X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fsasl.c;h=bf068e85c1d3b59f76cd296700deec480a8bf76e;hb=b8bf38cd5bbf9d6bb26262bd5f78bd8961c5591f;hp=0587c62e92def1d53a688a20ec70322be89ff616;hpb=2f5e17d056f5c8d0722419841eedc67c05993595;p=openldap
diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c
index 0587c62e92..bf068e85c1 100644
--- a/servers/slapd/sasl.c
+++ b/servers/slapd/sasl.c
@@ -1,7 +1,7 @@
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software .
*
- * Copyright 1998-2004 The OpenLDAP Foundation.
+ * Copyright 1998-2005 The OpenLDAP Foundation.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -64,116 +64,6 @@ typedef struct sasl_ctx {
static struct berval ext_bv = BER_BVC( "EXTERNAL" );
-int slap_sasl_config( int cargc, char **cargv, char *line,
- const char *fname, int lineno )
-{
- /* set SASL proxy authorization policy */
- if ( !strcasecmp( cargv[0], "authz-policy" ) ||
- !strcasecmp( cargv[0], "sasl-authz-policy" ))
- {
- if ( cargc != 2 ) {
- Debug( LDAP_DEBUG_ANY,
- "%s: line %d: missing policy in"
- " \"%s \" line\n",
- cargv[0], fname, lineno );
-
- return( 1 );
- }
- if ( slap_sasl_setpolicy( cargv[1] ) ) {
- Debug( LDAP_DEBUG_ANY, "%s: line %d: "
- "unable to parse value \"%s\" in \"authz-policy "
- "\" line.\n",
- fname, lineno, cargv[1] );
- return( 1 );
- }
-
- } else if ( !strcasecmp( cargv[0], "authz-regexp" ) ||
- !strcasecmp( cargv[0], "sasl-regexp" ) ||
- !strcasecmp( cargv[0], "saslregexp" ) )
- {
- int rc;
- if ( cargc != 3 ) {
- Debug( LDAP_DEBUG_ANY,
- "%s: line %d: need 2 args in "
- "\"authz-regexp \"\n",
- fname, lineno, 0 );
-
- return( 1 );
- }
- rc = slap_sasl_regexp_config( cargv[1], cargv[2] );
- if ( rc ) {
- return rc;
- }
-
-#ifdef HAVE_CYRUS_SASL
- /* set SASL host */
- } else if ( strcasecmp( cargv[0], "sasl-host" ) == 0 ) {
- if ( cargc < 2 ) {
- Debug( LDAP_DEBUG_ANY,
- "%s: line %d: missing host in \"sasl-host \" line\n",
- fname, lineno, 0 );
-
- return( 1 );
- }
-
- if ( global_host != NULL ) {
- Debug( LDAP_DEBUG_ANY,
- "%s: line %d: already set sasl-host!\n",
- fname, lineno, 0 );
-
- return 1;
-
- } else {
- global_host = ch_strdup( cargv[1] );
- }
-
- /* set SASL realm */
- } else if ( strcasecmp( cargv[0], "sasl-realm" ) == 0 ) {
- if ( cargc < 2 ) {
- Debug( LDAP_DEBUG_ANY, "%s: line %d: "
- "missing realm in \"sasl-realm \" line.\n",
- fname, lineno, 0 );
-
- return( 1 );
- }
-
- if ( global_realm != NULL ) {
- Debug( LDAP_DEBUG_ANY,
- "%s: line %d: already set sasl-realm!\n",
- fname, lineno, 0 );
-
- return 1;
-
- } else {
- global_realm = ch_strdup( cargv[1] );
- }
-
- /* SASL security properties */
- } else if ( strcasecmp( cargv[0], "sasl-secprops" ) == 0 ) {
- char *txt;
-
- if ( cargc < 2 ) {
- Debug( LDAP_DEBUG_ANY, "%s: line %d: "
- "missing flags in \"sasl-secprops \" line\n",
- fname, lineno, 0 );
-
- return 1;
- }
-
- txt = slap_sasl_secprops( cargv[1] );
- if ( txt != NULL ) {
- Debug( LDAP_DEBUG_ANY,
- "%s: line %d: sasl-secprops: %s\n",
- fname, lineno, txt );
-
- return 1;
- }
-#endif /* HAVE_CYRUS_SASL */
- }
-
- return LDAP_SUCCESS;
-}
-
#ifdef HAVE_CYRUS_SASL
int
@@ -878,7 +768,66 @@ slap_sasl_err2ldap( int saslerr )
return rc;
}
-#endif
+
+#ifdef SLAPD_SPASSWD
+
+static struct berval sasl_pwscheme = BER_BVC("{SASL}");
+
+static int chk_sasl(
+ const struct berval *sc,
+ const struct berval * passwd,
+ const struct berval * cred,
+ const char **text )
+{
+ unsigned int i;
+ int rtn;
+ void *ctx, *sconn = NULL;
+
+ for( i=0; ibv_len; i++) {
+ if(cred->bv_val[i] == '\0') {
+ return LUTIL_PASSWD_ERR; /* NUL character in password */
+ }
+ }
+
+ if( cred->bv_val[i] != '\0' ) {
+ return LUTIL_PASSWD_ERR; /* cred must behave like a string */
+ }
+
+ for( i=0; ibv_len; i++) {
+ if(passwd->bv_val[i] == '\0') {
+ return LUTIL_PASSWD_ERR; /* NUL character in password */
+ }
+ }
+
+ if( passwd->bv_val[i] != '\0' ) {
+ return LUTIL_PASSWD_ERR; /* passwd must behave like a string */
+ }
+
+ rtn = LUTIL_PASSWD_ERR;
+
+ ctx = ldap_pvt_thread_pool_context();
+ ldap_pvt_thread_pool_getkey( ctx, slap_sasl_bind, &sconn, NULL );
+
+ if( sconn != NULL ) {
+ int sc;
+# if SASL_VERSION_MAJOR < 2
+ sc = sasl_checkpass( sconn,
+ passwd->bv_val, passwd->bv_len,
+ cred->bv_val, cred->bv_len,
+ text );
+# else
+ sc = sasl_checkpass( sconn,
+ passwd->bv_val, passwd->bv_len,
+ cred->bv_val, cred->bv_len );
+# endif
+ rtn = ( sc != SASL_OK ) ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK;
+ }
+
+ return rtn;
+}
+#endif /* SLAPD_SPASSWD */
+
+#endif /* HAVE_CYRUS_SASL */
int slap_sasl_init( void )
{
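Review bot: The loop counters at L148 and L158 are declared `unsigned int i` but are compared against `bv_len`, which is a `ber_len_t` (an unsigned long on LP64 builds), so the guard loops mix widths; declare `ber_len_t i;` so index and length agree. The comment on the second loop, `/* NUL character in password */`, is misleading: `passwd` is the value stored after the `{SASL}` prefix and is passed to sasl_checkpass as its user-name argument, while `cred` is the candidate password, so it should read `/* NUL character in stored SASL user name */`. A header comment is missing; describe chk_sasl as the lutil_passwd check callback for the `{SASL}` scheme that delegates verification to the SASL connection stashed in the thread-pool context under the `slap_sasl_bind` key, and state that it returns LUTIL_PASSWD_ERR without setting `*text` when no such connection exists or when sasl_checkpass fails, so callers get no diagnostic on those paths. The `bv_val[i]` reads after each loop touch index `bv_len`, which relies on the berval being NUL-terminated one past its length; that assumption belongs in the comment too. The loop conditions render here as `ibv_len`, presumably `i < cred->bv_len` with the `<` lost to markup.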
@@ -950,6 +899,10 @@ int slap_sasl_init( void )
return -1;
}
+#ifdef SLAPD_SPASSWD
+ lutil_passwd_add( &sasl_pwscheme, chk_sasl, NULL );
+#endif
+
Debug( LDAP_DEBUG_TRACE, "slap_sasl_init: initialized!\n",
0, 0, 0 );
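Review bot: The result of `lutil_passwd_add( &sasl_pwscheme, chk_sasl, NULL )` is discarded, whereas the preceding `return -1;` treats earlier initialization failures as fatal; lutil_passwd_add appears to report an allocation failure through its return value, so a silently unregistered `{SASL}` scheme would make every such userPassword fail to verify with no log entry. Suggest `if ( lutil_passwd_add( &sasl_pwscheme, chk_sasl, NULL ) ) { Debug( LDAP_DEBUG_ANY, "slap_sasl_init: unable to register {SASL} password scheme\n", 0, 0, 0 ); return -1; }`, with the error-vs-warning choice confirmed against the project's policy. A one-line comment would also help, e.g. `/* {SASL} is check-only (no hash function): stored values are SASL user names verified through the bind's SASL connection */`. slap_sasl_init starts and ends outside this hunk.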
@@ -1441,6 +1394,13 @@ char* slap_sasl_secprops( const char *in )
#endif
}
+void slap_sasl_secprops_unparse( struct berval *bv )
+{
+#ifdef HAVE_CYRUS_SASL
+ ldap_pvt_sasl_secprops_unparse( &sasl_secprops, bv );
+#endif
+}
+
#ifdef HAVE_CYRUS_SASL
int
slap_sasl_setpass( Operation *op, SlapReply *rs )
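Review bot: When HAVE_CYRUS_SASL is not defined, slap_sasl_secprops_unparse leaves `*bv` untouched, so a caller passing an uninitialized berval cannot tell whether anything was produced; add `#else` and `BER_BVZERO( bv );` before the `#endif` so the output is always well-defined. The function also lacks a comment; something like `/* Render the current SASL security properties into bv; empty when built without Cyrus SASL. */`, plus a note on who frees the result once that is confirmed against ldap_pvt_sasl_secprops_unparse, which is not shown here.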