X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fsasl.c;h=45fe39a95c13143abc949a72fbe75783e3aca74d;hb=6387a3b6bfd835e3bf3075f0030a57739b82d995;hp=b9b23458d250445ea3c280dfdf0ae12436872f63;hpb=5a01db28e301fcd691f76ecf904e96ecf9a448b8;p=openldap diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c index b9b23458d2..45fe39a95c 100644 --- a/servers/slapd/sasl.c +++ b/servers/slapd/sasl.c @@ -1,6 +1,6 @@ /* $OpenLDAP$ */ /* - * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved. + * Copyright 1998-2003 The OpenLDAP Foundation, All Rights Reserved. * COPYING RESTRICTIONS APPLY, see COPYRIGHT file */ @@ -15,34 +15,28 @@ #include "slap.h" -#ifdef HAVE_CYRUS_SASL #include -#ifdef HAVE_SASL_SASL_H -#include -#else -#include -#endif - -#if SASL_VERSION_MAJOR >= 2 -#include -#include -#define SASL_CONST const -#else -#define SASL_CONST -#endif +#ifdef HAVE_CYRUS_SASL +# ifdef HAVE_SASL_SASL_H +# include +# else +# include +# endif + +# if SASL_VERSION_MAJOR >= 2 +# include +# define SASL_CONST const +# else +# define SASL_CONST +# endif -#include +static sasl_security_properties_t sasl_secprops; +#endif /* HAVE_CYRUS_SASL */ -#ifdef SLAPD_SPASSWD +#include "ldap_pvt.h" +#include "lber_pvt.h" #include -#endif - -/* Flags for telling slap_sasl_getdn() what type of identity is being passed */ -#define FLAG_GETDN_AUTHCID 2 -#define FLAG_GETDN_AUTHZID 4 - -static sasl_security_properties_t sasl_secprops; int slap_sasl_config( int cargc, char **cargv, char *line, const char *fname, int lineno ) @@ -52,11 +46,13 @@ int slap_sasl_config( int cargc, char **cargv, char *line, if ( cargc != 2 ) { #ifdef NEW_LOGGING LDAP_LOG( CONFIG, CRIT, - "%s: line %d: missing policy in \"sasl-authz-policy \" line\n", - fname, lineno, 0 ); + "%s: line %d: missing policy in" + " \"sasl-authz-policy \" line\n", + fname, lineno, 0 ); #else Debug( LDAP_DEBUG_ANY, - "%s: line %d: missing policy in \"sasl-authz-policy \" line\n", + "%s: line %d: missing policy in" + " \"sasl-authz-policy \" line\n", fname, lineno, 0 ); #endif @@ -80,18 +76,42 @@ int slap_sasl_config( int cargc, char **cargv, char *line, #endif return( 1 ); } - + } else if ( !strcasecmp( cargv[0], "sasl-regexp" ) + || !strcasecmp( cargv[0], "saslregexp" ) ) + { + int rc; + if ( cargc != 3 ) { +#ifdef NEW_LOGGING + LDAP_LOG( CONFIG, CRIT, + "%s: line %d: need 2 args in " + "\"saslregexp \"\n", + fname, lineno, 0 ); +#else + Debug( LDAP_DEBUG_ANY, + "%s: line %d: need 2 args in " + "\"saslregexp \"\n", + fname, lineno, 0 ); +#endif + + return( 1 ); + } + rc = slap_sasl_regexp_config( cargv[1], cargv[2] ); + if ( rc ) { + return rc; + } + +#ifdef HAVE_CYRUS_SASL /* set SASL host */ } else if ( strcasecmp( cargv[0], "sasl-host" ) == 0 ) { if ( cargc < 2 ) { #ifdef NEW_LOGGING LDAP_LOG( CONFIG, CRIT, - "%s: line %d: missing host in \"sasl-host \" line\n", - fname, lineno, 0 ); + "%s: line %d: missing host in \"sasl-host \" line\n", + fname, lineno, 0 ); #else Debug( LDAP_DEBUG_ANY, - "%s: line %d: missing host in \"sasl-host \" line\n", + "%s: line %d: missing host in \"sasl-host \" line\n", fname, lineno, 0 ); #endif @@ -101,8 +121,8 @@ int slap_sasl_config( int cargc, char **cargv, char *line, if ( global_host != NULL ) { #ifdef NEW_LOGGING LDAP_LOG( CONFIG, CRIT, - "%s: line %d: already set sasl-host!\n", - fname, lineno, 0 ); + "%s: line %d: already set sasl-host!\n", + fname, lineno, 0 ); #else Debug( LDAP_DEBUG_ANY, "%s: line %d: already set sasl-host!\n", @@ -119,12 +139,12 @@ int slap_sasl_config( int cargc, char **cargv, char *line, } else if ( strcasecmp( cargv[0], "sasl-realm" ) == 0 ) { if ( cargc < 2 ) { #ifdef NEW_LOGGING - LDAP_LOG( CONFIG, CRIT, - "%s: line %d: missing realm in \"sasl-realm \" line.\n", - fname, lineno, 0 ); + LDAP_LOG( CONFIG, CRIT, "%s: line %d: " + "missing realm in \"sasl-realm \" line.\n", + fname, lineno, 0 ); #else - Debug( LDAP_DEBUG_ANY, - "%s: line %d: missing realm in \"sasl-realm \" line\n", + Debug( LDAP_DEBUG_ANY, "%s: line %d: " + "missing realm in \"sasl-realm \" line.\n", fname, lineno, 0 ); #endif @@ -134,8 +154,8 @@ int slap_sasl_config( int cargc, char **cargv, char *line, if ( global_realm != NULL ) { #ifdef NEW_LOGGING LDAP_LOG( CONFIG, CRIT, - "%s: line %d: already set sasl-realm!\n", - fname, lineno, 0 ); + "%s: line %d: already set sasl-realm!\n", + fname, lineno, 0 ); #else Debug( LDAP_DEBUG_ANY, "%s: line %d: already set sasl-realm!\n", @@ -148,42 +168,18 @@ int slap_sasl_config( int cargc, char **cargv, char *line, global_realm = ch_strdup( cargv[1] ); } - } else if ( !strcasecmp( cargv[0], "sasl-regexp" ) - || !strcasecmp( cargv[0], "saslregexp" ) ) - { - int rc; - if ( cargc != 3 ) { -#ifdef NEW_LOGGING - LDAP_LOG( CONFIG, CRIT, - "%s: line %d: need 2 args in " - "\"saslregexp \"\n", - fname, lineno, 0 ); -#else - Debug( LDAP_DEBUG_ANY, - "%s: line %d: need 2 args in \"saslregexp \"\n", - fname, lineno, 0 ); -#endif - - return( 1 ); - } - rc = slap_sasl_regexp_config( cargv[1], cargv[2] ); - if ( rc ) { - return rc; - } - /* SASL security properties */ } else if ( strcasecmp( cargv[0], "sasl-secprops" ) == 0 ) { char *txt; if ( cargc < 2 ) { #ifdef NEW_LOGGING - LDAP_LOG( CONFIG, CRIT, - "%s: line %d: missing flags in " - "\"sasl-secprops \" line\n", - fname, lineno, 0 ); + LDAP_LOG( CONFIG, CRIT, "%s: line %d: " + "missing flags in \"sasl-secprops \" line\n", + fname, lineno, 0 ); #else - Debug( LDAP_DEBUG_ANY, - "%s: line %d: missing flags in \"sasl-secprops \" line\n", + Debug( LDAP_DEBUG_ANY, "%s: line %d: " + "missing flags in \"sasl-secprops \" line\n", fname, lineno, 0 ); #endif @@ -194,22 +190,25 @@ int slap_sasl_config( int cargc, char **cargv, char *line, if ( txt != NULL ) { #ifdef NEW_LOGGING LDAP_LOG( CONFIG, CRIT, - "%s: line %d sasl-secprops: %s\n", - fname, lineno, txt ); + "%s: line %d sasl-secprops: %s\n", + fname, lineno, txt ); #else Debug( LDAP_DEBUG_ANY, - "%s: line %d: sasl-secprops: %s\n", + "%s: line %d: sasl-secprops: %s\n", fname, lineno, txt ); #endif return 1; } +#endif /* HAVE_CYRUS_SASL */ } return LDAP_SUCCESS; } -static int +#ifdef HAVE_CYRUS_SASL + +int slap_sasl_log( void *context, int priority, @@ -289,181 +288,79 @@ slap_sasl_log( } -/* Take any sort of identity string and return a DN with the "dn:" prefix. The - string returned in *dn is in its own allocated memory, and must be free'd - by the calling process. - -Mark Adamson, Carnegie Mellon +#if SASL_VERSION_MAJOR >= 2 +static const char *slap_propnames[] = { + "*slapConn", "*authcDN", "*authzDN", NULL }; - The "dn:" prefix is no longer used anywhere inside slapd. It is only used - on strings passed in directly from SASL. - -Howard Chu, Symas Corp. -*/ +static Filter generic_filter = { LDAP_FILTER_PRESENT }; + +#define PROP_CONN 0 +#define PROP_AUTHC 1 +#define PROP_AUTHZ 2 -#define SET_DN 1 -#define SET_U 2 +typedef struct lookup_info { + int last; + int flags; + const struct propval *list; + sasl_server_params_t *sparams; +} lookup_info; -static struct berval ext_bv = { sizeof("EXTERNAL")-1, "EXTERNAL" }; +static slap_response sasl_ap_lookup, sasl_cb_checkpass; -int slap_sasl_getdn( Connection *conn, char *id, int len, - char *user_realm, struct berval *dn, int flags ) +static int +sasl_ap_lookup( Operation *op, SlapReply *rs ) { - char *c1; - int rc, is_dn = 0, do_norm = 1; - sasl_conn_t *ctx; - struct berval dn2; + BerVarray bv; + AttributeDescription *ad; + Attribute *a; + const char *text; + int rc, i; + slap_callback *tmp = op->o_callback; + lookup_info *sl = tmp->sc_private; -#ifdef NEW_LOGGING - LDAP_LOG( TRANSPORT, ENTRY, - "slap_sasl_getdn: conn %d id=%s\n", - conn ? conn->c_connid : -1, id ? (*id ? id : "") : "NULL", 0 ); -#else - Debug( LDAP_DEBUG_ARGS, "slap_sasl_getdn: id=%s\n", - id?(*id?id:""):"NULL",0,0 ); -#endif + if (rs->sr_type != REP_SEARCH) return 0; - dn->bv_val = NULL; - dn->bv_len = 0; + for( i = 0; i < sl->last; i++ ) { + const char *name = sl->list[i].name; - if ( id ) { - if ( len == 0 ) len = strlen( id ); + if ( name[0] == '*' ) { + if ( sl->flags & SASL_AUXPROP_AUTHZID ) continue; + name++; + } else if ( !(sl->flags & SASL_AUXPROP_AUTHZID ) ) + continue; - /* Blatantly anonymous ID */ - if ( len == sizeof("anonymous") - 1 && - !strcasecmp( id, "anonymous" ) ) { - return( LDAP_SUCCESS ); + if ( sl->list[i].values ) { + if ( !(sl->flags & SASL_AUXPROP_OVERRIDE) ) continue; } - } else { - len = 0; - } - - ctx = conn->c_sasl_context; - - /* An authcID needs to be converted to authzID form. Set the - * values directly into *dn; they will be normalized later. (and - * normalizing always makes a new copy.) An ID from a TLS certificate - * is already normalized, so copy it and skip normalization. - */ - if( flags & FLAG_GETDN_AUTHCID ) { -#ifdef HAVE_TLS - if( conn->c_is_tls && conn->c_sasl_bind_mech.bv_len == ext_bv.bv_len - && ( strcasecmp( ext_bv.bv_val, conn->c_sasl_bind_mech.bv_val ) == 0 ) ) { - /* X.509 DN is already normalized */ - do_norm = 0; - is_dn = SET_DN; - ber_str2bv( id, len, 1, dn ); - - } else + ad = NULL; + rc = slap_str2ad( name, &ad, &text ); + if ( rc != LDAP_SUCCESS ) { +#ifdef NEW_LOGGING + LDAP_LOG( TRANSPORT, DETAIL1, + "slap_auxprop: str2ad(%s): %s\n", name, text, 0 ); +#else + Debug( LDAP_DEBUG_TRACE, + "slap_auxprop: str2ad(%s): %s\n", name, text, 0 ); #endif - { - /* convert to u: form */ - is_dn = SET_U; - dn->bv_val = id; - dn->bv_len = len; - } - } - if( !is_dn ) { - if( !strncasecmp( id, "u:", sizeof("u:")-1 )) { - is_dn = SET_U; - dn->bv_val = id+2; - dn->bv_len = len-2; - } else if ( !strncasecmp( id, "dn:", sizeof("dn:")-1) ) { - is_dn = SET_DN; - dn->bv_val = id+3; - dn->bv_len = len-3; - } - } - - /* No other possibilities from here */ - if( !is_dn ) { - dn->bv_val = NULL; - dn->bv_len = 0; - return( LDAP_INAPPROPRIATE_AUTH ); - } - - /* Username strings */ - if( is_dn == SET_U ) { - char *p, *realm; - len = dn->bv_len + sizeof("uid=")-1 + sizeof(",cn=auth")-1; - - /* username may have embedded realm name */ - if( realm = strchr( dn->bv_val, '@') ) { - *realm++ = '\0'; - len += sizeof(",cn=")-2; - } else if( user_realm && *user_realm ) { - len += strlen( user_realm ) + sizeof(",cn=")-1; - } - - if( conn->c_sasl_bind_mech.bv_len ) { - len += conn->c_sasl_bind_mech.bv_len + sizeof(",cn=")-1; + continue; } - - /* Build the new dn */ - c1 = dn->bv_val; - dn->bv_val = ch_malloc( len+1 ); - p = lutil_strcopy( dn->bv_val, "uid=" ); - p = lutil_strncopy( p, c1, dn->bv_len ); - - if( realm ) { - int rlen = dn->bv_len - ( realm - c1 ); - p = lutil_strcopy( p, ",cn=" ); - p = lutil_strncopy( p, realm, rlen ); - realm[-1] = '@'; - } else if( user_realm && *user_realm ) { - p = lutil_strcopy( p, ",cn=" ); - p = lutil_strcopy( p, user_realm ); + a = attr_find( rs->sr_entry->e_attrs, ad ); + if ( !a ) continue; + if ( ! access_allowed( op, rs->sr_entry, ad, NULL, ACL_AUTH, NULL ) ) { + continue; } - - if( conn->c_sasl_bind_mech.bv_len ) { - p = lutil_strcopy( p, ",cn=" ); - p = lutil_strcopy( p, conn->c_sasl_bind_mech.bv_val ); + if ( sl->list[i].values && ( sl->flags & SASL_AUXPROP_OVERRIDE ) ) { + sl->sparams->utils->prop_erase( sl->sparams->propctx, + sl->list[i].name ); } - p = lutil_strcopy( p, ",cn=auth" ); - dn->bv_len = p - dn->bv_val; - -#ifdef NEW_LOGGING - LDAP_LOG( TRANSPORT, ENTRY, - "slap_sasl_getdn: u:id converted to %s.\n", dn->bv_val, 0, 0 ); -#else - Debug( LDAP_DEBUG_TRACE, "getdn: u:id converted to %s\n", dn->bv_val,0,0 ); -#endif - } - - /* All strings are in DN form now. Normalize if needed. */ - if ( do_norm ) { - rc = dnNormalize2( NULL, dn, &dn2 ); - - /* User DNs were constructed above and must be freed now */ - if ( is_dn == SET_U ) - ch_free( dn->bv_val ); - - if ( rc != LDAP_SUCCESS ) { - dn->bv_val = NULL; - dn->bv_len = 0; - return rc; + for ( bv = a->a_vals; bv->bv_val; bv++ ) { + sl->sparams->utils->prop_set( sl->sparams->propctx, + sl->list[i].name, bv->bv_val, bv->bv_len ); } - *dn = dn2; } - - /* Run thru regexp */ - slap_sasl2dn( conn, dn, &dn2 ); - if( dn2.bv_val ) { - ch_free( dn->bv_val ); - *dn = dn2; -#ifdef NEW_LOGGING - LDAP_LOG( TRANSPORT, ENTRY, - "slap_sasl_getdn: dn:id converted to %s.\n", dn->bv_val, 0, 0 ); -#else - Debug( LDAP_DEBUG_TRACE, "getdn: dn:id converted to %s\n", - dn->bv_val, 0, 0 ); -#endif - } - - return( LDAP_SUCCESS ); + return LDAP_SUCCESS; } -#if SASL_VERSION_MAJOR >= 2 -static const char *slap_propnames[] = { "*authcDN", "*authzDN", NULL }; - static void slap_auxprop_lookup( void *glob_context, @@ -472,29 +369,35 @@ slap_auxprop_lookup( const char *user, unsigned ulen) { - int rc, i, last; - struct berval dn; - const struct propval *list; - BerVarray vals, bv; - AttributeDescription *ad; - const char *text; - - list = sparams->utils->prop_get( sparams->propctx ); - - /* Find our DN first */ - for( i = 0, last = 0; list[i].name; i++ ) { - if ( list[i].name[0] == '*' ) { + Operation op = {0}; + int rc, i, doit=0; + Connection *conn = NULL; + lookup_info sl; + + sl.list = sparams->utils->prop_get( sparams->propctx ); + sl.sparams = sparams; + sl.flags = flags; + + /* Find our DN and conn first */ + for( i = 0, sl.last = 0; sl.list[i].name; i++ ) { + if ( sl.list[i].name[0] == '*' ) { + if ( !strcmp( sl.list[i].name, slap_propnames[PROP_CONN] ) ) { + if ( sl.list[i].values && sl.list[i].values[0] ) + AC_MEMCPY( &conn, sl.list[i].values[0], sizeof( conn ) ); + if ( !sl.last ) sl.last = i; + } if ( (flags & SASL_AUXPROP_AUTHZID) && - !strcmp( list[i].name, slap_propnames[1] ) ) { - if ( list[i].values && list[i].values[0] ) - AC_MEMCPY( &dn, list[i].values[0], sizeof( dn ) ); - if ( !last ) last = i; + !strcmp( sl.list[i].name, slap_propnames[PROP_AUTHZ] ) ) { + + if ( sl.list[i].values && sl.list[i].values[0] ) + AC_MEMCPY( &op.o_req_ndn, sl.list[i].values[0], sizeof( struct berval ) ); + if ( !sl.last ) sl.last = i; break; } - if ( !strcmp( list[i].name, slap_propnames[0] ) ) { - if ( !last ) last = i; - if ( list[i].values && list[i].values[0] ) { - AC_MEMCPY( &dn, list[i].values[0], sizeof( dn ) ); + if ( !strcmp( sl.list[i].name, slap_propnames[PROP_AUTHC] ) ) { + if ( !sl.last ) sl.last = i; + if ( sl.list[i].values && sl.list[i].values[0] ) { + AC_MEMCPY( &op.o_req_ndn, sl.list[i].values[0], sizeof( struct berval ) ); if ( !(flags & SASL_AUXPROP_AUTHZID) ) break; } @@ -502,9 +405,9 @@ slap_auxprop_lookup( } } - /* Now fetch the rest */ - for( i = 0; i < last; i++ ) { - const char *name = list[i].name; + /* Now see what else needs to be fetched */ + for( i = 0; i < sl.last; i++ ) { + const char *name = sl.list[i].name; if ( name[0] == '*' ) { if ( flags & SASL_AUXPROP_AUTHZID ) continue; @@ -512,30 +415,40 @@ slap_auxprop_lookup( } else if ( !(flags & SASL_AUXPROP_AUTHZID ) ) continue; - if ( list[i].values ) { + if ( sl.list[i].values ) { if ( !(flags & SASL_AUXPROP_OVERRIDE) ) continue; - sparams->utils->prop_erase( sparams->propctx, list[i].name ); } - ad = NULL; - rc = slap_str2ad( name, &ad, &text ); - if ( rc != LDAP_SUCCESS ) { -#ifdef NEW_LOGGING - LDAP_LOG( TRANSPORT, DETAIL1, - "slap_auxprop: str2ad(%s): %s\n", name, text, 0 ); -#else - Debug( LDAP_DEBUG_TRACE, - "slap_auxprop: str2ad(%s): %s\n", name, text, 0 ); -#endif - rc = slap_str2undef_ad( name, &ad, &text ); - if ( rc != LDAP_SUCCESS ) continue; - } - rc = backend_attribute( NULL,NULL,NULL,NULL, &dn, ad, &vals ); - if ( rc != LDAP_SUCCESS ) continue; - for ( bv = vals; bv->bv_val; bv++ ) { - sparams->utils->prop_set( sparams->propctx, list[i].name, - bv->bv_val, bv->bv_len ); + doit = 1; + } + + if (doit) { + slap_callback cb = { sasl_ap_lookup }; + + cb.sc_private = &sl; + + op.o_bd = select_backend( &op.o_req_ndn, 0, 1 ); + + if ( op.o_bd && op.o_bd->be_search ) { + SlapReply rs = {REP_RESULT}; + op.o_tag = LDAP_REQ_SEARCH; + op.o_protocol = LDAP_VERSION3; + op.o_ndn = conn->c_ndn; + op.o_callback = &cb; + op.o_time = slap_get_time(); + op.o_do_not_cache = 1; + op.o_is_auth_check = 1; + op.o_threadctx = conn->c_sasl_bindop->o_threadctx; + op.o_tmpmemctx = conn->c_sasl_bindop->o_tmpmemctx; + op.o_tmpmfuncs = conn->c_sasl_bindop->o_tmpmfuncs; + op.o_conn = conn; + op.o_connid = conn->c_connid; + op.ors_scope = LDAP_SCOPE_BASE; + op.ors_deref = LDAP_DEREF_NEVER; + op.ors_slimit = 1; + op.ors_filter = &generic_filter; + + op.o_bd->be_search( &op, &rs ); } - ber_bvarray_free( vals ); } } @@ -566,6 +479,37 @@ slap_auxprop_init( return SASL_OK; } +typedef struct checkpass_info { + int rc; + struct berval cred; +} checkpass_info; + +static int +sasl_cb_checkpass( Operation *op, SlapReply *rs ) +{ + slap_callback *tmp = op->o_callback; + checkpass_info *ci = tmp->sc_private; + Attribute *a; + struct berval *bv; + + if (rs->sr_type != REP_SEARCH) return 0; + + ci->rc = SASL_NOVERIFY; + + a = attr_find( rs->sr_entry->e_attrs, slap_schema.si_ad_userPassword ); + if ( !a ) return 0; + if ( ! access_allowed( op, rs->sr_entry, slap_schema.si_ad_userPassword, + NULL, ACL_AUTH, NULL ) ) return 0; + + for ( bv = a->a_vals; bv->bv_val != NULL; bv++ ) { + if ( !lutil_passwd( bv, &ci->cred, NULL ) ) { + ci->rc = SASL_OK; + break; + } + } + return 0; +} + static int slap_sasl_checkpass( sasl_conn_t *sconn, @@ -576,61 +520,68 @@ slap_sasl_checkpass( struct propctx *propctx) { Connection *conn = (Connection *)context; - struct berval dn, cred; + Operation op = {0}; int rc; - BerVarray vals, bv; + checkpass_info ci; - cred.bv_val = (char *)pass; - cred.bv_len = passlen; + ci.rc = SASL_NOUSER; /* SASL will fallback to its own mechanisms if we don't * find an answer here. */ - rc = slap_sasl_getdn( conn, (char *)username, 0, NULL, &dn, - FLAG_GETDN_AUTHCID ); + rc = slap_sasl_getdn( conn, NULL, (char *)username, 0, NULL, &op.o_req_ndn, + SLAP_GETDN_AUTHCID ); if ( rc != LDAP_SUCCESS ) { sasl_seterror( sconn, 0, ldap_err2string( rc ) ); return SASL_NOUSER; } - if ( dn.bv_len == 0 ) { + if ( op.o_req_ndn.bv_len == 0 ) { sasl_seterror( sconn, 0, "No password is associated with the Root DSE" ); - if ( dn.bv_val != NULL ) { - ch_free( dn.bv_val ); + if ( op.o_req_ndn.bv_val != NULL ) { + ch_free( op.o_req_ndn.bv_val ); } return SASL_NOUSER; } - rc = backend_attribute( NULL, NULL, NULL, NULL, &dn, - slap_schema.si_ad_userPassword, &vals); - if ( rc != LDAP_SUCCESS ) { - ch_free( dn.bv_val ); - sasl_seterror( sconn, 0, ldap_err2string( rc ) ); - return SASL_NOVERIFY; - } - - rc = SASL_NOVERIFY; - - if ( vals != NULL ) { - for ( bv = vals; bv->bv_val != NULL; bv++ ) { - if ( !lutil_passwd( bv, &cred, NULL ) ) { - rc = SASL_OK; - break; - } - } - ber_bvarray_free( vals ); + op.o_bd = select_backend( &op.o_req_ndn, 0, 1 ); + if ( op.o_bd && op.o_bd->be_search ) { + slap_callback cb = { sasl_cb_checkpass }; + SlapReply rs = {REP_RESULT}; + + ci.cred.bv_val = (char *)pass; + ci.cred.bv_len = passlen; + + cb.sc_private = &ci; + op.o_tag = LDAP_REQ_SEARCH; + op.o_protocol = LDAP_VERSION3; + op.o_ndn = conn->c_ndn; + op.o_callback = &cb; + op.o_time = slap_get_time(); + op.o_do_not_cache = 1; + op.o_is_auth_check = 1; + op.o_threadctx = conn->c_sasl_bindop->o_threadctx; + op.o_tmpmemctx = conn->c_sasl_bindop->o_tmpmemctx; + op.o_tmpmfuncs = conn->c_sasl_bindop->o_tmpmfuncs; + op.o_conn = conn; + op.o_connid = conn->c_connid; + op.ors_scope = LDAP_SCOPE_BASE; + op.ors_deref = LDAP_DEREF_NEVER; + op.ors_slimit = 1; + op.ors_filter = &generic_filter; + + op.o_bd->be_search( &op, &rs ); } - - if ( rc != SASL_OK ) { + if ( ci.rc != SASL_OK ) { sasl_seterror( sconn, 0, ldap_err2string( LDAP_INVALID_CREDENTIALS ) ); } - ch_free( dn.bv_val ); + ch_free( op.o_req_ndn.bv_val ); - return rc; + return ci.rc; } /* Convert a SASL authcid or authzid into a DN. Store the DN in an @@ -664,13 +615,13 @@ slap_sasl_canonicalize( LDAP_LOG( TRANSPORT, ENTRY, "slap_sasl_canonicalize: conn %d %s=\"%s\"\n", conn ? conn->c_connid : -1, - (flags & SASL_CU_AUTHID) ? "authcid" : "authzid", in ? in : ""); + (flags & SASL_CU_AUTHID) ? "authcid" : "authzid", + in ? in : ""); #else - Debug( LDAP_DEBUG_ARGS, "SASL Canonicalize [conn=%ld]: " - "%s=\"%s\"\n", - conn ? conn->c_connid : -1, - (flags & SASL_CU_AUTHID) ? "authcid" : "authzid", - in ? in : "" ); + Debug( LDAP_DEBUG_ARGS, "SASL Canonicalize [conn=%ld]: %s=\"%s\"\n", + conn ? conn->c_connid : -1, + (flags & SASL_CU_AUTHID) ? "authcid" : "authzid", + in ? in : ""); #endif /* If name is too big, just truncate. We don't care, we're @@ -685,29 +636,47 @@ slap_sasl_canonicalize( prop_request( props, slap_propnames ); if ( flags & SASL_CU_AUTHID ) - which = 0; + which = PROP_AUTHC; else - which = 1; + which = PROP_AUTHZ; + /* Need to store the Connection for auxprop_lookup */ + if ( !auxvals[PROP_CONN].values ) { + names[0] = slap_propnames[PROP_CONN]; + names[1] = NULL; + prop_set( props, names[0], (char *)&conn, sizeof( conn ) ); + } + /* Already been here? */ if ( auxvals[which].values ) goto done; - if ( flags == SASL_CU_AUTHZID ) { - /* If we got unqualified authzid's, they probably came from SASL - * itself just passing the authcid to us. Look inside the oparams - * structure to see if that's true. (HACK: the out_len pointer is - * the address of a member of a sasl_out_params_t structure...) + /* Normally we require an authzID to have a u: or dn: prefix. + * However, SASL frequently gives us an authzID that is just + * an exact copy of the authcID, without a prefix. We need to + * detect and allow this condition. If SASL calls canonicalize + * with SASL_CU_AUTHID|SASL_CU_AUTHZID this is a no-brainer. + * But if it's broken into two calls, we need to remember the + * authcID so that we can compare the authzID later. We store + * the authcID temporarily in conn->c_sasl_dn. We necessarily + * finish Canonicalizing before Authorizing, so there is no + * conflict with slap_sasl_authorize's use of this temp var. + * + * The SASL EXTERNAL mech is backwards from all the other mechs, + * it does authzID before the authcID. If we see that authzID + * has already been done, don't do anything special with authcID. */ - sasl_out_params_t dummy; - int offset = (void *)&dummy.ulen - (void *)&dummy.authid; - char **authid = (void *)out_len - offset; - if ( *authid && !strcmp( in, *authid ) ) - goto done; + if ( flags == SASL_CU_AUTHID && !auxvals[PROP_AUTHZ].values ) { + conn->c_sasl_dn.bv_val = (char *) in; + } else if ( flags == SASL_CU_AUTHZID && conn->c_sasl_dn.bv_val ) { + rc = strcmp( in, conn->c_sasl_dn.bv_val ); + conn->c_sasl_dn.bv_val = NULL; + /* They were equal, no work needed */ + if ( !rc ) goto done; } - rc = slap_sasl_getdn( conn, (char *)in, inlen, (char *)user_realm, &dn, - (flags & SASL_CU_AUTHID) ? FLAG_GETDN_AUTHCID : FLAG_GETDN_AUTHZID ); + rc = slap_sasl_getdn( conn, NULL, (char *)in, inlen, (char *)user_realm, &dn, + (flags & SASL_CU_AUTHID) ? SLAP_GETDN_AUTHCID : SLAP_GETDN_AUTHZID ); if ( rc != LDAP_SUCCESS ) { sasl_seterror( sconn, 0, ldap_err2string( rc ) ); return SASL_NOAUTHZ; @@ -721,14 +690,16 @@ slap_sasl_canonicalize( #ifdef NEW_LOGGING LDAP_LOG( TRANSPORT, ENTRY, "slap_sasl_canonicalize: conn %d %s=\"%s\"\n", - conn ? conn->c_connid : -1, names[0]+1, dn.bv_val ); + conn ? conn->c_connid : -1, names[0]+1, + dn.bv_val ? dn.bv_val : "" ); #else - Debug( LDAP_DEBUG_ARGS, "SASL Canonicalize [conn=%ld]: " - "%s=\"%s\"\n", - conn ? conn->c_connid : -1, - names[0]+1, dn.bv_val ); + Debug( LDAP_DEBUG_ARGS, "SASL Canonicalize [conn=%ld]: %s=\"%s\"\n", + conn ? conn->c_connid : -1, names[0]+1, + dn.bv_val ? dn.bv_val : "" ); #endif -done: AC_MEMCPY( out, in, inlen ); + +done: + AC_MEMCPY( out, in, inlen ); out[inlen] = '\0'; *out_len = inlen; @@ -768,19 +739,20 @@ slap_sasl_authorize( conn->c_sasl_dn.bv_len = 0; } - prop_getnames( props, slap_propnames, auxvals ); + /* Skip PROP_CONN */ + prop_getnames( props, slap_propnames+1, auxvals ); AC_MEMCPY( &authcDN, auxvals[0].values[0], sizeof(authcDN) ); /* Nothing to do if no authzID was given */ if ( !auxvals[1].name || !auxvals[1].values ) { conn->c_sasl_dn = authcDN; - return SASL_OK; + goto ok; } AC_MEMCPY( &authzDN, auxvals[1].values[0], sizeof(authzDN) ); - rc = slap_sasl_authorized( &authcDN, &authzDN ); + rc = slap_sasl_authorized( conn, &authcDN, &authzDN ); ch_free( authcDN.bv_val ); if ( rc != LDAP_SUCCESS ) { #ifdef NEW_LOGGING @@ -799,6 +771,13 @@ slap_sasl_authorize( } conn->c_sasl_dn = authzDN; +ok: + if (conn->c_sasl_bindop) { + Statslog( LDAP_DEBUG_STATS, + "conn=%lu op=%lu BIND authcid=\"%s\"\n", + conn->c_connid, conn->c_sasl_bindop->o_opid, + auth_identity, 0, 0); + } #ifdef NEW_LOGGING LDAP_LOG( TRANSPORT, ENTRY, @@ -861,7 +840,8 @@ slap_sasl_authorize( /* Convert the identities to DN's. If no authzid was given, client will be bound as the DN matching their username */ - rc = slap_sasl_getdn( conn, (char *)authcid, 0, realm, &authcDN, FLAG_GETDN_AUTHCID ); + rc = slap_sasl_getdn( conn, NULL, (char *)authcid, 0, realm, + &authcDN, SLAP_GETDN_AUTHCID ); if( rc != LDAP_SUCCESS ) { *errstr = ldap_err2string( rc ); return SASL_NOAUTHZ; @@ -877,17 +857,17 @@ slap_sasl_authorize( #endif conn->c_sasl_dn = authcDN; - *errstr = NULL; - return SASL_OK; + goto ok; } - rc = slap_sasl_getdn( conn, (char *)authzid, 0, realm, &authzDN, FLAG_GETDN_AUTHZID ); + rc = slap_sasl_getdn( conn, NULL, (char *)authzid, 0, realm, + &authzDN, SLAP_GETDN_AUTHZID ); if( rc != LDAP_SUCCESS ) { ch_free( authcDN.bv_val ); *errstr = ldap_err2string( rc ); return SASL_NOAUTHZ; } - rc = slap_sasl_authorized( &authcDN, &authzDN ); + rc = slap_sasl_authorized(conn, &authcDN, &authzDN ); ch_free( authcDN.bv_val ); if( rc ) { #ifdef NEW_LOGGING @@ -904,7 +884,9 @@ slap_sasl_authorize( ch_free( authzDN.bv_val ); return SASL_NOAUTHZ; } + conn->c_sasl_dn = authzDN; +ok: #ifdef NEW_LOGGING LDAP_LOG( TRANSPORT, RESULTS, "slap_sasl_authorize: conn %d authorization allowed\n", @@ -915,7 +897,13 @@ slap_sasl_authorize( (long) (conn ? conn->c_connid : -1), 0, 0 ); #endif - conn->c_sasl_dn = authzDN; + if (conn->c_sasl_bindop) { + Statslog( LDAP_DEBUG_STATS, + "conn=%lu op=%lu BIND authcid=\"%s\"\n", + conn->c_connid, conn->c_sasl_bindop->o_opid, + authcid, 0, 0); + } + *errstr = NULL; return SASL_OK; } @@ -958,7 +946,6 @@ slap_sasl_err2ldap( int saslerr ) } #endif - int slap_sasl_init( void ) { #ifdef HAVE_CYRUS_SASL @@ -968,11 +955,35 @@ int slap_sasl_init( void ) { SASL_CB_LIST_END, NULL, NULL } }; +#ifdef HAVE_SASL_VERSION +#define SASL_BUILD_VERSION ((SASL_VERSION_MAJOR << 24) |\ + (SASL_VERSION_MINOR << 16) | SASL_VERSION_STEP) + + sasl_version( NULL, &rc ); + if ( ((rc >> 16) != ((SASL_VERSION_MAJOR << 8)|SASL_VERSION_MINOR)) || + (rc & 0xffff) < SASL_VERSION_STEP) { + +#ifdef NEW_LOGGING + LDAP_LOG( TRANSPORT, INFO, + "slap_sasl_init: SASL version mismatch, got %x, wanted %x.\n", + rc, SASL_BUILD_VERSION, 0 ); +#else + Debug( LDAP_DEBUG_ANY, + "slap_sasl_init: SASL version mismatch, got %x, wanted %x.\n", + rc, SASL_BUILD_VERSION, 0 ); +#endif + return -1; + } +#endif + + /* SASL 2 does its own memory management internally */ +#if SASL_VERSION_MAJOR < 2 sasl_set_alloc( - ch_malloc, - ch_calloc, - ch_realloc, - ch_free ); + ber_memalloc, + ber_memcalloc, + ber_memrealloc, + ber_memfree ); +#endif sasl_set_mutex( ldap_pvt_sasl_mutex_new, @@ -981,6 +992,8 @@ int slap_sasl_init( void ) ldap_pvt_sasl_mutex_dispose ); #if SASL_VERSION_MAJOR >= 2 + generic_filter.f_desc = slap_schema.si_ad_objectClass; + sasl_auxprop_add_plugin( "slapd", slap_auxprop_init ); #endif /* should provide callbacks for logging */ @@ -994,6 +1007,10 @@ int slap_sasl_init( void ) Debug( LDAP_DEBUG_ANY, "sasl_server_init failed\n", 0, 0, 0 ); #endif +#if SASL_VERSION_MAJOR < 2 + /* A no-op used to make sure we linked with Cyrus 1.5 */ + sasl_client_auth( NULL, NULL, NULL, 0, NULL, NULL ); +#endif return -1; } @@ -1045,10 +1062,20 @@ int slap_sasl_open( Connection *conn ) session_callbacks = #if SASL_VERSION_MAJOR >= 2 - ch_calloc( 5, sizeof(sasl_callback_t)); + SLAP_CALLOC( 5, sizeof(sasl_callback_t)); +#else + SLAP_CALLOC( 3, sizeof(sasl_callback_t)); +#endif + if( session_callbacks == NULL ) { +#ifdef NEW_LOGGING + LDAP_LOG( TRANSPORT, ERR, + "slap_sasl_open: SLAP_MALLOC failed", 0, 0, 0 ); #else - ch_calloc( 3, sizeof(sasl_callback_t)); + Debug( LDAP_DEBUG_ANY, + "slap_sasl_open: SLAP_MALLOC failed", 0, 0, 0 ); #endif + return -1; + } conn->c_sasl_extra = session_callbacks; session_callbacks[cb=0].id = SASL_CB_LOG; @@ -1107,7 +1134,7 @@ int slap_sasl_open( Connection *conn ) } } sc = sasl_server_new( "ldap", global_host, global_realm, - iplocalport, ipremoteport, session_callbacks, 0, &ctx ); + iplocalport, ipremoteport, session_callbacks, SASL_SUCCESS_DATA, &ctx ); if ( iplocalport != NULL ) { ch_free( iplocalport ); } @@ -1244,7 +1271,7 @@ char ** slap_sasl_mechs( Connection *conn ) return NULL; } - mechs = str2charray( mechstr, "," ); + mechs = ldap_str2charray( mechstr, "," ); #if SASL_VERSION_MAJOR < 2 ch_free( mechstr ); @@ -1273,44 +1300,35 @@ int slap_sasl_close( Connection *conn ) return LDAP_SUCCESS; } -int slap_sasl_bind( - Connection *conn, - Operation *op, - struct berval *dn, - struct berval *ndn, - struct berval *cred, - struct berval *edn, - slap_ssf_t *ssfp ) +int slap_sasl_bind( Operation *op, SlapReply *rs ) { - int rc = 1; - #ifdef HAVE_CYRUS_SASL - sasl_conn_t *ctx = conn->c_sasl_context; + sasl_conn_t *ctx = op->o_conn->c_sasl_context; struct berval response; unsigned reslen = 0; - const char *errstr = NULL; int sc; #ifdef NEW_LOGGING LDAP_LOG( TRANSPORT, ENTRY, "sasl_bind: dn=\"%s\" mech=%s datalen=%ld\n", - dn->bv_len ? dn->bv_val : "", - conn->c_sasl_bind_in_progress ? "" : - conn->c_sasl_bind_mech.bv_val, - cred ? cred->bv_len : 0 ); + op->o_req_dn.bv_len ? op->o_req_dn.bv_val : "", + op->o_conn->c_sasl_bind_in_progress ? "" : + op->o_conn->c_sasl_bind_mech.bv_val, + op->orb_cred.bv_len ); #else Debug(LDAP_DEBUG_ARGS, "==> sasl_bind: dn=\"%s\" mech=%s datalen=%ld\n", - dn->bv_len ? dn->bv_val : "", - conn->c_sasl_bind_in_progress ? "":conn->c_sasl_bind_mech.bv_val, - cred ? cred->bv_len : 0 ); + op->o_req_dn.bv_len ? op->o_req_dn.bv_val : "", + op->o_conn->c_sasl_bind_in_progress ? "" : + op->o_conn->c_sasl_bind_mech.bv_val, + op->orb_cred.bv_len ); #endif if( ctx == NULL ) { - send_ldap_result( conn, op, LDAP_UNAVAILABLE, - NULL, "SASL unavailable on this session", NULL, NULL ); - return rc; + send_ldap_error( op, rs, LDAP_UNAVAILABLE, + "SASL unavailable on this session" ); + return rs->sr_err; } #if SASL_VERSION_MAJOR >= 2 @@ -1325,17 +1343,16 @@ int slap_sasl_bind( sasl_server_step( ctx, cred, clen, resp, rlen, err ) #endif - if ( !conn->c_sasl_bind_in_progress ) { + if ( !op->o_conn->c_sasl_bind_in_progress ) { sc = START( ctx, - conn->c_sasl_bind_mech.bv_val, - cred->bv_len ? cred->bv_val : "", - cred->bv_len, - (SASL_CONST char **)&response.bv_val, &reslen, &errstr ); + op->o_conn->c_sasl_bind_mech.bv_val, + op->orb_cred.bv_val, op->orb_cred.bv_len, + (SASL_CONST char **)&response.bv_val, &reslen, &rs->sr_text ); } else { sc = STEP( ctx, - cred->bv_val, cred->bv_len, - (SASL_CONST char **)&response.bv_val, &reslen, &errstr ); + op->orb_cred.bv_val, op->orb_cred.bv_len, + (SASL_CONST char **)&response.bv_val, &reslen, &rs->sr_text ); } response.bv_len = reslen; @@ -1343,35 +1360,35 @@ int slap_sasl_bind( if ( sc == SASL_OK ) { sasl_ssf_t *ssf = NULL; - *edn = conn->c_sasl_dn; - conn->c_sasl_dn.bv_val = NULL; - conn->c_sasl_dn.bv_len = 0; + op->orb_edn = op->o_conn->c_sasl_dn; + op->o_conn->c_sasl_dn.bv_val = NULL; + op->o_conn->c_sasl_dn.bv_len = 0; - rc = LDAP_SUCCESS; + rs->sr_err = LDAP_SUCCESS; (void) sasl_getprop( ctx, SASL_SSF, (void *)&ssf ); - *ssfp = ssf ? *ssf : 0; + op->orb_ssf = ssf ? *ssf : 0; - if( *ssfp ) { - ldap_pvt_thread_mutex_lock( &conn->c_mutex ); - conn->c_sasl_layers++; - ldap_pvt_thread_mutex_unlock( &conn->c_mutex ); + if( op->orb_ssf ) { + ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex ); + op->o_conn->c_sasl_layers++; + ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex ); } - send_ldap_sasl( conn, op, rc, - NULL, NULL, NULL, NULL, - response.bv_len ? &response : NULL ); + if (response.bv_len) rs->sr_sasldata = &response; + send_ldap_sasl( op, rs ); } else if ( sc == SASL_CONTINUE ) { - send_ldap_sasl( conn, op, rc = LDAP_SASL_BIND_IN_PROGRESS, - NULL, NULL, NULL, NULL, &response ); + rs->sr_err = LDAP_SASL_BIND_IN_PROGRESS, + rs->sr_sasldata = &response; + send_ldap_sasl( op, rs ); } else { #if SASL_VERSION_MAJOR >= 2 - errstr = sasl_errdetail( ctx ); + rs->sr_text = sasl_errdetail( ctx ); #endif - send_ldap_result( conn, op, rc = slap_sasl_err2ldap( sc ), - NULL, errstr, NULL, NULL ); + rs->sr_err = slap_sasl_err2ldap( sc ), + send_ldap_result( op, rs ); } #if SASL_VERSION_MAJOR < 2 @@ -1381,18 +1398,18 @@ int slap_sasl_bind( #endif #ifdef NEW_LOGGING - LDAP_LOG( TRANSPORT, RESULTS, "slap_sasl_bind: rc=%d\n", rc, 0, 0 ); + LDAP_LOG( TRANSPORT, RESULTS, "slap_sasl_bind: rc=%d\n", rs->sr_err, 0, 0 ); #else - Debug(LDAP_DEBUG_TRACE, "<== slap_sasl_bind: rc=%d\n", rc, 0, 0); + Debug(LDAP_DEBUG_TRACE, "<== slap_sasl_bind: rc=%d\n", rs->sr_err, 0, 0); #endif #else - send_ldap_result( conn, op, rc = LDAP_UNAVAILABLE, - NULL, "SASL not supported", NULL, NULL ); + send_ldap_error( op, rs, LDAP_UNAVAILABLE, + "SASL not supported" ); #endif - return rc; + return rs->sr_err; } char* slap_sasl_secprops( const char *in ) @@ -1408,30 +1425,20 @@ char* slap_sasl_secprops( const char *in ) #ifdef HAVE_CYRUS_SASL int -slap_sasl_setpass( - Connection *conn, - Operation *op, - const char *reqoid, - struct berval *reqdata, - char **rspoid, - struct berval **rspdata, - LDAPControl *** rspctrls, - const char **text ) +slap_sasl_setpass( Operation *op, SlapReply *rs ) { - int rc; struct berval id = { 0, NULL }; /* needs to come from connection */ struct berval new = { 0, NULL }; struct berval old = { 0, NULL }; - assert( reqoid != NULL ); - assert( strcmp( LDAP_EXOP_MODIFY_PASSWD, reqoid ) == 0 ); + assert( ber_bvcmp( &slap_EXOP_MODIFY_PASSWD, &op->ore_reqoid ) == 0 ); - rc = sasl_getprop( conn->c_sasl_context, SASL_USERNAME, + rs->sr_err = sasl_getprop( op->o_conn->c_sasl_context, SASL_USERNAME, (SASL_CONST void **)&id.bv_val ); - if( rc != SASL_OK ) { - *text = "unable to retrieve SASL username"; - rc = LDAP_OTHER; + if( rs->sr_err != SASL_OK ) { + rs->sr_text = "unable to retrieve SASL username"; + rs->sr_err = LDAP_OTHER; goto done; } @@ -1444,10 +1451,10 @@ slap_sasl_setpass( id.bv_val ? id.bv_val : "", 0, 0 ); #endif - rc = slap_passwd_parse( reqdata, - NULL, &old, &new, text ); + rs->sr_err = slap_passwd_parse( op->ore_reqdata, + NULL, &old, &new, &rs->sr_text ); - if( rc != LDAP_SUCCESS ) { + if( rs->sr_err != LDAP_SUCCESS ) { goto done; } @@ -1455,27 +1462,27 @@ slap_sasl_setpass( slap_passwd_generate(&new); if( new.bv_len == 0 ) { - *text = "password generation failed."; - rc = LDAP_OTHER; + rs->sr_text = "password generation failed."; + rs->sr_err = LDAP_OTHER; goto done; } - *rspdata = slap_passwd_return( &new ); + rs->sr_rspdata = slap_passwd_return( &new ); } #if SASL_VERSION_MAJOR < 2 - rc = sasl_setpass( conn->c_sasl_context, - id.bv_val, new.bv_val, new.bv_len, 0, text ); + rs->sr_err = sasl_setpass( op->o_conn->c_sasl_context, + id.bv_val, new.bv_val, new.bv_len, 0, &rs->sr_text ); #else - rc = sasl_setpass( conn->c_sasl_context, id.bv_val, + rs->sr_err = sasl_setpass( op->o_conn->c_sasl_context, id.bv_val, new.bv_val, new.bv_len, old.bv_val, old.bv_len, 0 ); - if( rc != SASL_OK ) { - *text = sasl_errdetail( conn->c_sasl_context ); + if( rs->sr_err != SASL_OK ) { + rs->sr_text = sasl_errdetail( op->o_conn->c_sasl_context ); } #endif - switch(rc) { + switch(rs->sr_err) { case SASL_OK: - rc = LDAP_SUCCESS; + rs->sr_err = LDAP_SUCCESS; break; case SASL_NOCHANGE: @@ -1485,10 +1492,198 @@ slap_sasl_setpass( case SASL_FAIL: case SASL_BADPARAM: default: - rc = LDAP_OTHER; + rs->sr_err = LDAP_OTHER; } done: - return rc; + return rs->sr_err; } +#endif /* HAVE_CYRUS_SASL */ + +/* Take any sort of identity string and return a DN with the "dn:" prefix. The + string returned in *dn is in its own allocated memory, and must be free'd + by the calling process. + -Mark Adamson, Carnegie Mellon + + The "dn:" prefix is no longer used anywhere inside slapd. It is only used + on strings passed in directly from SASL. + -Howard Chu, Symas Corp. +*/ + +#define SET_NONE 0 +#define SET_DN 1 +#define SET_U 2 + +static struct berval ext_bv = BER_BVC( "EXTERNAL" ); + +int slap_sasl_getdn( Connection *conn, Operation *op, char *id, int len, + char *user_realm, struct berval *dn, int flags ) +{ + char *c1; + int rc, is_dn = SET_NONE, do_norm = 1; + struct berval dn2; + +#ifdef NEW_LOGGING + LDAP_LOG( TRANSPORT, ENTRY, + "slap_sasl_getdn: conn %d id=%s [len=%d]\n", + conn ? conn->c_connid : -1, id ? (*id ? id : "") : "NULL", len ); +#else + Debug( LDAP_DEBUG_ARGS, "slap_sasl_getdn: id=%s [len=%d]\n", + id ? ( *id ? id : "" ) : "NULL", len, 0 ); +#endif + + if ( !op ) { + op = conn->c_sasl_bindop; + } + + dn->bv_val = NULL; + dn->bv_len = 0; + + if ( id ) { + if ( len == 0 ) len = strlen( id ); + + /* Blatantly anonymous ID */ + if ( len == sizeof("anonymous") - 1 && + !strcasecmp( id, "anonymous" ) ) { + return( LDAP_SUCCESS ); + } + } else { + len = 0; + } + + /* An authcID needs to be converted to authzID form. Set the + * values directly into *dn; they will be normalized later. (and + * normalizing always makes a new copy.) An ID from a TLS certificate + * is already normalized, so copy it and skip normalization. + */ + if( flags & SLAP_GETDN_AUTHCID ) { + if( conn->c_sasl_bind_mech.bv_len == ext_bv.bv_len && + strcasecmp( ext_bv.bv_val, conn->c_sasl_bind_mech.bv_val ) == 0 ) + { + /* EXTERNAL DNs are already normalized */ + do_norm = 0; + is_dn = SET_DN; + ber_str2bv_x( id, len, 1, dn, op->o_tmpmemctx ); + + } else { + /* convert to u: form */ + is_dn = SET_U; + dn->bv_val = id; + dn->bv_len = len; + } + } + if( is_dn == SET_NONE ) { + if( !strncasecmp( id, "u:", sizeof("u:")-1 )) { + is_dn = SET_U; + dn->bv_val = id+2; + dn->bv_len = len-2; + } else if ( !strncasecmp( id, "dn:", sizeof("dn:")-1) ) { + is_dn = SET_DN; + dn->bv_val = id+3; + dn->bv_len = len-3; + } + } + + /* No other possibilities from here */ + if( is_dn == SET_NONE ) { + dn->bv_val = NULL; + dn->bv_len = 0; + return( LDAP_INAPPROPRIATE_AUTH ); + } + + /* Username strings */ + if( is_dn == SET_U ) { + char *p, *realm; + len = dn->bv_len + sizeof("uid=")-1 + sizeof(",cn=auth")-1; + + /* username may have embedded realm name */ + if( ( realm = strchr( dn->bv_val, '@') ) ) { + *realm++ = '\0'; + len += sizeof(",cn=")-2; + } else if( user_realm && *user_realm ) { + len += strlen( user_realm ) + sizeof(",cn=")-1; + } + + if( conn->c_sasl_bind_mech.bv_len ) { + len += conn->c_sasl_bind_mech.bv_len + sizeof(",cn=")-1; + } + + /* Build the new dn */ + c1 = dn->bv_val; + dn->bv_val = sl_malloc( len+1, op->o_tmpmemctx ); + if( dn->bv_val == NULL ) { +#ifdef NEW_LOGGING + LDAP_LOG( TRANSPORT, ERR, + "slap_sasl_getdn: SLAP_MALLOC failed", 0, 0, 0 ); +#else + Debug( LDAP_DEBUG_ANY, + "slap_sasl_getdn: SLAP_MALLOC failed", 0, 0, 0 ); #endif + return LDAP_OTHER; + } + p = lutil_strcopy( dn->bv_val, "uid=" ); + p = lutil_strncopy( p, c1, dn->bv_len ); + + if( realm ) { + int rlen = dn->bv_len - ( realm - c1 ); + p = lutil_strcopy( p, ",cn=" ); + p = lutil_strncopy( p, realm, rlen ); + realm[-1] = '@'; + } else if( user_realm && *user_realm ) { + p = lutil_strcopy( p, ",cn=" ); + p = lutil_strcopy( p, user_realm ); + } + + if( conn->c_sasl_bind_mech.bv_len ) { + p = lutil_strcopy( p, ",cn=" ); + p = lutil_strcopy( p, conn->c_sasl_bind_mech.bv_val ); + } + p = lutil_strcopy( p, ",cn=auth" ); + dn->bv_len = p - dn->bv_val; + +#ifdef NEW_LOGGING + LDAP_LOG( TRANSPORT, ENTRY, + "slap_sasl_getdn: u:id converted to %s.\n", dn->bv_val, 0, 0 ); +#else + Debug( LDAP_DEBUG_TRACE, "getdn: u:id converted to %s\n", dn->bv_val,0,0 ); +#endif + } else { + + /* Dup the DN in any case, so we don't risk + * leaks or dangling pointers later, + * and the DN value is '\0' terminated */ + ber_dupbv_x( &dn2, dn, op->o_tmpmemctx ); + dn->bv_val = dn2.bv_val; + } + + /* All strings are in DN form now. Normalize if needed. */ + if ( do_norm ) { + rc = dnNormalize2( NULL, dn, &dn2, op->o_tmpmemctx ); + + /* User DNs were constructed above and must be freed now */ + sl_free( dn->bv_val, op->o_tmpmemctx ); + + if ( rc != LDAP_SUCCESS ) { + dn->bv_val = NULL; + dn->bv_len = 0; + return rc; + } + *dn = dn2; + } + + /* Run thru regexp */ + slap_sasl2dn( op, dn, &dn2 ); + if( dn2.bv_val ) { + sl_free( dn->bv_val, op->o_tmpmemctx ); + *dn = dn2; +#ifdef NEW_LOGGING + LDAP_LOG( TRANSPORT, ENTRY, + "slap_sasl_getdn: dn:id converted to %s.\n", dn->bv_val, 0, 0 ); +#else + Debug( LDAP_DEBUG_TRACE, "getdn: dn:id converted to %s\n", + dn->bv_val, 0, 0 ); +#endif + } + + return( LDAP_SUCCESS ); +}