Cyrus 2 support now requires Cyrus 2.1.3. Adds support for in-directory

SASL secrets. (Only works with plaintext userpassword tho.)

diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h
index 5f469ac84a34aab6a91e000ae86838e5c1d6de3a..7b2a65a980508f7dbfd1eb8cbf9b184ab1266f71 100644 (file)
--- a/servers/slapd/proto-slap.h
+++ b/servers/slapd/proto-slap.h
@@ -833,6 +833,7 @@ LDAP_SLAPD_F (int) slap_sasl_bind LDAP_P((
  * saslauthz.c
  */
 LDAP_SLAPD_F (void) slap_sasl2dn LDAP_P((
+       Connection *conn,
        struct berval *saslname,
        struct berval *dn ));
 LDAP_SLAPD_F (int) slap_sasl_authorized LDAP_P((

diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c
index af5e3484e73912f6ee35739c36f9d9e7957e1ba9..b6023810e30ba191ea0fc2f1ea574afff7205dff 100644 (file)
--- a/servers/slapd/sasl.c
+++ b/servers/slapd/sasl.c
@@ -26,6 +26,7 @@
 
 #if SASL_VERSION_MAJOR >= 2
 #include <lutil.h>
+#include <sasl/saslplug.h>
 #define        SASL_CONST const
 #else
 #define        SASL_CONST
@@ -250,7 +251,7 @@ int slap_sasl_getdn( Connection *conn, char *id, int len,
        /* DN strings that are a cn=auth identity to run through regexp */
        if( is_dn == SET_DN )
        {
-               slap_sasl2dn( dn, &dn2 );
+               slap_sasl2dn( conn, dn, &dn2 );
                if( dn2.bv_val ) {
                        ch_free( dn->bv_val );
                        *dn = dn2;
@@ -279,6 +280,106 @@ int slap_sasl_getdn( Connection *conn, char *id, int len,
 }
 
 #if SASL_VERSION_MAJOR >= 2
+static const char *slap_propnames[] = { "*authcDN", "*authzDN", NULL };
+
+static void
+slap_auxprop_lookup(
+       void *glob_context,
+       sasl_server_params_t *sparams,
+       unsigned flags,
+       const char *user,
+       unsigned ulen)
+{
+       int rc;
+       struct berval dn;
+       const struct propval *list, *cur;
+       BerVarray vals, bv;
+       AttributeDescription *ad;
+       const char *text;
+
+       list = sparams->utils->prop_get( sparams->propctx );
+
+       /* Find our DN first */
+       for( cur = list; cur->name; cur++ ) {
+               if ( cur->name[0] == '*' ) {
+                       if ( (flags & SASL_AUXPROP_AUTHZID) &&
+                               !strcmp( cur->name, slap_propnames[1] ) ) {
+                               if ( cur->values && cur->values[0] )
+                                       AC_MEMCPY( &dn, cur->values[0], sizeof( dn ) );
+                               break;
+                       }
+                       if ( !strcmp( cur->name, slap_propnames[0] ) ) {
+                               AC_MEMCPY( &dn, cur->values[0], sizeof( dn ) );
+                               if ( !(flags & SASL_AUXPROP_AUTHZID) )
+                                       break;
+                       }
+               }
+       }
+
+       /* Now fetch the rest */
+       for( cur = list; cur->name; cur++ ) {
+               const char *name = cur->name;
+
+               if ( name[0] == '*' ) {
+                       if ( flags & SASL_AUXPROP_AUTHZID ) continue;
+                       name++;
+               } else if ( !(flags & SASL_AUXPROP_AUTHZID ) )
+                       continue;
+
+               if ( cur->values ) {
+                       if ( !(flags & SASL_AUXPROP_OVERRIDE) ) continue;
+                       sparams->utils->prop_erase( sparams->propctx, cur->name );
+               }
+               ad = NULL;
+               rc = slap_str2ad( name, &ad, &text );
+               if ( rc != LDAP_SUCCESS ) {
+#ifdef NEW_LOGGING
+                       LDAP_LOG(( "sasl", LDAP_LEVEL_DETAIL1,
+                               "slap_auxprop: str2ad(%s): %s\n", name, text ));
+#else
+                       Debug( LDAP_DEBUG_TRACE,
+                               "slap_auxprop: str2ad(%s): %s\n", name, text, 0 );
+#endif
+                       rc = slap_str2undef_ad( name, &ad, &text );
+                       if ( rc != LDAP_SUCCESS ) continue;
+               }
+               rc = backend_attribute( NULL,NULL,NULL,NULL, &dn, ad, &vals );
+               if ( rc != LDAP_SUCCESS ) continue;
+               for ( bv = vals; bv->bv_val; bv++ ) {
+                       sparams->utils->prop_set( sparams->propctx, cur->name,
+                               bv->bv_val, bv->bv_len );
+               }
+               ber_bvarray_free( vals );
+       }
+}
+
+static sasl_auxprop_plug_t slap_auxprop_plugin = {
+       0,      /* Features */
+       0,      /* spare */
+       NULL,   /* glob_context */
+       NULL,   /* auxprop_free */
+       slap_auxprop_lookup,
+       "slapd",        /* name */
+       NULL    /* spare */
+};
+
+static int
+slap_auxprop_init(
+       const sasl_utils_t *utils,
+       int max_version,
+       int *out_version,
+       sasl_auxprop_plug_t **plug,
+       const char *plugname)
+{
+       if ( !out_version | !plug ) return SASL_BADPARAM;
+
+       if ( max_version < SASL_AUXPROP_PLUG_VERSION ) return SASL_BADVERS;
+
+       *out_version = SASL_AUXPROP_PLUG_VERSION;
+       *plug = &slap_auxprop_plugin;
+       return SASL_OK;
+}
+
 static int
 slap_sasl_checkpass(
        sasl_conn_t *sconn,
@@ -346,7 +447,12 @@ slap_sasl_checkpass(
        return rc;
 }
 
-#if 0  /* CANON isn't for what you think it does. */
+/* Convert a SASL authcid or authzid into a DN. Store the DN in an
+ * auxiliary property, so that we can refer to it in sasl_authorize
+ * without interfering with anything else. Also, the SASL username
+ * buffer is constrained to 256 characters, and our DNs could be
+ * much longer (totally arbitrary length)...
+ */
 static int
 slap_sasl_canonicalize(
        sasl_conn_t *sconn,
@@ -360,8 +466,11 @@ slap_sasl_canonicalize(
        unsigned *out_len)
 {
        Connection *conn = (Connection *)context;
+       struct propctx *props = sasl_auxprop_getctx( sconn );
        struct berval dn;
-       int rc;
+       int rc, ext = 0;
+       char *realm;
+       const char *names[2];
 
        *out_len = 0;
 
@@ -369,51 +478,81 @@ slap_sasl_canonicalize(
        LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY,
                "slap_sasl_canonicalize: conn %d %s=\"%s\"\n",
                        conn ? conn->c_connid : -1,
-                       (flags == SASL_CU_AUTHID) ? "authcid" : "authzid",
+                       (flags & SASL_CU_AUTHID) ? "authcid" : "authzid",
                        in ? in : "<empty>" ));
 #else
        Debug( LDAP_DEBUG_ARGS, "SASL Canonicalize [conn=%ld]: "
                "%s=\"%s\"\n",
                        conn ? conn->c_connid : -1,
-                       (flags == SASL_CU_AUTHID) ? "authcid" : "authzid",
+                       (flags & SASL_CU_AUTHID) ? "authcid" : "authzid",
                        in ? in : "<empty>" );
 #endif
 
-       rc = slap_sasl_getdn( conn, (char *)in, inlen, (char *)user_realm, &dn,
-               (flags == SASL_CU_AUTHID) ? FLAG_GETDN_AUTHCID : FLAG_GETDN_AUTHZID );
+       if ( inlen > out_max )
+               return SASL_BUFOVER;
+
+       if ( flags == SASL_CU_AUTHZID ) {
+       /* If we got unqualified authzid's, they probably came from SASL
+        * itself just passing the authcid to us. Ignore it.
+        */
+               if (strncasecmp(in, "u:", 2) && strncasecmp(in, "dn:", 3)) {
+                       AC_MEMCPY( out, in, inlen );
+                       out[inlen] = '\0';
+                       *out_len = inlen;
+
+                       return SASL_OK;
+               }
+       }
+
+       /* If using SASL-EXTERNAL, don't modify the ID in any way */
+       if ( conn->c_is_tls && conn->c_sasl_bind_mech.bv_len == ext_bv.bv_len
+               && ( strcasecmp( ext_bv.bv_val, conn->c_sasl_bind_mech.bv_val ) == 0 ) ) {
+               ext = 1;
+               realm = NULL;
+       } else {
+       /* Else look for an embedded realm in the name */
+               realm = strchr( in, '@' );
+               if ( realm ) *realm++ = '\0';
+       }
+       rc = slap_sasl_getdn( conn, (char *)in, inlen, realm ? realm : (char *)user_realm, &dn,
+               (flags & SASL_CU_AUTHID) ? FLAG_GETDN_AUTHCID : FLAG_GETDN_AUTHZID );
+       if ( realm )
+               realm[-1] = '@';
        if ( rc != LDAP_SUCCESS ) {
                sasl_seterror( sconn, 0, ldap_err2string( rc ) );
                return SASL_NOAUTHZ;
        }               
 
-       if ( out_max < dn.bv_len ) {
-               return SASL_BUFOVER;
-       }
-
-       AC_MEMCPY( out, dn.bv_val, dn.bv_len );
-       out[dn.bv_len] = '\0';
+       AC_MEMCPY( out, in, inlen );
+       out[inlen] = '\0';
 
-       *out_len = dn.bv_len;
+       *out_len = inlen;
 
-       ch_free( dn.bv_val );
+       if ( flags & SASL_CU_AUTHID )
+               names[0] = slap_propnames[0];
+       else
+               names[0] = slap_propnames[1];
+       names[1] = NULL;
 
+       sasl_auxprop_request( sconn, names );
+       prop_set( props, names[0], (char *)&dn, sizeof( dn ) );
+               
 #ifdef NEW_LOGGING
        LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY,
                "slap_sasl_canonicalize: conn %d %s=\"%s\"\n",
                        conn ? conn->c_connid : -1,
-                       (flags == SASL_CU_AUTHID) ? "authcDN" : "authzDN",
-                       out ));
+                       (flags & SASL_CU_AUTHID) ? "authcDN" : "authzDN",
+                       dn.bv_val ));
 #else
        Debug( LDAP_DEBUG_ARGS, "SASL Canonicalize [conn=%ld]: "
                "%s=\"%s\"\n",
                        conn ? conn->c_connid : -1,
-                       (flags == SASL_CU_AUTHID) ? "authcDN" : "authzDN",
-                       out );
+                       (flags & SASL_CU_AUTHID) ? "authcDN" : "authzDN",
+                       dn.bv_val );
 #endif
 
        return SASL_OK;
 }
-#endif
 
 #define        CANON_BUF_SIZE  256     /* from saslint.h */
 
@@ -427,12 +566,12 @@ slap_sasl_authorize(
        unsigned alen,
        const char *def_realm,
        unsigned urlen,
-       struct propctx *propctx)
+       struct propctx *props)
 {
        Connection *conn = (Connection *)context;
+       struct propval auxvals[3];
        struct berval authcDN, authzDN;
-       char *realm;
-       int rc, equal = 1, ext = 0;
+       int rc;
 
 #ifdef NEW_LOGGING
        LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY,
@@ -444,66 +583,16 @@ slap_sasl_authorize(
                conn ? conn->c_connid : -1, auth_identity, requested_user );
 #endif
 
-       if ( requested_user )
-               equal = !strcmp( auth_identity, requested_user );
-
-       /* If using SASL-EXTERNAL, don't modify the ID in any way */
-       if ( conn->c_is_tls && conn->c_sasl_bind_mech.bv_len == ext_bv.bv_len
-               && ( strcasecmp( ext_bv.bv_val, conn->c_sasl_bind_mech.bv_val ) == 0 ) ) {
-               ext = 1;
-               realm = NULL;
-       } else {
-       /* Else look for an embedded realm in the name */
-               realm = strchr( auth_identity, '@' );
-               if ( realm ) *realm++ = '\0';
-       }
-
-       rc = slap_sasl_getdn( conn, auth_identity, alen, realm ? realm : (char *)def_realm,
-               &authcDN, FLAG_GETDN_AUTHCID );
-       if ( realm )
-               realm[-1] = '@';
-
-       if ( rc != LDAP_SUCCESS ) {
-               sasl_seterror( sconn, 0, ldap_err2string( rc ) );
-               return SASL_NOAUTHZ;
-       }               
-
-       if ( equal ) {
-               if ( authcDN.bv_len > CANON_BUF_SIZE ) {
-                       free( authcDN.bv_val );
-                       return SASL_BUFOVER;
-               }
-               AC_MEMCPY( requested_user, authcDN.bv_val, authcDN.bv_len );
-
+       prop_getnames( props, slap_propnames, auxvals );
+       
+       /* Nothing to do if no authzID was given */
+       if ( !auxvals[1].name )
                return SASL_OK;
-       }
-
-       if ( ext ) {
-               realm = NULL;
-       } else {
-               realm = strchr( requested_user, '@' );
-               if ( realm ) *realm++ = '\0';
-       }
-
-       rc = slap_sasl_getdn( conn, requested_user, rlen, realm ? realm : (char *)def_realm,
-               &authzDN, FLAG_GETDN_AUTHZID );
-       if ( realm )
-               realm[-1] = '@';
-
-       if ( rc != LDAP_SUCCESS ) {
-               free( authcDN.bv_val );
-               sasl_seterror( sconn, 0, ldap_err2string( rc ) );
-               return SASL_NOAUTHZ;
-       }
-
-       if (authzDN.bv_len > CANON_BUF_SIZE) {
-               free( authcDN.bv_val );
-               free( authzDN.bv_val );
-               return SASL_BUFOVER;
-       }
+       
+       AC_MEMCPY( &authcDN, auxvals[0].values[0], sizeof(authcDN) );
+       AC_MEMCPY( &authzDN, auxvals[1].values[0], sizeof(authzDN) );
 
        rc = slap_sasl_authorized( &authcDN, &authzDN );
-       free( authcDN.bv_val );
        if ( rc != LDAP_SUCCESS ) {
 #ifdef NEW_LOGGING
                LDAP_LOG(( "sasl", LDAP_LEVEL_INFO,
@@ -516,11 +605,8 @@ slap_sasl_authorize(
 #endif
 
                sasl_seterror( sconn, 0, "not authorized" );
-               free( authzDN.bv_val );
                return SASL_NOAUTHZ;
        }
-       AC_MEMCPY( requested_user, authzDN.bv_val, authzDN.bv_len );
-       free( authzDN.bv_val );
 
 #ifdef NEW_LOGGING
        LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY,
@@ -531,7 +617,6 @@ slap_sasl_authorize(
                " authorization allowed\n",
                (long) (conn ? conn->c_connid : -1), 0, 0 );
 #endif
-
        return SASL_OK;
 } 
 #else
@@ -717,6 +802,9 @@ int slap_sasl_init( void )
                ldap_pvt_sasl_mutex_unlock,
                ldap_pvt_sasl_mutex_dispose );
 
+#if SASL_VERSION_MAJOR >= 2
+       sasl_auxprop_add_plugin( "slapd", slap_auxprop_init );
+#endif
        /* should provide callbacks for logging */
        /* server name should be configurable */
        rc = sasl_server_init( server_callbacks, "slapd" );
@@ -796,11 +884,9 @@ int slap_sasl_open( Connection *conn )
        session_callbacks[cb++].context = conn;
 
 #if SASL_VERSION_MAJOR >= 2
-#if 0  /* CANON isn't for what you think it does. */
        session_callbacks[cb].id = SASL_CB_CANON_USER;
        session_callbacks[cb].proc = &slap_sasl_canonicalize;
        session_callbacks[cb++].context = conn;
-#endif
 
        /* XXXX: this should be conditional */
        session_callbacks[cb].id = SASL_CB_SERVER_USERDB_CHECKPASS;
@@ -1079,6 +1165,34 @@ int slap_sasl_bind(
        response.bv_len = reslen;
 
        if ( sc == SASL_OK ) {
+#if SASL_VERSION_MAJOR >= 2
+               struct propctx *props = sasl_auxprop_getctx( ctx );
+               struct propval vals[3];
+               sasl_ssf_t *ssf = NULL;
+
+               prop_getnames( props, slap_propnames, vals );
+
+               AC_MEMCPY( edn, vals[0].values[0], sizeof(*edn) );
+               if ( vals[1].name ) {
+                       ch_free( edn->bv_val );
+                       AC_MEMCPY( edn, vals[1].values[0], sizeof(*edn) );
+               }
+
+               rc = LDAP_SUCCESS;
+
+               (void) sasl_getprop( ctx, SASL_SSF, (void *)&ssf );
+               *ssfp = ssf ? *ssf : 0;
+
+               if( *ssfp ) {
+                       ldap_pvt_thread_mutex_lock( &conn->c_mutex );
+                       conn->c_sasl_layers++;
+                       ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
+               }
+
+               send_ldap_sasl( conn, op, rc,
+                       NULL, NULL, NULL, NULL,
+                       response.bv_len ? &response : NULL );
+#else
                char *username = NULL;
 
                sc = sasl_getprop( ctx,
@@ -1117,6 +1231,7 @@ int slap_sasl_bind(
                                NULL, NULL, NULL, NULL,
                                response.bv_len ? &response : NULL );
                }
+#endif
 
        } else if ( sc == SASL_CONTINUE ) {
                send_ldap_sasl( conn, op, rc = LDAP_SASL_BIND_IN_PROGRESS,

diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
index ef0b67b899ca324da735a0a7d3651204a92d1421..d196a4f084ba1d4c1de2e9278fccc3d43d3dc513 100644 (file)
--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@@ -383,7 +383,7 @@ static int sasl_sc_sasl2dn( BackendDB *be, Connection *conn, Operation *o,
  * entry, return the DN of that one entry.
  */
 
-void slap_sasl2dn( struct berval *saslname, struct berval *dn )
+void slap_sasl2dn( Connection *conn, struct berval *saslname, struct berval *dn )
 {
        int rc;
        Backend *be;
@@ -410,11 +410,12 @@ void slap_sasl2dn( struct berval *saslname, struct berval *dn )
        if ( uri.filter.bv_val )
                filter = str2filter( uri.filter.bv_val );
 
-       /* FIXME: move this check to after select_backend, and set
-        * the selected backend in conn->c_authz_backend, to allow
-        * passwd_extop to be used on in-directory SASL secrets.
-        *   ... when all of that gets implemented...
-        */
+       /* Must do an internal search */
+
+       be = select_backend( &uri.dn, 0, 1 );
+
+       conn->c_authz_backend = be;
+
        /* Massive shortcut: search scope == base */
        if( uri.scope == LDAP_SCOPE_BASE ) {
                *dn = uri.dn;
@@ -423,8 +424,6 @@ void slap_sasl2dn( struct berval *saslname, struct berval *dn )
                goto FINISHED;
        }
 
-       /* Must do an internal search */
-
 #ifdef NEW_LOGGING
        LDAP_LOG(( "sasl", LDAP_LEVEL_DETAIL1,
                   "slap_sasl2dn: performing internal search (base=%s, scope=%d)\n",
@@ -435,7 +434,6 @@ void slap_sasl2dn( struct berval *saslname, struct berval *dn )
           uri.dn.bv_val, uri.scope, 0 );
 #endif
 
-       be = select_backend( &uri.dn, 0, 1 );
        if(( be == NULL ) || ( be->be_search == NULL))
                goto FINISHED;
        suffix_alias( be, &uri.dn );