X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fsasl.c;h=bf068e85c1d3b59f76cd296700deec480a8bf76e;hb=38383fca41d73745ea086c57946dfe2b8c7d7115;hp=a5f9d6718f6a3de5b39074b3c3faf540a4af6e62;hpb=dc0eacd40b625258355eea866d62188e5aa7ce3b;p=openldap
diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c
index a5f9d6718f..bf068e85c1 100644
--- a/servers/slapd/sasl.c
+++ b/servers/slapd/sasl.c
@@ -64,116 +64,6 @@ typedef struct sasl_ctx {
 
 static struct berval ext_bv = BER_BVC( "EXTERNAL" );
 
-int slap_sasl_config( int cargc, char **cargv, char *line,
- const char *fname, int lineno )
-{
- /* set SASL proxy authorization policy */
- if ( !strcasecmp( cargv[0], "authz-policy" ) ||
- !strcasecmp( cargv[0], "sasl-authz-policy" ))
- {
- if ( cargc != 2 ) {
- Debug( LDAP_DEBUG_ANY,
- "%s: line %d: missing policy in"
- " \"%s \" line\n",
- cargv[0], fname, lineno );
-
- return( 1 );
- }
- if ( slap_sasl_setpolicy( cargv[1] ) ) {
- Debug( LDAP_DEBUG_ANY, "%s: line %d: "
- "unable to parse value \"%s\" in \"authz-policy "
- "\" line.\n",
- fname, lineno, cargv[1] );
- return( 1 );
- }
-
- } else if ( !strcasecmp( cargv[0], "authz-regexp" ) ||
- !strcasecmp( cargv[0], "sasl-regexp" ) ||
- !strcasecmp( cargv[0], "saslregexp" ) )
- {
- int rc;
- if ( cargc != 3 ) {
- Debug( LDAP_DEBUG_ANY,
- "%s: line %d: need 2 args in "
- "\"authz-regexp \"\n",
- fname, lineno, 0 );
-
- return( 1 );
- }
- rc = slap_sasl_regexp_config( cargv[1], cargv[2] );
- if ( rc ) {
- return rc;
- }
-
-#ifdef HAVE_CYRUS_SASL
- /* set SASL host */
- } else if ( strcasecmp( cargv[0], "sasl-host" ) == 0 ) {
- if ( cargc < 2 ) {
- Debug( LDAP_DEBUG_ANY,
- "%s: line %d: missing host in \"sasl-host \" line\n",
- fname, lineno, 0 );
-
- return( 1 );
- }
-
- if ( global_host != NULL ) {
- Debug( LDAP_DEBUG_ANY,
- "%s: line %d: already set sasl-host!\n",
- fname, lineno, 0 );
-
- return 1;
-
- } else {
- global_host = ch_strdup( cargv[1] );
- }
-
- /* set SASL realm */
- } else if ( strcasecmp( cargv[0], "sasl-realm" ) == 0 ) {
- if ( cargc < 2 ) {
- Debug( LDAP_DEBUG_ANY, "%s: line %d: "
- "missing realm in \"sasl-realm \" line.\n",
- fname, lineno, 0 );
-
- return( 1 );
- }
-
- if ( global_realm != NULL ) {
- Debug( LDAP_DEBUG_ANY,
- "%s: line %d: already set sasl-realm!\n",
- fname, lineno, 0 );
-
- return 1;
-
- } else {
- global_realm = ch_strdup( cargv[1] );
- }
-
- /* SASL security properties */
- } else if ( strcasecmp( cargv[0], "sasl-secprops" ) == 0 ) {
- char *txt;
-
- if ( cargc < 2 ) {
- Debug( LDAP_DEBUG_ANY, "%s: line %d: "
- "missing flags in \"sasl-secprops \" line\n",
- fname, lineno, 0 );
-
- return 1;
- }
-
- txt = slap_sasl_secprops( cargv[1] );
- if ( txt != NULL ) {
- Debug( LDAP_DEBUG_ANY,
- "%s: line %d: sasl-secprops: %s\n",
- fname, lineno, txt );
-
- return 1;
- }
-#endif /* HAVE_CYRUS_SASL */
- }
-
- return LDAP_SUCCESS;
-}
-
 
 #ifdef HAVE_CYRUS_SASL
 int
@@ -878,7 +768,66 @@ slap_sasl_err2ldap( int saslerr )
 
 return rc;
 }
-#endif
+
+#ifdef SLAPD_SPASSWD
+
+static struct berval sasl_pwscheme = BER_BVC("{SASL}");
+
+static int chk_sasl(
+ const struct berval *sc,
+ const struct berval * passwd,
+ const struct berval * cred,
+ const char **text )
+{
+ unsigned int i;
+ int rtn;
+ void *ctx, *sconn = NULL;
+
+ for( i=0; ibv_len; i++) {
+ if(cred->bv_val[i] == '\0') {
+ return LUTIL_PASSWD_ERR; /* NUL character in password */
+ }
+ }
+
+ if( cred->bv_val[i] != '\0' ) {
+ return LUTIL_PASSWD_ERR; /* cred must behave like a string */
+ }
+
+ for( i=0; ibv_len; i++) {
+ if(passwd->bv_val[i] == '\0') {
+ return LUTIL_PASSWD_ERR; /* NUL character in password */
+ }
+ }
+
+ if( passwd->bv_val[i] != '\0' ) {
+ return LUTIL_PASSWD_ERR; /* passwd must behave like a string */
+ }
+
+ rtn = LUTIL_PASSWD_ERR;
+
+ ctx = ldap_pvt_thread_pool_context();
+ ldap_pvt_thread_pool_getkey( ctx, slap_sasl_bind, &sconn, NULL );
+
+ if( sconn != NULL ) {
+ int sc;
+# if SASL_VERSION_MAJOR < 2
+ sc = sasl_checkpass( sconn,
+ passwd->bv_val, passwd->bv_len,
+ cred->bv_val, cred->bv_len,
+ text );
+# else
+ sc = sasl_checkpass( sconn,
+ passwd->bv_val, passwd->bv_len,
+ cred->bv_val, cred->bv_len );
+# endif
+ rtn = ( sc != SASL_OK ) ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK;
+ }
+
+ return rtn;
+}
+#endif /* SLAPD_SPASSWD */
+
+#endif /* HAVE_CYRUS_SASL */
 
 int slap_sasl_init( void )
 {
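Review bot: The post-loop checks `if( cred->bv_val[i] != '\0' )` and `if( passwd->bv_val[i] != '\0' )` in chk_sasl read `bv_val[bv_len]`, one byte past the length the berval declares, so the function is only memory-safe when every caller hands in NUL-terminated storage, and a berval with `bv_len == 0` and `bv_val == NULL` dereferences NULL before the loops do anything; whether such a value can reach a password-scheme checker is not visible from this hunk. Guard both inputs up front with `if ( cred->bv_val == NULL || passwd->bv_val == NULL ) return LUTIL_PASSWD_ERR;` and state in a header comment that the one-past-the-end read is the deliberate "must behave like a string" check, since a reader will otherwise take it for an off-by-one. The inner `int sc;` shadows the `const struct berval *sc` scheme parameter (which is never used); renaming the local to `rc` removes the ambiguity. In the SASL v2 branch the `text` out-parameter is never written, so a failed sasl_checkpass yields no diagnostic to the caller; presumably acceptable for a password scheme, but the header comment should say so. The loop bounds render as `ibv_len` on this page, presumably `i<cred->bv_len` lost to HTML.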
@@ -950,6 +899,10 @@ int slap_sasl_init( void )
 return -1;
 }
 
+#ifdef SLAPD_SPASSWD
+ lutil_passwd_add( &sasl_pwscheme, chk_sasl, NULL );
+#endif
+
 Debug( LDAP_DEBUG_TRACE,
 "slap_sasl_init: initialized!\n",
 0, 0, 0 );
@@ -1441,6 +1394,13 @@ char* slap_sasl_secprops( const char *in )
 #endif
 }
 
+void slap_sasl_secprops_unparse( struct berval *bv )
+{
+#ifdef HAVE_CYRUS_SASL
+ ldap_pvt_sasl_secprops_unparse( &sasl_secprops, bv );
+#endif
+}
+
 #ifdef HAVE_CYRUS_SASL
 int
 slap_sasl_setpass( Operation *op, SlapReply *rs )
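Review bot: `lutil_passwd_add( &sasl_pwscheme, chk_sasl, NULL );` discards its return value, so if registering the {SASL} scheme can fail (for example a duplicate registration or an allocation failure), slap_sasl_init still logs "initialized!" and reports success while {SASL} userPassword values then fail closed as an unknown scheme, which is a confusing outage rather than a bypass. I cannot confirm lutil_passwd_add's contract from this hunk, but if it reports failure through its return code, handle it the way the surrounding `return -1;` paths do: `if ( lutil_passwd_add( &sasl_pwscheme, chk_sasl, NULL ) ) { Debug( LDAP_DEBUG_ANY, "slap_sasl_init: unable to register {SASL} password scheme\n", 0, 0, 0 ); return -1; }`. slap_sasl_init starts and ends outside the hunk.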
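Review bot: When HAVE_CYRUS_SASL is not defined, `slap_sasl_secprops_unparse` returns without touching `*bv`, so a caller that passes an uninitialised berval reads whatever `bv_val`/`bv_len` happened to be on the stack afterwards. Unless every caller is guaranteed to zero it first, add an `#else` branch with `bv->bv_val = NULL; bv->bv_len = 0;` so the no-SASL build yields an empty value. A one-line header comment stating who owns `bv` on return and whether it is allocated would also help, because ldap_pvt_sasl_secprops_unparse's allocation behaviour is not visible here.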