X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fsasl.c;h=ec86ede0f1551a43b08257eef7b7fbbfd4e240ae;hb=e25f6ef0cdd1780577dffeaca8ba8b19b5697880;hp=aa06f29b5d4680984ff17cb5a059de4cfd309ca6;hpb=2231d5e64eb0647f1eea6f0fbb2c8dd7440c748d;p=openldap diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c index aa06f29b5d..ec86ede0f1 100644 --- a/servers/slapd/sasl.c +++ b/servers/slapd/sasl.c @@ -1,20 +1,20 @@ /* $OpenLDAP$ */ /* - * Copyright 1998-2000 The OpenLDAP Foundation, All Rights Reserved. + * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved. * COPYING RESTRICTIONS APPLY, see COPYRIGHT file */ #include "portable.h" -#include #include - -#include "slap.h" -#include "proto-slap.h" +#include +#include #include #include +#include "slap.h" + #ifdef HAVE_CYRUS_SASL #include #include @@ -25,8 +25,12 @@ #include #endif -static sasl_security_properties_t sasl_secprops; +/* Flags for telling slap_sasl_getdn() what type of identity is being passed */ +#define FLAG_GETDN_FINAL 1 +#define FLAG_GETDN_AUTHCID 2 +#define FLAG_GETDN_AUTHZID 4 +static sasl_security_properties_t sasl_secprops; static int slap_sasl_log( @@ -59,9 +63,17 @@ slap_sasl_log( return SASL_BADPARAM; } - Debug( level, "SASL [conn=%d] %s: %s\n", +#ifdef NEW_LOGGING + LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY, + "SASL [conn=%ld] %s: %s\n", + conn ? conn->c_connid : -1, + label, message )); +#else + Debug( level, "SASL [conn=%ld] %s: %s\n", conn ? conn->c_connid: -1, label, message ); +#endif + return SASL_OK; } @@ -75,61 +87,99 @@ slap_sasl_log( int slap_sasl_getdn( Connection *conn, char *id, char **dnptr, int flags ) { - char *c, *c1, *dn=NULL; - int rc, len, len1; + char *c=NULL, *c1, *dn=NULL; + int rc, len; sasl_conn_t *ctx; +#ifdef NEW_LOGGING + LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY, + "slap_sasl_getdn: conn %d id=%s\n", + conn ? conn->c_connid : -1, + id ? (*id ? id : "") : "NULL" )); +#else Debug( LDAP_DEBUG_ARGS, "slap_sasl_getdn: id=%s\n", id?(*id?id:""):"NULL",0,0 ); +#endif + /* Blatantly anonymous ID */ - len = strlen( "anonymous" ); - if( id && !strncasecmp( id, "anonymous", len) && - ( id[len] == '\0' || id[len] == '@' ) ) { + if( id && + ( id[sizeof( "anonymous" )-1] == '\0' + || id[sizeof( "anonymous" )-1] == '@' ) && + !strncasecmp( id, "anonymous", sizeof( "anonymous" )-1) ) { *dnptr = NULL; return( LDAP_SUCCESS ); } ctx = conn->c_sasl_context; - dn = ch_strdup( id ); len = strlen( id ); - /* An authcID will need to be prefixed with u: */ + /* An authcID needs to be converted to authzID form */ if( flags & FLAG_GETDN_AUTHCID ) { - dn = ch_realloc( dn, len+3 ); - memmove( dn+2, dn, len+1 ); - dn[0] = 'u'; - dn[1] = ':'; - len += 2; + if( sasl_external_x509dn_convert && conn->c_sasl_bind_mech + && ( strcasecmp( "EXTERNAL", conn->c_sasl_bind_mech ) == 0 ) + && len && id[0] == '/' /* && id[len-1]== '/' */) + { + /* check SASL external for X.509 style DN and */ + /* convert to dn: form */ + char *tmpdn = ldap_dcedn2dn( id ); + len = strlen( tmpdn ); + + dn = ch_malloc( len+4 ); + dn[0] = 'd'; + dn[1] = 'n'; + dn[2] = ':'; + AC_MEMCPY( &dn[3], tmpdn, len+1 ); + len += 3; + + } else { + /* convert to u: form */ + dn = ch_malloc( len+3 ); + dn[0] = 'u'; + dn[1] = ':'; + AC_MEMCPY( &dn[2], id, len+1 ); + len += 2; + } + } else { + dn = ch_strdup( id ); } /* An authzID must be properly prefixed */ - if( flags & FLAG_GETDN_AUTHZID && strncasecmp( dn, "u:", 2 ) && - strncasecmp( dn, "dn:", 3 ) ) { + if( flags & FLAG_GETDN_AUTHZID + && strncasecmp( dn, "u:", sizeof("u:")-1 ) + && strncasecmp( dn, "dn:", sizeof("dn:")-1 ) ) + { ch_free( dn ); *dnptr = NULL; return( LDAP_INAPPROPRIATE_AUTH ); } /* Username strings */ - len1 = strlen( ",cn=authzid" ); - if( !strncasecmp( dn, "u:", 2 ) ) { - len += strlen( "dn:uid=" ) + len1; + if( !strncasecmp( dn, "u:", sizeof("u:")-1 ) ) { + len += (sizeof("dn:uid=")-1) + (sizeof(",cn=auth")-1); /* Figure out how much data we have for the dn */ rc = sasl_getprop( ctx, SASL_REALM, (void **)&c ); - if( rc != SASL_OK ) { + if( rc != SASL_OK && rc != SASL_NOTDONE ) { +#ifdef NEW_LOGGING + LDAP_LOG(( "sasl", LDAP_LEVEL_ERR, + "slap_sasl_getdn: getprop(REALM) failed.\n" )); +#else Debug(LDAP_DEBUG_TRACE, "getdn: getprop(REALM) failed!\n", 0,0,0); +#endif + ch_free( dn ); *dnptr = NULL; return( LDAP_OPERATIONS_ERROR ); } - if( c ) { - len += strlen( c ) + strlen(",cn=" ); + + if( c && *c ) { + len += strlen( c ) + (sizeof(",cn=")-1); } + if( conn->c_sasl_bind_mech ) { - len += strlen( conn->c_sasl_bind_mech ) + strlen( ",cn=mech" ); + len += strlen( conn->c_sasl_bind_mech ) + (sizeof(",cn=")-1); } /* Build the new dn */ @@ -144,30 +194,45 @@ int slap_sasl_getdn( Connection *conn, char *id, char **dnptr, int flags ) if( conn->c_sasl_bind_mech ) { len += sprintf( dn+len, ",cn=%s", conn->c_sasl_bind_mech ); } - strcpy( dn+len, ",cn=authzid" ); - len += len1; + strcpy( dn+len, ",cn=auth" ); + len += (sizeof(",cn=auth")-1); + +#ifdef NEW_LOGGING + LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY, + "slap_sasl_getdn: u:id converted to %s.\n", dn )); +#else Debug( LDAP_DEBUG_TRACE, "getdn: u:id converted to %s\n", dn,0,0 ); +#endif } - /* DN strings that are a cn=authzid identity to run through regexp */ - if( !strncasecmp( dn, "dn:", 3) && ( ( flags & FLAG_GETDN_FINAL ) == 0 ) ) { - c1 = slap_sasl2dn( dn + 3 ); + /* DN strings that are a cn=auth identity to run through regexp */ + if( !strncasecmp( dn, "dn:", sizeof("dn:")-1) && + ( ( flags & FLAG_GETDN_FINAL ) == 0 ) ) + { + c1 = slap_sasl2dn( dn + (sizeof("dn:")-1) ); if( c1 ) { ch_free( dn ); dn = c1; /* Reaffix the dn: prefix if it was removed */ - if( strncasecmp( dn, "dn:", 3) ) { + if( strncasecmp( dn, "dn:", sizeof("dn:")-1) ) { c1 = dn; - dn = ch_malloc( strlen( c1 ) + 4 ); + dn = ch_malloc( strlen( c1 ) + sizeof("dn:") ); sprintf( dn, "dn:%s", c1 ); ch_free( c1 ); } - Debug( LDAP_DEBUG_TRACE, "getdn: dn:id converted to %s\n", dn,0,0 ); + +#ifdef NEW_LOGGING + LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY, + "slap_sasl_getdn: dn:id converted to %s.\n", dn )); +#else + Debug( LDAP_DEBUG_TRACE, "getdn: dn:id converted to %s\n", + dn, 0, 0 ); +#endif } } - if( ( flags & FLAG_GETDN_FINAL ) == 0 ) { - dn_normalize( dn ); + if( ( flags & FLAG_GETDN_FINAL ) == 0 ) { + dn_normalize( dn+(sizeof("dn:")-1) ); } *dnptr = dn; @@ -190,11 +255,20 @@ slap_sasl_authorize( *user = NULL; +#ifdef NEW_LOGGING + LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY, + "slap_sas_authorize: conn %d authcid=\"%s\" authzid=\"%s\"\n", + conn ? conn->c_connid : -1, + authcid ? authcid : "", + authzid ? authzid : "" )); +#else Debug( LDAP_DEBUG_ARGS, "SASL Authorize [conn=%ld]: " "authcid=\"%s\" authzid=\"%s\"\n", (long) (conn ? conn->c_connid : -1), authcid ? authcid : "", authzid ? authzid : "" ); +#endif + /* Convert the identities to DN's. If no authzid was given, client will be bound as the DN matching their username */ @@ -204,8 +278,15 @@ slap_sasl_authorize( return SASL_NOAUTHZ; } if( ( authzid == NULL ) || !strcmp( authcid,authzid ) ) { +#ifdef NEW_LOGGING + LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY, + "slap_sasl_authorize: conn %d Using authcDN=%s\n", + conn ? conn->c_connid : -1, authcDN )); +#else Debug( LDAP_DEBUG_TRACE, "SASL Authorize [conn=%ld]: " "Using authcDN=%s\n", (long) (conn ? conn->c_connid : -1), authcDN,0 ); +#endif + *user = authcDN; *errstr = NULL; return SASL_OK; @@ -219,18 +300,32 @@ slap_sasl_authorize( rc = slap_sasl_authorized( authcDN, authzDN ); if( rc ) { +#ifdef NEW_LOGGING + LDAP_LOG(( "sasl", LDAP_LEVEL_INFO, + "slap_sasl_authorize: conn %ld authorization disallowed (%d)\n", + (long)(conn ? conn->c_connid : -1), rc )); +#else Debug( LDAP_DEBUG_TRACE, "SASL Authorize [conn=%ld]: " " authorization disallowed (%d)\n", (long) (conn ? conn->c_connid : -1), rc, 0 ); +#endif + *errstr = "not authorized"; ch_free( authcDN ); ch_free( authzDN ); return SASL_NOAUTHZ; } +#ifdef NEW_LOGGING + LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY, + "slap_sasl_authorize: conn %d authorization allowed\n", + (long)(conn ? conn->c_connid : -1 ) )); +#else Debug( LDAP_DEBUG_TRACE, "SASL Authorize [conn=%ld]: " " authorization allowed\n", (long) (conn ? conn->c_connid : -1), 0, 0 ); +#endif + ch_free( authcDN ); *user = authzDN; @@ -303,13 +398,25 @@ int slap_sasl_init( void ) rc = sasl_server_init( server_callbacks, "slapd" ); if( rc != SASL_OK ) { +#ifdef NEW_LOGGING + LDAP_LOG(( "sasl", LDAP_LEVEL_INFO, + "slap_sasl_init: init failed.\n" )); +#else Debug( LDAP_DEBUG_ANY, "sasl_server_init failed\n", 0, 0, 0 ); +#endif + return -1; } +#ifdef NEW_LOGGING + LDAP_LOG(( "sasl", LDAP_LEVEL_INFO, + "slap_sasl_init: initialized!\n")); +#else Debug( LDAP_DEBUG_TRACE, "slap_sasl_init: initialized!\n", 0, 0, 0 ); +#endif + /* default security properties */ memset( &sasl_secprops, '\0', sizeof(sasl_secprops) ); @@ -326,6 +433,9 @@ int slap_sasl_destroy( void ) #ifdef HAVE_CYRUS_SASL sasl_done(); #endif + free( global_host ); + global_host = NULL; + return 0; } @@ -367,8 +477,14 @@ int slap_sasl_open( Connection *conn ) session_callbacks, SASL_SECURITY_LAYER, &ctx ); if( sc != SASL_OK ) { +#ifdef NEW_LOGGING + LDAP_LOG(( "sasl", LDAP_LEVEL_ERR, + "slap_sasl_open: sasl_server_new failed: %d\n", sc )); +#else Debug( LDAP_DEBUG_ANY, "sasl_server_new failed: %d\n", sc, 0, 0 ); +#endif + return -1; } @@ -379,8 +495,14 @@ int slap_sasl_open( Connection *conn ) SASL_SEC_PROPS, &sasl_secprops ); if( sc != SASL_OK ) { +#ifdef NEW_LOGGING + LDAP_LOG(( "sasl", LDAP_LEVEL_ERR, + "slap_sasl_open: sasl_setprop failed: %d \n", sc )); +#else Debug( LDAP_DEBUG_ANY, "sasl_setprop failed: %d\n", sc, 0, 0 ); +#endif + slap_sasl_close( conn ); return -1; } @@ -448,8 +570,14 @@ char ** slap_sasl_mechs( Connection *conn ) &mechstr, NULL, NULL ); if( sc != SASL_OK ) { +#ifdef NEW_LOGGING + LDAP_LOG(( "sasl", LDAP_LEVEL_ERR, + "slap_sasl_mechs: sasl_listmech failed: %d\n", sc )); +#else Debug( LDAP_DEBUG_ANY, "slap_sasl_listmech failed: %d\n", sc, 0, 0 ); +#endif + return NULL; } @@ -481,27 +609,38 @@ int slap_sasl_close( Connection *conn ) } int slap_sasl_bind( - Connection *conn, - Operation *op, - const char *dn, - const char *ndn, - struct berval *cred, - char **edn, - slap_ssf_t *ssfp ) + Connection *conn, + Operation *op, + struct berval *dn, + struct berval *ndn, + struct berval *cred, + char **edn, + slap_ssf_t *ssfp ) { int rc = 1; #ifdef HAVE_CYRUS_SASL sasl_conn_t *ctx = conn->c_sasl_context; struct berval response; - unsigned reslen; + unsigned reslen = 0; const char *errstr; int sc; +#ifdef NEW_LOGGING + LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY, + "sasl_bind: conn %ld dn=\"%s\" mech=%s datalen=%ld\n", + conn->c_connid, + dn->bv_len ? dn->bv_val : "", + conn->c_sasl_bind_in_progress ? "" : conn->c_sasl_bind_mech, + cred ? cred->bv_len : 0 )); +#else Debug(LDAP_DEBUG_ARGS, - "==> sasl_bind: dn=\"%s\" mech=%s datalen=%d\n", dn, - conn->c_sasl_bind_in_progress ? "":conn->c_sasl_bind_mech, - cred ? cred->bv_len : 0 ); + "==> sasl_bind: dn=\"%s\" mech=%s datalen=%ld\n", + dn->bv_len ? dn->bv_val : "", + conn->c_sasl_bind_in_progress ? "":conn->c_sasl_bind_mech, + cred ? cred->bv_len : 0 ); +#endif + if( ctx == NULL ) { send_ldap_result( conn, op, LDAP_UNAVAILABLE, @@ -512,7 +651,8 @@ int slap_sasl_bind( if ( !conn->c_sasl_bind_in_progress ) { sc = sasl_server_start( ctx, conn->c_sasl_bind_mech, - cred->bv_val, cred->bv_len, + cred->bv_len ? cred->bv_val : "", + cred->bv_len, (char **)&response.bv_val, &reslen, &errstr ); } else { @@ -530,9 +670,15 @@ int slap_sasl_bind( SASL_USERNAME, (void **)&username ); if ( sc != SASL_OK ) { +#ifdef NEW_LOGGING + LDAP_LOG(( "sasl", LDAP_LEVEL_ERR, + "slap_sasl_bind: getprop(USERNAME) failed: %d\n", sc )); +#else Debug(LDAP_DEBUG_TRACE, "slap_sasl_bind: getprop(USERNAME) failed!\n", 0, 0, 0); +#endif + send_ldap_result( conn, op, rc = slap_sasl_err2ldap( sc ), NULL, "no SASL username", NULL, NULL ); @@ -580,7 +726,17 @@ int slap_sasl_bind( NULL, errstr, NULL, NULL ); } + if( response.bv_len ) { + ch_free( response.bv_val ); + } + +#ifdef NEW_LOGGING + LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY, + "slap_sasl_bind: rc=%d\n", rc )); +#else Debug(LDAP_DEBUG_TRACE, "<== slap_sasl_bind: rc=%d\n", rc, 0, 0); +#endif + #else send_ldap_result( conn, op, rc = LDAP_UNAVAILABLE,