X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fsasl.c;h=fe748bc3b518c5ab3d0c967ae3c5a8bd35a7d22c;hb=956f1d16aa522da6f6506d9c8fe9ce0d9867678a;hp=807418a558051e362f763319a7a85e2db7b0bd45;hpb=379f84ba474c0b9c1e2b94c8dadf16b6f11948d6;p=openldap diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c index 807418a558..fe748bc3b5 100644 --- a/servers/slapd/sasl.c +++ b/servers/slapd/sasl.c @@ -24,19 +24,16 @@ #include #endif -#if SASL_VERSION_MAJOR >= 2 #include +#if SASL_VERSION_MAJOR >= 2 #include #define SASL_CONST const #else #define SASL_CONST #endif -#include - -#ifdef SLAPD_SPASSWD -#include -#endif +#include "ldap_pvt.h" +#include "lber_pvt.h" /* Flags for telling slap_sasl_getdn() what type of identity is being passed */ #define FLAG_GETDN_AUTHCID 2 @@ -44,6 +41,171 @@ static sasl_security_properties_t sasl_secprops; +int slap_sasl_config( int cargc, char **cargv, char *line, + const char *fname, int lineno ) +{ + /* set SASL proxy authorization policy */ + if ( strcasecmp( cargv[0], "sasl-authz-policy" ) == 0 ) { + if ( cargc != 2 ) { +#ifdef NEW_LOGGING + LDAP_LOG( CONFIG, CRIT, + "%s: line %d: missing policy in \"sasl-authz-policy \" line\n", + fname, lineno, 0 ); +#else + Debug( LDAP_DEBUG_ANY, + "%s: line %d: missing policy in \"sasl-authz-policy \" line\n", + fname, lineno, 0 ); +#endif + + return( 1 ); + } + if ( slap_sasl_setpolicy( cargv[1] ) ) { +#ifdef NEW_LOGGING + LDAP_LOG( CONFIG, CRIT, + "%s: line %d: unable " + "to parse value \"%s\" " + "in \"sasl-authz-policy " + "\" line.\n", + fname, lineno, cargv[1] ); +#else + Debug( LDAP_DEBUG_ANY, + "%s: line %d: unable " + "to parse value \"%s\" " + "in \"sasl-authz-policy " + "\" line\n", + fname, lineno, cargv[1] ); +#endif + return( 1 ); + } + + + /* set SASL host */ + } else if ( strcasecmp( cargv[0], "sasl-host" ) == 0 ) { + if ( cargc < 2 ) { +#ifdef NEW_LOGGING + LDAP_LOG( CONFIG, CRIT, + "%s: line %d: missing host in \"sasl-host \" line\n", + fname, lineno, 0 ); +#else + Debug( LDAP_DEBUG_ANY, + "%s: line %d: missing host in \"sasl-host \" line\n", + fname, lineno, 0 ); +#endif + + return( 1 ); + } + + if ( global_host != NULL ) { +#ifdef NEW_LOGGING + LDAP_LOG( CONFIG, CRIT, + "%s: line %d: already set sasl-host!\n", + fname, lineno, 0 ); +#else + Debug( LDAP_DEBUG_ANY, + "%s: line %d: already set sasl-host!\n", + fname, lineno, 0 ); +#endif + + return 1; + + } else { + global_host = ch_strdup( cargv[1] ); + } + + /* set SASL realm */ + } else if ( strcasecmp( cargv[0], "sasl-realm" ) == 0 ) { + if ( cargc < 2 ) { +#ifdef NEW_LOGGING + LDAP_LOG( CONFIG, CRIT, + "%s: line %d: missing realm in \"sasl-realm \" line.\n", + fname, lineno, 0 ); +#else + Debug( LDAP_DEBUG_ANY, + "%s: line %d: missing realm in \"sasl-realm \" line\n", + fname, lineno, 0 ); +#endif + + return( 1 ); + } + + if ( global_realm != NULL ) { +#ifdef NEW_LOGGING + LDAP_LOG( CONFIG, CRIT, + "%s: line %d: already set sasl-realm!\n", + fname, lineno, 0 ); +#else + Debug( LDAP_DEBUG_ANY, + "%s: line %d: already set sasl-realm!\n", + fname, lineno, 0 ); +#endif + + return 1; + + } else { + global_realm = ch_strdup( cargv[1] ); + } + + } else if ( !strcasecmp( cargv[0], "sasl-regexp" ) + || !strcasecmp( cargv[0], "saslregexp" ) ) + { + int rc; + if ( cargc != 3 ) { +#ifdef NEW_LOGGING + LDAP_LOG( CONFIG, CRIT, + "%s: line %d: need 2 args in " + "\"saslregexp \"\n", + fname, lineno, 0 ); +#else + Debug( LDAP_DEBUG_ANY, + "%s: line %d: need 2 args in \"saslregexp \"\n", + fname, lineno, 0 ); +#endif + + return( 1 ); + } + rc = slap_sasl_regexp_config( cargv[1], cargv[2] ); + if ( rc ) { + return rc; + } + + /* SASL security properties */ + } else if ( strcasecmp( cargv[0], "sasl-secprops" ) == 0 ) { + char *txt; + + if ( cargc < 2 ) { +#ifdef NEW_LOGGING + LDAP_LOG( CONFIG, CRIT, + "%s: line %d: missing flags in " + "\"sasl-secprops \" line\n", + fname, lineno, 0 ); +#else + Debug( LDAP_DEBUG_ANY, + "%s: line %d: missing flags in \"sasl-secprops \" line\n", + fname, lineno, 0 ); +#endif + + return 1; + } + + txt = slap_sasl_secprops( cargv[1] ); + if ( txt != NULL ) { +#ifdef NEW_LOGGING + LDAP_LOG( CONFIG, CRIT, + "%s: line %d sasl-secprops: %s\n", + fname, lineno, txt ); +#else + Debug( LDAP_DEBUG_ANY, + "%s: line %d: sasl-secprops: %s\n", + fname, lineno, txt ); +#endif + + return 1; + } + } + + return LDAP_SUCCESS; +} + static int slap_sasl_log( void *context, @@ -111,10 +273,8 @@ slap_sasl_log( } #ifdef NEW_LOGGING - LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY, - "SASL [conn=%ld] %s: %s\n", - conn ? conn->c_connid : -1, - label, message )); + LDAP_LOG( TRANSPORT, ENTRY, + "SASL [conn=%ld] %s: %s\n", conn ? conn->c_connid : -1, label, message); #else Debug( level, "SASL [conn=%ld] %s: %s\n", conn ? conn->c_connid: -1, @@ -139,7 +299,7 @@ slap_sasl_log( #define SET_DN 1 #define SET_U 2 -static struct berval ext_bv = { sizeof("EXTERNAL")-1, "EXTERNAL" }; +static struct berval ext_bv = BER_BVC( "EXTERNAL" ); int slap_sasl_getdn( Connection *conn, char *id, int len, char *user_realm, struct berval *dn, int flags ) @@ -150,10 +310,9 @@ int slap_sasl_getdn( Connection *conn, char *id, int len, struct berval dn2; #ifdef NEW_LOGGING - LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY, + LDAP_LOG( TRANSPORT, ENTRY, "slap_sasl_getdn: conn %d id=%s\n", - conn ? conn->c_connid : -1, - id ? (*id ? id : "") : "NULL" )); + conn ? conn->c_connid : -1, id ? (*id ? id : "") : "NULL", 0 ); #else Debug( LDAP_DEBUG_ARGS, "slap_sasl_getdn: id=%s\n", id?(*id?id:""):"NULL",0,0 ); @@ -176,36 +335,45 @@ int slap_sasl_getdn( Connection *conn, char *id, int len, ctx = conn->c_sasl_context; - /* An authcID needs to be converted to authzID form */ + /* An authcID needs to be converted to authzID form. Set the + * values directly into *dn; they will be normalized later. (and + * normalizing always makes a new copy.) An ID from a TLS certificate + * is already normalized, so copy it and skip normalization. + */ if( flags & FLAG_GETDN_AUTHCID ) { #ifdef HAVE_TLS - if( conn->c_is_tls && conn->c_sasl_bind_mech.bv_len == ext_bv.bv_len - && ( strcasecmp( ext_bv.bv_val, conn->c_sasl_bind_mech.bv_val ) == 0 ) ) { + if( conn->c_is_tls && + conn->c_sasl_bind_mech.bv_len == ext_bv.bv_len && + strcasecmp( ext_bv.bv_val, conn->c_sasl_bind_mech.bv_val ) == 0 ) + { /* X.509 DN is already normalized */ do_norm = 0; is_dn = SET_DN; + ber_str2bv( id, len, 1, dn ); } else #endif { /* convert to u: form */ is_dn = SET_U; + dn->bv_val = id; + dn->bv_len = len; } - ber_str2bv( id, len, 1, dn ); } if( !is_dn ) { if( !strncasecmp( id, "u:", sizeof("u:")-1 )) { is_dn = SET_U; - ber_str2bv( id+2, len-2, 1, dn ); + dn->bv_val = id+2; + dn->bv_len = len-2; } else if ( !strncasecmp( id, "dn:", sizeof("dn:")-1) ) { is_dn = SET_DN; - ber_str2bv( id+3, len-3, 1, dn ); + dn->bv_val = id+3; + dn->bv_len = len-3; } } - /* An authzID must be properly prefixed */ - if( (flags & FLAG_GETDN_AUTHZID) && !is_dn ) { - free( dn->bv_val ); + /* No other possibilities from here */ + if( !is_dn ) { dn->bv_val = NULL; dn->bv_len = 0; return( LDAP_INAPPROPRIATE_AUTH ); @@ -217,7 +385,7 @@ int slap_sasl_getdn( Connection *conn, char *id, int len, len = dn->bv_len + sizeof("uid=")-1 + sizeof(",cn=auth")-1; /* username may have embedded realm name */ - if( realm = strchr( dn->bv_val, '@') ) { + if( ( realm = strchr( dn->bv_val, '@') ) ) { *realm++ = '\0'; len += sizeof(",cn=")-2; } else if( user_realm && *user_realm ) { @@ -231,55 +399,42 @@ int slap_sasl_getdn( Connection *conn, char *id, int len, /* Build the new dn */ c1 = dn->bv_val; dn->bv_val = ch_malloc( len+1 ); - p = slap_strcopy( dn->bv_val, "uid=" ); - p = slap_strcopy( p, c1 ); + p = lutil_strcopy( dn->bv_val, "uid=" ); + p = lutil_strncopy( p, c1, dn->bv_len ); if( realm ) { - p = slap_strcopy( p, ",cn=" ); - p = slap_strcopy( p, realm ); + int rlen = dn->bv_len - ( realm - c1 ); + p = lutil_strcopy( p, ",cn=" ); + p = lutil_strncopy( p, realm, rlen ); + realm[-1] = '@'; } else if( user_realm && *user_realm ) { - p = slap_strcopy( p, ",cn=" ); - p = slap_strcopy( p, user_realm ); + p = lutil_strcopy( p, ",cn=" ); + p = lutil_strcopy( p, user_realm ); } - ch_free( c1 ); if( conn->c_sasl_bind_mech.bv_len ) { - p = slap_strcopy( p, ",cn=" ); - p = slap_strcopy( p, conn->c_sasl_bind_mech.bv_val ); + p = lutil_strcopy( p, ",cn=" ); + p = lutil_strcopy( p, conn->c_sasl_bind_mech.bv_val ); } - p = slap_strcopy( p, ",cn=auth" ); + p = lutil_strcopy( p, ",cn=auth" ); dn->bv_len = p - dn->bv_val; - is_dn = SET_DN; #ifdef NEW_LOGGING - LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY, - "slap_sasl_getdn: u:id converted to %s.\n", dn->bv_val )); + LDAP_LOG( TRANSPORT, ENTRY, + "slap_sasl_getdn: u:id converted to %s.\n", dn->bv_val, 0, 0 ); #else Debug( LDAP_DEBUG_TRACE, "getdn: u:id converted to %s\n", dn->bv_val,0,0 ); #endif } - /* DN strings that are a cn=auth identity to run through regexp */ - if( is_dn == SET_DN ) - { - slap_sasl2dn( conn, dn, &dn2 ); - if( dn2.bv_val ) { - ch_free( dn->bv_val ); - *dn = dn2; - do_norm = 0; /* slap_sasl2dn normalizes */ -#ifdef NEW_LOGGING - LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY, - "slap_sasl_getdn: dn:id converted to %s.\n", dn->bv_val )); -#else - Debug( LDAP_DEBUG_TRACE, "getdn: dn:id converted to %s\n", - dn->bv_val, 0, 0 ); -#endif - } - } - + /* All strings are in DN form now. Normalize if needed. */ if ( do_norm ) { rc = dnNormalize2( NULL, dn, &dn2 ); - free(dn->bv_val); + + /* User DNs were constructed above and must be freed now */ + if ( is_dn == SET_U ) + ch_free( dn->bv_val ); + if ( rc != LDAP_SUCCESS ) { dn->bv_val = NULL; dn->bv_len = 0; @@ -288,11 +443,95 @@ int slap_sasl_getdn( Connection *conn, char *id, int len, *dn = dn2; } + /* Run thru regexp */ + slap_sasl2dn( conn, dn, &dn2 ); + if( dn2.bv_val ) { + ch_free( dn->bv_val ); + *dn = dn2; +#ifdef NEW_LOGGING + LDAP_LOG( TRANSPORT, ENTRY, + "slap_sasl_getdn: dn:id converted to %s.\n", dn->bv_val, 0, 0 ); +#else + Debug( LDAP_DEBUG_TRACE, "getdn: dn:id converted to %s\n", + dn->bv_val, 0, 0 ); +#endif + } + return( LDAP_SUCCESS ); } #if SASL_VERSION_MAJOR >= 2 -static const char *slap_propnames[] = { "*authcDN", "*authzDN", NULL }; +static const char *slap_propnames[] = { + "*slapConn", "*authcDN", "*authzDN", NULL }; + +static Filter *generic_filter; + +#define PROP_CONN 0 +#define PROP_AUTHC 1 +#define PROP_AUTHZ 2 + +typedef struct lookup_info { + int last; + int flags; + const struct propval *list; + sasl_server_params_t *sparams; +} lookup_info; + +static int +sasl_ap_lookup( + BackendDB *be, + Connection *conn, + Operation *op, + Entry *e, + AttributeName *an, + int attrsonly, + LDAPControl **ctrls ) +{ + BerVarray bv; + AttributeDescription *ad; + Attribute *a; + const char *text; + int rc, i; + slap_callback *tmp = op->o_callback; + lookup_info *sl = tmp->sc_private; + + for( i = 0; i < sl->last; i++ ) { + const char *name = sl->list[i].name; + + if ( name[0] == '*' ) { + if ( sl->flags & SASL_AUXPROP_AUTHZID ) continue; + name++; + } else if ( !(sl->flags & SASL_AUXPROP_AUTHZID ) ) + continue; + + if ( sl->list[i].values ) { + if ( !(sl->flags & SASL_AUXPROP_OVERRIDE) ) continue; + } + ad = NULL; + rc = slap_str2ad( name, &ad, &text ); + if ( rc != LDAP_SUCCESS ) { +#ifdef NEW_LOGGING + LDAP_LOG( TRANSPORT, DETAIL1, + "slap_auxprop: str2ad(%s): %s\n", name, text, 0 ); +#else + Debug( LDAP_DEBUG_TRACE, + "slap_auxprop: str2ad(%s): %s\n", name, text, 0 ); +#endif + continue; + } + a = attr_find( e->e_attrs, ad ); + if ( !a ) continue; + if ( ! access_allowed( be, conn, op, e, ad, NULL, ACL_AUTH, NULL ) ) + continue; + if ( sl->list[i].values && ( sl->flags & SASL_AUXPROP_OVERRIDE ) ) + sl->sparams->utils->prop_erase( sl->sparams->propctx, sl->list[i].name ); + for ( bv = a->a_vals; bv->bv_val; bv++ ) { + sl->sparams->utils->prop_set( sl->sparams->propctx, sl->list[i].name, + bv->bv_val, bv->bv_len ); + } + } + return LDAP_SUCCESS; +} static void slap_auxprop_lookup( @@ -302,35 +541,45 @@ slap_auxprop_lookup( const char *user, unsigned ulen) { - int rc; + int rc, i, doit=0; struct berval dn; - const struct propval *list, *cur; - BerVarray vals, bv; - AttributeDescription *ad; - const char *text; - - list = sparams->utils->prop_get( sparams->propctx ); - - /* Find our DN first */ - for( cur = list; cur->name; cur++ ) { - if ( cur->name[0] == '*' ) { + Connection *conn = NULL; + lookup_info sl; + + sl.list = sparams->utils->prop_get( sparams->propctx ); + sl.sparams = sparams; + sl.flags = flags; + + /* Find our DN and conn first */ + for( i = 0, sl.last = 0; sl.list[i].name; i++ ) { + if ( sl.list[i].name[0] == '*' ) { + if ( !strcmp( sl.list[i].name, slap_propnames[PROP_CONN] ) ) { + if ( sl.list[i].values && sl.list[i].values[0] ) + AC_MEMCPY( &conn, sl.list[i].values[0], sizeof( conn ) ); + if ( !sl.last ) sl.last = i; + } if ( (flags & SASL_AUXPROP_AUTHZID) && - !strcmp( cur->name, slap_propnames[1] ) ) { - if ( cur->values && cur->values[0] ) - AC_MEMCPY( &dn, cur->values[0], sizeof( dn ) ); + !strcmp( sl.list[i].name, slap_propnames[PROP_AUTHZ] ) ) { + + if ( sl.list[i].values && sl.list[i].values[0] ) + AC_MEMCPY( &dn, sl.list[i].values[0], sizeof( dn ) ); + if ( !sl.last ) sl.last = i; break; } - if ( !strcmp( cur->name, slap_propnames[0] ) ) { - AC_MEMCPY( &dn, cur->values[0], sizeof( dn ) ); - if ( !(flags & SASL_AUXPROP_AUTHZID) ) - break; + if ( !strcmp( sl.list[i].name, slap_propnames[PROP_AUTHC] ) ) { + if ( !sl.last ) sl.last = i; + if ( sl.list[i].values && sl.list[i].values[0] ) { + AC_MEMCPY( &dn, sl.list[i].values[0], sizeof( dn ) ); + if ( !(flags & SASL_AUXPROP_AUTHZID) ) + break; + } } } } - /* Now fetch the rest */ - for( cur = list; cur->name; cur++ ) { - const char *name = cur->name; + /* Now see what else needs to be fetched */ + for( i = 0; i < sl.last; i++ ) { + const char *name = sl.list[i].name; if ( name[0] == '*' ) { if ( flags & SASL_AUXPROP_AUTHZID ) continue; @@ -338,30 +587,35 @@ slap_auxprop_lookup( } else if ( !(flags & SASL_AUXPROP_AUTHZID ) ) continue; - if ( cur->values ) { + if ( sl.list[i].values ) { if ( !(flags & SASL_AUXPROP_OVERRIDE) ) continue; - sparams->utils->prop_erase( sparams->propctx, cur->name ); } - ad = NULL; - rc = slap_str2ad( name, &ad, &text ); - if ( rc != LDAP_SUCCESS ) { -#ifdef NEW_LOGGING - LDAP_LOG(( "sasl", LDAP_LEVEL_DETAIL1, - "slap_auxprop: str2ad(%s): %s\n", name, text )); -#else - Debug( LDAP_DEBUG_TRACE, - "slap_auxprop: str2ad(%s): %s\n", name, text, 0 ); -#endif - rc = slap_str2undef_ad( name, &ad, &text ); - if ( rc != LDAP_SUCCESS ) continue; - } - rc = backend_attribute( NULL,NULL,NULL,NULL, &dn, ad, &vals ); - if ( rc != LDAP_SUCCESS ) continue; - for ( bv = vals; bv->bv_val; bv++ ) { - sparams->utils->prop_set( sparams->propctx, cur->name, - bv->bv_val, bv->bv_len ); + doit = 1; + } + + if (doit) { + Backend *be; + Operation op = {0}; + slap_callback cb = { slap_cb_null_response, + slap_cb_null_sresult, sasl_ap_lookup, NULL }; + + cb.sc_private = &sl; + + be = select_backend( &dn, 0, 1 ); + + if ( be && be->be_search ) { + op.o_tag = LDAP_REQ_SEARCH; + op.o_protocol = LDAP_VERSION3; + op.o_ndn = conn->c_ndn; + op.o_callback = &cb; + op.o_time = slap_get_time(); + op.o_do_not_cache = 1; + op.o_threadctx = conn->c_sasl_bindop->o_threadctx; + + (*be->be_search)( be, conn, &op, NULL, &dn, + LDAP_SCOPE_BASE, LDAP_DEREF_NEVER, 1, 0, + generic_filter, NULL, NULL, 0 ); } - ber_bvarray_free( vals ); } } @@ -392,6 +646,42 @@ slap_auxprop_init( return SASL_OK; } +typedef struct checkpass_info { + int rc; + struct berval cred; +} checkpass_info; + +static int +sasl_cb_checkpass( + BackendDB *be, + Connection *conn, + Operation *op, + Entry *e, + AttributeName *an, + int attrsonly, + LDAPControl **ctrls ) +{ + slap_callback *tmp = op->o_callback; + checkpass_info *ci = tmp->sc_private; + Attribute *a; + struct berval *bv; + + ci->rc = SASL_NOVERIFY; + + a = attr_find( e->e_attrs, slap_schema.si_ad_userPassword ); + if ( !a ) return 0; + if ( ! access_allowed( be, conn, op, e, slap_schema.si_ad_userPassword, + NULL, ACL_AUTH, NULL ) ) return 0; + + for ( bv = a->a_vals; bv->bv_val != NULL; bv++ ) { + if ( !lutil_passwd( bv, &ci->cred, NULL ) ) { + ci->rc = SASL_OK; + break; + } + } + return 0; +} + static int slap_sasl_checkpass( sasl_conn_t *sconn, @@ -402,12 +692,12 @@ slap_sasl_checkpass( struct propctx *propctx) { Connection *conn = (Connection *)context; - struct berval dn, cred; + struct berval dn; int rc; - BerVarray vals, bv; + Backend *be; + checkpass_info ci; - cred.bv_val = (char *)pass; - cred.bv_len = passlen; + ci.rc = SASL_NOUSER; /* SASL will fallback to its own mechanisms if we don't * find an answer here. @@ -429,34 +719,36 @@ slap_sasl_checkpass( return SASL_NOUSER; } - rc = backend_attribute( NULL, NULL, NULL, NULL, &dn, - slap_schema.si_ad_userPassword, &vals); - if ( rc != LDAP_SUCCESS ) { - ch_free( dn.bv_val ); - sasl_seterror( sconn, 0, ldap_err2string( rc ) ); - return SASL_NOVERIFY; - } - - rc = SASL_NOVERIFY; - - if ( vals != NULL ) { - for ( bv = vals; bv->bv_val != NULL; bv++ ) { - if ( !lutil_passwd( bv, &cred, NULL ) ) { - rc = SASL_OK; - break; - } - } - ber_bvarray_free( vals ); + be = select_backend( &dn, 0, 1 ); + if ( be && be->be_search ) { + Operation op = {0}; + slap_callback cb = { slap_cb_null_response, + slap_cb_null_sresult, sasl_cb_checkpass, NULL }; + + ci.cred.bv_val = (char *)pass; + ci.cred.bv_len = passlen; + + cb.sc_private = &ci; + op.o_tag = LDAP_REQ_SEARCH; + op.o_protocol = LDAP_VERSION3; + op.o_ndn = conn->c_ndn; + op.o_callback = &cb; + op.o_time = slap_get_time(); + op.o_do_not_cache = 1; + op.o_threadctx = conn->c_sasl_bindop->o_threadctx; + + (*be->be_search)( be, conn, &op, NULL, &dn, + LDAP_SCOPE_BASE, LDAP_DEREF_NEVER, 1, 0, + generic_filter, NULL, NULL, 0 ); } - - if ( rc != SASL_OK ) { + if ( ci.rc != SASL_OK ) { sasl_seterror( sconn, 0, ldap_err2string( LDAP_INVALID_CREDENTIALS ) ); } ch_free( dn.bv_val ); - return rc; + return ci.rc; } /* Convert a SASL authcid or authzid into a DN. Store the DN in an @@ -479,18 +771,18 @@ slap_sasl_canonicalize( { Connection *conn = (Connection *)context; struct propctx *props = sasl_auxprop_getctx( sconn ); + struct propval auxvals[3]; struct berval dn; - int rc; + int rc, which; const char *names[2]; *out_len = 0; #ifdef NEW_LOGGING - LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY, + LDAP_LOG( TRANSPORT, ENTRY, "slap_sasl_canonicalize: conn %d %s=\"%s\"\n", - conn ? conn->c_connid : -1, - (flags & SASL_CU_AUTHID) ? "authcid" : "authzid", - in ? in : "" )); + conn ? conn->c_connid : -1, + (flags & SASL_CU_AUTHID) ? "authcid" : "authzid", in ? in : ""); #else Debug( LDAP_DEBUG_ARGS, "SASL Canonicalize [conn=%ld]: " "%s=\"%s\"\n", @@ -499,20 +791,51 @@ slap_sasl_canonicalize( in ? in : "" ); #endif + /* If name is too big, just truncate. We don't care, we're + * using DNs, not the usernames. + */ if ( inlen > out_max ) - return SASL_BUFOVER; + inlen = out_max-1; - if ( flags == SASL_CU_AUTHZID ) { - /* If we got unqualified authzid's, they probably came from SASL - * itself just passing the authcid to us. Ignore it. - */ - if (strncasecmp(in, "u:", 2) && strncasecmp(in, "dn:", 3)) { - AC_MEMCPY( out, in, inlen ); - out[inlen] = '\0'; - *out_len = inlen; + /* See if we need to add request, can only do it once */ + prop_getnames( props, slap_propnames, auxvals ); + if ( !auxvals[0].name ) + prop_request( props, slap_propnames ); - return SASL_OK; - } + if ( flags & SASL_CU_AUTHID ) + which = PROP_AUTHC; + else + which = PROP_AUTHZ; + + /* Need to store the Connection for auxprop_lookup */ + if ( !auxvals[PROP_CONN].values ) { + names[0] = slap_propnames[PROP_CONN]; + names[1] = NULL; + prop_set( props, names[0], (char *)&conn, sizeof( conn ) ); + } + + /* Already been here? */ + if ( auxvals[which].values ) + goto done; + + /* Normally we require an authzID to have a u: or dn: prefix. + * However, SASL frequently gives us an authzID that is just + * an exact copy of the authcID, without a prefix. We need to + * detect and allow this condition. If SASL calls canonicalize + * with SASL_CU_AUTHID|SASL_CU_AUTHZID this is a no-brainer. + * But if it's broken into two calls, we need to remember the + * authcID so that we can compare the authzID later. We store + * the authcID temporarily in conn->c_sasl_dn. We necessarily + * finish Canonicalizing before Authorizing, so there is no + * conflict with slap_sasl_authorize's use of this temp var. + */ + if ( flags == SASL_CU_AUTHID ) { + conn->c_sasl_dn.bv_val = (char *) in; + } else if ( flags == SASL_CU_AUTHZID && conn->c_sasl_dn.bv_val ) { + rc = strcmp( in, conn->c_sasl_dn.bv_val ); + conn->c_sasl_dn.bv_val = NULL; + /* They were equal, no work needed */ + if ( !rc ) goto done; } rc = slap_sasl_getdn( conn, (char *)in, inlen, (char *)user_realm, &dn, @@ -522,33 +845,25 @@ slap_sasl_canonicalize( return SASL_NOAUTHZ; } - AC_MEMCPY( out, in, inlen ); - out[inlen] = '\0'; - - *out_len = inlen; - - if ( flags & SASL_CU_AUTHID ) - names[0] = slap_propnames[0]; - else - names[0] = slap_propnames[1]; + names[0] = slap_propnames[which]; names[1] = NULL; - sasl_auxprop_request( sconn, names ); prop_set( props, names[0], (char *)&dn, sizeof( dn ) ); #ifdef NEW_LOGGING - LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY, + LDAP_LOG( TRANSPORT, ENTRY, "slap_sasl_canonicalize: conn %d %s=\"%s\"\n", - conn ? conn->c_connid : -1, - (flags & SASL_CU_AUTHID) ? "authcDN" : "authzDN", - dn.bv_val )); + conn ? conn->c_connid : -1, names[0]+1, dn.bv_val ); #else Debug( LDAP_DEBUG_ARGS, "SASL Canonicalize [conn=%ld]: " "%s=\"%s\"\n", conn ? conn->c_connid : -1, - (flags & SASL_CU_AUTHID) ? "authcDN" : "authzDN", - dn.bv_val ); + names[0]+1, dn.bv_val ); #endif +done: AC_MEMCPY( out, in, inlen ); + out[inlen] = '\0'; + + *out_len = inlen; return SASL_OK; } @@ -571,30 +886,40 @@ slap_sasl_authorize( int rc; #ifdef NEW_LOGGING - LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY, + LDAP_LOG( TRANSPORT, ENTRY, "slap_sasl_authorize: conn %d authcid=\"%s\" authzid=\"%s\"\n", - conn ? conn->c_connid : -1, auth_identity, requested_user)); + conn ? conn->c_connid : -1, auth_identity, requested_user); #else Debug( LDAP_DEBUG_ARGS, "SASL Authorize [conn=%ld]: " "authcid=\"%s\" authzid=\"%s\"\n", conn ? conn->c_connid : -1, auth_identity, requested_user ); #endif + if ( conn->c_sasl_dn.bv_val ) { + ch_free( conn->c_sasl_dn.bv_val ); + conn->c_sasl_dn.bv_val = NULL; + conn->c_sasl_dn.bv_len = 0; + } - prop_getnames( props, slap_propnames, auxvals ); + /* Skip PROP_CONN */ + prop_getnames( props, slap_propnames+1, auxvals ); + AC_MEMCPY( &authcDN, auxvals[0].values[0], sizeof(authcDN) ); + /* Nothing to do if no authzID was given */ - if ( !auxvals[1].name ) + if ( !auxvals[1].name || !auxvals[1].values ) { + conn->c_sasl_dn = authcDN; return SASL_OK; + } - AC_MEMCPY( &authcDN, auxvals[0].values[0], sizeof(authcDN) ); AC_MEMCPY( &authzDN, auxvals[1].values[0], sizeof(authzDN) ); - rc = slap_sasl_authorized( &authcDN, &authzDN ); + rc = slap_sasl_authorized( conn, &authcDN, &authzDN ); + ch_free( authcDN.bv_val ); if ( rc != LDAP_SUCCESS ) { #ifdef NEW_LOGGING - LDAP_LOG(( "sasl", LDAP_LEVEL_INFO, - "slap_sasl_authorize: conn %ld authorization disallowed (%d)\n", - (long)(conn ? conn->c_connid : -1), rc )); + LDAP_LOG( TRANSPORT, INFO, + "slap_sasl_authorize: conn %ld authorization disallowed (%d)\n", + (long)(conn ? conn->c_connid : -1), rc, 0 ); #else Debug( LDAP_DEBUG_TRACE, "SASL Authorize [conn=%ld]: " " authorization disallowed (%d)\n", @@ -602,13 +927,16 @@ slap_sasl_authorize( #endif sasl_seterror( sconn, 0, "not authorized" ); + ch_free( authzDN.bv_val ); return SASL_NOAUTHZ; } + conn->c_sasl_dn = authzDN; + #ifdef NEW_LOGGING - LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY, - "slap_sasl_authorize: conn %d authorization allowed\n", - (long)(conn ? conn->c_connid : -1 ) )); + LDAP_LOG( TRANSPORT, ENTRY, + "slap_sasl_authorize: conn %d authorization allowed\n", + (long)(conn ? conn->c_connid : -1), 0, 0 ); #else Debug( LDAP_DEBUG_TRACE, "SASL Authorize [conn=%ld]: " " authorization allowed\n", @@ -626,18 +954,22 @@ slap_sasl_authorize( const char **errstr) { struct berval authcDN, authzDN; - int rc: + int rc; Connection *conn = context; char *realm; *user = NULL; + if ( conn->c_sasl_dn.bv_val ) { + ch_free( conn->c_sasl_dn.bv_val ); + conn->c_sasl_dn.bv_val = NULL; + conn->c_sasl_dn.bv_len = 0; + } #ifdef NEW_LOGGING - LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY, - "slap_sasl_authorize: conn %d authcid=\"%s\" authzid=\"%s\"\n", - conn ? conn->c_connid : -1, - authcid ? authcid : "", - authzid ? authzid : "" )); + LDAP_LOG( TRANSPORT, ENTRY, + "slap_sasl_authorize: conn %d authcid=\"%s\" authzid=\"%s\"\n", + conn ? conn->c_connid : -1, authcid ? authcid : "", + authzid ? authzid : "" ); #else Debug( LDAP_DEBUG_ARGS, "SASL Authorize [conn=%ld]: " "authcid=\"%s\" authzid=\"%s\"\n", @@ -650,8 +982,8 @@ slap_sasl_authorize( rc = sasl_getprop( conn->c_sasl_context, SASL_REALM, (void **)&realm ); if( rc != SASL_OK && rc != SASL_NOTDONE ) { #ifdef NEW_LOGGING - LDAP_LOG(( "sasl", LDAP_LEVEL_ERR, - "slap_sasl_authorize: getprop(REALM) failed.\n" )); + LDAP_LOG( TRANSPORT, ERR, + "slap_sasl_authorize: getprop(REALM) failed.\n", 0, 0, 0 ); #else Debug(LDAP_DEBUG_TRACE, "authorize: getprop(REALM) failed!\n", 0,0,0); @@ -669,15 +1001,15 @@ slap_sasl_authorize( } if( ( authzid == NULL ) || !strcmp( authcid,authzid ) ) { #ifdef NEW_LOGGING - LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY, - "slap_sasl_authorize: conn %d Using authcDN=%s\n", - conn ? conn->c_connid : -1, authcDN.bv_val )); + LDAP_LOG( TRANSPORT, ENTRY, + "slap_sasl_authorize: conn %d Using authcDN=%s\n", + conn ? conn->c_connid : -1, authcDN.bv_val, 0 ); #else Debug( LDAP_DEBUG_TRACE, "SASL Authorize [conn=%ld]: " "Using authcDN=%s\n", (long) (conn ? conn->c_connid : -1), authcDN.bv_val,0 ); #endif - *user = authcDN.bv_val; + conn->c_sasl_dn = authcDN; *errstr = NULL; return SASL_OK; } @@ -688,12 +1020,13 @@ slap_sasl_authorize( return SASL_NOAUTHZ; } - rc = slap_sasl_authorized( &authcDN, &authzDN ); + rc = slap_sasl_authorized(conn, &authcDN, &authzDN ); + ch_free( authcDN.bv_val ); if( rc ) { #ifdef NEW_LOGGING - LDAP_LOG(( "sasl", LDAP_LEVEL_INFO, - "slap_sasl_authorize: conn %ld authorization disallowed (%d)\n", - (long)(conn ? conn->c_connid : -1), rc )); + LDAP_LOG( TRANSPORT, INFO, + "slap_sasl_authorize: conn %ld authorization disallowed (%d)\n", + (long)(conn ? conn->c_connid : -1), rc, 0 ); #else Debug( LDAP_DEBUG_TRACE, "SASL Authorize [conn=%ld]: " " authorization disallowed (%d)\n", @@ -701,24 +1034,21 @@ slap_sasl_authorize( #endif *errstr = "not authorized"; - ch_free( authcDN.bv_val ); ch_free( authzDN.bv_val ); return SASL_NOAUTHZ; } #ifdef NEW_LOGGING - LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY, - "slap_sasl_authorize: conn %d authorization allowed\n", - (long)(conn ? conn->c_connid : -1 ) )); + LDAP_LOG( TRANSPORT, RESULTS, + "slap_sasl_authorize: conn %d authorization allowed\n", + (long)(conn ? conn->c_connid : -1 ), 0, 0 ); #else Debug( LDAP_DEBUG_TRACE, "SASL Authorize [conn=%ld]: " " authorization allowed\n", (long) (conn ? conn->c_connid : -1), 0, 0 ); #endif - - ch_free( authcDN.bv_val ); - *user = authzDN.bv_val; + conn->c_sasl_dn = authzDN; *errstr = NULL; return SASL_OK; } @@ -771,11 +1101,35 @@ int slap_sasl_init( void ) { SASL_CB_LIST_END, NULL, NULL } }; +#ifdef HAVE_SASL_VERSION +#define SASL_BUILD_VERSION ((SASL_VERSION_MAJOR << 24) |\ + (SASL_VERSION_MINOR << 16) | SASL_VERSION_STEP) + + sasl_version( NULL, &rc ); + if ( ((rc >> 16) != ((SASL_VERSION_MAJOR << 8)|SASL_VERSION_MINOR)) || + (rc & 0xffff) < SASL_VERSION_STEP) { + +#ifdef NEW_LOGGING + LDAP_LOG( TRANSPORT, INFO, + "slap_sasl_init: SASL version mismatch, got %x, wanted %x.\n", + rc, SASL_BUILD_VERSION, 0 ); +#else + Debug( LDAP_DEBUG_ANY, + "slap_sasl_init: SASL version mismatch, got %x, wanted %x.\n", + rc, SASL_BUILD_VERSION, 0 ); +#endif + return -1; + } +#endif + + /* SASL 2 does its own memory management internally */ +#if SASL_VERSION_MAJOR < 2 sasl_set_alloc( - ch_malloc, - ch_calloc, - ch_realloc, - ch_free ); + ber_memalloc, + ber_memcalloc, + ber_memrealloc, + ber_memfree ); +#endif sasl_set_mutex( ldap_pvt_sasl_mutex_new, @@ -792,19 +1146,21 @@ int slap_sasl_init( void ) if( rc != SASL_OK ) { #ifdef NEW_LOGGING - LDAP_LOG(( "sasl", LDAP_LEVEL_INFO, - "slap_sasl_init: init failed.\n" )); + LDAP_LOG( TRANSPORT, INFO, "slap_sasl_init: init failed.\n", 0, 0, 0 ); #else Debug( LDAP_DEBUG_ANY, "sasl_server_init failed\n", 0, 0, 0 ); #endif +#if SASL_VERSION_MAJOR < 2 + /* A no-op used to make sure we linked with Cyrus 1.5 */ + sasl_client_auth( NULL, NULL, NULL, 0, NULL, NULL ); +#endif return -1; } #ifdef NEW_LOGGING - LDAP_LOG(( "sasl", LDAP_LEVEL_INFO, - "slap_sasl_init: initialized!\n")); + LDAP_LOG( TRANSPORT, INFO, "slap_sasl_init: initialized!\n", 0, 0, 0 ); #else Debug( LDAP_DEBUG_TRACE, "slap_sasl_init: initialized!\n", 0, 0, 0 ); @@ -825,6 +1181,9 @@ int slap_sasl_destroy( void ) { #ifdef HAVE_CYRUS_SASL sasl_done(); +#endif +#if SASL_VERSION_MAJOR >= 2 + filter_free( generic_filter ); #endif free( global_host ); global_host = NULL; @@ -885,6 +1244,9 @@ int slap_sasl_open( Connection *conn ) /* create new SASL context */ #if SASL_VERSION_MAJOR >= 2 + if ( generic_filter == NULL ) { + generic_filter = str2filter( "(objectclass=*)" ); + } if ( conn->c_sock_name.bv_len != 0 && strncmp( conn->c_sock_name.bv_val, "IP=", 3 ) == 0) { char *p; @@ -926,8 +1288,8 @@ int slap_sasl_open( Connection *conn ) if( sc != SASL_OK ) { #ifdef NEW_LOGGING - LDAP_LOG(( "sasl", LDAP_LEVEL_ERR, - "slap_sasl_open: sasl_server_new failed: %d\n", sc )); + LDAP_LOG( TRANSPORT, ERR, + "slap_sasl_open: sasl_server_new failed: %d\n", sc, 0, 0 ); #else Debug( LDAP_DEBUG_ANY, "sasl_server_new failed: %d\n", sc, 0, 0 ); @@ -944,8 +1306,8 @@ int slap_sasl_open( Connection *conn ) if( sc != SASL_OK ) { #ifdef NEW_LOGGING - LDAP_LOG(( "sasl", LDAP_LEVEL_ERR, - "slap_sasl_open: sasl_setprop failed: %d \n", sc )); + LDAP_LOG( TRANSPORT, ERR, + "slap_sasl_open: sasl_setprop failed: %d \n", sc, 0, 0 ); #else Debug( LDAP_DEBUG_ANY, "sasl_setprop failed: %d\n", sc, 0, 0 ); @@ -1039,8 +1401,8 @@ char ** slap_sasl_mechs( Connection *conn ) if( sc != SASL_OK ) { #ifdef NEW_LOGGING - LDAP_LOG(( "sasl", LDAP_LEVEL_ERR, - "slap_sasl_mechs: sasl_listmech failed: %d\n", sc )); + LDAP_LOG( TRANSPORT, ERR, + "slap_sasl_mechs: sasl_listmech failed: %d\n", sc, 0, 0 ); #else Debug( LDAP_DEBUG_ANY, "slap_sasl_listmech failed: %d\n", sc, 0, 0 ); @@ -1049,7 +1411,7 @@ char ** slap_sasl_mechs( Connection *conn ) return NULL; } - mechs = str2charray( mechstr, "," ); + mechs = ldap_str2charray( mechstr, "," ); #if SASL_VERSION_MAJOR < 2 ch_free( mechstr ); @@ -1097,12 +1459,12 @@ int slap_sasl_bind( int sc; #ifdef NEW_LOGGING - LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY, - "sasl_bind: conn %ld dn=\"%s\" mech=%s datalen=%ld\n", - conn->c_connid, + LDAP_LOG( TRANSPORT, ENTRY, + "sasl_bind: dn=\"%s\" mech=%s datalen=%ld\n", dn->bv_len ? dn->bv_val : "", - conn->c_sasl_bind_in_progress ? "" : conn->c_sasl_bind_mech.bv_val, - cred ? cred->bv_len : 0 )); + conn->c_sasl_bind_in_progress ? "" : + conn->c_sasl_bind_mech.bv_val, + cred ? cred->bv_len : 0 ); #else Debug(LDAP_DEBUG_ARGS, "==> sasl_bind: dn=\"%s\" mech=%s datalen=%ld\n", @@ -1146,18 +1508,11 @@ int slap_sasl_bind( response.bv_len = reslen; if ( sc == SASL_OK ) { -#if SASL_VERSION_MAJOR >= 2 - struct propctx *props = sasl_auxprop_getctx( ctx ); - struct propval vals[3]; sasl_ssf_t *ssf = NULL; - prop_getnames( props, slap_propnames, vals ); - - AC_MEMCPY( edn, vals[0].values[0], sizeof(*edn) ); - if ( vals[1].name ) { - ch_free( edn->bv_val ); - AC_MEMCPY( edn, vals[1].values[0], sizeof(*edn) ); - } + *edn = conn->c_sasl_dn; + conn->c_sasl_dn.bv_val = NULL; + conn->c_sasl_dn.bv_len = 0; rc = LDAP_SUCCESS; @@ -1173,46 +1528,6 @@ int slap_sasl_bind( send_ldap_sasl( conn, op, rc, NULL, NULL, NULL, NULL, response.bv_len ? &response : NULL ); -#else - char *username = NULL; - - sc = sasl_getprop( ctx, - SASL_USERNAME, (SASL_CONST void **)&username ); - - if ( sc != SASL_OK ) { -#ifdef NEW_LOGGING - LDAP_LOG(( "sasl", LDAP_LEVEL_ERR, - "slap_sasl_bind: getprop(USERNAME) failed: %d\n", sc )); -#else - Debug(LDAP_DEBUG_TRACE, - "slap_sasl_bind: getprop(USERNAME) failed!\n", - 0, 0, 0); -#endif - - - send_ldap_result( conn, op, rc = slap_sasl_err2ldap( sc ), - NULL, "no SASL username", NULL, NULL ); - - } else { - sasl_ssf_t *ssf = NULL; - - rc = LDAP_SUCCESS; - ber_str2bv( username, 0, 1, edn ); - - (void) sasl_getprop( ctx, SASL_SSF, (void *)&ssf ); - *ssfp = ssf ? *ssf : 0; - - if( *ssfp ) { - ldap_pvt_thread_mutex_lock( &conn->c_mutex ); - conn->c_sasl_layers++; - ldap_pvt_thread_mutex_unlock( &conn->c_mutex ); - } - - send_ldap_sasl( conn, op, rc, - NULL, NULL, NULL, NULL, - response.bv_len ? &response : NULL ); - } -#endif } else if ( sc == SASL_CONTINUE ) { send_ldap_sasl( conn, op, rc = LDAP_SASL_BIND_IN_PROGRESS, @@ -1233,8 +1548,7 @@ int slap_sasl_bind( #endif #ifdef NEW_LOGGING - LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY, - "slap_sasl_bind: rc=%d\n", rc )); + LDAP_LOG( TRANSPORT, RESULTS, "slap_sasl_bind: rc=%d\n", rc, 0, 0 ); #else Debug(LDAP_DEBUG_TRACE, "<== slap_sasl_bind: rc=%d\n", rc, 0, 0); #endif @@ -1258,3 +1572,90 @@ char* slap_sasl_secprops( const char *in ) return "SASL not supported"; #endif } + +#ifdef HAVE_CYRUS_SASL +int +slap_sasl_setpass( + Connection *conn, + Operation *op, + const char *reqoid, + struct berval *reqdata, + char **rspoid, + struct berval **rspdata, + LDAPControl *** rspctrls, + const char **text ) +{ + int rc; + struct berval id = { 0, NULL }; /* needs to come from connection */ + struct berval new = { 0, NULL }; + struct berval old = { 0, NULL }; + + assert( reqoid != NULL ); + assert( strcmp( LDAP_EXOP_MODIFY_PASSWD, reqoid ) == 0 ); + + rc = sasl_getprop( conn->c_sasl_context, SASL_USERNAME, + (SASL_CONST void **)&id.bv_val ); + + if( rc != SASL_OK ) { + *text = "unable to retrieve SASL username"; + rc = LDAP_OTHER; + goto done; + } + +#ifdef NEW_LOGGING + LDAP_LOG( BACKEND, ENTRY, + "slap_sasl_setpass: \"%s\"\n", + id.bv_val ? id.bv_val : "", 0, 0); +#else + Debug( LDAP_DEBUG_ARGS, "==> slap_sasl_setpass: \"%s\"\n", + id.bv_val ? id.bv_val : "", 0, 0 ); +#endif + + rc = slap_passwd_parse( reqdata, + NULL, &old, &new, text ); + + if( rc != LDAP_SUCCESS ) { + goto done; + } + + if( new.bv_len == 0 ) { + slap_passwd_generate(&new); + + if( new.bv_len == 0 ) { + *text = "password generation failed."; + rc = LDAP_OTHER; + goto done; + } + + *rspdata = slap_passwd_return( &new ); + } + +#if SASL_VERSION_MAJOR < 2 + rc = sasl_setpass( conn->c_sasl_context, + id.bv_val, new.bv_val, new.bv_len, 0, text ); +#else + rc = sasl_setpass( conn->c_sasl_context, id.bv_val, + new.bv_val, new.bv_len, old.bv_val, old.bv_len, 0 ); + if( rc != SASL_OK ) { + *text = sasl_errdetail( conn->c_sasl_context ); + } +#endif + switch(rc) { + case SASL_OK: + rc = LDAP_SUCCESS; + break; + + case SASL_NOCHANGE: + case SASL_NOMECH: + case SASL_DISABLED: + case SASL_PWLOCK: + case SASL_FAIL: + case SASL_BADPARAM: + default: + rc = LDAP_OTHER; + } + +done: + return rc; +} +#endif