X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fsasl.c;h=bf068e85c1d3b59f76cd296700deec480a8bf76e;hb=b8bf38cd5bbf9d6bb26262bd5f78bd8961c5591f;hp=3363294e01de7847447f477120b7e32c6d51f070;hpb=7e87f547160f78690b4fe2a6bdf7f67505de8ee4;p=openldap

diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c
index 3363294e01..bf068e85c1 100644
--- a/servers/slapd/sasl.c
+++ b/servers/slapd/sasl.c
@@ -1,7 +1,7 @@
 /* $OpenLDAP$ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2004 The OpenLDAP Foundation.
+ * Copyright 1998-2005 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -64,116 +64,6 @@ typedef struct sasl_ctx {
 
 static struct berval ext_bv = BER_BVC( "EXTERNAL" );
 
-int slap_sasl_config( int cargc, char **cargv, char *line,
-	const char *fname, int lineno )
-{
-		/* set SASL proxy authorization policy */
-		if ( !strcasecmp( cargv[0], "authz-policy" ) ||
-			!strcasecmp( cargv[0], "sasl-authz-policy" ))
-		{
-			if ( cargc != 2 ) {
-				Debug( LDAP_DEBUG_ANY,
-					"%s: line %d: missing policy in"
-					" \"%s <policy>\" line\n",
-				    cargv[0], fname, lineno );
-
-				return( 1 );
-			}
-			if ( slap_sasl_setpolicy( cargv[1] ) ) {
-				Debug( LDAP_DEBUG_ANY, "%s: line %d: "
-					"unable to parse value \"%s\" in \"authz-policy "
-					"<policy>\" line.\n",
-					fname, lineno, cargv[1] );
-				return( 1 );
-			}
-
-		} else if ( !strcasecmp( cargv[0], "authz-regexp" ) || 
-			!strcasecmp( cargv[0], "sasl-regexp" ) ||
-			!strcasecmp( cargv[0], "saslregexp" ) )
-		{
-			int rc;
-			if ( cargc != 3 ) {
-				Debug( LDAP_DEBUG_ANY, 
-					"%s: line %d: need 2 args in "
-					"\"authz-regexp <match> <replace>\"\n",
-					fname, lineno, 0 );
-
-				return( 1 );
-			}
-			rc = slap_sasl_regexp_config( cargv[1], cargv[2] );
-			if ( rc ) {
-				return rc;
-			}
-
-#ifdef HAVE_CYRUS_SASL
-		/* set SASL host */
-		} else if ( strcasecmp( cargv[0], "sasl-host" ) == 0 ) {
-			if ( cargc < 2 ) {
-				Debug( LDAP_DEBUG_ANY,
-	    			"%s: line %d: missing host in \"sasl-host <host>\" line\n",
-				    fname, lineno, 0 );
-
-				return( 1 );
-			}
-
-			if ( global_host != NULL ) {
-				Debug( LDAP_DEBUG_ANY,
-					"%s: line %d: already set sasl-host!\n",
-					fname, lineno, 0 );
-
-				return 1;
-
-			} else {
-				global_host = ch_strdup( cargv[1] );
-			}
-
-		/* set SASL realm */
-		} else if ( strcasecmp( cargv[0], "sasl-realm" ) == 0 ) {
-			if ( cargc < 2 ) {
-				Debug( LDAP_DEBUG_ANY, "%s: line %d: "
-					"missing realm in \"sasl-realm <realm>\" line.\n",
-				    fname, lineno, 0 );
-
-				return( 1 );
-			}
-
-			if ( global_realm != NULL ) {
-				Debug( LDAP_DEBUG_ANY,
-					"%s: line %d: already set sasl-realm!\n",
-					fname, lineno, 0 );
-
-				return 1;
-
-			} else {
-				global_realm = ch_strdup( cargv[1] );
-			}
-
-		/* SASL security properties */
-		} else if ( strcasecmp( cargv[0], "sasl-secprops" ) == 0 ) {
-			char *txt;
-
-			if ( cargc < 2 ) {
-				Debug( LDAP_DEBUG_ANY, "%s: line %d: "
-					"missing flags in \"sasl-secprops <properties>\" line\n",
-				    fname, lineno, 0 );
-
-				return 1;
-			}
-
-			txt = slap_sasl_secprops( cargv[1] );
-			if ( txt != NULL ) {
-				Debug( LDAP_DEBUG_ANY,
-					"%s: line %d: sasl-secprops: %s\n",
-				    fname, lineno, txt );
-
-				return 1;
-			}
-#endif /* HAVE_CYRUS_SASL */
-	    }
-
-	    return LDAP_SUCCESS;
-}
-
 #ifdef HAVE_CYRUS_SASL
 
 int
@@ -398,18 +288,13 @@ slap_auxprop_lookup(
 
 		if ( op.o_bd && op.o_bd->be_search ) {
 			SlapReply rs = {REP_RESULT};
+			op.o_hdr = conn->c_sasl_bindop->o_hdr;
 			op.o_tag = LDAP_REQ_SEARCH;
-			op.o_protocol = LDAP_VERSION3;
 			op.o_ndn = conn->c_ndn;
 			op.o_callback = &cb;
 			op.o_time = slap_get_time();
 			op.o_do_not_cache = 1;
 			op.o_is_auth_check = 1;
-			op.o_threadctx = conn->c_sasl_bindop->o_threadctx;
-			op.o_tmpmemctx = conn->c_sasl_bindop->o_tmpmemctx;
-			op.o_tmpmfuncs = conn->c_sasl_bindop->o_tmpmfuncs;
-			op.o_conn = conn;
-			op.o_connid = conn->c_connid;
 			op.o_req_dn = op.o_req_ndn;
 			op.ors_scope = LDAP_SCOPE_BASE;
 			op.ors_deref = LDAP_DEREF_NEVER;
@@ -496,33 +381,33 @@ slap_auxprop_store(
 	}
 	*modtail = NULL;
 
-	rc = slap_mods_check( modlist, 0, &text, textbuf, textlen, NULL );
+	rc = slap_mods_check( modlist, &text, textbuf, textlen, NULL );
 
 	if ( rc == LDAP_SUCCESS ) {
-		rc = slap_mods_opattrs( &op, modlist, modtail, &text, textbuf,
-			textlen, 1 );
-	}
-
-	if ( rc == LDAP_SUCCESS ) {
-		op.o_tag = LDAP_REQ_MODIFY;
-		op.o_protocol = LDAP_VERSION3;
-		op.o_ndn = op.o_req_ndn;
-		op.o_callback = &cb;
-		op.o_time = slap_get_time();
-		op.o_do_not_cache = 1;
-		op.o_is_auth_check = 1;
-		op.o_threadctx = conn->c_sasl_bindop->o_threadctx;
-		op.o_tmpmemctx = conn->c_sasl_bindop->o_tmpmemctx;
-		op.o_tmpmfuncs = conn->c_sasl_bindop->o_tmpmfuncs;
-		op.o_conn = conn;
-		op.o_connid = conn->c_connid;
-		op.o_req_dn = op.o_req_ndn;
-		op.orm_modlist = modlist;
-
-		rc = op.o_bd->be_modify( &op, &rs );
+		rc = slap_mods_no_update_check( modlist, &text,
+				textbuf, textlen );
+
+		if ( rc == LDAP_SUCCESS ) {
+			rc = slap_mods_opattrs( &op, modlist, modtail,
+					&text, textbuf, textlen, 1 );
+
+			if ( rc == LDAP_SUCCESS ) {
+				op.o_hdr = conn->c_sasl_bindop->o_hdr;
+				op.o_tag = LDAP_REQ_MODIFY;
+				op.o_ndn = op.o_req_ndn;
+				op.o_callback = &cb;
+				op.o_time = slap_get_time();
+				op.o_do_not_cache = 1;
+				op.o_is_auth_check = 1;
+				op.o_req_dn = op.o_req_ndn;
+				op.orm_modlist = modlist;
+
+				rc = op.o_bd->be_modify( &op, &rs );
+			}
+		}
 	}
 	slap_mods_free( modlist );
-	return rc ? SASL_FAIL : SASL_OK;
+	return rc != LDAP_SUCCESS ? SASL_FAIL : SASL_OK;
 }
 #endif /* SASL_VERSION_FULL >= 2.1.16 */
 
@@ -883,7 +768,66 @@ slap_sasl_err2ldap( int saslerr )
 
 	return rc;
 }
-#endif
+
+#ifdef SLAPD_SPASSWD
+
+static struct berval sasl_pwscheme = BER_BVC("{SASL}");
+
+static int chk_sasl(
+	const struct berval *sc,
+	const struct berval * passwd,
+	const struct berval * cred,
+	const char **text )
+{
+	unsigned int i;
+	int rtn;
+	void *ctx, *sconn = NULL;
+
+	for( i=0; i<cred->bv_len; i++) {
+		if(cred->bv_val[i] == '\0') {
+			return LUTIL_PASSWD_ERR;	/* NUL character in password */
+		}
+	}
+
+	if( cred->bv_val[i] != '\0' ) {
+		return LUTIL_PASSWD_ERR;	/* cred must behave like a string */
+	}
+
+	for( i=0; i<passwd->bv_len; i++) {
+		if(passwd->bv_val[i] == '\0') {
+			return LUTIL_PASSWD_ERR;	/* NUL character in password */
+		}
+	}
+
+	if( passwd->bv_val[i] != '\0' ) {
+		return LUTIL_PASSWD_ERR;	/* passwd must behave like a string */
+	}
+
+	rtn = LUTIL_PASSWD_ERR;
+
+	ctx = ldap_pvt_thread_pool_context();
+	ldap_pvt_thread_pool_getkey( ctx, slap_sasl_bind, &sconn, NULL );
+
+	if( sconn != NULL ) {
+		int sc;
+# if SASL_VERSION_MAJOR < 2
+		sc = sasl_checkpass( sconn,
+			passwd->bv_val, passwd->bv_len,
+			cred->bv_val, cred->bv_len,
+			text );
+# else
+		sc = sasl_checkpass( sconn,
+			passwd->bv_val, passwd->bv_len,
+			cred->bv_val, cred->bv_len );
+# endif
+		rtn = ( sc != SASL_OK ) ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK;
+	}
+
+	return rtn;
+}
+#endif /* SLAPD_SPASSWD */
+
+#endif /* HAVE_CYRUS_SASL */
 
 int slap_sasl_init( void )
 {
@@ -908,10 +852,9 @@ int slap_sasl_init( void )
 		char version[sizeof("xxx.xxx.xxxxx")];
 		sprintf( version, "%u.%d.%d", (unsigned)rc >> 24, (rc >> 16) & 0xff,
 			rc & 0xffff );
-		Debug( LDAP_DEBUG_ANY,
-		"slap_sasl_init: SASL library version mismatch:"
-		" expected " SASL_VERSION_STRING ","
-		" got %s\n", version, 0, 0 );
+		Debug( LDAP_DEBUG_ANY, "slap_sasl_init: SASL library version mismatch:"
+			" expected " SASL_VERSION_STRING ","
+			" got %s\n", version, 0, 0 );
 		return -1;
 	}
 #endif
@@ -934,14 +877,19 @@ int slap_sasl_init( void )
 #if SASL_VERSION_MAJOR >= 2
 	generic_filter.f_desc = slap_schema.si_ad_objectClass;
 
-	sasl_auxprop_add_plugin( "slapd", slap_auxprop_init );
+	rc = sasl_auxprop_add_plugin( "slapd", slap_auxprop_init );
+	if( rc != SASL_OK ) {
+		Debug( LDAP_DEBUG_ANY, "slap_sasl_init: auxprop add plugin failed\n",
+			0, 0, 0 );
+		return -1;
+	}
 #endif
 	/* should provide callbacks for logging */
 	/* server name should be configurable */
 	rc = sasl_server_init( server_callbacks, "slapd" );
 
 	if( rc != SASL_OK ) {
-		Debug( LDAP_DEBUG_ANY, "sasl_server_init failed\n",
+		Debug( LDAP_DEBUG_ANY, "slap_sasl_init: server init failed\n",
 			0, 0, 0 );
 #if SASL_VERSION_MAJOR < 2
 		/* A no-op used to make sure we linked with Cyrus 1.5 */
@@ -951,6 +899,10 @@ int slap_sasl_init( void )
 		return -1;
 	}
 
+#ifdef SLAPD_SPASSWD
+	lutil_passwd_add( &sasl_pwscheme, chk_sasl, NULL );
+#endif
+
 	Debug( LDAP_DEBUG_TRACE, "slap_sasl_init: initialized!\n",
 		0, 0, 0 );
 
@@ -1442,6 +1394,13 @@ char* slap_sasl_secprops( const char *in )
 #endif
 }
 
+void slap_sasl_secprops_unparse( struct berval *bv )
+{
+#ifdef HAVE_CYRUS_SASL
+	ldap_pvt_sasl_secprops_unparse( &sasl_secprops, bv );
+#endif
+}
+
 #ifdef HAVE_CYRUS_SASL
 int
 slap_sasl_setpass( Operation *op, SlapReply *rs )
@@ -1606,44 +1565,63 @@ int slap_sasl_getdn( Connection *conn, Operation *op, struct berval *id,
 
 	/* Username strings */
 	if( is_dn == SET_U ) {
-		char		*p;
-		struct berval	realm = BER_BVNULL, c1 = *dn;
-		ber_len_t	len;
-
-		len = dn->bv_len + STRLENOF( "uid=" ) + STRLENOF( ",cn=auth" );
-
-		if( user_realm && *user_realm ) {
-			ber_str2bv( user_realm, 0, 0, &realm );
- 			len += realm.bv_len + STRLENOF( ",cn=" );
+		/* ITS#3419: values may need escape */
+		LDAPRDN		DN[ 5 ];
+		LDAPAVA 	*RDNs[ 4 ][ 2 ];
+		LDAPAVA 	AVAs[ 4 ];
+		int		irdn;
+
+		irdn = 0;
+		DN[ irdn ] = RDNs[ irdn ];
+		RDNs[ irdn ][ 0 ] = &AVAs[ irdn ];
+		AVAs[ irdn ].la_attr = slap_schema.si_ad_uid->ad_cname;
+		AVAs[ irdn ].la_value = *dn;
+		AVAs[ irdn ].la_flags = LDAP_AVA_NULL;
+		AVAs[ irdn ].la_private = NULL;
+		RDNs[ irdn ][ 1 ] = NULL;
+
+		if ( user_realm && *user_realm ) {
+			irdn++;
+			DN[ irdn ] = RDNs[ irdn ];
+			RDNs[ irdn ][ 0 ] = &AVAs[ irdn ];
+			AVAs[ irdn ].la_attr = slap_schema.si_ad_cn->ad_cname;
+			ber_str2bv( user_realm, 0, 0, &AVAs[ irdn ].la_value );
+			AVAs[ irdn ].la_flags = LDAP_AVA_NULL;
+			AVAs[ irdn ].la_private = NULL;
+			RDNs[ irdn ][ 1 ] = NULL;
 		}
 
-		if( mech->bv_len ) {
-			len += mech->bv_len + STRLENOF( ",cn=" );
+		if ( !BER_BVISNULL( mech ) ) {
+			irdn++;
+			DN[ irdn ] = RDNs[ irdn ];
+			RDNs[ irdn ][ 0 ] = &AVAs[ irdn ];
+			AVAs[ irdn ].la_attr = slap_schema.si_ad_cn->ad_cname;
+			AVAs[ irdn ].la_value = *mech;
+			AVAs[ irdn ].la_flags = LDAP_AVA_NULL;
+			AVAs[ irdn ].la_private = NULL;
+			RDNs[ irdn ][ 1 ] = NULL;
 		}
 
-		/* Build the new dn */
-		dn->bv_val = slap_sl_malloc( len + 1, op->o_tmpmemctx );
-		if( dn->bv_val == NULL ) {
-			Debug( LDAP_DEBUG_ANY, 
-				"slap_sasl_getdn: SLAP_MALLOC failed", 0, 0, 0 );
-			return LDAP_OTHER;
-		}
-		p = lutil_strcopy( dn->bv_val, "uid=" );
-		p = lutil_strncopy( p, c1.bv_val, c1.bv_len );
+		irdn++;
+		DN[ irdn ] = RDNs[ irdn ];
+		RDNs[ irdn ][ 0 ] = &AVAs[ irdn ];
+		AVAs[ irdn ].la_attr = slap_schema.si_ad_cn->ad_cname;
+		BER_BVSTR( &AVAs[ irdn ].la_value, "auth" );
+		AVAs[ irdn ].la_flags = LDAP_AVA_NULL;
+		AVAs[ irdn ].la_private = NULL;
+		RDNs[ irdn ][ 1 ] = NULL;
 
-		if( realm.bv_len ) {
-			p = lutil_strcopy( p, ",cn=" );
-			p = lutil_strncopy( p, realm.bv_val, realm.bv_len );
-		}
+		irdn++;
+		DN[ irdn ] = NULL;
 
-		if( mech->bv_len ) {
-			p = lutil_strcopy( p, ",cn=" );
-			p = lutil_strcopy( p, mech->bv_val );
+		rc = ldap_dn2bv_x( DN, dn, LDAP_DN_FORMAT_LDAPV3, op->o_tmpmemctx );
+		if ( rc != LDAP_SUCCESS ) {
+			BER_BVZERO( dn );
+			return rc;
 		}
-		p = lutil_strcopy( p, ",cn=auth" );
-		dn->bv_len = p - dn->bv_val;
 
 		Debug( LDAP_DEBUG_TRACE, "slap_sasl_getdn: u:id converted to %s\n", dn->bv_val,0,0 );
+
 	} else {
 		
 		/* Dup the DN in any case, so we don't risk