X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fsasl.c;h=fe748bc3b518c5ab3d0c967ae3c5a8bd35a7d22c;hb=956f1d16aa522da6f6506d9c8fe9ce0d9867678a;hp=df5958d0234db899dccb269a6bc7373a8476de68;hpb=f9cbbc6770a2b2ada0c8249161a8cdf0da91e902;p=openldap diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c index df5958d023..fe748bc3b5 100644 --- a/servers/slapd/sasl.c +++ b/servers/slapd/sasl.c @@ -24,19 +24,16 @@ #include #endif -#if SASL_VERSION_MAJOR >= 2 #include +#if SASL_VERSION_MAJOR >= 2 #include #define SASL_CONST const #else #define SASL_CONST #endif -#include - -#ifdef SLAPD_SPASSWD -#include -#endif +#include "ldap_pvt.h" +#include "lber_pvt.h" /* Flags for telling slap_sasl_getdn() what type of identity is being passed */ #define FLAG_GETDN_AUTHCID 2 @@ -51,9 +48,9 @@ int slap_sasl_config( int cargc, char **cargv, char *line, if ( strcasecmp( cargv[0], "sasl-authz-policy" ) == 0 ) { if ( cargc != 2 ) { #ifdef NEW_LOGGING - LDAP_LOG(( "config", LDAP_LEVEL_CRIT, + LDAP_LOG( CONFIG, CRIT, "%s: line %d: missing policy in \"sasl-authz-policy \" line\n", - fname, lineno )); + fname, lineno, 0 ); #else Debug( LDAP_DEBUG_ANY, "%s: line %d: missing policy in \"sasl-authz-policy \" line\n", @@ -64,12 +61,12 @@ int slap_sasl_config( int cargc, char **cargv, char *line, } if ( slap_sasl_setpolicy( cargv[1] ) ) { #ifdef NEW_LOGGING - LDAP_LOG(( "config", LDAP_LEVEL_CRIT, + LDAP_LOG( CONFIG, CRIT, "%s: line %d: unable " "to parse value \"%s\" " "in \"sasl-authz-policy " "\" line.\n", - fname, lineno, cargv[1] )); + fname, lineno, cargv[1] ); #else Debug( LDAP_DEBUG_ANY, "%s: line %d: unable " 
@@ -86,9 +83,9 @@ int slap_sasl_config( int cargc, char **cargv, char *line, } else if ( strcasecmp( cargv[0], "sasl-host" ) == 0 ) { if ( cargc < 2 ) { #ifdef NEW_LOGGING - LDAP_LOG(( "config", LDAP_LEVEL_CRIT, + LDAP_LOG( CONFIG, CRIT, "%s: line %d: missing host in \"sasl-host \" line\n", - fname, lineno )); + fname, lineno, 0 ); #else Debug( LDAP_DEBUG_ANY, "%s: line %d: missing host in \"sasl-host \" line\n", @@ -100,9 +97,9 @@ int slap_sasl_config( int cargc, char **cargv, char *line, if ( global_host != NULL ) { #ifdef NEW_LOGGING - LDAP_LOG(( "config", LDAP_LEVEL_CRIT, + LDAP_LOG( CONFIG, CRIT, "%s: line %d: already set sasl-host!\n", - fname, lineno )); + fname, lineno, 0 ); #else Debug( LDAP_DEBUG_ANY, "%s: line %d: already set sasl-host!\n", @@ -119,9 +116,9 @@ int slap_sasl_config( int cargc, char **cargv, char *line, } else if ( strcasecmp( cargv[0], "sasl-realm" ) == 0 ) { if ( cargc < 2 ) { #ifdef NEW_LOGGING - LDAP_LOG(( "config", LDAP_LEVEL_CRIT, + LDAP_LOG( CONFIG, CRIT, "%s: line %d: missing realm in \"sasl-realm \" line.\n", - fname, lineno )); + fname, lineno, 0 ); #else Debug( LDAP_DEBUG_ANY, "%s: line %d: missing realm in \"sasl-realm \" line\n", @@ -133,9 +130,9 @@ int slap_sasl_config( int cargc, char **cargv, char *line, if ( global_realm != NULL ) { #ifdef NEW_LOGGING - LDAP_LOG(( "config", LDAP_LEVEL_CRIT, + LDAP_LOG( CONFIG, CRIT, "%s: line %d: already set sasl-realm!\n", - fname, lineno )); + fname, lineno, 0 ); #else Debug( LDAP_DEBUG_ANY, "%s: line %d: already set sasl-realm!\n", @@ -154,10 +151,10 @@ int slap_sasl_config( int cargc, char **cargv, char *line, int rc; if ( cargc != 3 ) { #ifdef NEW_LOGGING - LDAP_LOG(( "config", LDAP_LEVEL_CRIT, + LDAP_LOG( CONFIG, CRIT, "%s: line %d: need 2 args in " "\"saslregexp \"\n", - fname, lineno )); + fname, lineno, 0 ); #else Debug( LDAP_DEBUG_ANY, "%s: line %d: need 2 args in \"saslregexp \"\n", 
@@ -177,10 +174,10 @@ int slap_sasl_config( int cargc, char **cargv, char *line, if ( cargc < 2 ) { #ifdef NEW_LOGGING - LDAP_LOG(( "config", LDAP_LEVEL_CRIT, + LDAP_LOG( CONFIG, CRIT, "%s: line %d: missing flags in " "\"sasl-secprops \" line\n", - fname, lineno )); + fname, lineno, 0 ); #else Debug( LDAP_DEBUG_ANY, "%s: line %d: missing flags in \"sasl-secprops \" line\n", @@ -193,9 +190,9 @@ int slap_sasl_config( int cargc, char **cargv, char *line, txt = slap_sasl_secprops( cargv[1] ); if ( txt != NULL ) { #ifdef NEW_LOGGING - LDAP_LOG(( "config", LDAP_LEVEL_CRIT, + LDAP_LOG( CONFIG, CRIT, "%s: line %d sasl-secprops: %s\n", - fname, lineno, txt )); + fname, lineno, txt ); #else Debug( LDAP_DEBUG_ANY, "%s: line %d: sasl-secprops: %s\n", @@ -302,7 +299,7 @@ slap_sasl_log( #define SET_DN 1 #define SET_U 2 -static struct berval ext_bv = { sizeof("EXTERNAL")-1, "EXTERNAL" }; +static struct berval ext_bv = BER_BVC( "EXTERNAL" ); int slap_sasl_getdn( Connection *conn, char *id, int len, char *user_realm, struct berval *dn, int flags ) @@ -315,7 +312,7 @@ int slap_sasl_getdn( Connection *conn, char *id, int len, #ifdef NEW_LOGGING LDAP_LOG( TRANSPORT, ENTRY, "slap_sasl_getdn: conn %d id=%s\n", - conn ? conn->c_connid : -1, id ? (*id ? id : "") : "NULL" ); + conn ? conn->c_connid : -1, id ? (*id ? id : "") : "NULL", 0 ); #else Debug( LDAP_DEBUG_ARGS, "slap_sasl_getdn: id=%s\n", id?(*id?id:""):"NULL",0,0 ); @@ -345,8 +342,10 @@ int slap_sasl_getdn( Connection *conn, char *id, int len, */ if( flags & FLAG_GETDN_AUTHCID ) { #ifdef HAVE_TLS - if( conn->c_is_tls && conn->c_sasl_bind_mech.bv_len == ext_bv.bv_len - && ( strcasecmp( ext_bv.bv_val, conn->c_sasl_bind_mech.bv_val ) == 0 ) ) { + if( conn->c_is_tls && + conn->c_sasl_bind_mech.bv_len == ext_bv.bv_len && + strcasecmp( ext_bv.bv_val, conn->c_sasl_bind_mech.bv_val ) == 0 ) + { /* X.509 DN is already normalized */ do_norm = 0; is_dn = SET_DN; 
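Review bot: In the `@@ -345` hunk `conn->c_is_tls` and `conn->c_sasl_bind_mech` are read with no NULL test, yet the `@@ -315` hunk's log line in the same function still guards with `conn ? conn->c_connid : -1`, so slap_sasl_getdn evidently admits a NULL conn from some caller. If any such caller can pass FLAG_GETDN_AUTHCID, the reformatted condition should begin `if( conn && conn->c_is_tls &&`; if it cannot, a one-line comment above the `if` saying that conn is non-NULL on the AUTHCID path would stop the next reader from asking. The body of slap_sasl_getdn continues outside this hunk.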
@@ -386,7 +385,7 @@ int slap_sasl_getdn( Connection *conn, char *id, int len, len = dn->bv_len + sizeof("uid=")-1 + sizeof(",cn=auth")-1; /* username may have embedded realm name */ - if( realm = strchr( dn->bv_val, '@') ) { + if( ( realm = strchr( dn->bv_val, '@') ) ) { *realm++ = '\0'; len += sizeof(",cn=")-2; } else if( user_realm && *user_realm ) { @@ -400,24 +399,24 @@ int slap_sasl_getdn( Connection *conn, char *id, int len, /* Build the new dn */ c1 = dn->bv_val; dn->bv_val = ch_malloc( len+1 ); - p = slap_strcopy( dn->bv_val, "uid=" ); - p = slap_strncopy( p, c1, dn->bv_len ); + p = lutil_strcopy( dn->bv_val, "uid=" ); + p = lutil_strncopy( p, c1, dn->bv_len ); if( realm ) { int rlen = dn->bv_len - ( realm - c1 ); - p = slap_strcopy( p, ",cn=" ); - p = slap_strncopy( p, realm, rlen ); + p = lutil_strcopy( p, ",cn=" ); + p = lutil_strncopy( p, realm, rlen ); realm[-1] = '@'; } else if( user_realm && *user_realm ) { - p = slap_strcopy( p, ",cn=" ); - p = slap_strcopy( p, user_realm ); + p = lutil_strcopy( p, ",cn=" ); + p = lutil_strcopy( p, user_realm ); } if( conn->c_sasl_bind_mech.bv_len ) { - p = slap_strcopy( p, ",cn=" ); - p = slap_strcopy( p, conn->c_sasl_bind_mech.bv_val ); + p = lutil_strcopy( p, ",cn=" ); + p = lutil_strcopy( p, conn->c_sasl_bind_mech.bv_val ); } - p = slap_strcopy( p, ",cn=auth" ); + p = lutil_strcopy( p, ",cn=auth" ); dn->bv_len = p - dn->bv_val; #ifdef NEW_LOGGING 
@@ -462,7 +461,77 @@ int slap_sasl_getdn( Connection *conn, char *id, int len,
 }
 
 #if SASL_VERSION_MAJOR >= 2
-static const char *slap_propnames[] = { "*authcDN", "*authzDN", NULL };
+static const char *slap_propnames[] = {
+ "*slapConn", "*authcDN", "*authzDN", NULL };
+
+static Filter *generic_filter;
+
+#define PROP_CONN 0
+#define PROP_AUTHC 1
+#define PROP_AUTHZ 2
+
+typedef struct lookup_info {
+ int last;
+ int flags;
+ const struct propval *list;
+ sasl_server_params_t *sparams;
+} lookup_info;
+
+static int
+sasl_ap_lookup(
+ BackendDB *be,
+ Connection *conn,
+ Operation *op,
+ Entry *e,
+ AttributeName *an,
+ int attrsonly,
+ LDAPControl **ctrls )
+{
+ BerVarray bv;
+ AttributeDescription *ad;
+ Attribute *a;
+ const char *text;
+ int rc, i;
+ slap_callback *tmp = op->o_callback;
+ lookup_info *sl = tmp->sc_private;
+
+ for( i = 0; i < sl->last; i++ ) {
+ const char *name = sl->list[i].name;
+
+ if ( name[0] == '*' ) {
+ if ( sl->flags & SASL_AUXPROP_AUTHZID ) continue;
+ name++;
+ } else if ( !(sl->flags & SASL_AUXPROP_AUTHZID ) )
+ continue;
+
+ if ( sl->list[i].values ) {
+ if ( !(sl->flags & SASL_AUXPROP_OVERRIDE) ) continue;
+ }
+ ad = NULL;
+ rc = slap_str2ad( name, &ad, &text );
+ if ( rc != LDAP_SUCCESS ) {
+#ifdef NEW_LOGGING
+ LDAP_LOG( TRANSPORT, DETAIL1,
+ "slap_auxprop: str2ad(%s): %s\n", name, text, 0 );
+#else
+ Debug( LDAP_DEBUG_TRACE,
+ "slap_auxprop: str2ad(%s): %s\n", name, text, 0 );
+#endif
+ continue;
+ }
+ a = attr_find( e->e_attrs, ad );
+ if ( !a ) continue;
+ if ( ! access_allowed( be, conn, op, e, ad, NULL, ACL_AUTH, NULL ) )
+ continue;
+ if ( sl->list[i].values && ( sl->flags & SASL_AUXPROP_OVERRIDE ) )
+ sl->sparams->utils->prop_erase( sl->sparams->propctx, sl->list[i].name );
+ for ( bv = a->a_vals; bv->bv_val; bv++ ) {
+ sl->sparams->utils->prop_set( sl->sparams->propctx, sl->list[i].name,
+ bv->bv_val, bv->bv_len );
+ }
+ }
+ return LDAP_SUCCESS;
+}
 
 static void
 slap_auxprop_lookup(
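Review bot: sasl_ap_lookup drops the `slap_str2undef_ad` fallback that the removed code in the `@@ -512` hunk applied after a failed `slap_str2ad`, so a property naming an attribute unknown to the schema is now skipped outright instead of being looked up as an undefined attribute; if that is intended, say so in a comment above that `continue`. The `sl->list[i].values && ( sl->flags & SASL_AUXPROP_OVERRIDE )` test before `prop_erase` is already guaranteed by the `if ( sl->list[i].values )` block a few lines up and can be reduced to `if ( sl->list[i].values )`. The `access_allowed` call with ACL_AUTH is evaluated against `op`, whose `o_ndn` the caller copies from `conn->c_ndn` (the `@@ -512` hunk), i.e. the identity the connection holds before this bind completes, so the ACL must grant `auth` on the requested attributes to that identity; a header comment stating this, and that a denied attribute is indistinguishable here from an absent one, would document the callback's contract (it is invoked once per entry and its return value is not inspected by the shown callers).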
@@ -472,29 +541,35 @@ slap_auxprop_lookup( const char *user, unsigned ulen) { - int rc, i, last; + int rc, i, doit=0; struct berval dn; - const struct propval *list; - BerVarray vals, bv; - AttributeDescription *ad; - const char *text; - - list = sparams->utils->prop_get( sparams->propctx ); - - /* Find our DN first */ - for( i = 0, last = 0; list[i].name; i++ ) { - if ( list[i].name[0] == '*' ) { + Connection *conn = NULL; + lookup_info sl; + + sl.list = sparams->utils->prop_get( sparams->propctx ); + sl.sparams = sparams; + sl.flags = flags; + + /* Find our DN and conn first */ + for( i = 0, sl.last = 0; sl.list[i].name; i++ ) { + if ( sl.list[i].name[0] == '*' ) { + if ( !strcmp( sl.list[i].name, slap_propnames[PROP_CONN] ) ) { + if ( sl.list[i].values && sl.list[i].values[0] ) + AC_MEMCPY( &conn, sl.list[i].values[0], sizeof( conn ) ); + if ( !sl.last ) sl.last = i; + } if ( (flags & SASL_AUXPROP_AUTHZID) && - !strcmp( list[i].name, slap_propnames[1] ) ) { - if ( list[i].values && list[i].values[0] ) - AC_MEMCPY( &dn, list[i].values[0], sizeof( dn ) ); - if ( !last ) last = i; + !strcmp( sl.list[i].name, slap_propnames[PROP_AUTHZ] ) ) { + + if ( sl.list[i].values && sl.list[i].values[0] ) + AC_MEMCPY( &dn, sl.list[i].values[0], sizeof( dn ) ); + if ( !sl.last ) sl.last = i; break; } - if ( !strcmp( list[i].name, slap_propnames[0] ) ) { - if ( !last ) last = i; - if ( list[i].values && list[i].values[0] ) { - AC_MEMCPY( &dn, list[i].values[0], sizeof( dn ) ); + if ( !strcmp( sl.list[i].name, slap_propnames[PROP_AUTHC] ) ) { + if ( !sl.last ) sl.last = i; + if ( sl.list[i].values && sl.list[i].values[0] ) { + AC_MEMCPY( &dn, sl.list[i].values[0], sizeof( dn ) ); if ( !(flags & SASL_AUXPROP_AUTHZID) ) break; } 
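Review bot: `dn` (the context line `struct berval dn;`) is never initialised and is only assigned when an `*authcDN` or `*authzDN` property carries a value; when neither does, the `@@ -502` hunk hands the indeterminate berval to `select_backend` and `be_search`. Initialise it as `struct berval dn = { 0, NULL };` so the search can be made conditional on `dn.bv_val`. The line `AC_MEMCPY( &conn, sl.list[i].values[0], sizeof( conn ) );` reconstructs a `Connection *` from bytes that slap_sasl_canonicalize stored with `prop_set` — a raw pointer round-tripped through the SASL property context — and needs a comment saying so, since a reader will otherwise take the value for a string. The `if ( !sl.last ) sl.last = i;` tests still use 0 both as "unset" and as a valid index, as the old code did; a comment on that sentinel (or a -1 initial value) would make the intent explicit. slap_auxprop_lookup continues in the next hunk.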
@@ -502,9 +577,9 @@ slap_auxprop_lookup( } } - /* Now fetch the rest */ - for( i = 0; i < last; i++ ) { - const char *name = list[i].name; + /* Now see what else needs to be fetched */ + for( i = 0; i < sl.last; i++ ) { + const char *name = sl.list[i].name; if ( name[0] == '*' ) { if ( flags & SASL_AUXPROP_AUTHZID ) continue; @@ -512,30 +587,35 @@ slap_auxprop_lookup( } else if ( !(flags & SASL_AUXPROP_AUTHZID ) ) continue; - if ( list[i].values ) { + if ( sl.list[i].values ) { if ( !(flags & SASL_AUXPROP_OVERRIDE) ) continue; - sparams->utils->prop_erase( sparams->propctx, list[i].name ); } - ad = NULL; - rc = slap_str2ad( name, &ad, &text ); - if ( rc != LDAP_SUCCESS ) { -#ifdef NEW_LOGGING - LDAP_LOG( TRANSPORT, DETAIL1, - "slap_auxprop: str2ad(%s): %s\n", name, text, 0 ); -#else - Debug( LDAP_DEBUG_TRACE, - "slap_auxprop: str2ad(%s): %s\n", name, text, 0 ); -#endif - rc = slap_str2undef_ad( name, &ad, &text ); - if ( rc != LDAP_SUCCESS ) continue; - } - rc = backend_attribute( NULL,NULL,NULL,NULL, &dn, ad, &vals ); - if ( rc != LDAP_SUCCESS ) continue; - for ( bv = vals; bv->bv_val; bv++ ) { - sparams->utils->prop_set( sparams->propctx, list[i].name, - bv->bv_val, bv->bv_len ); + doit = 1; + } + + if (doit) { + Backend *be; + Operation op = {0}; + slap_callback cb = { slap_cb_null_response, + slap_cb_null_sresult, sasl_ap_lookup, NULL }; + + cb.sc_private = &sl; + + be = select_backend( &dn, 0, 1 ); + + if ( be && be->be_search ) { + op.o_tag = LDAP_REQ_SEARCH; + op.o_protocol = LDAP_VERSION3; + op.o_ndn = conn->c_ndn; + op.o_callback = &cb; + op.o_time = slap_get_time(); + op.o_do_not_cache = 1; + op.o_threadctx = conn->c_sasl_bindop->o_threadctx; + + (*be->be_search)( be, conn, &op, NULL, &dn, + LDAP_SCOPE_BASE, LDAP_DEREF_NEVER, 1, 0, + generic_filter, NULL, NULL, 0 ); } - ber_bvarray_free( vals ); } } 
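Review bot: `op.o_ndn = conn->c_ndn;` and `op.o_threadctx = conn->c_sasl_bindop->o_threadctx;` dereference `conn`, which the previous hunk initialises to NULL and overwrites only when a `*slapConn` property with a value is present; `doit` says nothing about that. Guard the block with `if ( doit && conn ) {` (and on `dn.bv_val` once `dn` is initialised), treating a missing connection as "nothing to fetch"; whether `c_sasl_bindop` is always set when SASL calls back is not visible here and should be confirmed. The eight-line Operation set-up and `be_search` call here are repeated verbatim in slap_sasl_checkpass (`@@ -603` hunk); a `static` helper taking `conn`, `&dn` and `&cb` would keep the two paths from drifting. slap_auxprop_lookup begins in the previous hunk.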
@@ -566,6 +646,42 @@ slap_auxprop_init( return SASL_OK; } +typedef struct checkpass_info { + int rc; + struct berval cred; +} checkpass_info; + +static int +sasl_cb_checkpass( + BackendDB *be, + Connection *conn, + Operation *op, + Entry *e, + AttributeName *an, + int attrsonly, + LDAPControl **ctrls ) +{ + slap_callback *tmp = op->o_callback; + checkpass_info *ci = tmp->sc_private; + Attribute *a; + struct berval *bv; + + ci->rc = SASL_NOVERIFY; + + a = attr_find( e->e_attrs, slap_schema.si_ad_userPassword ); + if ( !a ) return 0; + if ( ! access_allowed( be, conn, op, e, slap_schema.si_ad_userPassword, + NULL, ACL_AUTH, NULL ) ) return 0; + + for ( bv = a->a_vals; bv->bv_val != NULL; bv++ ) { + if ( !lutil_passwd( bv, &ci->cred, NULL ) ) { + ci->rc = SASL_OK; + break; + } + } + return 0; +} + static int slap_sasl_checkpass( sasl_conn_t *sconn, @@ -576,12 +692,12 @@ slap_sasl_checkpass( struct propctx *propctx) { Connection *conn = (Connection *)context; - struct berval dn, cred; + struct berval dn; int rc; - BerVarray vals, bv; + Backend *be; + checkpass_info ci; - cred.bv_val = (char *)pass; - cred.bv_len = passlen; + ci.rc = SASL_NOUSER; /* SASL will fallback to its own mechanisms if we don't * find an answer here. 
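Review bot: sasl_cb_checkpass reports only through `ci->rc` and always returns 0, but nothing says so: a reader cannot tell from the callback alone that the caller's initial `SASL_NOUSER` stands when no entry is delivered, that `SASL_NOVERIFY` covers both "no userPassword" and "ACL denies auth access", and that `SASL_OK` requires one `lutil_passwd` match against any value. Add a header comment along the lines of `/* be_search entry callback: sets ci->rc to SASL_OK on the first userPassword value matching ci->cred, else SASL_NOVERIFY; the return value is not used */`. The `access_allowed` check runs with `op`'s identity, which the caller in the `@@ -603` hunk sets from `conn->c_ndn` (the pre-bind identity), so the ACL must grant `auth` on userPassword to that identity — worth stating in the same comment, as it is the usual reason this path fails. The unused `an`, `attrsonly` and `ctrls` parameters are dictated by the callback signature and could be marked as such.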
@@ -603,47 +719,36 @@ slap_sasl_checkpass( return SASL_NOUSER; } - rc = backend_attribute( NULL, NULL, NULL, NULL, &dn, - slap_schema.si_ad_userPassword, &vals); - if ( rc != LDAP_SUCCESS ) { - ch_free( dn.bv_val ); - sasl_seterror( sconn, 0, ldap_err2string( rc ) ); - return SASL_NOVERIFY; + be = select_backend( &dn, 0, 1 ); + if ( be && be->be_search ) { + Operation op = {0}; + slap_callback cb = { slap_cb_null_response, + slap_cb_null_sresult, sasl_cb_checkpass, NULL }; + + ci.cred.bv_val = (char *)pass; + ci.cred.bv_len = passlen; + + cb.sc_private = &ci; + op.o_tag = LDAP_REQ_SEARCH; + op.o_protocol = LDAP_VERSION3; + op.o_ndn = conn->c_ndn; + op.o_callback = &cb; + op.o_time = slap_get_time(); + op.o_do_not_cache = 1; + op.o_threadctx = conn->c_sasl_bindop->o_threadctx; + + (*be->be_search)( be, conn, &op, NULL, &dn, + LDAP_SCOPE_BASE, LDAP_DEREF_NEVER, 1, 0, + generic_filter, NULL, NULL, 0 ); } - - rc = SASL_NOVERIFY; - - if ( vals != NULL ) { - for ( bv = vals; bv->bv_val != NULL; bv++ ) { - if ( !lutil_passwd( bv, &cred, NULL ) ) { - rc = SASL_OK; - break; - } - } - ber_bvarray_free( vals ); - } - - if ( rc != SASL_OK ) { + if ( ci.rc != SASL_OK ) { sasl_seterror( sconn, 0, ldap_err2string( LDAP_INVALID_CREDENTIALS ) ); } ch_free( dn.bv_val ); - return rc; -} - -static int -slap_sasl_cb_setpass( - sasl_conn_t *sconn, - void *context, - const char *username, - const char *pass, - unsigned passlen, - struct propctx *propctx, - unsigned flags) -{ - Connection *conn = (Connection *)context; + return ci.rc; } /* Convert a SASL authcid or authzid into a DN. Store the DN in an 
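Review bot: The result now rides in `ci.rc` — `SASL_NOUSER` when `select_backend` gives no searchable backend or no entry is returned, `SASL_NOVERIFY` or `SASL_OK` set by the callback — while the client-visible error is always `LDAP_INVALID_CREDENTIALS`, replacing the old `ldap_err2string( rc )` for backend failures; a comment above `be = select_backend( &dn, 0, 1 );` spelling out those three outcomes would spare the next reader re-deriving them. The uniform error text is the better choice, since it no longer lets a client tell "no such user" from "wrong password". If `rc`, still declared in the previous hunk, is no longer assigned outside the shown lines, drop it. slap_sasl_checkpass begins in the previous hunk.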
@@ -698,25 +803,39 @@ slap_sasl_canonicalize( prop_request( props, slap_propnames ); if ( flags & SASL_CU_AUTHID ) - which = 0; + which = PROP_AUTHC; else - which = 1; + which = PROP_AUTHZ; + /* Need to store the Connection for auxprop_lookup */ + if ( !auxvals[PROP_CONN].values ) { + names[0] = slap_propnames[PROP_CONN]; + names[1] = NULL; + prop_set( props, names[0], (char *)&conn, sizeof( conn ) ); + } + /* Already been here? */ if ( auxvals[which].values ) goto done; - if ( flags == SASL_CU_AUTHZID ) { - /* If we got unqualified authzid's, they probably came from SASL - * itself just passing the authcid to us. Look inside the oparams - * structure to see if that's true. (HACK: the out_len pointer is - * the address of a member of a sasl_out_params_t structure...) + /* Normally we require an authzID to have a u: or dn: prefix. + * However, SASL frequently gives us an authzID that is just + * an exact copy of the authcID, without a prefix. We need to + * detect and allow this condition. If SASL calls canonicalize + * with SASL_CU_AUTHID|SASL_CU_AUTHZID this is a no-brainer. + * But if it's broken into two calls, we need to remember the + * authcID so that we can compare the authzID later. We store + * the authcID temporarily in conn->c_sasl_dn. We necessarily + * finish Canonicalizing before Authorizing, so there is no + * conflict with slap_sasl_authorize's use of this temp var. */ - sasl_out_params_t dummy; - int offset = (void *)&dummy.ulen - (void *)&dummy.authid; - char **authid = (void *)out_len - offset; - if ( *authid && !strcmp( in, *authid ) ) - goto done; + if ( flags == SASL_CU_AUTHID ) { + conn->c_sasl_dn.bv_val = (char *) in; + } else if ( flags == SASL_CU_AUTHZID && conn->c_sasl_dn.bv_val ) { + rc = strcmp( in, conn->c_sasl_dn.bv_val ); + conn->c_sasl_dn.bv_val = NULL; + /* They were equal, no work needed */ + if ( !rc ) goto done; } rc = slap_sasl_getdn( conn, (char *)in, inlen, (char *)user_realm, &dn, 
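Review bot: The stash `conn->c_sasl_dn.bv_val = (char *) in;` stores a pointer into a SASL-owned buffer and sets no `bv_len`, and it is cleared only if the SASL_CU_AUTHZID call follows; a mechanism that stops after the SASL_CU_AUTHID call, or fails between the two, leaves the dangling pointer in `c_sasl_dn`. The `@@ -781` hunk's context shows slap_sasl_authorize resetting `c_sasl_dn.bv_len`; if that code also frees `bv_val` (not visible here), it would free SASL's buffer. Set `conn->c_sasl_dn.bv_len = 0;` alongside the stash so the field is never a half-initialised berval, and reset `bv_val` wherever the bind terminates (success or failure), since this function cannot clear it itself without defeating the AUTHID/AUTHZID pairing; a separate field would avoid overloading `c_sasl_dn` altogether. The `prop_set( props, names[0], (char *)&conn, sizeof( conn ) );` line stores the raw pointer bytes as a property value; its comment should say that slap_auxprop_lookup copies them back with AC_MEMCPY.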
@@ -781,7 +900,8 @@ slap_sasl_authorize( conn->c_sasl_dn.bv_len = 0; } - prop_getnames( props, slap_propnames, auxvals ); + /* Skip PROP_CONN */ + prop_getnames( props, slap_propnames+1, auxvals ); AC_MEMCPY( &authcDN, auxvals[0].values[0], sizeof(authcDN) ); @@ -793,7 +913,7 @@ slap_sasl_authorize( AC_MEMCPY( &authzDN, auxvals[1].values[0], sizeof(authzDN) ); - rc = slap_sasl_authorized( &authcDN, &authzDN ); + rc = slap_sasl_authorized( conn, &authcDN, &authzDN ); ch_free( authcDN.bv_val ); if ( rc != LDAP_SUCCESS ) { #ifdef NEW_LOGGING @@ -900,7 +1020,7 @@ slap_sasl_authorize( return SASL_NOAUTHZ; } - rc = slap_sasl_authorized( &authcDN, &authzDN ); + rc = slap_sasl_authorized(conn, &authcDN, &authzDN ); ch_free( authcDN.bv_val ); if( rc ) { #ifdef NEW_LOGGING @@ -981,11 +1101,35 @@ int slap_sasl_init( void ) { SASL_CB_LIST_END, NULL, NULL } }; +#ifdef HAVE_SASL_VERSION +#define SASL_BUILD_VERSION ((SASL_VERSION_MAJOR << 24) |\ + (SASL_VERSION_MINOR << 16) | SASL_VERSION_STEP) + + sasl_version( NULL, &rc ); + if ( ((rc >> 16) != ((SASL_VERSION_MAJOR << 8)|SASL_VERSION_MINOR)) || + (rc & 0xffff) < SASL_VERSION_STEP) { + +#ifdef NEW_LOGGING + LDAP_LOG( TRANSPORT, INFO, + "slap_sasl_init: SASL version mismatch, got %x, wanted %x.\n", + rc, SASL_BUILD_VERSION, 0 ); +#else + Debug( LDAP_DEBUG_ANY, + "slap_sasl_init: SASL version mismatch, got %x, wanted %x.\n", + rc, SASL_BUILD_VERSION, 0 ); +#endif + return -1; + } +#endif + + /* SASL 2 does its own memory management internally */ +#if SASL_VERSION_MAJOR < 2 sasl_set_alloc( - ch_malloc, - ch_calloc, - ch_realloc, - ch_free ); + ber_memalloc, + ber_memcalloc, + ber_memrealloc, + ber_memfree ); +#endif sasl_set_mutex( ldap_pvt_sasl_mutex_new, 
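Review bot: After `prop_getnames( props, slap_propnames+1, auxvals );` the `auxvals` indices are offset by one from the `PROP_*` constants (`auxvals[0]` is PROP_AUTHC, `auxvals[1]` PROP_AUTHZ), while slap_auxprop_lookup and slap_sasl_canonicalize index by the constants directly; the `/* Skip PROP_CONN */` comment does not say that. Write the accesses as `auxvals[PROP_AUTHC-1]` and `auxvals[PROP_AUTHZ-1]`, or extend the comment to `/* Skip PROP_CONN: auxvals[] is indexed PROP_*-1 from here on */`. The `AC_MEMCPY( &authcDN, auxvals[0].values[0], ... )` line that follows dereferences `values[0]` with no visible test; if canonicalize guarantees the property is set by this point, a one-line comment should say so. slap_sasl_authorize starts before this hunk.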
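Review bot: In the `@@ -981` hunk `SASL_BUILD_VERSION` is `#define`d inside the body of slap_sasl_init and never `#undef`'d; as a file-scope macro it belongs with the other SASL conditionals near the top of the file, next to `SASL_CONST`. The runtime check requires the library's major.minor to equal the build's exactly and its step to be at least the build's, so a newer minor release is refused as well; if that is intended the `SASL version mismatch` text is accurate, otherwise compare the packed values with `<`. `rc` doubles as the out-parameter of `sasl_version`; a local `int sasl_ver` named for the purpose, used in the two `%x` log arguments, would read better. slap_sasl_init continues outside this hunk.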
@@ -1007,6 +1151,10 @@ int slap_sasl_init( void ) Debug( LDAP_DEBUG_ANY, "sasl_server_init failed\n", 0, 0, 0 ); #endif +#if SASL_VERSION_MAJOR < 2 + /* A no-op used to make sure we linked with Cyrus 1.5 */ + sasl_client_auth( NULL, NULL, NULL, 0, NULL, NULL ); +#endif return -1; } @@ -1033,6 +1181,9 @@ int slap_sasl_destroy( void ) { #ifdef HAVE_CYRUS_SASL sasl_done(); +#endif +#if SASL_VERSION_MAJOR >= 2 + filter_free( generic_filter ); #endif free( global_host ); global_host = NULL; @@ -1081,10 +1232,6 @@ int slap_sasl_open( Connection *conn ) session_callbacks[cb].id = SASL_CB_SERVER_USERDB_CHECKPASS; session_callbacks[cb].proc = &slap_sasl_checkpass; session_callbacks[cb++].context = conn; - - session_callbacks[cb].id = SASL_CB_SERVER_USERDB_SETPASS; - session_callbacks[cb].proc = &slap_sasl_cb_setpass; - session_callbacks[cb++].context = conn; #endif session_callbacks[cb].id = SASL_CB_LIST_END; @@ -1097,6 +1244,9 @@ int slap_sasl_open( Connection *conn ) /* create new SASL context */ #if SASL_VERSION_MAJOR >= 2 + if ( generic_filter == NULL ) { + generic_filter = str2filter( "(objectclass=*)" ); + } if ( conn->c_sock_name.bv_len != 0 && strncmp( conn->c_sock_name.bv_val, "IP=", 3 ) == 0) { char *p; @@ -1261,7 +1411,7 @@ char ** slap_sasl_mechs( Connection *conn ) return NULL; } - mechs = str2charray( mechstr, "," ); + mechs = ldap_str2charray( mechstr, "," ); #if SASL_VERSION_MAJOR < 2 ch_free( mechstr ); @@ -1453,11 +1603,11 @@ slap_sasl_setpass( } #ifdef NEW_LOGGING - LDAP_LOG(( "backend", LDAP_LEVEL_ENTRY, + LDAP_LOG( BACKEND, ENTRY, "slap_sasl_setpass: \"%s\"\n", - id.bv_val ? id.bv_val : "" )); + id.bv_val ? id.bv_val : "", 0, 0); #else - Debug( LDAP_DEBUG_ARGS, "==> ldbm_back_exop_passwd: \"%s\"\n", + Debug( LDAP_DEBUG_ARGS, "==> slap_sasl_setpass: \"%s\"\n", id.bv_val ? id.bv_val : "", 0, 0 ); #endif
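Review bot: In the `@@ -1097` hunk `generic_filter` is created lazily in slap_sasl_open behind an unsynchronised `if ( generic_filter == NULL )` on a file-scope pointer, and slap_sasl_open runs per connection; two first connections on different threads can each call `str2filter`, leaking one Filter and racing on the store. Create it once in slap_sasl_init under the existing `#if SASL_VERSION_MAJOR >= 2` block and fail initialisation if `str2filter` returns NULL, which also removes the per-connection test. In the `@@ -1033` hunk, add `generic_filter = NULL;` after `filter_free( generic_filter );`, and confirm `filter_free` tolerates a NULL argument for the case where no connection ever reached slap_sasl_open (otherwise guard the call).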