X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fsasl.c;h=ec86ede0f1551a43b08257eef7b7fbbfd4e240ae;hb=e25f6ef0cdd1780577dffeaca8ba8b19b5697880;hp=01018aa80973d54eec0c0feb91f9986d45561a8a;hpb=5fc22599e2e875c9620b63fbf465273fba3c378f;p=openldap diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c index 01018aa809..ec86ede0f1 100644 --- a/servers/slapd/sasl.c +++ b/servers/slapd/sasl.c @@ -1,20 +1,20 @@ /* $OpenLDAP$ */ /* - * Copyright 1998-2000 The OpenLDAP Foundation, All Rights Reserved. + * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved. * COPYING RESTRICTIONS APPLY, see COPYRIGHT file */ #include "portable.h" -#include #include - -#include "slap.h" -#include "proto-slap.h" +#include +#include #include #include +#include "slap.h" + #ifdef HAVE_CYRUS_SASL #include #include @@ -25,9 +25,315 @@ #include #endif -static char *sasl_host = NULL; +/* Flags for telling slap_sasl_getdn() what type of identity is being passed */ +#define FLAG_GETDN_FINAL 1 +#define FLAG_GETDN_AUTHCID 2 +#define FLAG_GETDN_AUTHZID 4 + static sasl_security_properties_t sasl_secprops; +static int +slap_sasl_log( + void *context, + int priority, + const char *message) +{ + Connection *conn = context; + int level; + const char * label; + + if ( message == NULL ) { + return SASL_BADPARAM; + } + + switch (priority) { + case SASL_LOG_ERR: + level = LDAP_DEBUG_ANY; + label = "Error"; + break; + case SASL_LOG_WARNING: + level = LDAP_DEBUG_TRACE; + label = "Warning"; + break; + case SASL_LOG_INFO: + level = LDAP_DEBUG_TRACE; + label = "Info"; + break; + default: + return SASL_BADPARAM; + } + +#ifdef NEW_LOGGING + LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY, + "SASL [conn=%ld] %s: %s\n", + conn ? conn->c_connid : -1, + label, message )); +#else + Debug( level, "SASL [conn=%ld] %s: %s\n", + conn ? conn->c_connid: -1, + label, message ); +#endif + + + return SASL_OK; +} + + +/* Take any sort of identity string and return a DN with the "dn:" prefix. The + string returned in *dnptr is in its own allocated memory, and must be free'd + by the calling process. + -Mark Adamson, Carnegie Mellon +*/ + +int slap_sasl_getdn( Connection *conn, char *id, char **dnptr, int flags ) +{ + char *c=NULL, *c1, *dn=NULL; + int rc, len; + sasl_conn_t *ctx; + + +#ifdef NEW_LOGGING + LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY, + "slap_sasl_getdn: conn %d id=%s\n", + conn ? conn->c_connid : -1, + id ? (*id ? id : "") : "NULL" )); +#else + Debug( LDAP_DEBUG_ARGS, "slap_sasl_getdn: id=%s\n", + id?(*id?id:""):"NULL",0,0 ); +#endif + + + /* Blatantly anonymous ID */ + if( id && + ( id[sizeof( "anonymous" )-1] == '\0' + || id[sizeof( "anonymous" )-1] == '@' ) && + !strncasecmp( id, "anonymous", sizeof( "anonymous" )-1) ) { + *dnptr = NULL; + return( LDAP_SUCCESS ); + } + ctx = conn->c_sasl_context; + len = strlen( id ); + + /* An authcID needs to be converted to authzID form */ + if( flags & FLAG_GETDN_AUTHCID ) { + if( sasl_external_x509dn_convert && conn->c_sasl_bind_mech + && ( strcasecmp( "EXTERNAL", conn->c_sasl_bind_mech ) == 0 ) + && len && id[0] == '/' /* && id[len-1]== '/' */) + { + /* check SASL external for X.509 style DN and */ + /* convert to dn: form */ + char *tmpdn = ldap_dcedn2dn( id ); + len = strlen( tmpdn ); + + dn = ch_malloc( len+4 ); + dn[0] = 'd'; + dn[1] = 'n'; + dn[2] = ':'; + AC_MEMCPY( &dn[3], tmpdn, len+1 ); + len += 3; + + } else { + /* convert to u: form */ + dn = ch_malloc( len+3 ); + dn[0] = 'u'; + dn[1] = ':'; + AC_MEMCPY( &dn[2], id, len+1 ); + len += 2; + } + } else { + dn = ch_strdup( id ); + } + + /* An authzID must be properly prefixed */ + if( flags & FLAG_GETDN_AUTHZID + && strncasecmp( dn, "u:", sizeof("u:")-1 ) + && strncasecmp( dn, "dn:", sizeof("dn:")-1 ) ) + { + ch_free( dn ); + *dnptr = NULL; + return( LDAP_INAPPROPRIATE_AUTH ); + } + + /* Username strings */ + if( !strncasecmp( dn, "u:", sizeof("u:")-1 ) ) { + len += (sizeof("dn:uid=")-1) + (sizeof(",cn=auth")-1); + + /* Figure out how much data we have for the dn */ + rc = sasl_getprop( ctx, SASL_REALM, (void **)&c ); + if( rc != SASL_OK && rc != SASL_NOTDONE ) { +#ifdef NEW_LOGGING + LDAP_LOG(( "sasl", LDAP_LEVEL_ERR, + "slap_sasl_getdn: getprop(REALM) failed.\n" )); +#else + Debug(LDAP_DEBUG_TRACE, + "getdn: getprop(REALM) failed!\n", 0,0,0); +#endif + + ch_free( dn ); + *dnptr = NULL; + return( LDAP_OPERATIONS_ERROR ); + } + + if( c && *c ) { + len += strlen( c ) + (sizeof(",cn=")-1); + } + + if( conn->c_sasl_bind_mech ) { + len += strlen( conn->c_sasl_bind_mech ) + (sizeof(",cn=")-1); + } + + /* Build the new dn */ + c1 = dn; + dn = ch_malloc( len ); + len = sprintf( dn, "dn:uid=%s", c1+2 ); + ch_free( c1 ); + + if( c ) { + len += sprintf( dn+len, ",cn=%s", c ); + } + if( conn->c_sasl_bind_mech ) { + len += sprintf( dn+len, ",cn=%s", conn->c_sasl_bind_mech ); + } + strcpy( dn+len, ",cn=auth" ); + len += (sizeof(",cn=auth")-1); + +#ifdef NEW_LOGGING + LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY, + "slap_sasl_getdn: u:id converted to %s.\n", dn )); +#else + Debug( LDAP_DEBUG_TRACE, "getdn: u:id converted to %s\n", dn,0,0 ); +#endif + } + + /* DN strings that are a cn=auth identity to run through regexp */ + if( !strncasecmp( dn, "dn:", sizeof("dn:")-1) && + ( ( flags & FLAG_GETDN_FINAL ) == 0 ) ) + { + c1 = slap_sasl2dn( dn + (sizeof("dn:")-1) ); + if( c1 ) { + ch_free( dn ); + dn = c1; + /* Reaffix the dn: prefix if it was removed */ + if( strncasecmp( dn, "dn:", sizeof("dn:")-1) ) { + c1 = dn; + dn = ch_malloc( strlen( c1 ) + sizeof("dn:") ); + sprintf( dn, "dn:%s", c1 ); + ch_free( c1 ); + } + +#ifdef NEW_LOGGING + LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY, + "slap_sasl_getdn: dn:id converted to %s.\n", dn )); +#else + Debug( LDAP_DEBUG_TRACE, "getdn: dn:id converted to %s\n", + dn, 0, 0 ); +#endif + } + } + + if( ( flags & FLAG_GETDN_FINAL ) == 0 ) { + dn_normalize( dn+(sizeof("dn:")-1) ); + } + + *dnptr = dn; + return( LDAP_SUCCESS ); +} + + + +static int +slap_sasl_authorize( + void *context, + const char *authcid, + const char *authzid, + const char **user, + const char **errstr) +{ + char *authcDN, *authzDN; + int rc; + Connection *conn = context; + + *user = NULL; + +#ifdef NEW_LOGGING + LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY, + "slap_sas_authorize: conn %d authcid=\"%s\" authzid=\"%s\"\n", + conn ? conn->c_connid : -1, + authcid ? authcid : "", + authzid ? authzid : "" )); +#else + Debug( LDAP_DEBUG_ARGS, "SASL Authorize [conn=%ld]: " + "authcid=\"%s\" authzid=\"%s\"\n", + (long) (conn ? conn->c_connid : -1), + authcid ? authcid : "", + authzid ? authzid : "" ); +#endif + + + /* Convert the identities to DN's. If no authzid was given, client will + be bound as the DN matching their username */ + rc = slap_sasl_getdn( conn, (char *)authcid, &authcDN, FLAG_GETDN_AUTHCID ); + if( rc != LDAP_SUCCESS ) { + *errstr = ldap_err2string( rc ); + return SASL_NOAUTHZ; + } + if( ( authzid == NULL ) || !strcmp( authcid,authzid ) ) { +#ifdef NEW_LOGGING + LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY, + "slap_sasl_authorize: conn %d Using authcDN=%s\n", + conn ? conn->c_connid : -1, authcDN )); +#else + Debug( LDAP_DEBUG_TRACE, "SASL Authorize [conn=%ld]: " + "Using authcDN=%s\n", (long) (conn ? conn->c_connid : -1), authcDN,0 ); +#endif + + *user = authcDN; + *errstr = NULL; + return SASL_OK; + } + rc = slap_sasl_getdn( conn, (char *)authzid, &authzDN, FLAG_GETDN_AUTHZID ); + if( rc != LDAP_SUCCESS ) { + ch_free( authcDN ); + *errstr = ldap_err2string( rc ); + return SASL_NOAUTHZ; + } + + rc = slap_sasl_authorized( authcDN, authzDN ); + if( rc ) { +#ifdef NEW_LOGGING + LDAP_LOG(( "sasl", LDAP_LEVEL_INFO, + "slap_sasl_authorize: conn %ld authorization disallowed (%d)\n", + (long)(conn ? conn->c_connid : -1), rc )); +#else + Debug( LDAP_DEBUG_TRACE, "SASL Authorize [conn=%ld]: " + " authorization disallowed (%d)\n", + (long) (conn ? conn->c_connid : -1), rc, 0 ); +#endif + + *errstr = "not authorized"; + ch_free( authcDN ); + ch_free( authzDN ); + return SASL_NOAUTHZ; + } + +#ifdef NEW_LOGGING + LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY, + "slap_sasl_authorize: conn %d authorization allowed\n", + (long)(conn ? conn->c_connid : -1 ) )); +#else + Debug( LDAP_DEBUG_TRACE, "SASL Authorize [conn=%ld]: " + " authorization allowed\n", + (long) (conn ? conn->c_connid : -1), 0, 0 ); +#endif + + + ch_free( authcDN ); + *user = authzDN; + *errstr = NULL; + return SASL_OK; +} + + static int slap_sasl_err2ldap( int saslerr ) { @@ -70,8 +376,8 @@ int slap_sasl_init( void ) { #ifdef HAVE_CYRUS_SASL int rc; - sasl_conn_t *server = NULL; static sasl_callback_t server_callbacks[] = { + { SASL_CB_LOG, &slap_sasl_log, NULL }, { SASL_CB_LIST_END, NULL, NULL } }; @@ -92,48 +398,44 @@ int slap_sasl_init( void ) rc = sasl_server_init( server_callbacks, "slapd" ); if( rc != SASL_OK ) { +#ifdef NEW_LOGGING + LDAP_LOG(( "sasl", LDAP_LEVEL_INFO, + "slap_sasl_init: init failed.\n" )); +#else Debug( LDAP_DEBUG_ANY, "sasl_server_init failed\n", 0, 0, 0 ); +#endif + return -1; } - if( sasl_host == NULL ) { - static char hostname[MAXHOSTNAMELEN+1]; - - if( gethostname( hostname, MAXHOSTNAMELEN ) == 0 ) { - hostname[MAXHOSTNAMELEN] = '\0'; - sasl_host = hostname; - } - } +#ifdef NEW_LOGGING + LDAP_LOG(( "sasl", LDAP_LEVEL_INFO, + "slap_sasl_init: initialized!\n")); +#else + Debug( LDAP_DEBUG_TRACE, "slap_sasl_init: initialized!\n", + 0, 0, 0 ); +#endif - Debug( LDAP_DEBUG_TRACE, - "slap_sasl_init: %s initialized!\n", - sasl_host, 0, 0 ); /* default security properties */ memset( &sasl_secprops, '\0', sizeof(sasl_secprops) ); - sasl_secprops.max_ssf = UINT_MAX; + sasl_secprops.max_ssf = INT_MAX; sasl_secprops.maxbufsize = 65536; sasl_secprops.security_flags = SASL_SEC_NOPLAINTEXT|SASL_SEC_NOANONYMOUS; - -#ifdef SLAPD_SPASSWD - lutil_passwd_sasl_conn = server; -#else - sasl_dispose( &server ); #endif -#endif return 0; } int slap_sasl_destroy( void ) { #ifdef HAVE_CYRUS_SASL -#ifdef SLAPD_SPASSWD - sasl_dispose( &lutil_passwd_sasl_conn ); -#endif sasl_done(); #endif + free( global_host ); + global_host = NULL; + return 0; } @@ -143,20 +445,46 @@ int slap_sasl_open( Connection *conn ) #ifdef HAVE_CYRUS_SASL sasl_conn_t *ctx = NULL; + sasl_callback_t *session_callbacks; - /* create new SASL context */ - sc = sasl_server_new( "ldap", sasl_host, global_realm, NULL, -#ifdef LDAP_SASL_SECURITY_LAYER - SASL_SECURITY_LAYER, -#else - 0, -#endif - &ctx ); + assert( conn->c_sasl_context == NULL ); + assert( conn->c_sasl_extra == NULL ); + + conn->c_sasl_layers = 0; + + session_callbacks = + ch_calloc( 3, sizeof(sasl_callback_t)); + conn->c_sasl_extra = session_callbacks; + + session_callbacks[0].id = SASL_CB_LOG; + session_callbacks[0].proc = &slap_sasl_log; + session_callbacks[0].context = conn; + + session_callbacks[1].id = SASL_CB_PROXY_POLICY; + session_callbacks[1].proc = &slap_sasl_authorize; + session_callbacks[1].context = conn; + + session_callbacks[2].id = SASL_CB_LIST_END; + session_callbacks[2].proc = NULL; + session_callbacks[2].context = NULL; + if( global_host == NULL ) { + global_host = ldap_pvt_get_fqdn( NULL ); + } + + /* create new SASL context */ + sc = sasl_server_new( "ldap", global_host, global_realm, + session_callbacks, SASL_SECURITY_LAYER, &ctx ); if( sc != SASL_OK ) { +#ifdef NEW_LOGGING + LDAP_LOG(( "sasl", LDAP_LEVEL_ERR, + "slap_sasl_open: sasl_server_new failed: %d\n", sc )); +#else Debug( LDAP_DEBUG_ANY, "sasl_server_new failed: %d\n", sc, 0, 0 ); +#endif + return -1; } @@ -167,8 +495,14 @@ int slap_sasl_open( Connection *conn ) SASL_SEC_PROPS, &sasl_secprops ); if( sc != SASL_OK ) { +#ifdef NEW_LOGGING + LDAP_LOG(( "sasl", LDAP_LEVEL_ERR, + "slap_sasl_open: sasl_setprop failed: %d \n", sc )); +#else Debug( LDAP_DEBUG_ANY, "sasl_setprop failed: %d\n", sc, 0, 0 ); +#endif + slap_sasl_close( conn ); return -1; } @@ -181,8 +515,8 @@ int slap_sasl_open( Connection *conn ) int slap_sasl_external( Connection *conn, - unsigned ssf, - char *auth_id ) + slap_ssf_t ssf, + const char *auth_id ) { #ifdef HAVE_CYRUS_SASL int sc; @@ -193,9 +527,9 @@ int slap_sasl_external( return LDAP_UNAVAILABLE; } - memset( &extprops, 0L, sizeof(extprops) ); + memset( &extprops, '\0', sizeof(extprops) ); extprops.ssf = ssf; - extprops.auth_id = auth_id; + extprops.auth_id = (char *) auth_id; sc = sasl_setprop( ctx, SASL_SSF_EXTERNAL, (void *) &extprops ); @@ -236,8 +570,14 @@ char ** slap_sasl_mechs( Connection *conn ) &mechstr, NULL, NULL ); if( sc != SASL_OK ) { +#ifdef NEW_LOGGING + LDAP_LOG(( "sasl", LDAP_LEVEL_ERR, + "slap_sasl_mechs: sasl_listmech failed: %d\n", sc )); +#else Debug( LDAP_DEBUG_ANY, "slap_sasl_listmech failed: %d\n", sc, 0, 0 ); +#endif + return NULL; } @@ -260,31 +600,47 @@ int slap_sasl_close( Connection *conn ) } conn->c_sasl_context = NULL; + + free( conn->c_sasl_extra ); + conn->c_sasl_extra = NULL; #endif + return LDAP_SUCCESS; } int slap_sasl_bind( - Connection *conn, - Operation *op, - const char *dn, - const char *ndn, - const char *mech, - struct berval *cred, - char **edn ) + Connection *conn, + Operation *op, + struct berval *dn, + struct berval *ndn, + struct berval *cred, + char **edn, + slap_ssf_t *ssfp ) { int rc = 1; #ifdef HAVE_CYRUS_SASL sasl_conn_t *ctx = conn->c_sasl_context; struct berval response; - unsigned reslen; + unsigned reslen = 0; const char *errstr; int sc; +#ifdef NEW_LOGGING + LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY, + "sasl_bind: conn %ld dn=\"%s\" mech=%s datalen=%ld\n", + conn->c_connid, + dn->bv_len ? dn->bv_val : "", + conn->c_sasl_bind_in_progress ? "" : conn->c_sasl_bind_mech, + cred ? cred->bv_len : 0 )); +#else Debug(LDAP_DEBUG_ARGS, - "==> sasl_bind: dn=\"%s\" mech=%s cred->bv_len=%d\n", - dn, mech, cred ? cred->bv_len : 0 ); + "==> sasl_bind: dn=\"%s\" mech=%s datalen=%ld\n", + dn->bv_len ? dn->bv_val : "", + conn->c_sasl_bind_in_progress ? "":conn->c_sasl_bind_mech, + cred ? cred->bv_len : 0 ); +#endif + if( ctx == NULL ) { send_ldap_result( conn, op, LDAP_UNAVAILABLE, @@ -292,10 +648,11 @@ int slap_sasl_bind( return rc; } - if ( mech != NULL ) { + if ( !conn->c_sasl_bind_in_progress ) { sc = sasl_server_start( ctx, - mech, - cred->bv_val, cred->bv_len, + conn->c_sasl_bind_mech, + cred->bv_len ? cred->bv_val : "", + cred->bv_len, (char **)&response.bv_val, &reslen, &errstr ); } else { @@ -313,75 +670,73 @@ int slap_sasl_bind( SASL_USERNAME, (void **)&username ); if ( sc != SASL_OK ) { +#ifdef NEW_LOGGING + LDAP_LOG(( "sasl", LDAP_LEVEL_ERR, + "slap_sasl_bind: getprop(USERNAME) failed: %d\n", sc )); +#else Debug(LDAP_DEBUG_TRACE, "slap_sasl_bind: getprop(USERNAME) failed!\n", 0, 0, 0); +#endif - send_ldap_result( conn, op, rc = slap_sasl_err2ldap( sc ), - NULL, "no SASL username", NULL, NULL ); - - } else if ( username == NULL || *username == '\0' ) { - Debug(LDAP_DEBUG_TRACE, - "slap_sasl_bind: getprop(USERNAME) returned NULL!\n", - 0, 0, 0); - send_ldap_result( conn, op, rc = LDAP_INSUFFICIENT_ACCESS, + send_ldap_result( conn, op, rc = slap_sasl_err2ldap( sc ), NULL, "no SASL username", NULL, NULL ); } else { - char *realm = NULL; - sasl_ssf_t ssf = 0; - - (void) sasl_getprop( ctx, - SASL_REALM, (void **)&realm ); + rc = slap_sasl_getdn( conn, username, edn, FLAG_GETDN_FINAL ); + + if( rc == LDAP_SUCCESS ) { + int i; + sasl_ssf_t *ssf = NULL; + (void) sasl_getprop( ctx, SASL_SSF, (void *)&ssf ); + *ssfp = ssf ? *ssf : 0; + + if( *ssfp ) { + ldap_pvt_thread_mutex_lock( &conn->c_mutex ); + conn->c_sasl_layers++; + ldap_pvt_thread_mutex_unlock( &conn->c_mutex ); + } - (void) sasl_getprop( ctx, - SASL_SSF, (void *)&ssf ); + /* Store the authorization DN as a subjectDN */ + if ( *edn ) { + i = 2; + do { + i++; + (*edn)[i-3] = (*edn)[i]; + } while( (*edn)[i] ); + } - Debug(LDAP_DEBUG_TRACE, - "slap_sasl_bind: username=\"%s\" realm=\"%s\" ssf=%lu\n", - username ? username : "", - realm ? realm : "", - (unsigned long) ssf ); - - if( !strncasecmp( username, "anonymous", sizeof("anonyous")-1 ) && - ( ( username[sizeof("anonymous")] == '\0' ) || - ( username[sizeof("anonymous")] == '@' ) ) ) - { - Debug(LDAP_DEBUG_TRACE, "<== slap_sasl_bind: anonymous\n", - 0, 0, 0); + send_ldap_sasl( conn, op, rc, + NULL, NULL, NULL, NULL, + response.bv_len ? &response : NULL ); } else { - *edn = ch_malloc( sizeof( "uid= + realm=" ) - + ( username ? strlen( username ) : 0 ) - + ( realm ? strlen( realm ) : 0 ) ); - - strcpy( *edn, "uid=" ); - strcat( *edn, username ); - - if( realm && *realm ) { - strcat( *edn, " + realm=" ); - strcat( *edn, realm ); - } - - Debug(LDAP_DEBUG_TRACE, "<== slap_sasl_bind: authzdn: \"%s\"\n", - *edn, 0, 0); + send_ldap_result( conn, op, rc, + NULL, errstr, NULL, NULL ); } - - send_ldap_sasl( conn, op, rc = LDAP_SUCCESS, - NULL, NULL, NULL, NULL, &response ); } } else if ( sc == SASL_CONTINUE ) { send_ldap_sasl( conn, op, rc = LDAP_SASL_BIND_IN_PROGRESS, - NULL, NULL, NULL, NULL, &response ); + NULL, NULL, NULL, NULL, &response ); } else { send_ldap_result( conn, op, rc = slap_sasl_err2ldap( sc ), NULL, errstr, NULL, NULL ); } + if( response.bv_len ) { + ch_free( response.bv_val ); + } + +#ifdef NEW_LOGGING + LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY, + "slap_sasl_bind: rc=%d\n", rc )); +#else Debug(LDAP_DEBUG_TRACE, "<== slap_sasl_bind: rc=%d\n", rc, 0, 0); +#endif + #else send_ldap_result( conn, op, rc = LDAP_UNAVAILABLE,