X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fsasl.c;h=d8c0c06305932b82e5584ed5de8129d52f51eecd;hb=437d2ce5a920d12402b557b4b814e6d14cd40c9d;hp=61511fa534dc326d97ffdd12ef0b2626c34493fa;hpb=6939c531700652491f4be4688c6a1f35a1ab8a18;p=openldap diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c index 61511fa534..d8c0c06305 100644 --- a/servers/slapd/sasl.c +++ b/servers/slapd/sasl.c @@ -292,7 +292,7 @@ slap_sasl_log( static const char *slap_propnames[] = { "*slapConn", "*authcDN", "*authzDN", NULL }; -static Filter *generic_filter; +static Filter generic_filter = { LDAP_FILTER_PRESENT }; #define PROP_CONN 0 #define PROP_AUTHC 1 @@ -305,15 +305,10 @@ typedef struct lookup_info { sasl_server_params_t *sparams; } lookup_info; +static slap_response sasl_ap_lookup, sasl_cb_checkpass; + static int -sasl_ap_lookup( - BackendDB *be, - Connection *conn, - Operation *op, - Entry *e, - AttributeName *an, - int attrsonly, - LDAPControl **ctrls ) +sasl_ap_lookup( Operation *op, SlapReply *rs ) { BerVarray bv; AttributeDescription *ad; @@ -323,6 +318,8 @@ sasl_ap_lookup( slap_callback *tmp = op->o_callback; lookup_info *sl = tmp->sc_private; + if (rs->sr_type != REP_SEARCH) return 0; + for( i = 0; i < sl->last; i++ ) { const char *name = sl->list[i].name; @@ -347,15 +344,18 @@ sasl_ap_lookup( #endif continue; } - a = attr_find( e->e_attrs, ad ); + a = attr_find( rs->sr_entry->e_attrs, ad ); if ( !a ) continue; - if ( ! access_allowed( be, conn, op, e, ad, NULL, ACL_AUTH, NULL ) ) + if ( ! access_allowed( op, rs->sr_entry, ad, NULL, ACL_AUTH, NULL ) ) { continue; - if ( sl->list[i].values && ( sl->flags & SASL_AUXPROP_OVERRIDE ) ) - sl->sparams->utils->prop_erase( sl->sparams->propctx, sl->list[i].name ); + } + if ( sl->list[i].values && ( sl->flags & SASL_AUXPROP_OVERRIDE ) ) { + sl->sparams->utils->prop_erase( sl->sparams->propctx, + sl->list[i].name ); + } for ( bv = a->a_vals; bv->bv_val; bv++ ) { - sl->sparams->utils->prop_set( sl->sparams->propctx, sl->list[i].name, - bv->bv_val, bv->bv_len ); + sl->sparams->utils->prop_set( sl->sparams->propctx, + sl->list[i].name, bv->bv_val, bv->bv_len ); } } return LDAP_SUCCESS; @@ -369,8 +369,8 @@ slap_auxprop_lookup( const char *user, unsigned ulen) { + Operation op = {0}; int rc, i, doit=0; - struct berval dn; Connection *conn = NULL; lookup_info sl; @@ -390,14 +390,14 @@ slap_auxprop_lookup( !strcmp( sl.list[i].name, slap_propnames[PROP_AUTHZ] ) ) { if ( sl.list[i].values && sl.list[i].values[0] ) - AC_MEMCPY( &dn, sl.list[i].values[0], sizeof( dn ) ); + AC_MEMCPY( &op.o_req_ndn, sl.list[i].values[0], sizeof( struct berval ) ); if ( !sl.last ) sl.last = i; break; } if ( !strcmp( sl.list[i].name, slap_propnames[PROP_AUTHC] ) ) { if ( !sl.last ) sl.last = i; if ( sl.list[i].values && sl.list[i].values[0] ) { - AC_MEMCPY( &dn, sl.list[i].values[0], sizeof( dn ) ); + AC_MEMCPY( &op.o_req_ndn, sl.list[i].values[0], sizeof( struct berval ) ); if ( !(flags & SASL_AUXPROP_AUTHZID) ) break; } @@ -422,27 +422,30 @@ slap_auxprop_lookup( } if (doit) { - Backend *be; - Operation op = {0}; - slap_callback cb = { slap_cb_null_response, - slap_cb_null_sresult, sasl_ap_lookup, NULL }; + slap_callback cb = { sasl_ap_lookup }; cb.sc_private = &sl; - be = select_backend( &dn, 0, 1 ); + op.o_bd = select_backend( &op.o_req_ndn, 0, 1 ); - if ( be && be->be_search ) { + if ( op.o_bd && op.o_bd->be_search ) { + SlapReply rs = {REP_RESULT}; op.o_tag = LDAP_REQ_SEARCH; op.o_protocol = LDAP_VERSION3; op.o_ndn = conn->c_ndn; op.o_callback = &cb; op.o_time = slap_get_time(); op.o_do_not_cache = 1; + op.o_is_auth_check = 1; op.o_threadctx = conn->c_sasl_bindop->o_threadctx; - - (*be->be_search)( be, conn, &op, NULL, &dn, - LDAP_SCOPE_BASE, LDAP_DEREF_NEVER, 1, 0, - generic_filter, NULL, NULL, 0 ); + op.o_conn = conn; + op.o_connid = conn->c_connid; + op.ors_scope = LDAP_SCOPE_BASE; + op.ors_deref = LDAP_DEREF_NEVER; + op.ors_slimit = 1; + op.ors_filter = &generic_filter; + + op.o_bd->be_search( &op, &rs ); } } } @@ -480,25 +483,20 @@ typedef struct checkpass_info { } checkpass_info; static int -sasl_cb_checkpass( - BackendDB *be, - Connection *conn, - Operation *op, - Entry *e, - AttributeName *an, - int attrsonly, - LDAPControl **ctrls ) +sasl_cb_checkpass( Operation *op, SlapReply *rs ) { slap_callback *tmp = op->o_callback; checkpass_info *ci = tmp->sc_private; Attribute *a; struct berval *bv; + if (rs->sr_type != REP_SEARCH) return 0; + ci->rc = SASL_NOVERIFY; - a = attr_find( e->e_attrs, slap_schema.si_ad_userPassword ); + a = attr_find( rs->sr_entry->e_attrs, slap_schema.si_ad_userPassword ); if ( !a ) return 0; - if ( ! access_allowed( be, conn, op, e, slap_schema.si_ad_userPassword, + if ( ! access_allowed( op, rs->sr_entry, slap_schema.si_ad_userPassword, NULL, ACL_AUTH, NULL ) ) return 0; for ( bv = a->a_vals; bv->bv_val != NULL; bv++ ) { @@ -520,9 +518,8 @@ slap_sasl_checkpass( struct propctx *propctx) { Connection *conn = (Connection *)context; - struct berval dn; + Operation op = {0}; int rc; - Backend *be; checkpass_info ci; ci.rc = SASL_NOUSER; @@ -531,27 +528,26 @@ slap_sasl_checkpass( * find an answer here. */ - rc = slap_sasl_getdn( conn, (char *)username, 0, NULL, &dn, + rc = slap_sasl_getdn( conn, (char *)username, 0, NULL, &op.o_req_ndn, SLAP_GETDN_AUTHCID ); if ( rc != LDAP_SUCCESS ) { sasl_seterror( sconn, 0, ldap_err2string( rc ) ); return SASL_NOUSER; } - if ( dn.bv_len == 0 ) { + if ( op.o_req_ndn.bv_len == 0 ) { sasl_seterror( sconn, 0, "No password is associated with the Root DSE" ); - if ( dn.bv_val != NULL ) { - ch_free( dn.bv_val ); + if ( op.o_req_ndn.bv_val != NULL ) { + ch_free( op.o_req_ndn.bv_val ); } return SASL_NOUSER; } - be = select_backend( &dn, 0, 1 ); - if ( be && be->be_search ) { - Operation op = {0}; - slap_callback cb = { slap_cb_null_response, - slap_cb_null_sresult, sasl_cb_checkpass, NULL }; + op.o_bd = select_backend( &op.o_req_ndn, 0, 1 ); + if ( op.o_bd && op.o_bd->be_search ) { + slap_callback cb = { sasl_cb_checkpass }; + SlapReply rs = {REP_RESULT}; ci.cred.bv_val = (char *)pass; ci.cred.bv_len = passlen; @@ -563,18 +559,23 @@ slap_sasl_checkpass( op.o_callback = &cb; op.o_time = slap_get_time(); op.o_do_not_cache = 1; + op.o_is_auth_check = 1; op.o_threadctx = conn->c_sasl_bindop->o_threadctx; - - (*be->be_search)( be, conn, &op, NULL, &dn, - LDAP_SCOPE_BASE, LDAP_DEREF_NEVER, 1, 0, - generic_filter, NULL, NULL, 0 ); + op.o_conn = conn; + op.o_connid = conn->c_connid; + op.ors_scope = LDAP_SCOPE_BASE; + op.ors_deref = LDAP_DEREF_NEVER; + op.ors_slimit = 1; + op.ors_filter = &generic_filter; + + op.o_bd->be_search( &op, &rs ); } if ( ci.rc != SASL_OK ) { sasl_seterror( sconn, 0, ldap_err2string( LDAP_INVALID_CREDENTIALS ) ); } - ch_free( dn.bv_val ); + ch_free( op.o_req_ndn.bv_val ); return ci.rc; } @@ -610,13 +611,13 @@ slap_sasl_canonicalize( LDAP_LOG( TRANSPORT, ENTRY, "slap_sasl_canonicalize: conn %d %s=\"%s\"\n", conn ? conn->c_connid : -1, - (flags & SASL_CU_AUTHID) ? "authcid" : "authzid", in ? in : ""); + (flags & SASL_CU_AUTHID) ? "authcid" : "authzid", + in ? in : ""); #else - Debug( LDAP_DEBUG_ARGS, "SASL Canonicalize [conn=%ld]: " - "%s=\"%s\"\n", - conn ? conn->c_connid : -1, - (flags & SASL_CU_AUTHID) ? "authcid" : "authzid", - in ? in : "" ); + Debug( LDAP_DEBUG_ARGS, "SASL Canonicalize [conn=%ld]: %s=\"%s\"\n", + conn ? conn->c_connid : -1, + (flags & SASL_CU_AUTHID) ? "authcid" : "authzid", + in ? in : ""); #endif /* If name is too big, just truncate. We don't care, we're @@ -685,14 +686,16 @@ slap_sasl_canonicalize( #ifdef NEW_LOGGING LDAP_LOG( TRANSPORT, ENTRY, "slap_sasl_canonicalize: conn %d %s=\"%s\"\n", - conn ? conn->c_connid : -1, names[0]+1, dn.bv_val ); + conn ? conn->c_connid : -1, names[0]+1, + dn.bv_val ? dn.bv_val : "" ); #else - Debug( LDAP_DEBUG_ARGS, "SASL Canonicalize [conn=%ld]: " - "%s=\"%s\"\n", - conn ? conn->c_connid : -1, - names[0]+1, dn.bv_val ); + Debug( LDAP_DEBUG_ARGS, "SASL Canonicalize [conn=%ld]: %s=\"%s\"\n", + conn ? conn->c_connid : -1, names[0]+1, + dn.bv_val ? dn.bv_val : "" ); #endif -done: AC_MEMCPY( out, in, inlen ); + +done: + AC_MEMCPY( out, in, inlen ); out[inlen] = '\0'; *out_len = inlen; @@ -985,6 +988,8 @@ int slap_sasl_init( void ) ldap_pvt_sasl_mutex_dispose ); #if SASL_VERSION_MAJOR >= 2 + generic_filter.f_desc = slap_schema.si_ad_objectClass; + sasl_auxprop_add_plugin( "slapd", slap_auxprop_init ); #endif /* should provide callbacks for logging */ @@ -1028,9 +1033,6 @@ int slap_sasl_destroy( void ) { #ifdef HAVE_CYRUS_SASL sasl_done(); -#endif -#if SASL_VERSION_MAJOR >= 2 - filter_free( generic_filter ); #endif free( global_host ); global_host = NULL; @@ -1101,9 +1103,6 @@ int slap_sasl_open( Connection *conn ) /* create new SASL context */ #if SASL_VERSION_MAJOR >= 2 - if ( generic_filter == NULL ) { - generic_filter = str2filter( "(objectclass=*)" ); - } if ( conn->c_sock_name.bv_len != 0 && strncmp( conn->c_sock_name.bv_val, "IP=", 3 ) == 0) { char *p; @@ -1297,44 +1296,35 @@ int slap_sasl_close( Connection *conn ) return LDAP_SUCCESS; } -int slap_sasl_bind( - Connection *conn, - Operation *op, - struct berval *dn, - struct berval *ndn, - struct berval *cred, - struct berval *edn, - slap_ssf_t *ssfp ) +int slap_sasl_bind( Operation *op, SlapReply *rs ) { - int rc = 1; - #ifdef HAVE_CYRUS_SASL - sasl_conn_t *ctx = conn->c_sasl_context; + sasl_conn_t *ctx = op->o_conn->c_sasl_context; struct berval response; unsigned reslen = 0; - const char *errstr = NULL; int sc; #ifdef NEW_LOGGING LDAP_LOG( TRANSPORT, ENTRY, "sasl_bind: dn=\"%s\" mech=%s datalen=%ld\n", - dn->bv_len ? dn->bv_val : "", - conn->c_sasl_bind_in_progress ? "" : - conn->c_sasl_bind_mech.bv_val, - cred ? cred->bv_len : 0 ); + op->o_req_dn.bv_len ? op->o_req_dn.bv_val : "", + op->o_conn->c_sasl_bind_in_progress ? "" : + op->o_conn->c_sasl_bind_mech.bv_val, + op->orb_cred.bv_len ); #else Debug(LDAP_DEBUG_ARGS, "==> sasl_bind: dn=\"%s\" mech=%s datalen=%ld\n", - dn->bv_len ? dn->bv_val : "", - conn->c_sasl_bind_in_progress ? "":conn->c_sasl_bind_mech.bv_val, - cred ? cred->bv_len : 0 ); + op->o_req_dn.bv_len ? op->o_req_dn.bv_val : "", + op->o_conn->c_sasl_bind_in_progress ? "" : + op->o_conn->c_sasl_bind_mech.bv_val, + op->orb_cred.bv_len ); #endif if( ctx == NULL ) { - send_ldap_result( conn, op, LDAP_UNAVAILABLE, - NULL, "SASL unavailable on this session", NULL, NULL ); - return rc; + send_ldap_error( op, rs, LDAP_UNAVAILABLE, + "SASL unavailable on this session" ); + return rs->sr_err; } #if SASL_VERSION_MAJOR >= 2 @@ -1349,16 +1339,16 @@ int slap_sasl_bind( sasl_server_step( ctx, cred, clen, resp, rlen, err ) #endif - if ( !conn->c_sasl_bind_in_progress ) { + if ( !op->o_conn->c_sasl_bind_in_progress ) { sc = START( ctx, - conn->c_sasl_bind_mech.bv_val, - cred->bv_val, cred->bv_len, - (SASL_CONST char **)&response.bv_val, &reslen, &errstr ); + op->o_conn->c_sasl_bind_mech.bv_val, + op->orb_cred.bv_val, op->orb_cred.bv_len, + (SASL_CONST char **)&response.bv_val, &reslen, &rs->sr_text ); } else { sc = STEP( ctx, - cred->bv_val, cred->bv_len, - (SASL_CONST char **)&response.bv_val, &reslen, &errstr ); + op->orb_cred.bv_val, op->orb_cred.bv_len, + (SASL_CONST char **)&response.bv_val, &reslen, &rs->sr_text ); } response.bv_len = reslen; @@ -1366,35 +1356,35 @@ int slap_sasl_bind( if ( sc == SASL_OK ) { sasl_ssf_t *ssf = NULL; - *edn = conn->c_sasl_dn; - conn->c_sasl_dn.bv_val = NULL; - conn->c_sasl_dn.bv_len = 0; + op->orb_edn = op->o_conn->c_sasl_dn; + op->o_conn->c_sasl_dn.bv_val = NULL; + op->o_conn->c_sasl_dn.bv_len = 0; - rc = LDAP_SUCCESS; + rs->sr_err = LDAP_SUCCESS; (void) sasl_getprop( ctx, SASL_SSF, (void *)&ssf ); - *ssfp = ssf ? *ssf : 0; + op->orb_ssf = ssf ? *ssf : 0; - if( *ssfp ) { - ldap_pvt_thread_mutex_lock( &conn->c_mutex ); - conn->c_sasl_layers++; - ldap_pvt_thread_mutex_unlock( &conn->c_mutex ); + if( op->orb_ssf ) { + ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex ); + op->o_conn->c_sasl_layers++; + ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex ); } - send_ldap_sasl( conn, op, rc, - NULL, NULL, NULL, NULL, - response.bv_len ? &response : NULL ); + if (response.bv_len) rs->sr_sasldata = &response; + send_ldap_sasl( op, rs ); } else if ( sc == SASL_CONTINUE ) { - send_ldap_sasl( conn, op, rc = LDAP_SASL_BIND_IN_PROGRESS, - NULL, NULL, NULL, NULL, &response ); + rs->sr_err = LDAP_SASL_BIND_IN_PROGRESS, + rs->sr_sasldata = &response; + send_ldap_sasl( op, rs ); } else { #if SASL_VERSION_MAJOR >= 2 - errstr = sasl_errdetail( ctx ); + rs->sr_text = sasl_errdetail( ctx ); #endif - send_ldap_result( conn, op, rc = slap_sasl_err2ldap( sc ), - NULL, errstr, NULL, NULL ); + rs->sr_err = slap_sasl_err2ldap( sc ), + send_ldap_result( op, rs ); } #if SASL_VERSION_MAJOR < 2 @@ -1404,18 +1394,18 @@ int slap_sasl_bind( #endif #ifdef NEW_LOGGING - LDAP_LOG( TRANSPORT, RESULTS, "slap_sasl_bind: rc=%d\n", rc, 0, 0 ); + LDAP_LOG( TRANSPORT, RESULTS, "slap_sasl_bind: rc=%d\n", rs->sr_err, 0, 0 ); #else - Debug(LDAP_DEBUG_TRACE, "<== slap_sasl_bind: rc=%d\n", rc, 0, 0); + Debug(LDAP_DEBUG_TRACE, "<== slap_sasl_bind: rc=%d\n", rs->sr_err, 0, 0); #endif #else - send_ldap_result( conn, op, rc = LDAP_UNAVAILABLE, - NULL, "SASL not supported", NULL, NULL ); + send_ldap_error( op, rs, LDAP_UNAVAILABLE, + "SASL not supported" ); #endif - return rc; + return rs->sr_err; } char* slap_sasl_secprops( const char *in ) @@ -1431,30 +1421,20 @@ char* slap_sasl_secprops( const char *in ) #ifdef HAVE_CYRUS_SASL int -slap_sasl_setpass( - Connection *conn, - Operation *op, - const char *reqoid, - struct berval *reqdata, - char **rspoid, - struct berval **rspdata, - LDAPControl *** rspctrls, - const char **text ) +slap_sasl_setpass( Operation *op, SlapReply *rs ) { - int rc; struct berval id = { 0, NULL }; /* needs to come from connection */ struct berval new = { 0, NULL }; struct berval old = { 0, NULL }; - assert( reqoid != NULL ); - assert( strcmp( LDAP_EXOP_MODIFY_PASSWD, reqoid ) == 0 ); + assert( ber_bvcmp( &slap_EXOP_MODIFY_PASSWD, &op->ore_reqoid ) == 0 ); - rc = sasl_getprop( conn->c_sasl_context, SASL_USERNAME, + rs->sr_err = sasl_getprop( op->o_conn->c_sasl_context, SASL_USERNAME, (SASL_CONST void **)&id.bv_val ); - if( rc != SASL_OK ) { - *text = "unable to retrieve SASL username"; - rc = LDAP_OTHER; + if( rs->sr_err != SASL_OK ) { + rs->sr_text = "unable to retrieve SASL username"; + rs->sr_err = LDAP_OTHER; goto done; } @@ -1467,10 +1447,10 @@ slap_sasl_setpass( id.bv_val ? id.bv_val : "", 0, 0 ); #endif - rc = slap_passwd_parse( reqdata, - NULL, &old, &new, text ); + rs->sr_err = slap_passwd_parse( op->ore_reqdata, + NULL, &old, &new, &rs->sr_text ); - if( rc != LDAP_SUCCESS ) { + if( rs->sr_err != LDAP_SUCCESS ) { goto done; } @@ -1478,27 +1458,27 @@ slap_sasl_setpass( slap_passwd_generate(&new); if( new.bv_len == 0 ) { - *text = "password generation failed."; - rc = LDAP_OTHER; + rs->sr_text = "password generation failed."; + rs->sr_err = LDAP_OTHER; goto done; } - *rspdata = slap_passwd_return( &new ); + rs->sr_rspdata = slap_passwd_return( &new ); } #if SASL_VERSION_MAJOR < 2 - rc = sasl_setpass( conn->c_sasl_context, - id.bv_val, new.bv_val, new.bv_len, 0, text ); + rs->sr_err = sasl_setpass( op->o_conn->c_sasl_context, + id.bv_val, new.bv_val, new.bv_len, 0, &rs->sr_text ); #else - rc = sasl_setpass( conn->c_sasl_context, id.bv_val, + rs->sr_err = sasl_setpass( op->o_conn->c_sasl_context, id.bv_val, new.bv_val, new.bv_len, old.bv_val, old.bv_len, 0 ); - if( rc != SASL_OK ) { - *text = sasl_errdetail( conn->c_sasl_context ); + if( rs->sr_err != SASL_OK ) { + rs->sr_text = sasl_errdetail( op->o_conn->c_sasl_context ); } #endif - switch(rc) { + switch(rs->sr_err) { case SASL_OK: - rc = LDAP_SUCCESS; + rs->sr_err = LDAP_SUCCESS; break; case SASL_NOCHANGE: @@ -1508,11 +1488,11 @@ slap_sasl_setpass( case SASL_FAIL: case SASL_BADPARAM: default: - rc = LDAP_OTHER; + rs->sr_err = LDAP_OTHER; } done: - return rc; + return rs->sr_err; } #endif /* HAVE_CYRUS_SASL */ @@ -1526,8 +1506,9 @@ done: -Howard Chu, Symas Corp. */ -#define SET_DN 1 -#define SET_U 2 +#define SET_NONE 0 +#define SET_DN 1 +#define SET_U 2 static struct berval ext_bv = BER_BVC( "EXTERNAL" ); @@ -1535,16 +1516,16 @@ int slap_sasl_getdn( Connection *conn, char *id, int len, char *user_realm, struct berval *dn, int flags ) { char *c1; - int rc, is_dn = 0, do_norm = 1; + int rc, is_dn = SET_NONE, do_norm = 1; struct berval dn2; #ifdef NEW_LOGGING LDAP_LOG( TRANSPORT, ENTRY, - "slap_sasl_getdn: conn %d id=%s\n", - conn ? conn->c_connid : -1, id ? (*id ? id : "") : "NULL", 0 ); + "slap_sasl_getdn: conn %d id=%s [len=%d]\n", + conn ? conn->c_connid : -1, id ? (*id ? id : "") : "NULL", len ); #else - Debug( LDAP_DEBUG_ARGS, "slap_sasl_getdn: id=%s\n", - id?(*id?id:""):"NULL",0,0 ); + Debug( LDAP_DEBUG_ARGS, "slap_sasl_getdn: id=%s [len=%d]\n", + id ? ( *id ? id : "" ) : "NULL", len, 0 ); #endif dn->bv_val = NULL; @@ -1583,7 +1564,7 @@ int slap_sasl_getdn( Connection *conn, char *id, int len, dn->bv_len = len; } } - if( !is_dn ) { + if( is_dn == SET_NONE ) { if( !strncasecmp( id, "u:", sizeof("u:")-1 )) { is_dn = SET_U; dn->bv_val = id+2; @@ -1596,7 +1577,7 @@ int slap_sasl_getdn( Connection *conn, char *id, int len, } /* No other possibilities from here */ - if( !is_dn ) { + if( is_dn == SET_NONE ) { dn->bv_val = NULL; dn->bv_len = 0; return( LDAP_INAPPROPRIATE_AUTH ); @@ -1658,6 +1639,13 @@ int slap_sasl_getdn( Connection *conn, char *id, int len, #else Debug( LDAP_DEBUG_TRACE, "getdn: u:id converted to %s\n", dn->bv_val,0,0 ); #endif + } else { + + /* Dup the DN in any case, so we don't risk + * leaks or dangling pointers later, + * and the DN value is '\0' terminated */ + ber_dupbv( &dn2, dn ); + dn->bv_val = dn2.bv_val; } /* All strings are in DN form now. Normalize if needed. */ @@ -1665,8 +1653,7 @@ int slap_sasl_getdn( Connection *conn, char *id, int len, rc = dnNormalize2( NULL, dn, &dn2 ); /* User DNs were constructed above and must be freed now */ - if ( is_dn == SET_U ) - ch_free( dn->bv_val ); + ch_free( dn->bv_val ); if ( rc != LDAP_SUCCESS ) { dn->bv_val = NULL;