normalized LDAP DNs now.
Changed dnDCEnormalize to dnX509normalize, added dnX509peerNormalize,
based on new ldap_X509dn2bv() etc.
int nSaslRegexp = 0;
SaslRegexp_t *SaslRegexp = NULL;
-int sasl_external_x509dn_convert;
#ifdef SLAPD_RLOOKUPS
int use_reverse_lookup = 1;
return 1;
}
- } else if ( strcasecmp( cargv[0], "sasl-external-x509dn-convert" ) == 0 ) {
- sasl_external_x509dn_convert++;
-
/* set UCDATA path */
} else if ( strcasecmp( cargv[0], "ucdata-path" ) == 0 ) {
int err;
c->c_ssf = c->c_tls_ssf;
}
- authid = (char *)ldap_pvt_tls_get_peer( ssl );
+ authid = dnX509peerNormalize( ssl );
slap_sasl_external( c, c->c_tls_ssf, authid );
}
connection_return( c );
}
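Review bot: The string assigned at `authid = dnX509peerNormalize( ssl );` comes from ldap_pvt_tls_get_peer_dn (see the dn.c hunk), which presumably returns a freshly allocated normalized DN, but nothing in this hunk frees it or states that slap_sasl_external takes ownership; the replaced ldap_pvt_tls_get_peer call may have had different lifetime rules, so the contract should be written at the call site, e.g. `/* authid is allocated by dnX509peerNormalize(); slap_sasl_external() owns it — confirm */`. If the peer presented no certificate the helper may return NULL, and whether slap_sasl_external accepts a NULL authid is not visible here. The enclosing function starts before the hunk.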
/*
- * Convert a DN from X.500 format into a normalized DN
+ * Convert an X.509 DN into a normalized LDAP DN
*/
int
-dnDCEnormalize( char *dce, struct berval *out )
+dnX509normalize( void *x509_name, struct berval *out )
{
- int rc;
- LDAPDN *dn = NULL;
-
- out->bv_val = NULL;
- out->bv_len = 0;
-
- rc = ldap_str2dn( dce, &dn, LDAP_DN_FORMAT_DCE );
- if ( rc != LDAP_SUCCESS )
- return rc;
-
- /*
- * Schema-aware rewrite
- */
- if ( LDAPDN_rewrite( dn, 0 ) != LDAP_SUCCESS ) {
- ldap_dnfree( dn );
- return LDAP_INVALID_SYNTAX;
- }
-
- /*
- * Back to string representation
- */
- rc = ldap_dn2bv( dn, out, LDAP_DN_FORMAT_LDAPV3 );
-
- ldap_dnfree( dn );
+ /* Invoke the LDAP library's converter with our schema-rewriter */
+ return ldap_X509dn2bv( x509_name, out, LDAPDN_rewrite, 0 );
+}
- if ( rc != LDAP_SUCCESS ) {
- rc = LDAP_INVALID_SYNTAX;
- }
- return rc;
+/*
+ * Get the TLS session's peer's DN into a normalized LDAP DN
+ */
+char *
+dnX509peerNormalize( void *ssl )
+{
+ return ldap_pvt_tls_get_peer_dn( ssl, (LDAPDN_rewrite_dummy *)LDAPDN_rewrite, 0 );
}
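Review bot: dnX509normalize no longer clears `*out` before the conversion (the removed body set `out->bv_val = NULL; out->bv_len = 0;` first) and no longer maps every failure to LDAP_INVALID_SYNTAX; unless ldap_X509dn2bv is known to reset `*out` on error, a caller that ignores the return value — the second certificate-normalize hunk at the end of this page calls `dnX509normalize(X509_get_issuer_name(xcert), &issuer_dn);` unchecked — may then read a stale berval, so restoring the two initializers ahead of the `return ldap_X509dn2bv( ... )` line is cheap insurance. In dnX509peerNormalize the `(LDAPDN_rewrite_dummy *)LDAPDN_rewrite` cast calls the rewriter through a pointer type that presumably differs from its declared signature, which is undefined behavior if the parameter types do not match; a one-line comment explaining why the dummy type exists and that the signatures are kept identical would make the cast reviewable.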
LDAP_SLAPD_F (void) dnParent LDAP_P(( struct berval *dn, struct berval *pdn ));
-LDAP_SLAPD_F (int) dnDCEnormalize LDAP_P(( char *dce, struct berval *out ));
+LDAP_SLAPD_F (int) dnX509normalize LDAP_P(( void *x509_name, struct berval *out ));
+
+LDAP_SLAPD_F (char *) dnX509peerNormalize LDAP_P(( void *ssl ));
/*
* entry.c
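Review bot: The new `dnX509peerNormalize` prototype returns a `char *` with no statement of who frees it, and `dnX509normalize` takes `void *x509_name` with no hint of what the pointer must actually be. A short comment on each declaration giving the expected argument type (presumably an OpenSSL X509_NAME, kept as `void *` to avoid the header dependency — confirm) and the ownership of the returned string would spare readers a trip to dn.c.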
LDAP_SLAPD_V (int) global_schemacheck;
LDAP_SLAPD_V (char *) global_host;
LDAP_SLAPD_V (char *) global_realm;
-LDAP_SLAPD_V (int) sasl_external_x509dn_convert;
LDAP_SLAPD_V (char *) default_passwd_hash;
LDAP_SLAPD_V (int) lber_debug;
LDAP_SLAPD_V (int) ldap_syslog;
/* An authcID needs to be converted to authzID form */
if( flags & FLAG_GETDN_AUTHCID ) {
- if( sasl_external_x509dn_convert
- && conn->c_sasl_bind_mech.bv_len == ext_bv.bv_len
- && ( strcasecmp( ext_bv.bv_val, conn->c_sasl_bind_mech.bv_val ) == 0 )
- && id[0] == '/' )
- {
- /* check SASL external for X.509 style DN and */
- /* convert to dn:<dn> form, result is normalized */
- dnDCEnormalize( id, dn );
+ if( conn->c_is_tls && conn->c_sasl_bind_mech.bv_len == ext_bv.bv_len
+ && ( strcasecmp( ext_bv.bv_val, conn->c_sasl_bind_mech.bv_val ) == 0 ) ) {
+ /* X.509 DN is already normalized */
do_norm = 0;
is_dn = SET_DN;
} else {
/* convert to u:<username> form */
- ber_str2bv( id, len, 1, dn );
is_dn = SET_U;
}
+ ber_str2bv( id, len, 1, dn );
}
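Review bot: The condition `if( conn->c_is_tls && conn->c_sasl_bind_mech.bv_len == ext_bv.bv_len ...` treats every EXTERNAL identity on a TLS connection as an already-normalized DN and skips do_norm, replacing the old syntactic `id[0] == '/'` check; the hunk does not show where id originates, so if slap_sasl_external can be reached with an empty or non-DN authid (for example no client certificate), that identity is now accepted as a DN without any check, and either a `len > 0` guard or a comment stating why that cannot happen would help. The same two-line condition is repeated in the two following hunks (the `ext = 1; realm = NULL;` and `ext = 1; xrealm = NULL;` branches); factoring it into one small static helper that takes conn would keep the three copies in sync. The enclosing function starts before the hunk.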
if( !is_dn ) {
if( !strncasecmp( id, "u:", sizeof("u:")-1 )) {
equal = !strcmp( auth_identity, requested_user );
/* If using SASL-EXTERNAL, don't modify the ID in any way */
- if ( conn->c_sasl_bind_mech.bv_len == ext_bv.bv_len
- && ( strcasecmp( ext_bv.bv_val, conn->c_sasl_bind_mech.bv_val ) == 0 )
- && auth_identity[0] == '/' ) {
+ if ( conn->c_is_tls && conn->c_sasl_bind_mech.bv_len == ext_bv.bv_len
+ && ( strcasecmp( ext_bv.bv_val, conn->c_sasl_bind_mech.bv_val ) == 0 ) ) {
ext = 1;
realm = NULL;
} else {
/* Convert the identities to DN's. If no authzid was given, client will
be bound as the DN matching their username */
- if ( conn->c_sasl_bind_mech.bv_len == ext_bv.bv_len
- && ( strcasecmp( ext_bv.bv_val, conn->c_sasl_bind_mech.bv_val ) == 0 )
- && authcid[0] == '/' ) {
+ if ( conn->c_is_tls && conn->c_sasl_bind_mech.bv_len == ext_bv.bv_len
+ && ( strcasecmp( ext_bv.bv_val, conn->c_sasl_bind_mech.bv_val ) == 0 ) ) {
ext = 1;
xrealm = NULL;
} else {
return ber_str2bv( p, 0, 1, bv );
}
-/* Get a DN in RFC2253 format from a X509_NAME internal struct */
-int
-dn_openssl2ldap(X509_NAME *name, struct berval *out)
-{
- char buf[2048], *p;
-
- p = X509_NAME_oneline( name, buf, sizeof( buf ) );
- return dnDCEnormalize( p, out );
-}
-
/*
* Given a certificate in DER format, extract the corresponding
* assertion value for certificateExactMatch
X509_free(xcert);
return LDAP_INVALID_SYNTAX;
}
- if ( dn_openssl2ldap(X509_get_issuer_name(xcert), &issuer_dn ) != LDAP_SUCCESS ) {
+ if ( dnX509normalize(X509_get_issuer_name(xcert), &issuer_dn ) != LDAP_SUCCESS ) {
X509_free(xcert);
ber_memfree(serial.bv_val);
return LDAP_INVALID_SYNTAX;
}
asn1_integer2str(xcert->cert_info->serialNumber, &serial);
- dn_openssl2ldap(X509_get_issuer_name(xcert), &issuer_dn);
+ dnX509normalize(X509_get_issuer_name(xcert), &issuer_dn);
X509_free(xcert);