first cut at SASL bind issues in idassert (related to ITS#6817)
authorPierangelo Masarati <ando@openldap.org>
Mon, 31 Jan 2011 22:07:04 +0000 (22:07 +0000)
committerPierangelo Masarati <ando@openldap.org>
Mon, 31 Jan 2011 22:07:04 +0000 (22:07 +0000)
doc/man/man5/slapd-ldap.5
doc/man/man5/slapd-meta.5
servers/slapd/back-ldap/back-ldap.h
servers/slapd/back-ldap/config.c

index 9e9e4fd7f621d400473d04e4536c07752ac86870..2fec6fe287011593165a908fa5f4df850c6b0980 100644 (file)
@@ -338,6 +338,15 @@ permissions, or the asserted identities must have appropriate
 .I authzFrom 
 permissions.  Note, however, that the ID assertion feature is mostly 
 useful when the asserted identities do not exist on the remote server.
+When
+.I bindmethod
+is
+.BR SASL ,
+the 
+.I authcDN
+must be specified in addition to the
+.IR authcID ,
+although it is not used within the authentication process.
 
 Flags can be
 
index 2d984d5f37d7c57a276c3cc353e8f698b2c9be82..8c996b6428a4c5a78fcc14c7b4bbeef3a0664c68 100644 (file)
@@ -480,6 +480,15 @@ permissions, or the asserted identities must have appropriate
 .I authzFrom 
 permissions.  Note, however, that the ID assertion feature is mostly 
 useful when the asserted identities do not exist on the remote server.
+When
+.I bindmethod
+is
+.BR SASL ,
+the 
+.I authcDN
+must be specified in addition to the
+.IR authcID ,
+although it is not used within the authentication process.
 
 Flags can be
 
index f06c34eb2015d8a6f34124abd515db5a9f772848..e8b352212a8e2d9af654d7073955f0d18daf7f50 100644 (file)
@@ -235,6 +235,9 @@ typedef struct slap_idassert_t {
 #define        LDAP_BACK_AUTH_OBSOLETE_ENCODING_WORKAROUND     (0x10U)
 #define        LDAP_BACK_AUTH_AUTHZ_ALL                        (0x20U)
 #define        LDAP_BACK_AUTH_PROXYAUTHZ_CRITICAL              (0x40U)
+#define LDAP_BACK_AUTH_DN_AUTHZID                      (0x100U)
+#define LDAP_BACK_AUTH_DN_WHOAMI                       (0x200U)
+#define LDAP_BACK_AUTH_DN_MASK                         (LDAP_BACK_AUTH_DN_AUTHZID|LDAP_BACK_AUTH_DN_WHOAMI)
 #define        li_idassert_flags       li_idassert.si_flags
 
        BerVarray       si_authz;
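Review bot: The three new `#define` lines separate the name from its value with spaces while every neighbouring definition in this block uses a tab, so the aligned column of values is broken for the new entries; using the same tab keeps the flag table readable. The new bits also jump from 0x40 straight to 0x100, leaving 0x80 unassigned — if that bit is claimed by a definition outside this hunk, a short comment such as `/* 0x80 is taken elsewhere in this header */` would save the next reader the search, and if it is free, 0x80 and 0x100 would keep the sequence dense. The struct `slap_idassert_t` that these flags belong to starts before the hunk.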
index 8dba7b0942fe12f954af373f627ff77a39b0fe15..17194906250f4f24f718f7364b6bc7cae7c6341a 100644 (file)
@@ -866,6 +866,17 @@ slap_idassert_parse( ConfigArgs *c, slap_idassert_t *si )
                                } else if ( strcasecmp( flags[ j ], "proxy-authz-non-critical" ) == 0 ) {
                                        si->si_flags &= ~LDAP_BACK_AUTH_PROXYAUTHZ_CRITICAL;
 
+                               } else if ( strcasecmp( flags[ j ], "dn-none" ) == 0 ) {
+                                       si->si_flags &= ~LDAP_BACK_AUTH_DN_MASK;
+
+                               } else if ( strcasecmp( flags[ j ], "dn-authzid" ) == 0 ) {
+                                       si->si_flags &= ~LDAP_BACK_AUTH_DN_MASK;
+                                       si->si_flags |= LDAP_BACK_AUTH_DN_AUTHZID;
+
+                               } else if ( strcasecmp( flags[ j ], "dn-whoami" ) == 0 ) {
+                                       si->si_flags &= ~LDAP_BACK_AUTH_DN_MASK;
+                                       si->si_flags |= LDAP_BACK_AUTH_DN_WHOAMI;
+
                                } else {
                                        snprintf( c->cr_msg, sizeof( c->cr_msg ),
                                                "\"idassert-bind <args>\": "
@@ -902,6 +913,17 @@ slap_idassert_parse( ConfigArgs *c, slap_idassert_t *si )
                        Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
                        return 1;
                }
+
+       } else if ( si->si_bc.sb_method == LDAP_AUTH_SASL ) {
+               if ( BER_BVISNULL( &si->si_bc.sb_binddn ) &&
+                       !(si->si_flags & LDAP_BACK_AUTH_DN_MASK) )
+               {
+                       snprintf( c->cr_msg, sizeof( c->cr_msg ),
+                               "\"idassert-bind <args>\": "
+                               "SASL needs \"binddn\" or either \"dn-authzid\" or \"dn-whoami\" in flags" );
+                       Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
+                       return 1;
+               }
        }
 
        bindconf_tls_defaults( &si->si_bc );
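Review bot: The new SASL check accepts either a configured `binddn` or one of the `dn-authzid`/`dn-whoami` flags, whereas the man-page text added by this same commit states that `authcDN` "must be specified" when bindmethod is SASL and does not mention the flags; the two should agree, or a reader of the manual will believe the configuration is stricter than the code enforces. The check runs only when `sb_method` is `LDAP_AUTH_SASL`, so whether a `dn-authzid`/`dn-whoami` flag combined with a non-SASL method is meaningful, silently ignored, or should be rejected is not decided here — a one-line comment above the `else if` stating the intended behaviour for that case would help. `slap_idassert_parse` begins before the hunk, and the `if` that this `else if` completes is outside it.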
@@ -1140,7 +1162,7 @@ ldap_back_cf_gen( ConfigArgs *c )
                                        (void)lutil_strcopy( ptr, "authz=native" );
                                }
 
-                               len = bv.bv_len + STRLENOF( "flags=non-prescriptive,override,obsolete-encoding-workaround,proxy-authz-non-critical" );
+                               len = bv.bv_len + STRLENOF( "flags=non-prescriptive,override,obsolete-encoding-workaround,proxy-authz-non-critical,dn-authzid" );
                                /* flags */
                                if ( !BER_BVISEMPTY( &bv ) ) {
                                        len += STRLENOF( " " );
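Review bot: The buffer length on the changed line is derived from a template literal that must spell out the longest possible flags string, and it now relies on `,dn-authzid` (11 characters) being at least as long as the `,dn-whoami` and `,dn-none` alternatives written by the switch in the following hunk; nothing in the code ties the literal to the switch, so a flag added later to the switch but not to this literal would overrun the allocation. A comment beside the literal, e.g. `/* must contain the longest spelling of every flag emitted below; the dn-* group yields exactly one entry, so only its longest member is listed */`, makes the invariant explicit for whoever extends the flag set next. `ldap_back_cf_gen` starts before the hunk.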
@@ -1180,6 +1202,20 @@ ldap_back_cf_gen( ConfigArgs *c )
                                        ptr = lutil_strcopy( ptr, ",proxy-authz-non-critical" );
                                }
 
+                               switch ( li->li_idassert_flags & LDAP_BACK_AUTH_DN_MASK ) {
+                               case LDAP_BACK_AUTH_DN_AUTHZID:
+                                       ptr = lutil_strcopy( ptr, ",dn-authzid" );
+                                       break;
+
+                               case LDAP_BACK_AUTH_DN_WHOAMI:
+                                       ptr = lutil_strcopy( ptr, ",dn-whoami" );
+                                       break;
+
+                               default:
+                                       ptr = lutil_strcopy( ptr, ",dn-none" );
+                                       break;
+                               }
+
                                bv.bv_len = ( ptr - bv.bv_val );
                                /* end-of-flags */
                        }