X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fsasl.c;h=fe748bc3b518c5ab3d0c967ae3c5a8bd35a7d22c;hb=8558b8808e7e8deba617908eed99a8213f1bc405;hp=3430d4ee68015ff84a10df9ab195a4f5fbb0e136;hpb=3099d89d9eb1f0d043e8ce127c7342d19ffd58cf;p=openldap

diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c
index 3430d4ee68..fe748bc3b5 100644
--- a/servers/slapd/sasl.c
+++ b/servers/slapd/sasl.c
@@ -818,17 +818,24 @@ slap_sasl_canonicalize(
 	if ( auxvals[which].values )
 		goto done;
 
-	if ( flags == SASL_CU_AUTHZID ) {
-	/* If we got unqualified authzid's, they probably came from SASL
-	 * itself just passing the authcid to us. Look inside the oparams
-	 * structure to see if that's true. (HACK: the out_len pointer is
-	 * the address of a member of a sasl_out_params_t structure...)
+	/* Normally we require an authzID to have a u: or dn: prefix.
+	 * However, SASL frequently gives us an authzID that is just
+	 * an exact copy of the authcID, without a prefix. We need to
+	 * detect and allow this condition. If SASL calls canonicalize
+	 * with SASL_CU_AUTHID|SASL_CU_AUTHZID this is a no-brainer.
+	 * But if it's broken into two calls, we need to remember the
+	 * authcID so that we can compare the authzID later. We store
+	 * the authcID temporarily in conn->c_sasl_dn. We necessarily
+	 * finish Canonicalizing before Authorizing, so there is no
+	 * conflict with slap_sasl_authorize's use of this temp var.
 	 */
-		sasl_out_params_t dummy;
-		int offset = (void *)&dummy.ulen - (void *)&dummy.authid;
-		char **authid = (void *)out_len - offset;
-		if ( *authid && !strcmp( in, *authid ) )
-			goto done;
+	if ( flags == SASL_CU_AUTHID ) {
+		conn->c_sasl_dn.bv_val = (char *) in;
+	} else if ( flags == SASL_CU_AUTHZID && conn->c_sasl_dn.bv_val ) {
+		rc = strcmp( in, conn->c_sasl_dn.bv_val );
+		conn->c_sasl_dn.bv_val = NULL;
+		/* They were equal, no work needed */
+		if ( !rc ) goto done;
 	}
 
 	rc = slap_sasl_getdn( conn, (char *)in, inlen, (char *)user_realm, &dn,