#if SASL_VERSION_MAJOR >= 2
static const char *slap_propnames[] = {
- "*slapConn", "*slapAuthcDN", "*slapAuthzDN", NULL };
+ "*slapConn", "*slapAuthcDNlen", "*slapAuthcDN",
+ "*slapAuthzDNlen", "*slapAuthzDN", NULL };
static Filter generic_filter = { LDAP_FILTER_PRESENT, { 0 }, NULL };
static struct berval generic_filterstr = BER_BVC("(objectclass=*)");
#define SLAP_SASL_PROP_CONN 0
-#define SLAP_SASL_PROP_AUTHC 1
-#define SLAP_SASL_PROP_AUTHZ 2
-#define SLAP_SASL_PROP_COUNT 3 /* Number of properties we used */
+#define SLAP_SASL_PROP_AUTHCLEN 1
+#define SLAP_SASL_PROP_AUTHC 2
+#define SLAP_SASL_PROP_AUTHZLEN 3
+#define SLAP_SASL_PROP_AUTHZ 4
+#define SLAP_SASL_PROP_COUNT 5 /* Number of properties we used */
typedef struct lookup_info {
int flags;
AC_MEMCPY( &conn, sl.list[i].values[0], sizeof( conn ) );
continue;
}
- if ( (flags & SASL_AUXPROP_AUTHZID) &&
- !strcmp( sl.list[i].name, slap_propnames[SLAP_SASL_PROP_AUTHZ] ) ) {
+ if ( flags & SASL_AUXPROP_AUTHZID ) {
+ if ( !strcmp( sl.list[i].name, slap_propnames[SLAP_SASL_PROP_AUTHZLEN] )) {
+ if ( sl.list[i].values && sl.list[i].values[0] )
+ AC_MEMCPY( &op.o_req_ndn.bv_len, sl.list[i].values[0],
+ sizeof( op.o_req_ndn.bv_len ) );
+ } else if ( !strcmp( sl.list[i].name, slap_propnames[SLAP_SASL_PROP_AUTHZ] )) {
+ if ( sl.list[i].values )
+ op.o_req_ndn.bv_val = (char *)sl.list[i].values[0];
+ break;
+ }
+ }
+ if ( !strcmp( sl.list[i].name, slap_propnames[SLAP_SASL_PROP_AUTHCLEN] )) {
if ( sl.list[i].values && sl.list[i].values[0] )
- AC_MEMCPY( &op.o_req_ndn, sl.list[i].values[0], sizeof( struct berval ) );
- break;
- }
- if ( !strcmp( sl.list[i].name, slap_propnames[SLAP_SASL_PROP_AUTHC] ) ) {
- if ( sl.list[i].values && sl.list[i].values[0] ) {
- AC_MEMCPY( &op.o_req_ndn, sl.list[i].values[0], sizeof( struct berval ) );
+ AC_MEMCPY( &op.o_req_ndn.bv_len, sl.list[i].values[0],
+ sizeof( op.o_req_ndn.bv_len ) );
+ } else if ( !strcmp( sl.list[i].name, slap_propnames[SLAP_SASL_PROP_AUTHC] ) ) {
+ if ( sl.list[i].values ) {
+ op.o_req_ndn.bv_val = (char *)sl.list[i].values[0];
if ( !(flags & SASL_AUXPROP_AUTHZID) )
break;
}
AC_MEMCPY( &conn, pr[i].values[0], sizeof( conn ) );
continue;
}
- if ( !strcmp( pr[i].name, slap_propnames[SLAP_SASL_PROP_AUTHC] ) ) {
- if ( pr[i].values && pr[i].values[0] ) {
- AC_MEMCPY( &op.o_req_ndn, pr[i].values[0], sizeof( struct berval ) );
- }
+ if ( !strcmp( pr[i].name, slap_propnames[SLAP_SASL_PROP_AUTHCLEN] )) {
+ if ( pr[i].values && pr[i].values[0] )
+ AC_MEMCPY( &op.o_req_ndn.bv_len, pr[i].values[0],
+ sizeof( op.o_req_ndn.bv_len ) );
+ } else if ( !strcmp( pr[i].name, slap_propnames[SLAP_SASL_PROP_AUTHC] ) ) {
+ if ( pr[i].values )
+ op.o_req_ndn.bv_val = (char *)pr[i].values[0];
}
}
}
prop_request( props, slap_propnames );
if ( flags & SASL_CU_AUTHID )
- which = SLAP_SASL_PROP_AUTHC;
+ which = SLAP_SASL_PROP_AUTHCLEN;
else
- which = SLAP_SASL_PROP_AUTHZ;
+ which = SLAP_SASL_PROP_AUTHZLEN;
/* Need to store the Connection for auxprop_lookup */
if ( !auxvals[SLAP_SASL_PROP_CONN].values ) {
names[0] = slap_propnames[which];
names[1] = NULL;
+ prop_set( props, names[0], (char *)&dn.bv_len, sizeof( dn.bv_len ) );
- prop_set( props, names[0], (char *)&dn, sizeof( dn ) );
+ which++;
+ names[0] = slap_propnames[which];
+ prop_set( props, names[0], dn.bv_val, dn.bv_len );
Debug( LDAP_DEBUG_ARGS, "SASL Canonicalize [conn=%ld]: %s=\"%s\"\n",
conn ? conn->c_connid : -1, names[0]+1,
dn.bv_val ? dn.bv_val : "<EMPTY>" );
+ /* Not needed any more, SASL has copied it */
+ if ( conn && conn->c_sasl_bindop )
+ conn->c_sasl_bindop->o_tmpfree( dn.bv_val, conn->c_sasl_bindop->o_tmpmemctx );
+
done:
AC_MEMCPY( out, in, inlen );
out[inlen] = '\0';
"authcid=\"%s\" authzid=\"%s\"\n",
conn ? conn->c_connid : -1, auth_identity, requested_user );
if ( conn->c_sasl_dn.bv_val ) {
- ch_free( conn->c_sasl_dn.bv_val );
BER_BVZERO( &conn->c_sasl_dn );
}
return SASL_NOAUTHZ;
}
- AC_MEMCPY( &authcDN, auxvals[0].values[0], sizeof(authcDN) );
+ AC_MEMCPY( &authcDN.bv_len, auxvals[0].values[0], sizeof(authcDN.bv_len) );
+ authcDN.bv_val = auxvals[1].values ? (char *)auxvals[1].values[0] : NULL;
conn->c_sasl_dn = authcDN;
/* Nothing to do if no authzID was given */
- if ( !auxvals[1].name || !auxvals[1].values ) {
+ if ( !auxvals[2].name || !auxvals[2].values ) {
goto ok;
}
- AC_MEMCPY( &authzDN, auxvals[1].values[0], sizeof(authzDN) );
+ AC_MEMCPY( &authzDN.bv_len, auxvals[2].values[0], sizeof(authzDN.bv_len) );
+ authzDN.bv_val = auxvals[3].values ? (char *)auxvals[3].values[0] : NULL;
rc = slap_sasl_authorized( conn->c_sasl_bindop, &authcDN, &authzDN );
if ( rc != LDAP_SUCCESS ) {
(long) (conn ? conn->c_connid : -1), rc, 0 );
sasl_seterror( sconn, 0, "not authorized" );
- ch_free( authzDN.bv_val );
return SASL_NOAUTHZ;
}
/* FIXME: we need yet another dup because slap_sasl_getdn()
* is using the bind operation slab */
- if ( conn->c_sasl_bindop ) {
- ber_dupbv( &conn->c_sasl_authz_dn, &authzDN );
- slap_sl_free( authzDN.bv_val,
- conn->c_sasl_bindop->o_tmpmemctx );
-
- } else {
- conn->c_sasl_authz_dn = authzDN;
- }
+ ber_dupbv( &conn->c_sasl_authz_dn, &authzDN );
ok:
if (conn->c_sasl_bindop) {
if ( sc == SASL_OK ) {
sasl_ssf_t *ssf = NULL;
- op->orb_edn = op->o_conn->c_sasl_dn;
+ ber_dupbv_x( &op->orb_edn, &op->o_conn->c_sasl_dn, op->o_tmpmemctx );
BER_BVZERO( &op->o_conn->c_sasl_dn );
op->o_conn->c_sasl_done = 1;
send_ldap_sasl( op, rs );
} else {
- if ( op->o_conn->c_sasl_dn.bv_len )
- ch_free( op->o_conn->c_sasl_dn.bv_val );
BER_BVZERO( &op->o_conn->c_sasl_dn );
#if SASL_VERSION_MAJOR >= 2
rs->sr_text = sasl_errdetail( ctx );
projects / openldap / commitdiff