X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fsasl.c;h=484300bf6f36b8ce81345060d555cd2c57bc9b49;hb=4361a942abb69d6b3dbae637cddb4055080fe6fa;hp=394c0a087130104e7061f95d9e95aee1f71a6356;hpb=7dcb68f6fa4bcdb3fbd883d9149ec4c23713d1c9;p=openldap diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c index 394c0a0871..484300bf6f 100644 --- a/servers/slapd/sasl.c +++ b/servers/slapd/sasl.c @@ -1,7 +1,7 @@ /* $OpenLDAP$ */ /* This work is part of OpenLDAP Software . * - * Copyright 1998-2005 The OpenLDAP Foundation. + * Copyright 1998-2006 The OpenLDAP Foundation. * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -150,10 +150,10 @@ static const char *slap_propnames[] = { static Filter generic_filter = { LDAP_FILTER_PRESENT, { 0 }, NULL }; static struct berval generic_filterstr = BER_BVC("(objectclass=*)"); -#define PROP_CONN 0 -#define PROP_AUTHC 1 -#define PROP_AUTHZ 2 -#define PROP_COUNT 3 /* Number of properties we used */ +#define SLAP_SASL_PROP_CONN 0 +#define SLAP_SASL_PROP_AUTHC 1 +#define SLAP_SASL_PROP_AUTHZ 2 +#define SLAP_SASL_PROP_COUNT 3 /* Number of properties we used */ typedef struct lookup_info { int flags; @@ -173,8 +173,7 @@ sasl_ap_lookup( Operation *op, SlapReply *rs ) Attribute *a; const char *text; int rc, i; - slap_callback *tmp = op->o_callback; - lookup_info *sl = tmp->sc_private; + lookup_info *sl = (lookup_info *)op->o_callback->sc_private; if (rs->sr_type != REP_SEARCH) return 0; @@ -185,7 +184,7 @@ sasl_ap_lookup( Operation *op, SlapReply *rs ) if ( sl->flags & SASL_AUXPROP_AUTHZID ) continue; /* Skip our private properties */ if ( !strcmp( name, slap_propnames[0] )) { - i += PROP_COUNT-1; + i += SLAP_SASL_PROP_COUNT - 1; continue; } name++; @@ -222,9 +221,9 @@ sasl_ap_lookup( Operation *op, SlapReply *rs ) for ( bv = a->a_vals; bv->bv_val; bv++ ) { /* ITS#3846 don't give hashed passwords to SASL */ if ( ad == slap_schema.si_ad_userPassword && - bv->bv_val[0] == '{' ) { - rc = lutil_passwd_scheme( bv->bv_val ); - if ( rc ) { + bv->bv_val[0] == '{' /*}*/ ) + { + if ( lutil_passwd_scheme( bv->bv_val ) ) { /* If it's not a recognized scheme, just assume it's * a cleartext password that happened to include brackets. * @@ -234,11 +233,10 @@ sasl_ap_lookup( Operation *op, SlapReply *rs ) * past the scheme name, skip this value. */ #ifdef SLAPD_CLEARTEXT - if ( !strncasecmp( bv->bv_val, sc_cleartext.bv_val, - sc_cleartext.bv_len )) { + if ( !ber_bvstrcasecmp( bv, &sc_cleartext ) ) { struct berval cbv; cbv.bv_len = bv->bv_len - sc_cleartext.bv_len; - if ( cbv.bv_len ) { + if ( cbv.bv_len > 0 ) { cbv.bv_val = bv->bv_val + sc_cleartext.bv_len; sl->sparams->utils->prop_set( sl->sparams->propctx, sl->list[i].name, cbv.bv_val, cbv.bv_len ); @@ -275,19 +273,19 @@ slap_auxprop_lookup( /* Find our DN and conn first */ for( i = 0; sl.list[i].name; i++ ) { if ( sl.list[i].name[0] == '*' ) { - if ( !strcmp( sl.list[i].name, slap_propnames[PROP_CONN] ) ) { + if ( !strcmp( sl.list[i].name, slap_propnames[SLAP_SASL_PROP_CONN] ) ) { if ( sl.list[i].values && sl.list[i].values[0] ) AC_MEMCPY( &conn, sl.list[i].values[0], sizeof( conn ) ); continue; } if ( (flags & SASL_AUXPROP_AUTHZID) && - !strcmp( sl.list[i].name, slap_propnames[PROP_AUTHZ] ) ) { + !strcmp( sl.list[i].name, slap_propnames[SLAP_SASL_PROP_AUTHZ] ) ) { if ( sl.list[i].values && sl.list[i].values[0] ) AC_MEMCPY( &op.o_req_ndn, sl.list[i].values[0], sizeof( struct berval ) ); break; } - if ( !strcmp( sl.list[i].name, slap_propnames[PROP_AUTHC] ) ) { + if ( !strcmp( sl.list[i].name, slap_propnames[SLAP_SASL_PROP_AUTHC] ) ) { if ( sl.list[i].values && sl.list[i].values[0] ) { AC_MEMCPY( &op.o_req_ndn, sl.list[i].values[0], sizeof( struct berval ) ); if ( !(flags & SASL_AUXPROP_AUTHZID) ) @@ -305,7 +303,7 @@ slap_auxprop_lookup( if ( flags & SASL_AUXPROP_AUTHZID ) continue; /* Skip our private properties */ if ( !strcmp( name, slap_propnames[0] )) { - i += PROP_COUNT-1; + i += SLAP_SASL_PROP_COUNT - 1; continue; } name++; @@ -372,6 +370,7 @@ slap_auxprop_lookup( SlapReply rs = {REP_RESULT}; op.o_hdr = conn->c_sasl_bindop->o_hdr; op.o_tag = LDAP_REQ_SEARCH; + op.o_dn = conn->c_ndn; op.o_ndn = conn->c_ndn; op.o_callback = &cb; slap_op_time( &op.o_time, &op.o_tincr ); @@ -423,12 +422,12 @@ slap_auxprop_store( /* Find our DN and conn first */ for( i = 0; pr[i].name; i++ ) { if ( pr[i].name[0] == '*' ) { - if ( !strcmp( pr[i].name, slap_propnames[PROP_CONN] ) ) { + if ( !strcmp( pr[i].name, slap_propnames[SLAP_SASL_PROP_CONN] ) ) { if ( pr[i].values && pr[i].values[0] ) AC_MEMCPY( &conn, pr[i].values[0], sizeof( conn ) ); continue; } - if ( !strcmp( pr[i].name, slap_propnames[PROP_AUTHC] ) ) { + if ( !strcmp( pr[i].name, slap_propnames[SLAP_SASL_PROP_AUTHC] ) ) { if ( pr[i].values && pr[i].values[0] ) { AC_MEMCPY( &op.o_req_ndn, pr[i].values[0], sizeof( struct berval ) ); } @@ -542,7 +541,7 @@ slap_sasl_canonicalize( { Connection *conn = (Connection *)context; struct propctx *props = sasl_auxprop_getctx( sconn ); - struct propval auxvals[3]; + struct propval auxvals[ SLAP_SASL_PROP_COUNT ] = { { 0 } }; struct berval dn; int rc, which; const char *names[2]; @@ -575,13 +574,13 @@ slap_sasl_canonicalize( prop_request( props, slap_propnames ); if ( flags & SASL_CU_AUTHID ) - which = PROP_AUTHC; + which = SLAP_SASL_PROP_AUTHC; else - which = PROP_AUTHZ; + which = SLAP_SASL_PROP_AUTHZ; /* Need to store the Connection for auxprop_lookup */ - if ( !auxvals[PROP_CONN].values ) { - names[0] = slap_propnames[PROP_CONN]; + if ( !auxvals[SLAP_SASL_PROP_CONN].values ) { + names[0] = slap_propnames[SLAP_SASL_PROP_CONN]; names[1] = NULL; prop_set( props, names[0], (char *)&conn, sizeof( conn ) ); } @@ -605,7 +604,7 @@ slap_sasl_canonicalize( * it does authzID before the authcID. If we see that authzID * has already been done, don't do anything special with authcID. */ - if ( flags == SASL_CU_AUTHID && !auxvals[PROP_AUTHZ].values ) { + if ( flags == SASL_CU_AUTHID && !auxvals[SLAP_SASL_PROP_AUTHZ].values ) { conn->c_sasl_dn.bv_val = (char *) in; } else if ( flags == SASL_CU_AUTHZID && conn->c_sasl_dn.bv_val ) { rc = strcmp( in, conn->c_sasl_dn.bv_val ); @@ -654,7 +653,11 @@ slap_sasl_authorize( struct propctx *props) { Connection *conn = (Connection *)context; - struct propval auxvals[3]; + /* actually: + * (SLAP_SASL_PROP_COUNT - 1) because we skip "conn", + * + 1 for NULL termination? + */ + struct propval auxvals[ SLAP_SASL_PROP_COUNT ] = { { 0 } }; struct berval authcDN, authzDN = BER_BVNULL; int rc; @@ -670,7 +673,7 @@ slap_sasl_authorize( BER_BVZERO( &conn->c_sasl_dn ); } - /* Skip PROP_CONN */ + /* Skip SLAP_SASL_PROP_CONN */ prop_getnames( props, slap_propnames+1, auxvals ); /* Should not happen */ @@ -833,6 +836,18 @@ slap_sasl_err2ldap( int saslerr ) { int rc; + /* map SASL errors to LDAP resultCode returned by: + * sasl_server_new() + * SASL_OK, SASL_NOMEM + * sasl_server_step() + * SASL_OK, SASL_CONTINUE, SASL_TRANS, SASL_BADPARAM, SASL_BADPROT, + * ... + * sasl_server_start() + * + SASL_NOMECH + * sasl_setprop() + * SASL_OK, SASL_BADPARAM + */ + switch (saslerr) { case SASL_OK: rc = LDAP_SUCCESS; @@ -841,8 +856,6 @@ slap_sasl_err2ldap( int saslerr ) rc = LDAP_SASL_BIND_IN_PROGRESS; break; case SASL_FAIL: - rc = LDAP_OTHER; - break; case SASL_NOMEM: rc = LDAP_OTHER; break; @@ -850,6 +863,9 @@ slap_sasl_err2ldap( int saslerr ) rc = LDAP_AUTH_METHOD_NOT_SUPPORTED; break; case SASL_BADAUTH: + case SASL_NOUSER: + case SASL_TRANS: + case SASL_EXPIRED: rc = LDAP_INVALID_CREDENTIALS; break; case SASL_NOAUTHZ: @@ -859,6 +875,13 @@ slap_sasl_err2ldap( int saslerr ) case SASL_ENCRYPT: rc = LDAP_INAPPROPRIATE_AUTH; break; + case SASL_UNAVAIL: + case SASL_TRYAGAIN: + rc = LDAP_UNAVAILABLE; + break; + case SASL_DISABLED: + rc = LDAP_UNWILLING_TO_PERFORM; + break; default: rc = LDAP_OTHER; break; @@ -1427,6 +1450,9 @@ int slap_sasl_bind( Operation *op, SlapReply *rs ) } } else if ( sc == SASL_CONTINUE ) { rs->sr_err = LDAP_SASL_BIND_IN_PROGRESS, +#if SASL_VERSION_MAJOR >= 2 + rs->sr_text = sasl_errdetail( ctx ); +#endif rs->sr_sasldata = &response; send_ldap_sasl( op, rs ); @@ -1439,9 +1465,7 @@ int slap_sasl_bind( Operation *op, SlapReply *rs ) } #if SASL_VERSION_MAJOR < 2 - if( response.bv_len ) { - ch_free( response.bv_val ); - } + if( response.bv_len ) ch_free( response.bv_val ); #endif Debug(LDAP_DEBUG_TRACE, "<== slap_sasl_bind: rc=%d\n", rs->sr_err, 0, 0);