Add "sasl-external-x509dn-convert" configuration option aimed

at providing authid TLS/X.509 to LDAP DN mapping.  Experimental.

diff --git a/servers/slapd/config.c b/servers/slapd/config.c
index 02c1ebfe2ea949551cf244487bd94ee0aa5fa453..34c99d3e45ecce7320e9e01b1839e8918aee6566 100644 (file)
--- a/servers/slapd/config.c
+++ b/servers/slapd/config.c
@@ -46,6 +46,7 @@ char   *slapd_args_file = NULL;
 
 int nSaslRegexp = 0;
 SaslRegexp_t *SaslRegexp = NULL;
+int sasl_external_x509dn_convert;
 
 static char    *fp_getline(FILE *fp, int *lineno);
 static void    fp_getline_init(int *lineno);
@@ -550,6 +551,9 @@ read_config( const char *fname )
                                return 1;
                        }
 
+               } else if ( strcasecmp( cargv[0], "sasl-external-x509dn-convert" ) == 0 ) {
+                       sasl_external_x509dn_convert++;
+
                /* set UCDATA path */
                } else if ( strcasecmp( cargv[0], "ucdata-path" ) == 0 ) {
                        int err;

diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h
index 110b27fcf2798202455adad90c6880633239867b..63e509143db06b4e3c2a2612410cd539f69b6258 100644 (file)
--- a/servers/slapd/proto-slap.h
+++ b/servers/slapd/proto-slap.h
@@ -811,6 +811,7 @@ LDAP_SLAPD_F (int)          global_idletimeout;
 LDAP_SLAPD_F (int)             global_schemacheck;
 LDAP_SLAPD_F (char)            *global_host;
 LDAP_SLAPD_F (char)            *global_realm;
+LDAP_SLAPD_F (int)             sasl_external_x509dn_convert;
 LDAP_SLAPD_F (char)            *default_passwd_hash;
 LDAP_SLAPD_F (int)             lber_debug;
 LDAP_SLAPD_F (int)             ldap_syslog;

diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c
index 06063451336e76582b03fe74affc2d22fc63f177..1034f2f2a24c55aa3f3dd43256141a5f6d3351f9 100644 (file)
--- a/servers/slapd/sasl.c
+++ b/servers/slapd/sasl.c
@@ -27,7 +27,6 @@
 
 static sasl_security_properties_t sasl_secprops;
 
-
 static int
 slap_sasl_log(
        void *context,
@@ -107,21 +106,43 @@ int slap_sasl_getdn( Connection *conn, char *id, char **dnptr, int flags )
                return( LDAP_SUCCESS );
        }
        ctx = conn->c_sasl_context;
-       dn = ch_strdup( id );
        len = strlen( id );
 
-       /* An authcID will need to be prefixed with u: */
+       /* An authcID needs to be converted to authzID form */
        if( flags & FLAG_GETDN_AUTHCID ) {
-               dn = ch_realloc( dn, len+3 );
-               memmove( dn+2, dn, len+1 );
-               dn[0] = 'u';
-               dn[1] = ':';
-               len += 2;
+               if( sasl_external_x509dn_convert && conn->c_sasl_bind_mech
+                       && ( strcasecmp( LDAP_SASL_EXTERNAL, conn->c_sasl_bind_mech ) == 0 ) 
+                       && len && dn[0] == '/' and dn[len-1]== '/' )
+               {
+                       /* check SASL external for X.509 style DN and */
+                       /* convert to dn:<dn> form */
+                       char *tmpdn = ldap_dcedn2dn( id );
+                       len = strlen( tmpdn );
+
+                       dn = ch_malloc( dn, len+4 );
+                       dn[0] = 'd';
+                       dn[1] = 'n';
+                       dn[2] = ':';
+                       memmove( &dn[3], tmpdn, len+1 );
+                       len += 3;
+
+               } else {
+                       /* convert to u:<username> form */
+                       dn = ch_malloc( dn, len+3 );
+                       dn[0] = 'u';
+                       dn[1] = ':';
+                       memmove( &dn[2], id, len+1 );
+                       len += 2;
+               }
+       } else {
+               dn = ch_strdup( id );
        }
 
        /* An authzID must be properly prefixed */
-       if( flags & FLAG_GETDN_AUTHZID && strncasecmp( dn, "u:", 2 ) &&
-         strncasecmp( dn, "dn:", 3 ) ) {
+       if( flags & FLAG_GETDN_AUTHZID
+               && strncasecmp( dn, "u:", 2 )
+               && strncasecmp( dn, "dn:", 3 ) )
+       {
                ch_free( dn );
                *dnptr = NULL;
                return( LDAP_INAPPROPRIATE_AUTH );