X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fsasl.c;h=a5f9d6718f6a3de5b39074b3c3faf540a4af6e62;hb=d520cd607d452fe4809d86f37b299ee7665d0f12;hp=557fa439b340833e827b4bf23966b16cc56c9c68;hpb=fda3d6260e25f1d0b9c035b0d520b2c9d0f22e49;p=openldap
diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c
index 557fa439b3..a5f9d6718f 100644
--- a/servers/slapd/sasl.c
+++ b/servers/slapd/sasl.c
@@ -1,7 +1,7 @@
 /* $OpenLDAP$ */
 /* This work is part of OpenLDAP Software .
 *
- * Copyright 1998-2004 The OpenLDAP Foundation.
+ * Copyright 1998-2005 The OpenLDAP Foundation.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@@ -116,7 +116,7 @@ int slap_sasl_config( int cargc, char **cargv, char *line,
 return( 1 );
 }
 
- if ( SLAPD_GLOBAL(host) != NULL ) {
+ if ( global_host != NULL ) {
 Debug( LDAP_DEBUG_ANY,
 "%s: line %d: already set sasl-host!\n",
 fname, lineno, 0 );
@@ -124,7 +124,7 @@ int slap_sasl_config( int cargc, char **cargv, char *line,
 return 1;
 
 } else {
- SLAPD_GLOBAL(host) = ch_strdup( cargv[1] );
+ global_host = ch_strdup( cargv[1] );
 }
 
 /* set SASL realm */
@@ -137,7 +137,7 @@ int slap_sasl_config( int cargc, char **cargv, char *line,
 return( 1 );
 }
 
- if ( SLAPD_GLOBAL(realm) != NULL ) {
+ if ( global_realm != NULL ) {
 Debug( LDAP_DEBUG_ANY,
 "%s: line %d: already set sasl-realm!\n",
 fname, lineno, 0 );
@@ -145,7 +145,7 @@ int slap_sasl_config( int cargc, char **cargv, char *line,
 return 1;
 
 } else {
- SLAPD_GLOBAL(realm) = ch_strdup( cargv[1] );
+ global_realm = ch_strdup( cargv[1] );
 }
 
 /* SASL security properties */
@@ -398,18 +398,13 @@ slap_auxprop_lookup(
 
 if ( op.o_bd && op.o_bd->be_search ) {
 SlapReply rs = {REP_RESULT};
+ op.o_hdr = conn->c_sasl_bindop->o_hdr;
 op.o_tag = LDAP_REQ_SEARCH;
- op.o_protocol = LDAP_VERSION3;
 op.o_ndn = conn->c_ndn;
 op.o_callback = &cb;
 op.o_time = slap_get_time();
 op.o_do_not_cache = 1;
 op.o_is_auth_check = 1;
- op.o_threadctx = conn->c_sasl_bindop->o_threadctx;
- op.o_tmpmemctx = conn->c_sasl_bindop->o_tmpmemctx;
- op.o_tmpmfuncs = conn->c_sasl_bindop->o_tmpmfuncs;
- op.o_conn = conn;
- op.o_connid = conn->c_connid;
 op.o_req_dn = op.o_req_ndn;
 op.ors_scope = LDAP_SCOPE_BASE;
 op.ors_deref = LDAP_DEREF_NEVER;
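Review bot: The new `op.o_hdr = conn->c_sasl_bindop->o_hdr;` line stands in for the five removed per-field copies (o_threadctx, o_tmpmemctx, o_tmpmfuncs, o_conn, o_connid) and for the dropped `op.o_protocol = LDAP_VERSION3;`, presumably because all of those now live in the shared header, but nothing in the new code says so and a reader will wonder why the connection and protocol are never set on this operation. A one-line comment would settle it: `/* share the bind op's header: conn, connid, thread/tmp memory ctx, protocol */`. Note also that `conn->c_sasl_bindop` is still dereferenced without a check; that was already the case before this change, so it only matters if the lookup can run outside a SASL bind, which the hunk does not show. slap_auxprop_lookup begins and ends outside the hunk.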
@@ -496,33 +491,33 @@ slap_auxprop_store(
 }
 *modtail = NULL;
 
- rc = slap_mods_check( modlist, 0, &text, textbuf, textlen, NULL );
+ rc = slap_mods_check( modlist, &text, textbuf, textlen, NULL );
 
 if ( rc == LDAP_SUCCESS ) {
- rc = slap_mods_opattrs( &op, modlist, modtail, &text, textbuf,
- textlen, 1 );
- }
-
- if ( rc == LDAP_SUCCESS ) {
- op.o_tag = LDAP_REQ_MODIFY;
- op.o_protocol = LDAP_VERSION3;
- op.o_ndn = op.o_req_ndn;
- op.o_callback = &cb;
- op.o_time = slap_get_time();
- op.o_do_not_cache = 1;
- op.o_is_auth_check = 1;
- op.o_threadctx = conn->c_sasl_bindop->o_threadctx;
- op.o_tmpmemctx = conn->c_sasl_bindop->o_tmpmemctx;
- op.o_tmpmfuncs = conn->c_sasl_bindop->o_tmpmfuncs;
- op.o_conn = conn;
- op.o_connid = conn->c_connid;
- op.o_req_dn = op.o_req_ndn;
- op.orm_modlist = modlist;
-
- rc = op.o_bd->be_modify( &op, &rs );
+ rc = slap_mods_no_update_check( modlist, &text,
+ textbuf, textlen );
+
+ if ( rc == LDAP_SUCCESS ) {
+ rc = slap_mods_opattrs( &op, modlist, modtail,
+ &text, textbuf, textlen, 1 );
+
+ if ( rc == LDAP_SUCCESS ) {
+ op.o_hdr = conn->c_sasl_bindop->o_hdr;
+ op.o_tag = LDAP_REQ_MODIFY;
+ op.o_ndn = op.o_req_ndn;
+ op.o_callback = &cb;
+ op.o_time = slap_get_time();
+ op.o_do_not_cache = 1;
+ op.o_is_auth_check = 1;
+ op.o_req_dn = op.o_req_ndn;
+ op.orm_modlist = modlist;
+
+ rc = op.o_bd->be_modify( &op, &rs );
+ }
+ }
 }
 slap_mods_free( modlist );
- return rc ? SASL_FAIL : SASL_OK;
+ return rc != LDAP_SUCCESS ? SASL_FAIL : SASL_OK;
 }
 
 #endif /* SASL_VERSION_FULL >= 2.1.16 */
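Review bot: When `slap_mods_check`, the new `slap_mods_no_update_check` or `slap_mods_opattrs` returns something other than LDAP_SUCCESS, the diagnostic they leave in `text` is discarded and the caller sees only `SASL_FAIL` from the rewritten return line, so a rejected auxprop store leaves nothing in the log that explains why. A trace-level message before `slap_mods_free( modlist );` would make these failures diagnosable, e.g. `if ( rc != LDAP_SUCCESS ) Debug( LDAP_DEBUG_TRACE, "slap_auxprop_store: failed (%d): %s\n", rc, text ? text : "", 0 );`. The three-deep nesting of `if ( rc == LDAP_SUCCESS )` could also be flattened into a fall-through chain, since every step ends at the same cleanup on failure. The declaration of `text` and the start of slap_auxprop_store are outside the hunk, so the NULL guard above assumes `text` is initialized there.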
@@ -908,10 +903,9 @@ int slap_sasl_init( void )
 char version[sizeof("xxx.xxx.xxxxx")];
 sprintf( version, "%u.%d.%d", (unsigned)rc >> 24, (rc >> 16) & 0xff,
 rc & 0xffff );
- Debug( LDAP_DEBUG_ANY,
- "slap_sasl_init: SASL library version mismatch:"
- " expected " SASL_VERSION_STRING ","
- " got %s\n", version, 0, 0 );
+ Debug( LDAP_DEBUG_ANY, "slap_sasl_init: SASL library version mismatch:"
+ " expected " SASL_VERSION_STRING ","
+ " got %s\n", version, 0, 0 );
 return -1;
 }
 #endif
@@ -934,14 +928,19 @@ int slap_sasl_init( void )
 #if SASL_VERSION_MAJOR >= 2
 generic_filter.f_desc = slap_schema.si_ad_objectClass;
 
- sasl_auxprop_add_plugin( "slapd", slap_auxprop_init );
+ rc = sasl_auxprop_add_plugin( "slapd", slap_auxprop_init );
+ if( rc != SASL_OK ) {
+ Debug( LDAP_DEBUG_ANY, "slap_sasl_init: auxprop add plugin failed\n",
+ 0, 0, 0 );
+ return -1;
+ }
 #endif
 /* should provide callbacks for logging */
 /* server name should be configurable */
 rc = sasl_server_init( server_callbacks, "slapd" );
 
 if( rc != SASL_OK ) {
- Debug( LDAP_DEBUG_ANY, "sasl_server_init failed\n",
+ Debug( LDAP_DEBUG_ANY, "slap_sasl_init: server init failed\n",
 0, 0, 0 );
 #if SASL_VERSION_MAJOR < 2
 /* A no-op used to make sure we linked with Cyrus 1.5 */
@@ -969,8 +968,8 @@ int slap_sasl_destroy( void )
 #ifdef HAVE_CYRUS_SASL
 sasl_done();
 #endif
- free( SLAPD_GLOBAL(host) );
- SLAPD_GLOBAL(host) = NULL;
+ free( global_host );
+ global_host = NULL;
 
 return 0;
 }
@@ -1029,8 +1028,8 @@ int slap_sasl_open( Connection *conn, int reopen )
 
 conn->c_sasl_layers = 0;
 
- if( SLAPD_GLOBAL(host) == NULL ) {
- SLAPD_GLOBAL(host) = ldap_pvt_get_fqdn( NULL );
+ if( global_host == NULL ) {
+ global_host = ldap_pvt_get_fqdn( NULL );
 }
 
 /* create new SASL context */
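Review bot: The two error paths in the sasl_auxprop_add_plugin / sasl_server_init hunk log a fixed string and drop the SASL result code that is sitting in `rc`, so an operator who sees `slap_sasl_init: auxprop add plugin failed` has no way to tell which SASL error occurred without a debugger. Since `rc` is already in hand, log it: `Debug( LDAP_DEBUG_ANY, "slap_sasl_init: auxprop add plugin failed (%d)\n", rc, 0, 0 );` and, in the same way, `"slap_sasl_init: server init failed (%d)\n", rc, 0, 0`. The new early `return -1;` after the auxprop failure matches the version-mismatch path earlier in this function, which is good; checking the plugin registration at all is the real improvement here. slap_sasl_init continues outside the hunk.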
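Review bot: slap_sasl_destroy frees and clears `global_host` but not `global_realm`, which the config hunk at the top of this diff allocates with `ch_strdup` in exactly the same way; this is a pre-existing omission that the rename carries forward, and the fix is two lines beside the host ones: `free( global_realm );` `global_realm = NULL;`. A second point the hunk cannot settle: `global_host` may come either from `ch_strdup` (config hunk) or from `ldap_pvt_get_fqdn( NULL )` (the slap_sasl_open hunk below), yet it is released with plain `free()` while this file uses `ch_free()` for its own allocations (for example iplocalport in the next hunk); if either allocator is not the plain malloc family this is a mismatch worth confirming.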
@@ -1061,7 +1060,7 @@ int slap_sasl_open( Connection *conn, int reopen )
 *p = ';';
 }
 }
- sc = sasl_server_new( "ldap", SLAPD_GLOBAL(host), SLAPD_GLOBAL(realm),
+ sc = sasl_server_new( "ldap", global_host, global_realm,
 iplocalport, ipremoteport, session_callbacks, SASL_SUCCESS_DATA, &ctx );
 if ( iplocalport != NULL ) {
 ch_free( iplocalport );
@@ -1070,7 +1069,7 @@ int slap_sasl_open( Connection *conn, int reopen )
 ch_free( ipremoteport );
 }
 #else
- sc = sasl_server_new( "ldap", SLAPD_GLOBAL(host), SLAPD_GLOBAL(realm),
+ sc = sasl_server_new( "ldap", global_host, global_realm,
 session_callbacks, SASL_SECURITY_LAYER, &ctx );
 #endif
 
@@ -1606,44 +1605,63 @@ int slap_sasl_getdn( Connection *conn, Operation *op, struct berval *id, /* Username strings */ if( is_dn == SET_U ) { - char *p; - struct berval realm = BER_BVNULL, c1 = *dn; - ber_len_t len; - - len = dn->bv_len + STRLENOF( "uid=" ) + STRLENOF( ",cn=auth" ); - - if( user_realm && *user_realm ) { - ber_str2bv( user_realm, 0, 0, &realm ); - len += realm.bv_len + STRLENOF( ",cn=" ); + /* ITS#3419: values may need escape */ + LDAPRDN DN[ 5 ]; + LDAPAVA *RDNs[ 4 ][ 2 ]; + LDAPAVA AVAs[ 4 ]; + int irdn; + + irdn = 0; + DN[ irdn ] = RDNs[ irdn ]; + RDNs[ irdn ][ 0 ] = &AVAs[ irdn ]; + AVAs[ irdn ].la_attr = slap_schema.si_ad_uid->ad_cname; + AVAs[ irdn ].la_value = *dn; + AVAs[ irdn ].la_flags = LDAP_AVA_NULL; + AVAs[ irdn ].la_private = NULL; + RDNs[ irdn ][ 1 ] = NULL; + + if ( user_realm && *user_realm ) { + irdn++; + DN[ irdn ] = RDNs[ irdn ]; + RDNs[ irdn ][ 0 ] = &AVAs[ irdn ]; + AVAs[ irdn ].la_attr = slap_schema.si_ad_cn->ad_cname; + ber_str2bv( user_realm, 0, 0, &AVAs[ irdn ].la_value ); + AVAs[ irdn ].la_flags = LDAP_AVA_NULL; + AVAs[ irdn ].la_private = NULL; + RDNs[ irdn ][ 1 ] = NULL; } - if( mech->bv_len ) { - len += mech->bv_len + STRLENOF( ",cn=" ); + if ( !BER_BVISNULL( mech ) ) { + irdn++; + DN[ irdn ] = RDNs[ irdn ]; + RDNs[ irdn ][ 0 ] = &AVAs[ irdn ]; + AVAs[ irdn ].la_attr = slap_schema.si_ad_cn->ad_cname; + AVAs[ irdn ].la_value = *mech; + AVAs[ irdn ].la_flags = LDAP_AVA_NULL; + AVAs[ irdn ].la_private = NULL; + RDNs[ irdn ][ 1 ] = NULL; } - /* Build the new dn */ - dn->bv_val = slap_sl_malloc( len + 1, op->o_tmpmemctx ); - if( dn->bv_val == NULL ) { - Debug( LDAP_DEBUG_ANY, - "slap_sasl_getdn: SLAP_MALLOC failed", 0, 0, 0 ); - return LDAP_OTHER; - } - p = lutil_strcopy( dn->bv_val, "uid=" ); - p = lutil_strncopy( p, c1.bv_val, c1.bv_len ); + irdn++; + DN[ irdn ] = RDNs[ irdn ]; + RDNs[ irdn ][ 0 ] = &AVAs[ irdn ]; + AVAs[ irdn ].la_attr = slap_schema.si_ad_cn->ad_cname; + BER_BVSTR( &AVAs[ irdn ].la_value, "auth" ); + 
AVAs[ irdn ].la_flags = LDAP_AVA_NULL; + AVAs[ irdn ].la_private = NULL; + RDNs[ irdn ][ 1 ] = NULL; - if( realm.bv_len ) { - p = lutil_strcopy( p, ",cn=" ); - p = lutil_strncopy( p, realm.bv_val, realm.bv_len ); - } + irdn++; + DN[ irdn ] = NULL; - if( mech->bv_len ) { - p = lutil_strcopy( p, ",cn=" ); - p = lutil_strcopy( p, mech->bv_val ); + rc = ldap_dn2bv_x( DN, dn, LDAP_DN_FORMAT_LDAPV3, op->o_tmpmemctx ); + if ( rc != LDAP_SUCCESS ) { + BER_BVZERO( dn ); + return rc; } - p = lutil_strcopy( p, ",cn=auth" ); - dn->bv_len = p - dn->bv_val; Debug( LDAP_DEBUG_TRACE, "slap_sasl_getdn: u:id converted to %s\n", dn->bv_val,0,0 ); + } else { /* Dup the DN in any case, so we don't risk