struct berval **salt, /* salt to store */
const char *method ));
-#if defined( SLAPD_SPASSWD ) && defined( HAVE_CYRUS_SASL )
- /* cheat to avoid pulling in <sasl.h> */
-LDAP_LUTIL_V( struct sasl_conn * ) lutil_passwd_sasl_conn;
+#ifdef SLAPD_CRYPT
+typedef int (lutil_cryptfunc) LDAP_P((
+ const char *key,
+ const char *salt,
+ char **hash ));
+LDAP_LUTIL_V (lutil_cryptfunc *) lutil_cryptptr;
#endif
LDAP_LUTIL_F( int )
#include <ac/string.h>
#include <ac/unistd.h>
-#ifdef SLAPD_SPASSWD
-# ifdef HAVE_SASL_SASL_H
-# include <sasl/sasl.h>
-# else
-# include <sasl.h>
-# endif
-#endif
-
#if defined(SLAPD_LMHASH)
# include <openssl/des.h>
#endif /* SLAPD_LMHASH */
#ifdef SLAPD_CRYPT
static char *salt_format = NULL;
+static lutil_cryptfunc lutil_crypt;
+lutil_cryptfunc *lutil_cryptptr = lutil_crypt;
#endif
struct pw_scheme {
static LUTIL_PASSWD_HASH_FUNC hash_lanman;
#endif
-#ifdef SLAPD_SPASSWD
-static LUTIL_PASSWD_CHK_FUNC chk_sasl;
-#endif
-
#ifdef SLAPD_CRYPT
static LUTIL_PASSWD_CHK_FUNC chk_crypt;
static LUTIL_PASSWD_HASH_FUNC hash_crypt;
{ BER_BVC("{LANMAN}"), chk_lanman, hash_lanman },
#endif /* SLAPD_LMHASH */
-#ifdef SLAPD_SPASSWD
- { BER_BVC("{SASL}"), chk_sasl, NULL },
-#endif
-
#ifdef SLAPD_CRYPT
{ BER_BVC("{CRYPT}"), chk_crypt, hash_crypt },
# if defined( HAVE_GETPWNAM ) && defined( HAVE_PW_PASSWD )
}
#endif /* SLAPD_LMHASH */
-#ifdef SLAPD_SPASSWD
-#ifdef HAVE_CYRUS_SASL
-sasl_conn_t *lutil_passwd_sasl_conn = NULL;
-#endif
-
-static int chk_sasl(
- const struct berval *sc,
- const struct berval * passwd,
- const struct berval * cred,
- const char **text )
+#ifdef SLAPD_CRYPT
+static int lutil_crypt(
+ const char *key,
+ const char *salt,
+ char **hash )
{
- unsigned int i;
- int rtn;
-
- for( i=0; i<cred->bv_len; i++) {
- if(cred->bv_val[i] == '\0') {
- return LUTIL_PASSWD_ERR; /* NUL character in password */
- }
- }
-
- if( cred->bv_val[i] != '\0' ) {
- return LUTIL_PASSWD_ERR; /* cred must behave like a string */
- }
+ char *cr = crypt( key, salt );
+ int rc;
- for( i=0; i<passwd->bv_len; i++) {
- if(passwd->bv_val[i] == '\0') {
- return LUTIL_PASSWD_ERR; /* NUL character in password */
+ if( cr == NULL || cr[0] == '\0' ) {
+ /* salt must have been invalid */
+ rc = LUTIL_PASSWD_ERR;
+ } else {
+ if ( hash ) {
+ *hash = ber_strdup( cr );
+ rc = LUTIL_PASSWD_OK;
+ } else {
+ rc = strcmp( salt, cr ) ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK;
}
}
-
- if( passwd->bv_val[i] != '\0' ) {
- return LUTIL_PASSWD_ERR; /* passwd must behave like a string */
- }
-
- rtn = LUTIL_PASSWD_ERR;
-
-#ifdef HAVE_CYRUS_SASL
- if( lutil_passwd_sasl_conn != NULL ) {
- int sc;
-# if SASL_VERSION_MAJOR < 2
- sc = sasl_checkpass( lutil_passwd_sasl_conn,
- passwd->bv_val, passwd->bv_len,
- cred->bv_val, cred->bv_len,
- text );
-# else
- sc = sasl_checkpass( lutil_passwd_sasl_conn,
- passwd->bv_val, passwd->bv_len,
- cred->bv_val, cred->bv_len );
-# endif
- rtn = ( sc != SASL_OK ) ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK;
- }
-#endif
-
- return rtn;
+ return rc;
}
-#endif
-#ifdef SLAPD_CRYPT
static int chk_crypt(
const struct berval *sc,
const struct berval * passwd,
{
char *cr;
unsigned int i;
+ int rc;
for( i=0; i<cred->bv_len; i++) {
if(cred->bv_val[i] == '\0') {
return LUTIL_PASSWD_ERR; /* passwd must behave like a string */
}
- cr = crypt( cred->bv_val, passwd->bv_val );
-
- if( cr == NULL || cr[0] == '\0' ) {
- /* salt must have been invalid */
- return LUTIL_PASSWD_ERR;
- }
-
- return strcmp( passwd->bv_val, cr ) ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK;
+ return lutil_cryptptr( cred->bv_val, passwd->bv_val, NULL );
}
# if defined( HAVE_GETPWNAM ) && defined( HAVE_PW_PASSWD )
return LUTIL_PASSWD_ERR;
}
- cr = crypt(cred->bv_val, pw);
-
- if( cr == NULL || cr[0] == '\0' ) {
- /* salt must have been invalid */
- return LUTIL_PASSWD_ERR;
- }
-
- return strcmp(pw, cr) ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK;
-
+ return lutil_cryptptr( cred->bv_val, pw, NULL );
}
# endif
#endif
{
unsigned char salt[32]; /* salt suitable for most anything */
unsigned int i;
+ char *save;
+ int rc;
for( i=0; i<passwd->bv_len; i++) {
if(passwd->bv_val[i] == '\0') {
snprintf( (char *) salt, sizeof(entropy), salt_format, entropy );
}
- hash->bv_val = crypt( passwd->bv_val, (char *) salt );
+ rc = lutil_cryptptr( passwd->bv_val, (char *) salt, &hash->bv_val );
+ if ( rc != LUTIL_PASSWD_OK ) return rc;
if( hash->bv_val == NULL ) return -1;
hash->bv_len = strlen( hash->bv_val );
+ save = hash->bv_val;
+
if( hash->bv_len == 0 ) {
- return LUTIL_PASSWD_ERR;
+ rc = LUTIL_PASSWD_ERR;
+ } else {
+ rc = pw_string( scheme, hash );
}
-
- return pw_string( scheme, hash );
+ ber_memfree( save );
+ return rc;
}
#endif
#ifdef SLAPD_CRYPT
free( salt_format );
- salt_format = format != NULL ? strdup( format ) : NULL;
+ salt_format = format != NULL ? ber_strdup( format ) : NULL;
#endif
return 0;
return 0;
}
-#if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
- ldap_pvt_thread_mutex_lock( &passwd_mutex );
#ifdef SLAPD_SPASSWD
- lutil_passwd_sasl_conn = op->o_conn->c_sasl_authctx;
-#endif
+ ldap_pvt_thread_pool_setkey( op->o_threadctx, slap_sasl_bind,
+ op->o_conn->c_sasl_authctx, NULL );
#endif
result = lutil_passwd( &op->o_bd->be_rootpw, &op->orb_cred, NULL, NULL );
-#if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
#ifdef SLAPD_SPASSWD
- lutil_passwd_sasl_conn = NULL;
-#endif
- ldap_pvt_thread_mutex_unlock( &passwd_mutex );
+ ldap_pvt_thread_pool_setkey( op->o_threadctx, slap_sasl_bind, NULL, NULL );
#endif
return result == 0;
{ NULL, NULL, NULL }
};
+/* Notes:
+ * add / delete: all types that may be added or deleted must use an
+ * X-ORDERED attributeType for their RDN. Adding and deleting entries
+ * should automatically renumber the index of any siblings as needed,
+ * so that no gaps in the numbering sequence exist after the add/delete
+ * is completed.
+ * What can be added:
+ * schema objects
+ * backend objects for backend-specific config directives
+ * database objects
+ * overlay objects
+ *
+ * delete: probably no support this time around.
+ *
+ * modrdn: generally not done. Will be invoked automatically by add/
+ * delete to update numbering sequence. Perform as an explicit operation
+ * so that the renumbering effect may be replicated. Subtree rename must
+ * be supported, since renumbering a database will affect all its child
+ * overlays.
+ *
+ * modify: must be fully supported.
+ */
+
int
config_back_initialize( BackendInfo *bi )
{
#ifndef HAVE_GMTIME_R
ldap_pvt_thread_mutex_t gmtime_mutex;
#endif
-#if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
-ldap_pvt_thread_mutex_t passwd_mutex;
-#endif
slap_counters_t slap_counters;
#ifndef HAVE_GMTIME_R
ldap_pvt_thread_mutex_init( &gmtime_mutex );
#endif
-#if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
- ldap_pvt_thread_mutex_init( &passwd_mutex );
-#endif
+ slap_passwd_init();
rc = slap_sasl_init();
#include <ac/string.h>
#include <ac/unistd.h>
+#ifdef SLAPD_CRYPT
+#include <ac/crypt.h>
+#endif
+
#include "slap.h"
#include <lber_pvt.h>
struct berval *bv;
AccessControlState acl_state = ACL_STATE_INIT;
- for ( bv = a->a_vals; bv->bv_val != NULL; bv++ ) {
- int rc;
+#ifdef SLAPD_SPASSWD
+ ldap_pvt_thread_pool_setkey( op->o_threadctx, slap_sasl_bind,
+ op->o_conn->c_sasl_authctx, NULL );
+#endif
+ for ( bv = a->a_vals; bv->bv_val != NULL; bv++ ) {
/* if e is provided, check access */
if ( e && access_allowed( op, e, a->a_desc, bv,
ACL_AUTH, &acl_state ) == 0 )
{
continue;
}
-
-#if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
- ldap_pvt_thread_mutex_lock( &passwd_mutex );
-#ifdef SLAPD_SPASSWD
- lutil_passwd_sasl_conn = op->o_conn->c_sasl_authctx;
-#endif
-#endif
-
- rc = lutil_passwd( bv, cred, NULL, text );
-
-#if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
-#ifdef SLAPD_SPASSWD
- lutil_passwd_sasl_conn = NULL;
-#endif
- ldap_pvt_thread_mutex_unlock( &passwd_mutex );
-#endif
-
- if ( !rc ) {
+
+ if ( !lutil_passwd( bv, cred, NULL, text ) ) {
result = 0;
break;
}
}
+#ifdef SLAPD_SPASSWD
+ ldap_pvt_thread_pool_setkey( op->o_threadctx, slap_sasl_bind,
+ NULL, NULL );
+#endif
+
return result;
}
assert( hash );
-#if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
- ldap_pvt_thread_mutex_lock( &passwd_mutex );
-#endif
-
lutil_passwd_hash( cred , hash, new, text );
-
-#if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
- ldap_pvt_thread_mutex_unlock( &passwd_mutex );
-#endif
-
}
void
slap_passwd_hash(
slap_passwd_hash_type( cred, new, hash, text );
}
+
+#ifdef SLAPD_CRYPT
+static ldap_pvt_thread_mutex_t passwd_mutex;
+static lutil_cryptfunc slapd_crypt;
+
+static int slapd_crypt( const char *key, const char *salt, char **hash )
+{
+ char *cr;
+ int rc;
+
+ ldap_pvt_thread_mutex_lock( &passwd_mutex );
+
+ cr = crypt( key, salt );
+ if ( cr == NULL || cr[0] == '\0' ) {
+ /* salt must have been invalid */
+ rc = LUTIL_PASSWD_ERR;
+ } else {
+ if ( hash ) {
+ *hash = ber_strdup( cr );
+ rc = LUTIL_PASSWD_OK;
+ }
+ rc = strcmp( salt, cr ) ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK;
+ }
+
+ ldap_pvt_thread_mutex_unlock( &passwd_mutex );
+ return rc;
+}
+#endif /* SLAPD_CRYPT */
+
+void slap_passwd_init()
+{
+#ifdef SLAPD_CRYPT
+ ldap_pvt_thread_mutex_init( &passwd_mutex );
+ lutil_cryptptr = slapd_crypt;
+#endif
+}
+
struct berval *newpass,
const char **text );
+LDAP_SLAPD_F (void) slap_passwd_init (void);
+
/*
* phonetic.c
*/
LDAP_SLAPD_V (ldap_pvt_thread_mutex_t) entry2str_mutex;
LDAP_SLAPD_V (ldap_pvt_thread_mutex_t) replog_mutex;
-#if defined( SLAPD_CRYPT ) || defined( SLAPD_SPASSWD )
-LDAP_SLAPD_V (ldap_pvt_thread_mutex_t) passwd_mutex;
-#endif
#ifndef HAVE_GMTIME_R
LDAP_SLAPD_V (ldap_pvt_thread_mutex_t) gmtime_mutex;
#endif
return rc;
}
-#endif
+
+#ifdef SLAPD_SPASSWD
+
+static struct berval sasl_pwscheme = BER_BVC("{SASL}");
+
+static int chk_sasl(
+ const struct berval *sc,
+ const struct berval * passwd,
+ const struct berval * cred,
+ const char **text )
+{
+ unsigned int i;
+ int rtn;
+ void *ctx, *sconn = NULL;
+
+ for( i=0; i<cred->bv_len; i++) {
+ if(cred->bv_val[i] == '\0') {
+ return LUTIL_PASSWD_ERR; /* NUL character in password */
+ }
+ }
+
+ if( cred->bv_val[i] != '\0' ) {
+ return LUTIL_PASSWD_ERR; /* cred must behave like a string */
+ }
+
+ for( i=0; i<passwd->bv_len; i++) {
+ if(passwd->bv_val[i] == '\0') {
+ return LUTIL_PASSWD_ERR; /* NUL character in password */
+ }
+ }
+
+ if( passwd->bv_val[i] != '\0' ) {
+ return LUTIL_PASSWD_ERR; /* passwd must behave like a string */
+ }
+
+ rtn = LUTIL_PASSWD_ERR;
+
+ ctx = ldap_pvt_thread_pool_context();
+ ldap_pvt_thread_pool_getkey( ctx, slap_sasl_bind, &sconn, NULL );
+
+ if( sconn != NULL ) {
+ int sc;
+# if SASL_VERSION_MAJOR < 2
+ sc = sasl_checkpass( sconn,
+ passwd->bv_val, passwd->bv_len,
+ cred->bv_val, cred->bv_len,
+ text );
+# else
+ sc = sasl_checkpass( sconn,
+ passwd->bv_val, passwd->bv_len,
+ cred->bv_val, cred->bv_len );
+# endif
+ rtn = ( sc != SASL_OK ) ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK;
+ }
+
+ return rtn;
+}
+#endif /* SLAPD_SPASSWD */
+
+#endif /* HAVE_CYRUS_SASL */
int slap_sasl_init( void )
{
return -1;
}
+#ifdef SLAPD_SPASSWD
+ lutil_passwd_add( &sasl_pwscheme, chk_sasl, NULL );
+#endif
+
Debug( LDAP_DEBUG_TRACE, "slap_sasl_init: initialized!\n",
0, 0, 0 );
projects / openldap / commitdiff