrealm : realm, &authcDN, FLAG_GETDN_AUTHCID ); - if ( xrealm ) xrealm[-1] = '@'; + rc = slap_sasl_getdn( conn, (char *)authcid, 0, realm, &authcDN, FLAG_GETDN_AUTHCID ); if( rc != LDAP_SUCCESS ) { *errstr = ldap_err2string( rc ); return SASL_NOAUTHZ; @@ -607,18 +882,11 @@ slap_sasl_authorize( "Using authcDN=%s\n", (long) (conn ? conn->c_connid : -1), authcDN.bv_val,0 ); #endif - *user = authcDN.bv_val; + conn->c_sasl_dn = authcDN; *errstr = NULL; return SASL_OK; } - if ( ext ) { - xrealm = NULL; - } else { - xrealm = strchr( authzid, '@' ); - if ( xrealm ) *xrealm++ = '\0'; - } - rc = slap_sasl_getdn( conn, (char *)authzid, 0, xrealm ? xrealm : realm, &authzDN, FLAG_GETDN_AUTHZID ); - if ( xrealm ) xrealm[-1] = '@'; + rc = slap_sasl_getdn( conn, (char *)authzid, 0, realm, &authzDN, FLAG_GETDN_AUTHZID ); if( rc != LDAP_SUCCESS ) { ch_free( authcDN.bv_val ); *errstr = ldap_err2string( rc ); @@ -626,6 +894,7 @@ slap_sasl_authorize( } rc = slap_sasl_authorized( &authcDN, &authzDN ); + ch_free( authcDN.bv_val ); if( rc ) { #ifdef NEW_LOGGING LDAP_LOG(( "sasl", LDAP_LEVEL_INFO, @@ -638,7 +907,6 @@ slap_sasl_authorize( #endif *errstr = "not authorized"; - ch_free( authcDN.bv_val ); ch_free( authzDN.bv_val ); return SASL_NOAUTHZ; } @@ -653,9 +921,7 @@ slap_sasl_authorize( (long) (conn ? conn->c_connid : -1), 0, 0 ); #endif - - ch_free( authcDN.bv_val ); - *user = authzDN.bv_val; + conn->c_sasl_dn = authzDN; *errstr = NULL; return SASL_OK; } @@ -720,6 +986,9 @@ int slap_sasl_init( void ) ldap_pvt_sasl_mutex_unlock, ldap_pvt_sasl_mutex_dispose ); +#if SASL_VERSION_MAJOR >= 2 + sasl_auxprop_add_plugin( "slapd", slap_auxprop_init ); +#endif /* should provide callbacks for logging */ /* server name should be configurable */ rc = sasl_server_init( server_callbacks, "slapd" ); @@ -799,11 +1068,9 @@ int slap_sasl_open( Connection *conn ) session_callbacks[cb++].context = conn; #if SASL_VERSION_MAJOR >= 2 -#if 0 /* CANON isn't for what you think it does. */ session_callbacks[cb].id = SASL_CB_CANON_USER; session_callbacks[cb].proc = &slap_sasl_canonicalize; session_callbacks[cb++].context = conn; -#endif /* XXXX: this should be conditional */ session_callbacks[cb].id = SASL_CB_SERVER_USERDB_CHECKPASS; @@ -1082,50 +1349,27 @@ int slap_sasl_bind( response.bv_len = reslen; if ( sc == SASL_OK ) { - char *username = NULL; - char *realm = NULL; + sasl_ssf_t *ssf = NULL; -#if SASL_VERSION_MAJOR >= 2 - sc = sasl_getprop( ctx, SASL_DEFUSERREALM, (const void **)&realm ); -#else - sc = sasl_getprop( ctx, SASL_REALM, (void **)&realm ); -#endif - sc = sasl_getprop( ctx, - SASL_USERNAME, (SASL_CONST void **)&username ); + *edn = conn->c_sasl_dn; + conn->c_sasl_dn.bv_val = NULL; + conn->c_sasl_dn.bv_len = 0; - if ( sc != SASL_OK ) { -#ifdef NEW_LOGGING - LDAP_LOG(( "sasl", LDAP_LEVEL_ERR, - "slap_sasl_bind: getprop(USERNAME) failed: %d\n", sc )); -#else - Debug(LDAP_DEBUG_TRACE, - "slap_sasl_bind: getprop(USERNAME) failed!\n", - 0, 0, 0); -#endif + rc = LDAP_SUCCESS; + (void) sasl_getprop( ctx, SASL_SSF, (void *)&ssf ); + *ssfp = ssf ? *ssf : 0; - send_ldap_result( conn, op, rc = slap_sasl_err2ldap( sc ), - NULL, "no SASL username", NULL, NULL ); - - } else { - rc = LDAP_SUCCESS; - ber_str2bv( username, 0, 1, edn ); - - sasl_ssf_t *ssf = NULL; - (void) sasl_getprop( ctx, SASL_SSF, (void *)&ssf ); - *ssfp = ssf ? *ssf : 0; - - if( *ssfp ) { - ldap_pvt_thread_mutex_lock( &conn->c_mutex ); - conn->c_sasl_layers++; - ldap_pvt_thread_mutex_unlock( &conn->c_mutex ); - } - - send_ldap_sasl( conn, op, rc, - NULL, NULL, NULL, NULL, - response.bv_len ? &response : NULL ); + if( *ssfp ) { + ldap_pvt_thread_mutex_lock( &conn->c_mutex ); + conn->c_sasl_layers++; + ldap_pvt_thread_mutex_unlock( &conn->c_mutex ); } + send_ldap_sasl( conn, op, rc, + NULL, NULL, NULL, NULL, + response.bv_len ? &response : NULL ); + } else if ( sc == SASL_CONTINUE ) { send_ldap_sasl( conn, op, rc = LDAP_SASL_BIND_IN_PROGRESS, NULL, NULL, NULL, NULL, &response ); @@ -1170,3 +1414,90 @@ char* slap_sasl_secprops( const char *in ) return "SASL not supported"; #endif } + +#ifdef HAVE_CYRUS_SASL +int +slap_sasl_setpass( + Connection *conn, + Operation *op, + const char *reqoid, + struct berval *reqdata, + char **rspoid, + struct berval **rspdata, + LDAPControl *** rspctrls, + const char **text ) +{ + int rc; + struct berval id = { 0, NULL }; /* needs to come from connection */ + struct berval new = { 0, NULL }; + struct berval old = { 0, NULL }; + + assert( reqoid != NULL ); + assert( strcmp( LDAP_EXOP_MODIFY_PASSWD, reqoid ) == 0 ); + + rc = sasl_getprop( conn->c_sasl_context, SASL_USERNAME, + (SASL_CONST void **)&id.bv_val ); + + if( rc != SASL_OK ) { + *text = "unable to retrieve SASL username"; + rc = LDAP_OTHER; + goto done; + } + +#ifdef NEW_LOGGING + LDAP_LOG(( "backend", LDAP_LEVEL_ENTRY, + "slap_sasl_setpass: \"%s\"\n", + id.bv_val ? id.bv_val : "" )); +#else + Debug( LDAP_DEBUG_ARGS, "==> ldbm_back_exop_passwd: \"%s\"\n", + id.bv_val ? id.bv_val : "", 0, 0 ); +#endif + + rc = slap_passwd_parse( reqdata, + NULL, &old, &new, text ); + + if( rc != LDAP_SUCCESS ) { + goto done; + } + + if( new.bv_len == 0 ) { + slap_passwd_generate(&new); + + if( new.bv_len == 0 ) { + *text = "password generation failed."; + rc = LDAP_OTHER; + goto done; + } + + *rspdata = slap_passwd_return( &new ); + } + +#if SASL_VERSION_MAJOR < 2 + rc = sasl_setpass( conn->c_sasl_context, + id.bv_val, new.bv_val, new.bv_len, 0, text ); +#else + rc = sasl_setpass( conn->c_sasl_context, id.bv_val, + old.bv_val, old.bv_len, new.bv_val, new.bv_len, 0 ); + if( rc != SASL_OK ) { + *text = sasl_errdetail( conn->c_sasl_context ); + } +#endif + switch(rc) { + case SASL_OK: + rc = LDAP_SUCCESS; + break; + + case SASL_NOCHANGE: + case SASL_NOMECH: + case SASL_DISABLED: + case SASL_PWLOCK: + case SASL_FAIL: + case SASL_BADPARAM: + default: + rc = LDAP_OTHER; + } + +done: + return rc; +} +#endif