static int ldapport = 0;
static int prune = 0;
#ifdef HAVE_CYRUS_SASL
+static unsigned sasl_flags = LUTIL_SASL_AUTOMATIC;
+static char *sasl_mech = NULL;
+static char *sasl_realm = NULL;
static char *sasl_authc_id = NULL;
static char *sasl_authz_id = NULL;
-static char *sasl_mech = NULL;
static char *sasl_secprops = NULL;
#endif
static int use_tls = 0;
" -D binddn\tbind DN\n"
" -f file\t\tread operations from `file'\n"
" -h host\t\tLDAP server\n"
+" -I\t\tuse SASL Interactive mode\n"
" -k\t\tuse Kerberos authentication\n"
" -K\t\tlike -k, but do only step 1 of the Kerberos bind\n"
" -M\t\tenable Manage DSA IT control (-MM to make it critical)\n"
" -O secprops\tSASL security properties\n"
" -p port\t\tport on LDAP server\n"
" -P version\tprocotol version (default: 3)\n"
+" -Q\t\tuse SASL Quiet mode\n"
+" -R realm\tSASL realm\n"
" -U user\t\tSASL authentication identity (username)\n"
" -v\t\trun in verbose mode (diagnostics to standard output)\n"
" -w passwd\tbind passwd (for simple authentication)\n"
prog = (prog = strrchr(argv[0], *LDAP_DIRSEP)) == NULL ? argv[0] : ++prog;
- while (( i = getopt( argc, argv, "cf:r" "Cd:D:h:kKMnO:p:P:U:vw:WxX:Y:Z" )) != EOF ) {
+ while (( i = getopt( argc, argv, "cf:r" "Cd:D:h:IkKMnO:p:P:QRU:vw:WxX:Y:Z" )) != EOF ) {
switch( i ) {
/* Delete Specific Options */
case 'c': /* continuous operation mode */
++contoper;
break;
case 'f': /* read DNs from a file */
+ if( fp != NULL ) {
+ fprintf( stderr, "%s: -f previously specified\n" );
+ return EXIT_FAILURE;
+ }
if (( fp = fopen( optarg, "r" )) == NULL ) {
perror( optarg );
exit( EXIT_FAILURE );
debug |= atoi( optarg );
break;
case 'D': /* bind DN */
+ if( binddn != NULL ) {
+ fprintf( stderr, "%s: -D previously specified\n" );
+ return EXIT_FAILURE;
+ }
binddn = strdup( optarg );
break;
case 'h': /* ldap host */
+ if( ldaphost != NULL ) {
+ fprintf( stderr, "%s: -h previously specified\n" );
+ return EXIT_FAILURE;
+ }
ldaphost = strdup( optarg );
break;
case 'k': /* kerberos bind */
break;
case 'O':
#ifdef HAVE_CYRUS_SASL
+ if( sasl_secprops != NULL ) {
+ fprintf( stderr, "%s: -O previously specified\n" );
+ return EXIT_FAILURE;
+ }
if( version == LDAP_VERSION2 ) {
- fprintf( stderr, "%s -O incompatible with LDAPv%d\n",
+ fprintf( stderr, "%s: -O incompatible with LDAPv%d\n",
prog, version );
return EXIT_FAILURE;
}
"authentication choice\n", prog );
return EXIT_FAILURE;
}
- sasl_secprops = strdup( optarg );
authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3;
+ sasl_secprops = strdup( optarg );
#else
fprintf( stderr, "%s: not compiled with SASL support\n",
prog );
#endif
break;
case 'p':
+ if( ldapport ) {
+ fprintf( stderr, "%s: -p previously specified\n" );
+ return EXIT_FAILURE;
+ }
ldapport = atoi( optarg );
break;
case 'P':
usage( prog );
return( EXIT_FAILURE );
} break;
+ case 'Q':
+#ifdef HAVE_CYRUS_SASL
+ if( version == LDAP_VERSION2 ) {
+ fprintf( stderr, "%s: -Q incompatible with version %d\n",
+ prog, version );
+ return EXIT_FAILURE;
+ }
+ if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) {
+ fprintf( stderr, "%s: incompatible previous "
+ "authentication choice\n",
+ prog );
+ return EXIT_FAILURE;
+ }
+ authmethod = LDAP_AUTH_SASL;
+ version = LDAP_VERSION3;
+ sasl_flags = LUTIL_SASL_QUIET;
+#else
+ fprintf( stderr, "%s: was not compiled with SASL support\n",
+ prog );
+ return( EXIT_FAILURE );
+#endif
+ case 'R':
+#ifdef HAVE_CYRUS_SASL
+ if( sasl_realm != NULL ) {
+ fprintf( stderr, "%s: -R previously specified\n" );
+ return EXIT_FAILURE;
+ }
+ if( version == LDAP_VERSION2 ) {
+ fprintf( stderr, "%s: -R incompatible with version %d\n",
+ prog, version );
+ return EXIT_FAILURE;
+ }
+ if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) {
+ fprintf( stderr, "%s: incompatible previous "
+ "authentication choice\n",
+ prog );
+ return EXIT_FAILURE;
+ }
+ authmethod = LDAP_AUTH_SASL;
+ version = LDAP_VERSION3;
+ sasl_realm = strdup( optarg );
+#else
+ fprintf( stderr, "%s: was not compiled with SASL support\n",
+ prog );
+ return( EXIT_FAILURE );
+#endif
+ break;
case 'U':
#ifdef HAVE_CYRUS_SASL
+ if( sasl_authc_id != NULL ) {
+ fprintf( stderr, "%s: -U previously specified\n" );
+ return EXIT_FAILURE;
+ }
if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s: -U incompatible with version %d\n",
prog, version );
}
authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3;
-
sasl_authc_id = strdup( optarg );
- authmethod = LDAP_AUTH_SASL;
#else
fprintf( stderr, "%s: was not compiled with SASL support\n",
prog );
char* p;
for( p = optarg; *p == '\0'; p++ ) {
- *p = '*';
+ *p = '\0';
}
}
passwd.bv_len = strlen( passwd.bv_val );
break;
case 'Y':
#ifdef HAVE_CYRUS_SASL
+ if( sasl_mech != NULL ) {
+ fprintf( stderr, "%s: -Y previously specified\n" );
+ return EXIT_FAILURE;
+ }
if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s: -Y incompatible with version %d\n",
prog, version );
fprintf( stderr, "%s: incompatible with authentication choice\n", prog );
return EXIT_FAILURE;
}
-
authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3;
+ sasl_mech = strdup( optarg );
#else
fprintf( stderr, "%s: was not compiled with SASL support\n",
prog );
break;
case 'X':
#ifdef HAVE_CYRUS_SASL
+ if( sasl_authz_id != NULL ) {
+ fprintf( stderr, "%s: -X previously specified\n" );
+ return EXIT_FAILURE;
+ }
if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s: -X incompatible with LDAPv%d\n",
prog, version );
}
authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3;
-
sasl_authz_id = strdup( optarg );
- authmethod = LDAP_AUTH_SASL;
#else
fprintf( stderr, "%s: not compiled with SASL support\n",
prog );
if ( authmethod == LDAP_AUTH_SASL ) {
#ifdef HAVE_CYRUS_SASL
+ void *defaults;
+
if( sasl_secprops != NULL ) {
rc = ldap_set_option( ld, LDAP_OPT_X_SASL_SECPROPS,
(void *) sasl_secprops );
}
}
+ defaults = lutil_sasl_defaults( ld, sasl_flags,
+ sasl_mech,
+ sasl_realm,
+ sasl_authc_id,
+ passwd.bv_val,
+ sasl_authz_id );
+
rc = ldap_sasl_interactive_bind_s( ld, binddn,
- sasl_mech, NULL, NULL, lutil_sasl_interact );
+ sasl_mech, NULL, NULL,
+ lutil_sasl_interact, defaults );
if( rc != LDAP_SUCCESS ) {
ldap_perror( ld, "ldap_sasl_interactive_bind_s" );
static char *ldaphost = NULL;
static int ldapport = 0;
#ifdef HAVE_CYRUS_SASL
+static unsigned sasl_flags = LUTIL_SASL_AUTOMATIC;
+static char *sasl_realm = NULL;
static char *sasl_authc_id = NULL;
static char *sasl_authz_id = NULL;
static char *sasl_mech = NULL;
" -D dn\t\tbind DN\n"
" -f file\t\tread operations from `file'\n"
" -h host\t\tLDAP server\n"
+" -I\t\tuse SASL Interactive mode\n"
" -k\t\tuse Kerberos authentication\n"
" -K\t\tlike -k, but do only step 1 of the Kerberos bind\n"
" -M\t\tenable Manage DSA IT control (-MM to make it critical)\n"
" -n\t\tprint changes, don't actually do them\n"
" -O secprops\tSASL security properties\n"
" -p port\t\tport on LDAP server\n"
+" -Q\t\tuse SASL Quiet mode\n"
+" -R realm\tSASL realm\n"
" -U user\t\tSASL authentication identity (username)\n"
" -v\t\tverbose mode\n"
" -w passwd\tbind password (for Simple authentication)\n"
authmethod = -1;
version = -1;
- while (( i = getopt( argc, argv, "acrf:F" "Cd:D:h:kKMnO:p:P:U:vw:WxX:Y:Z" )) != EOF ) {
+ while (( i = getopt( argc, argv, "acrf:F" "Cd:D:h:IkKMnO:p:P:QRU:vw:WxX:Y:Z" )) != EOF ) {
switch( i ) {
/* Modify Options */
case 'a': /* add */
contoper = 1;
break;
case 'f': /* read from file */
+ if( infile != NULL ) {
+ fprintf( stderr, "%s: -f previously specified\n" );
+ return EXIT_FAILURE;
+ }
infile = strdup( optarg );
break;
case 'F': /* force all changes records to be used */
debug |= atoi( optarg );
break;
case 'D': /* bind DN */
+ if( binddn != NULL ) {
+ fprintf( stderr, "%s: -D previously specified\n" );
+ return EXIT_FAILURE;
+ }
binddn = strdup( optarg );
break;
case 'h': /* ldap host */
+ if( ldaphost != NULL ) {
+ fprintf( stderr, "%s: -h previously specified\n" );
+ return EXIT_FAILURE;
+ }
ldaphost = strdup( optarg );
break;
case 'k': /* kerberos bind */
break;
case 'O':
#ifdef HAVE_CYRUS_SASL
+ if( sasl_secprops != NULL ) {
+ fprintf( stderr, "%s: -O previously specified\n" );
+ return EXIT_FAILURE;
+ }
if( version == LDAP_VERSION2 ) {
- fprintf( stderr, "%s -O incompatible with LDAPv%d\n",
+ fprintf( stderr, "%s: -O incompatible with LDAPv%d\n",
prog, version );
return EXIT_FAILURE;
}
"authentication choice\n", prog );
return EXIT_FAILURE;
}
- sasl_secprops = strdup( optarg );
authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3;
+ sasl_secprops = strdup( optarg );
#else
fprintf( stderr, "%s: not compiled with SASL support\n",
prog );
#endif
break;
case 'p':
+ if( ldapport ) {
+ fprintf( stderr, "%s: -p previously specified\n" );
+ return EXIT_FAILURE;
+ }
ldapport = atoi( optarg );
break;
case 'P':
usage( prog );
return( EXIT_FAILURE );
} break;
+ case 'Q':
+#ifdef HAVE_CYRUS_SASL
+ if( version == LDAP_VERSION2 ) {
+ fprintf( stderr, "%s: -Q incompatible with version %d\n",
+ prog, version );
+ return EXIT_FAILURE;
+ }
+ if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) {
+ fprintf( stderr, "%s: incompatible previous "
+ "authentication choice\n",
+ prog );
+ return EXIT_FAILURE;
+ }
+ authmethod = LDAP_AUTH_SASL;
+ version = LDAP_VERSION3;
+ sasl_flags = LUTIL_SASL_QUIET;
+#else
+ fprintf( stderr, "%s: was not compiled with SASL support\n",
+ prog );
+ return( EXIT_FAILURE );
+#endif
+ case 'R':
+#ifdef HAVE_CYRUS_SASL
+ if( sasl_realm != NULL ) {
+ fprintf( stderr, "%s: -R previously specified\n" );
+ return EXIT_FAILURE;
+ }
+ if( version == LDAP_VERSION2 ) {
+ fprintf( stderr, "%s: -R incompatible with version %d\n",
+ prog, version );
+ return EXIT_FAILURE;
+ }
+ if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) {
+ fprintf( stderr, "%s: incompatible previous "
+ "authentication choice\n",
+ prog );
+ return EXIT_FAILURE;
+ }
+ authmethod = LDAP_AUTH_SASL;
+ version = LDAP_VERSION3;
+ sasl_realm = strdup( optarg );
+#else
+ fprintf( stderr, "%s: was not compiled with SASL support\n",
+ prog );
+ return( EXIT_FAILURE );
+#endif
+ break;
case 'U':
#ifdef HAVE_CYRUS_SASL
+ if( sasl_authc_id != NULL ) {
+ fprintf( stderr, "%s: -U previously specified\n" );
+ return EXIT_FAILURE;
+ }
if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s: -U incompatible with version %d\n",
prog, version );
}
authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3;
-
sasl_authc_id = strdup( optarg );
- authmethod = LDAP_AUTH_SASL;
#else
fprintf( stderr, "%s: was not compiled with SASL support\n",
prog );
char* p;
for( p = optarg; *p == '\0'; p++ ) {
- *p = '*';
+ *p = '\0';
}
}
passwd.bv_len = strlen( passwd.bv_val );
break;
case 'Y':
#ifdef HAVE_CYRUS_SASL
+ if( sasl_mech != NULL ) {
+ fprintf( stderr, "%s: -Y previously specified\n" );
+ return EXIT_FAILURE;
+ }
if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s: -Y incompatible with version %d\n",
prog, version );
fprintf( stderr, "%s: incompatible with authentication choice\n", prog );
return EXIT_FAILURE;
}
-
authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3;
+ sasl_mech = strdup( optarg );
#else
fprintf( stderr, "%s: was not compiled with SASL support\n",
prog );
break;
case 'X':
#ifdef HAVE_CYRUS_SASL
+ if( sasl_authz_id != NULL ) {
+ fprintf( stderr, "%s: -X previously specified\n" );
+ return EXIT_FAILURE;
+ }
if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s: -X incompatible with LDAPv%d\n",
prog, version );
}
authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3;
-
sasl_authz_id = strdup( optarg );
- authmethod = LDAP_AUTH_SASL;
#else
fprintf( stderr, "%s: not compiled with SASL support\n",
prog );
if ( authmethod == LDAP_AUTH_SASL ) {
#ifdef HAVE_CYRUS_SASL
+ void *defaults;
+
if( sasl_secprops != NULL ) {
rc = ldap_set_option( ld, LDAP_OPT_X_SASL_SECPROPS,
(void *) sasl_secprops );
}
}
+ defaults = lutil_sasl_defaults( ld, sasl_flags,
+ sasl_mech,
+ sasl_realm,
+ sasl_authc_id,
+ passwd.bv_val,
+ sasl_authz_id );
+
rc = ldap_sasl_interactive_bind_s( ld, binddn,
- sasl_mech, NULL, NULL, lutil_sasl_interact );
+ sasl_mech, NULL, NULL,
+ lutil_sasl_interact, defaults );
if( rc != LDAP_SUCCESS ) {
ldap_perror( ld, "ldap_sasl_interactive_bind_s" );
static char *ldaphost = NULL;
static int ldapport = 0;
#ifdef HAVE_CYRUS_SASL
+static unsigned sasl_flags = LUTIL_SASL_AUTOMATIC;
+static char *sasl_realm = NULL;
static char *sasl_authc_id = NULL;
static char *sasl_authz_id = NULL;
static char *sasl_mech = NULL;
" -d level\tset LDAP debugging level to `level'\n"
" -D binddn\tbind DN\n"
" -h host\t\tLDAP server\n"
+" -I\t\tuse SASL Interactive mode\n"
" -k\t\tuse Kerberos authentication\n"
" -K\t\tlike -k, but do only step 1 of the Kerberos bind\n"
" -M\t\tenable Manage DSA IT control (-MM to make it critical)\n"
" -O secprops\tSASL security properties\n"
" -p port\t\tport on LDAP server\n"
" -P version\tprocotol version (default: 3)\n"
+" -Q\t\tuse SASL Quiet mode\n"
+" -R realm\tSASL realm\n"
" -U user\t\tSASL authentication identity (username)\n"
" -v\t\trun in verbose mode (diagnostics to standard output)\n"
" -w passwd\tbind passwd (for simple authentication)\n"
prog = (prog = strrchr(argv[0], *LDAP_DIRSEP)) == NULL ? argv[0] : ++prog;
- while (( i = getopt( argc, argv, "cf:rs:" "Cd:D:h:kKMnO:p:P:U:vw:WxX:Y:Z" )) != EOF ) {
+ while (( i = getopt( argc, argv, "cf:rs:" "Cd:D:h:IkKMnO:p:P:QRU:vw:WxX:Y:Z" )) != EOF ) {
switch( i ) {
/* Modrdn Options */
case 'c':
contoper++;
break;
+ case 'f': /* read from file */
+ if( infile != NULL ) {
+ fprintf( stderr, "%s: -f previously specified\n" );
+ return EXIT_FAILURE;
+ }
+ infile = strdup( optarg );
+ break;
+ case 'r': /* remove old RDN */
+ remove++;
+ break;
case 's': /* newSuperior */
if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s: -X incompatible with LDAPv%d\n",
newSuperior = strdup( optarg );
version = LDAP_VERSION3;
break;
- case 'r': /* remove old RDN */
- remove++;
- break;
/* Common Options */
case 'C':
debug |= atoi( optarg );
break;
case 'D': /* bind DN */
+ if( binddn != NULL ) {
+ fprintf( stderr, "%s: -D previously specified\n" );
+ return EXIT_FAILURE;
+ }
binddn = strdup( optarg );
break;
case 'h': /* ldap host */
+ if( ldaphost != NULL ) {
+ fprintf( stderr, "%s: -h previously specified\n" );
+ return EXIT_FAILURE;
+ }
ldaphost = strdup( optarg );
break;
case 'k': /* kerberos bind */
break;
case 'O':
#ifdef HAVE_CYRUS_SASL
+ if( sasl_secprops != NULL ) {
+ fprintf( stderr, "%s: -O previously specified\n" );
+ return EXIT_FAILURE;
+ }
if( version == LDAP_VERSION2 ) {
- fprintf( stderr, "%s -O incompatible with LDAPv%d\n",
+ fprintf( stderr, "%s: -O incompatible with LDAPv%d\n",
prog, version );
return EXIT_FAILURE;
}
"authentication choice\n", prog );
return EXIT_FAILURE;
}
- sasl_secprops = strdup( optarg );
authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3;
+ sasl_secprops = strdup( optarg );
#else
fprintf( stderr, "%s: not compiled with SASL support\n",
prog );
#endif
break;
case 'p':
+ if( ldapport ) {
+ fprintf( stderr, "%s: -p previously specified\n" );
+ return EXIT_FAILURE;
+ }
ldapport = atoi( optarg );
break;
case 'P':
usage( prog );
return( EXIT_FAILURE );
} break;
+ case 'Q':
+#ifdef HAVE_CYRUS_SASL
+ if( version == LDAP_VERSION2 ) {
+ fprintf( stderr, "%s: -Q incompatible with version %d\n",
+ prog, version );
+ return EXIT_FAILURE;
+ }
+ if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) {
+ fprintf( stderr, "%s: incompatible previous "
+ "authentication choice\n",
+ prog );
+ return EXIT_FAILURE;
+ }
+ authmethod = LDAP_AUTH_SASL;
+ version = LDAP_VERSION3;
+ sasl_flags = LUTIL_SASL_QUIET;
+#else
+ fprintf( stderr, "%s: was not compiled with SASL support\n",
+ prog );
+ return( EXIT_FAILURE );
+#endif
+ case 'R':
+#ifdef HAVE_CYRUS_SASL
+ if( sasl_realm != NULL ) {
+ fprintf( stderr, "%s: -R previously specified\n" );
+ return EXIT_FAILURE;
+ }
+ if( version == LDAP_VERSION2 ) {
+ fprintf( stderr, "%s: -R incompatible with version %d\n",
+ prog, version );
+ return EXIT_FAILURE;
+ }
+ if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) {
+ fprintf( stderr, "%s: incompatible previous "
+ "authentication choice\n",
+ prog );
+ return EXIT_FAILURE;
+ }
+ authmethod = LDAP_AUTH_SASL;
+ version = LDAP_VERSION3;
+ sasl_realm = strdup( optarg );
+#else
+ fprintf( stderr, "%s: was not compiled with SASL support\n",
+ prog );
+ return( EXIT_FAILURE );
+#endif
+ break;
case 'U':
#ifdef HAVE_CYRUS_SASL
+ if( sasl_authc_id != NULL ) {
+ fprintf( stderr, "%s: -U previously specified\n" );
+ return EXIT_FAILURE;
+ }
if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s: -U incompatible with version %d\n",
prog, version );
}
authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3;
-
sasl_authc_id = strdup( optarg );
- authmethod = LDAP_AUTH_SASL;
#else
fprintf( stderr, "%s: was not compiled with SASL support\n",
prog );
char* p;
for( p = optarg; *p == '\0'; p++ ) {
- *p = '*';
+ *p = '\0';
}
}
passwd.bv_len = strlen( passwd.bv_val );
break;
case 'Y':
#ifdef HAVE_CYRUS_SASL
+ if( sasl_mech != NULL ) {
+ fprintf( stderr, "%s: -Y previously specified\n" );
+ return EXIT_FAILURE;
+ }
if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s: -Y incompatible with version %d\n",
prog, version );
fprintf( stderr, "%s: incompatible with authentication choice\n", prog );
return EXIT_FAILURE;
}
-
authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3;
+ sasl_mech = strdup( optarg );
#else
fprintf( stderr, "%s: was not compiled with SASL support\n",
prog );
break;
case 'X':
#ifdef HAVE_CYRUS_SASL
+ if( sasl_authz_id != NULL ) {
+ fprintf( stderr, "%s: -X previously specified\n" );
+ return EXIT_FAILURE;
+ }
if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s: -X incompatible with LDAPv%d\n",
prog, version );
}
authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3;
-
sasl_authz_id = strdup( optarg );
- authmethod = LDAP_AUTH_SASL;
#else
fprintf( stderr, "%s: not compiled with SASL support\n",
prog );
if ( authmethod == LDAP_AUTH_SASL ) {
#ifdef HAVE_CYRUS_SASL
+ void *defaults;
+
if( sasl_secprops != NULL ) {
rc = ldap_set_option( ld, LDAP_OPT_X_SASL_SECPROPS,
(void *) sasl_secprops );
}
}
+ defaults = lutil_sasl_defaults( ld, sasl_flags,
+ sasl_mech,
+ sasl_realm,
+ sasl_authc_id,
+ passwd.bv_val,
+ sasl_authz_id );
+
rc = ldap_sasl_interactive_bind_s( ld, binddn,
- sasl_mech, NULL, NULL, lutil_sasl_interact );
+ sasl_mech, NULL, NULL,
+ lutil_sasl_interact, defaults );
if( rc != LDAP_SUCCESS ) {
ldap_perror( ld, "ldap_sasl_interactive_bind_s" );
" -C\t\tchase referrals\n"
" -D binddn\tbind DN\n"
" -h host\t\tLDAP server (default: localhost)\n"
+" -I\t\tuse SASL Interactive mode\n"
" -n\t\tmake no modifications\n"
" -O secprops\tSASL security properties\n"
" -p port\t\tport on LDAP server\n"
+" -Q\t\tuse SASL Quiet mode\n"
+" -R realm\tSASL realm\n"
" -U user\t\tSASL authentication identity (username)\n"
" -v\t\tverbose mode\n"
" -w passwd\tbind password (for simple authentication)\n"
int want_newpw = 0;
int want_oldpw = 0;
- int noupdates = 0;
+ int not = 0;
int i;
int ldapport = 0;
int debug = 0;
int version = -1;
int authmethod = -1;
+ int manageDSAit = 0;
#ifdef HAVE_CYRUS_SASL
+ unsigned sasl_flags = LUTIL_SASL_AUTOMATIC;
+ char *sasl_realm = NULL;
char *sasl_authc_id = NULL;
char *sasl_authz_id = NULL;
char *sasl_mech = NULL;
usage (argv[0]);
while( (i = getopt( argc, argv,
- "Aa:Ss:" "Cd:D:h:nO:p:U:vw:WxX:Y:Z" )) != EOF )
+ "Aa:Ss:" "Cd:D:h:InO:p:QRU:vw:WxX:Y:Z" )) != EOF )
{
switch (i) {
/* Password Options */
char* p;
for( p = optarg; *p == '\0'; p++ ) {
- *p = '*';
+ *p = '\0';
}
}
break;
char* p;
for( p = optarg; *p == '\0'; p++ ) {
- *p = '*';
+ *p = '\0';
}
}
break;
- /* Common Options */
- case 'C':
- referrals++;
- break;
-
- case 'D': /* bind distinguished name */
- binddn = strdup (optarg);
- break;
-
- case 'd': /* debugging option */
- debug |= atoi (optarg);
- break;
-
- case 'h': /* ldap host */
- ldaphost = strdup (optarg);
- break;
-
- case 'n': /* don't update entry(s) */
- noupdates++;
- break;
-
- case 'p': /* ldap port */
- ldapport = strtol( optarg, NULL, 10 );
- break;
+ /* Common Options (including options we don't use) */
+ case 'C':
+ referrals++;
+ break;
+ case 'd':
+ debug |= atoi( optarg );
+ break;
+ case 'D': /* bind DN */
+ if( binddn != NULL ) {
+ fprintf( stderr, "%s: -D previously specified\n" );
+ return EXIT_FAILURE;
+ }
+ binddn = strdup( optarg );
+ break;
+ case 'h': /* ldap host */
+ if( ldaphost != NULL ) {
+ fprintf( stderr, "%s: -h previously specified\n" );
+ return EXIT_FAILURE;
+ }
+ ldaphost = strdup( optarg );
+ break;
+ case 'k': /* kerberos bind */
+#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
+ if( version > LDAP_VERSION2 ) {
+ fprintf( stderr, "%s: -k incompatible with LDAPv%d\n",
+ prog, version );
+ return EXIT_FAILURE;
+ }
- case 'v': /* verbose */
- verbose++;
- break;
+ if( authmethod != -1 ) {
+ fprintf( stderr, "%s: -k incompatible with previous "
+ "authentication choice\n", prog );
+ return EXIT_FAILURE;
+ }
+
+ authmethod = LDAP_AUTH_KRBV4;
+#else
+ fprintf( stderr, "%s: not compiled with Kerberos support\n", prog );
+ return EXIT_FAILURE;
+#endif
+ break;
+ case 'K': /* kerberos bind, part one only */
+#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
+ if( version > LDAP_VERSION2 ) {
+ fprintf( stderr, "%s: -k incompatible with LDAPv%d\n",
+ prog, version );
+ return EXIT_FAILURE;
+ }
+ if( authmethod != -1 ) {
+ fprintf( stderr, "%s: incompatible with previous "
+ "authentication choice\n", prog );
+ return EXIT_FAILURE;
+ }
- case 'W': /* prompt for bind password */
- want_bindpw++;
+ authmethod = LDAP_AUTH_KRBV41;
+#else
+ fprintf( stderr, "%s: not compiled with Kerberos support\n", prog );
+ return( EXIT_FAILURE );
+#endif
+ break;
+ case 'M':
+ /* enable Manage DSA IT */
+ if( version == LDAP_VERSION2 ) {
+ fprintf( stderr, "%s: -M incompatible with LDAPv%d\n",
+ prog, version );
+ return EXIT_FAILURE;
+ }
+ manageDSAit++;
+ version = LDAP_VERSION3;
+ break;
+ case 'n': /* print deletes, don't actually do them */
+ ++not;
+ break;
+ case 'O':
+#ifdef HAVE_CYRUS_SASL
+ if( sasl_secprops != NULL ) {
+ fprintf( stderr, "%s: -O previously specified\n" );
+ return EXIT_FAILURE;
+ }
+ if( version == LDAP_VERSION2 ) {
+ fprintf( stderr, "%s: -O incompatible with LDAPv%d\n",
+ prog, version );
+ return EXIT_FAILURE;
+ }
+ if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) {
+ fprintf( stderr, "%s: incompatible previous "
+ "authentication choice\n", prog );
+ return EXIT_FAILURE;
+ }
+ authmethod = LDAP_AUTH_SASL;
+ version = LDAP_VERSION3;
+ sasl_secprops = strdup( optarg );
+#else
+ fprintf( stderr, "%s: not compiled with SASL support\n",
+ prog );
+ return( EXIT_FAILURE );
+#endif
+ break;
+ case 'p':
+ if( ldapport ) {
+ fprintf( stderr, "%s: -p previously specified\n" );
+ return EXIT_FAILURE;
+ }
+ ldapport = atoi( optarg );
+ break;
+ case 'P':
+ switch( atoi(optarg) ) {
+ case 2:
+ if( version == LDAP_VERSION3 ) {
+ fprintf( stderr, "%s: -P 2 incompatible with version %d\n",
+ prog, version );
+ return EXIT_FAILURE;
+ }
+ version = LDAP_VERSION2;
break;
-
- case 'w': /* bind password */
- passwd.bv_val = strdup (optarg);
- {
- char* p;
-
- for( p = optarg; *p == '\0'; p++ ) {
- *p = '*';
- }
+ case 3:
+ if( version == LDAP_VERSION2 ) {
+ fprintf( stderr, "%s: -P 2 incompatible with version %d\n",
+ prog, version );
+ return EXIT_FAILURE;
}
- passwd.bv_len = strlen( passwd.bv_val );
+ version = LDAP_VERSION3;
break;
-
- case 'O':
+ default:
+ fprintf( stderr, "%s: protocol version should be 2 or 3\n",
+ prog );
+ usage( prog );
+ return( EXIT_FAILURE );
+ } break;
+ case 'Q':
#ifdef HAVE_CYRUS_SASL
- sasl_secprops = strdup( optarg );
- authmethod = LDAP_AUTH_SASL;
+ if( version == LDAP_VERSION2 ) {
+ fprintf( stderr, "%s: -Q incompatible with version %d\n",
+ prog, version );
+ return EXIT_FAILURE;
+ }
+ if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) {
+ fprintf( stderr, "%s: incompatible previous "
+ "authentication choice\n",
+ prog );
+ return EXIT_FAILURE;
+ }
+ authmethod = LDAP_AUTH_SASL;
+ version = LDAP_VERSION3;
+ sasl_flags = LUTIL_SASL_QUIET;
#else
- fprintf( stderr, "%s was not compiled with SASL support\n",
- argv[0] );
- return( EXIT_FAILURE );
+ fprintf( stderr, "%s: was not compiled with SASL support\n",
+ prog );
+ return( EXIT_FAILURE );
#endif
- break;
- case 'Y':
+ case 'R':
#ifdef HAVE_CYRUS_SASL
- if ( strcasecmp( optarg, "any" ) &&
- strcmp( optarg, "*" ) ) {
- sasl_mech = strdup( optarg );
- }
- authmethod = LDAP_AUTH_SASL;
+ if( sasl_realm != NULL ) {
+ fprintf( stderr, "%s: -R previously specified\n" );
+ return EXIT_FAILURE;
+ }
+ if( version == LDAP_VERSION2 ) {
+ fprintf( stderr, "%s: -R incompatible with version %d\n",
+ prog, version );
+ return EXIT_FAILURE;
+ }
+ if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) {
+ fprintf( stderr, "%s: incompatible previous "
+ "authentication choice\n",
+ prog );
+ return EXIT_FAILURE;
+ }
+ authmethod = LDAP_AUTH_SASL;
+ version = LDAP_VERSION3;
+ sasl_realm = strdup( optarg );
#else
- fprintf( stderr, "%s was not compiled with SASL "
- "support\n", argv[0] );
- return( EXIT_FAILURE );
+ fprintf( stderr, "%s: was not compiled with SASL support\n",
+ prog );
+ return( EXIT_FAILURE );
#endif
- break;
- case 'U':
+ break;
+ case 'U':
#ifdef HAVE_CYRUS_SASL
- sasl_authc_id = strdup( optarg );
- authmethod = LDAP_AUTH_SASL;
+ if( sasl_authc_id != NULL ) {
+ fprintf( stderr, "%s: -U previously specified\n" );
+ return EXIT_FAILURE;
+ }
+ if( version == LDAP_VERSION2 ) {
+ fprintf( stderr, "%s: -U incompatible with version %d\n",
+ prog, version );
+ return EXIT_FAILURE;
+ }
+ if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) {
+ fprintf( stderr, "%s: incompatible previous "
+ "authentication choice\n",
+ prog );
+ return EXIT_FAILURE;
+ }
+ authmethod = LDAP_AUTH_SASL;
+ version = LDAP_VERSION3;
+ sasl_authc_id = strdup( optarg );
#else
- fprintf( stderr, "%s was not compiled with SASL "
- "support\n", argv[0] );
- return( EXIT_FAILURE );
+ fprintf( stderr, "%s: was not compiled with SASL support\n",
+ prog );
+ return( EXIT_FAILURE );
#endif
- break;
- case 'x':
- if( authmethod != -1 && authmethod != LDAP_AUTH_SIMPLE ) {
- fprintf( stderr, "%s: incompatible with previous "
- "authentication choice\n", prog );
- return EXIT_FAILURE;
+ break;
+ case 'v': /* verbose mode */
+ verbose++;
+ break;
+ case 'w': /* password */
+ passwd.bv_val = strdup( optarg );
+ {
+ char* p;
+
+ for( p = optarg; *p == '\0'; p++ ) {
+ *p = '\0';
}
- authmethod = LDAP_AUTH_SIMPLE;
- break;
- case 'X':
+ }
+ passwd.bv_len = strlen( passwd.bv_val );
+ break;
+ case 'W':
+ want_bindpw++;
+ break;
+ case 'Y':
+#ifdef HAVE_CYRUS_SASL
+ if( sasl_mech != NULL ) {
+ fprintf( stderr, "%s: -Y previously specified\n" );
+ return EXIT_FAILURE;
+ }
+ if( version == LDAP_VERSION2 ) {
+ fprintf( stderr, "%s: -Y incompatible with version %d\n",
+ prog, version );
+ return EXIT_FAILURE;
+ }
+ if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) {
+ fprintf( stderr, "%s: incompatible with authentication choice\n", prog );
+ return EXIT_FAILURE;
+ }
+ authmethod = LDAP_AUTH_SASL;
+ version = LDAP_VERSION3;
+ sasl_mech = strdup( optarg );
+#else
+ fprintf( stderr, "%s: was not compiled with SASL support\n",
+ prog );
+ return( EXIT_FAILURE );
+#endif
+ break;
+ case 'x':
+ if( authmethod != -1 && authmethod != LDAP_AUTH_SIMPLE ) {
+ fprintf( stderr, "%s: incompatible with previous "
+ "authentication choice\n", prog );
+ return EXIT_FAILURE;
+ }
+ authmethod = LDAP_AUTH_SIMPLE;
+ break;
+ case 'X':
#ifdef HAVE_CYRUS_SASL
- sasl_authz_id = strdup( optarg );
- authmethod = LDAP_AUTH_SASL;
+ if( sasl_authz_id != NULL ) {
+ fprintf( stderr, "%s: -X previously specified\n" );
+ return EXIT_FAILURE;
+ }
+ if( version == LDAP_VERSION2 ) {
+ fprintf( stderr, "%s: -X incompatible with LDAPv%d\n",
+ prog, version );
+ return EXIT_FAILURE;
+ }
+ if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) {
+ fprintf( stderr, "%s: -X incompatible with "
+ "authentication choice\n", prog );
+ return EXIT_FAILURE;
+ }
+ authmethod = LDAP_AUTH_SASL;
+ version = LDAP_VERSION3;
+ sasl_authz_id = strdup( optarg );
#else
- fprintf( stderr, "%s was not compiled with SASL "
- "support\n", argv[0] );
- return( EXIT_FAILURE );
+ fprintf( stderr, "%s: not compiled with SASL support\n",
+ prog );
+ return( EXIT_FAILURE );
#endif
- break;
- case 'Z':
+ break;
+ case 'Z':
#ifdef HAVE_TLS
- use_tls++;
+ if( version == LDAP_VERSION2 ) {
+ fprintf( stderr, "%s -Z incompatible with version %d\n",
+ prog, version );
+ return EXIT_FAILURE;
+ }
+ version = LDAP_VERSION3;
+ use_tls++;
#else
- fprintf( stderr, "%s was not compiled with TLS "
- "support\n", argv[0] );
- return( EXIT_FAILURE );
+ fprintf( stderr, "%s: not compiled with TLS support\n",
+ prog );
+ return( EXIT_FAILURE );
#endif
- break;
+ break;
+
default:
fprintf( stderr, "%s: unrecongized option -%c\n",
if ( authmethod == LDAP_AUTH_SASL ) {
#ifdef HAVE_CYRUS_SASL
+ void *defaults;
+
if( sasl_secprops != NULL ) {
rc = ldap_set_option( ld, LDAP_OPT_X_SASL_SECPROPS,
(void *) sasl_secprops );
}
}
+ defaults = lutil_sasl_defaults( ld, sasl_flags,
+ sasl_mech,
+ sasl_realm,
+ sasl_authc_id,
+ passwd.bv_val,
+ sasl_authz_id );
+
rc = ldap_sasl_interactive_bind_s( ld, binddn,
- sasl_mech, NULL, NULL, lutil_sasl_interact );
+ sasl_mech, NULL, NULL,
+ lutil_sasl_interact, defaults );
if( rc != LDAP_SUCCESS ) {
ldap_perror( ld, "ldap_sasl_interactive_bind_s" );
ber_free( ber, 1 );
}
- if ( noupdates ) {
+ if ( not ) {
rc = LDAP_SUCCESS;
goto skip;
}
"\t-D binddn\tbind DN\n"
"\t-f file\t\tread operations from `file'\n"
"\t-h host\t\tLDAP server\n"
+"\t-I\t\tuse SASL Interactive mode\n"
"\t-k\t\tuse Kerberos authentication\n"
"\t-K\t\tlike -k, but do only step 1 of the Kerberos bind\n"
"\t-M\t\tenable Manage DSA IT control (-MM to make critical)\n"
"\t-O secprops\tSASL security properties\n"
"\t-p port\t\tport on LDAP server\n"
"\t-P version\tprocotol version (default: 3)\n"
+"\t-Q\t\tuse SASL Quiet mode\n"
+"\t-R realm\tSASL realm\n"
"\t-U user\t\tSASL authentication identity (username)\n"
"\t-v\t\trun in verbose mode (diagnostics to standard output)\n"
"\t-V prefix\tURL prefix for files (default: \"" LDAP_FILE_URI_PREFIX ")\n"
static char *ldaphost = NULL;
static int ldapport = 0;
#ifdef HAVE_CYRUS_SASL
+static unsigned sasl_flags = LUTIL_SASL_AUTOMATIC;
+static char *sasl_realm = NULL;
static char *sasl_authc_id = NULL;
static char *sasl_authz_id = NULL;
static char *sasl_mech = NULL;
prog = (prog = strrchr(argv[0], *LDAP_DIRSEP)) == NULL ? argv[0] : ++prog;
while (( i = getopt( argc, argv,
- "Aa:b:f:Ll:S:s:T:tuV:z:" "Cd:D:h:kKMnO:p:P:U:vw:WxX:Y:Z")) != EOF )
+ "Aa:b:f:Ll:S:s:T:tuV:z:" "Cd:D:h:IkKMnO:p:P:QRU:vw:WxX:Y:Z")) != EOF )
{
switch( i ) {
/* Search Options */
base = strdup( optarg );
break;
case 'f': /* input file */
+ if( infile != NULL ) {
+ fprintf( stderr, "%s: -f previously specified\n" );
+ return EXIT_FAILURE;
+ }
infile = strdup( optarg );
break;
case 'l': /* time limit */
debug |= atoi( optarg );
break;
case 'D': /* bind DN */
+ if( binddn != NULL ) {
+ fprintf( stderr, "%s: -D previously specified\n" );
+ return EXIT_FAILURE;
+ }
binddn = strdup( optarg );
break;
case 'h': /* ldap host */
+ if( ldaphost != NULL ) {
+ fprintf( stderr, "%s: -h previously specified\n" );
+ return EXIT_FAILURE;
+ }
ldaphost = strdup( optarg );
break;
case 'k': /* kerberos bind */
break;
case 'O':
#ifdef HAVE_CYRUS_SASL
+ if( sasl_secprops != NULL ) {
+ fprintf( stderr, "%s: -O previously specified\n" );
+ return EXIT_FAILURE;
+ }
if( version == LDAP_VERSION2 ) {
- fprintf( stderr, "%s -O incompatible with LDAPv%d\n",
+ fprintf( stderr, "%s: -O incompatible with LDAPv%d\n",
prog, version );
return EXIT_FAILURE;
}
"authentication choice\n", prog );
return EXIT_FAILURE;
}
- sasl_secprops = strdup( optarg );
authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3;
+ sasl_secprops = strdup( optarg );
#else
fprintf( stderr, "%s: not compiled with SASL support\n",
prog );
#endif
break;
case 'p':
+ if( ldapport ) {
+ fprintf( stderr, "%s: -p previously specified\n" );
+ return EXIT_FAILURE;
+ }
ldapport = atoi( optarg );
break;
case 'P':
usage( prog );
return( EXIT_FAILURE );
} break;
+ case 'Q':
+#ifdef HAVE_CYRUS_SASL
+ if( version == LDAP_VERSION2 ) {
+ fprintf( stderr, "%s: -Q incompatible with version %d\n",
+ prog, version );
+ return EXIT_FAILURE;
+ }
+ if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) {
+ fprintf( stderr, "%s: incompatible previous "
+ "authentication choice\n",
+ prog );
+ return EXIT_FAILURE;
+ }
+ authmethod = LDAP_AUTH_SASL;
+ version = LDAP_VERSION3;
+ sasl_flags = LUTIL_SASL_QUIET;
+#else
+ fprintf( stderr, "%s: was not compiled with SASL support\n",
+ prog );
+ return( EXIT_FAILURE );
+#endif
+ case 'R':
+#ifdef HAVE_CYRUS_SASL
+ if( sasl_realm != NULL ) {
+ fprintf( stderr, "%s: -R previously specified\n" );
+ return EXIT_FAILURE;
+ }
+ if( version == LDAP_VERSION2 ) {
+ fprintf( stderr, "%s: -R incompatible with version %d\n",
+ prog, version );
+ return EXIT_FAILURE;
+ }
+ if( authmethod != -1 && authmethod != LDAP_AUTH_SASL ) {
+ fprintf( stderr, "%s: incompatible previous "
+ "authentication choice\n",
+ prog );
+ return EXIT_FAILURE;
+ }
+ authmethod = LDAP_AUTH_SASL;
+ version = LDAP_VERSION3;
+ sasl_realm = strdup( optarg );
+#else
+ fprintf( stderr, "%s: was not compiled with SASL support\n",
+ prog );
+ return( EXIT_FAILURE );
+#endif
+ break;
case 'U':
#ifdef HAVE_CYRUS_SASL
+ if( sasl_authc_id != NULL ) {
+ fprintf( stderr, "%s: -U previously specified\n" );
+ return EXIT_FAILURE;
+ }
if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s: -U incompatible with version %d\n",
prog, version );
}
authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3;
-
sasl_authc_id = strdup( optarg );
- authmethod = LDAP_AUTH_SASL;
#else
fprintf( stderr, "%s: was not compiled with SASL support\n",
prog );
char* p;
for( p = optarg; *p == '\0'; p++ ) {
- *p = '*';
+ *p = '\0';
}
}
passwd.bv_len = strlen( passwd.bv_val );
break;
case 'Y':
#ifdef HAVE_CYRUS_SASL
+ if( sasl_mech != NULL ) {
+ fprintf( stderr, "%s: -Y previously specified\n" );
+ return EXIT_FAILURE;
+ }
if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s: -Y incompatible with version %d\n",
prog, version );
fprintf( stderr, "%s: incompatible with authentication choice\n", prog );
return EXIT_FAILURE;
}
-
authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3;
+ sasl_mech = strdup( optarg );
#else
fprintf( stderr, "%s: was not compiled with SASL support\n",
prog );
break;
case 'X':
#ifdef HAVE_CYRUS_SASL
+ if( sasl_authz_id != NULL ) {
+ fprintf( stderr, "%s: -X previously specified\n" );
+ return EXIT_FAILURE;
+ }
if( version == LDAP_VERSION2 ) {
fprintf( stderr, "%s: -X incompatible with LDAPv%d\n",
prog, version );
}
authmethod = LDAP_AUTH_SASL;
version = LDAP_VERSION3;
-
sasl_authz_id = strdup( optarg );
- authmethod = LDAP_AUTH_SASL;
#else
fprintf( stderr, "%s: not compiled with SASL support\n",
prog );
if ( authmethod == LDAP_AUTH_SASL ) {
#ifdef HAVE_CYRUS_SASL
+ void *defaults;
+
if( sasl_secprops != NULL ) {
rc = ldap_set_option( ld, LDAP_OPT_X_SASL_SECPROPS,
(void *) sasl_secprops );
}
}
+ defaults = lutil_sasl_defaults( ld, sasl_flags,
+ sasl_mech,
+ sasl_realm,
+ sasl_authc_id,
+ passwd.bv_val,
+ sasl_authz_id );
+
rc = ldap_sasl_interactive_bind_s( ld, binddn,
- sasl_mech, NULL, NULL, lutil_sasl_interact );
+ sasl_mech, NULL, NULL,
+ lutil_sasl_interact, defaults );
if( rc != LDAP_SUCCESS ) {
ldap_perror( ld, "ldap_sasl_interactive_bind_s" );
#define LDAP_OPT_X_TLS_TRY 4
/* OpenLDAP SASL options */
-#define LDAP_OPT_X_SASL_SSF 0x6100 /* read-only */
-#define LDAP_OPT_X_SASL_SSF_EXTERNAL 0x6101 /* write-only */
-#define LDAP_OPT_X_SASL_SECPROPS 0x6102 /* write-only */
-
-#define LDAP_OPT_X_SASL_SSF_MIN 0x6103
-#define LDAP_OPT_X_SASL_SSF_MAX 0x6104
-#define LDAP_OPT_X_SASL_MAXBUFSIZE 0x6105
+#define LDAP_OPT_X_SASL_MECH 0x6100
+#define LDAP_OPT_X_SASL_REALM 0x6101
+#define LDAP_OPT_X_SASL_AUTHCID 0x6102
+#define LDAP_OPT_X_SASL_AUTHZID 0x6103
+#define LDAP_OPT_X_SASL_SSF 0x6104 /* read-only */
+#define LDAP_OPT_X_SASL_SSF_EXTERNAL 0x6105 /* write-only */
+#define LDAP_OPT_X_SASL_SECPROPS 0x6106 /* write-only */
+#define LDAP_OPT_X_SASL_SSF_MIN 0x6107
+#define LDAP_OPT_X_SASL_SSF_MAX 0x6108
+#define LDAP_OPT_X_SASL_MAXBUFSIZE 0x6109
/* on/off values */
/* V3 SASL Interaction Function Callback Prototype */
/* when using Cyrus SASL, interact is pointer to sasl_interact_t */
typedef int (LDAP_SASL_INTERACT_PROC) LDAP_P((
- LDAP *ld, void *interact ));
+ LDAP *ld, void* defaults, void *interact ));
LDAP_F( int )
ldap_sasl_interactive_bind_s LDAP_P((
LDAP_CONST char *saslMechanism,
LDAPControl **serverControls,
LDAPControl **clientControls,
- LDAP_SASL_INTERACT_PROC *proc ));
+ LDAP_SASL_INTERACT_PROC *proc,
+ LDAP_CONST void *defaults ));
LDAP_F( int )
ldap_sasl_bind_s LDAP_P((
LDAP_BEGIN_DECL
+/*
+ * Automatic (default): use defaults, prompt otherwise
+ * Interactive: prompt always
+ * Quiet: never prompt
+ */
+#define LUTIL_SASL_AUTOMATIC 0U
+#define LUTIL_SASL_INTERACTIVE 1U
+#define LUTIL_SASL_QUIET 2U
+
+LDAP_LUTIL_F( void * )
+lutil_sasl_defaults LDAP_P((
+ LDAP *ld,
+ unsigned flags,
+ char *mech,
+ char *realm,
+ char *authcid,
+ char *passwd,
+ char *authzid ));
+
LDAP_LUTIL_F( int )
lutil_sasl_interact LDAP_P((
- LDAP *ld, void *p ));
+ LDAP *ld, void *defaults, void *p ));
LDAP_END_DECL
const char *mechs,
LDAPControl **sctrls,
LDAPControl **cctrls,
- LDAP_SASL_INTERACT_PROC *interact )
+ LDAP_SASL_INTERACT_PROC *interact,
+ void * defaults )
{
char *data;
const char *mech = NULL;
if( saslrc == SASL_INTERACT ) {
if( !interact ) break;
- rc = (interact)( ld, prompts );
+ rc = (interact)( ld, defaults, prompts );
if( rc != LDAP_SUCCESS ) {
break;
}
if( saslrc == SASL_INTERACT ) {
int res;
if( !interact ) break;
- res = (interact)( ld, prompts );
+ res = (interact)( ld, defaults, prompts );
if( res != LDAP_SUCCESS ) {
break;
}
return -1;
switch ( option ) {
+ case LDAP_OPT_X_SASL_MECH: {
+ *(char **)arg = ld->ld_options.ldo_def_sasl_mech
+ ? LDAP_STRDUP( ld->ld_options.ldo_def_sasl_mech ) : NULL;
+ } break;
+ case LDAP_OPT_X_SASL_REALM: {
+ *(char **)arg = ld->ld_options.ldo_def_sasl_realm
+ ? LDAP_STRDUP( ld->ld_options.ldo_def_sasl_realm ) : NULL;
+ } break;
+ case LDAP_OPT_X_SASL_AUTHCID: {
+ *(char **)arg = ld->ld_options.ldo_def_sasl_authcid
+ ? LDAP_STRDUP( ld->ld_options.ldo_def_sasl_authcid ) : NULL;
+ } break;
+ case LDAP_OPT_X_SASL_AUTHZID: {
+ *(char **)arg = ld->ld_options.ldo_def_sasl_authzid
+ ? LDAP_STRDUP( ld->ld_options.ldo_def_sasl_authzid ) : NULL;
+ } break;
+
case LDAP_OPT_X_SASL_SSF: {
int sc;
sasl_ssf_t *ssf;
{0, ATTR_BOOL, "RESTART", NULL, LDAP_BOOL_RESTART},
#ifdef HAVE_CYRUS_SASL
- {0, ATTR_SASL, "SASL_SECPROPS",NULL, LDAP_OPT_X_SASL_SECPROPS},
+ {1, ATTR_STRING, "SASL_MECH", NULL,
+ offsetof(struct ldapoptions, ldo_def_sasl_mech)},
+ {1, ATTR_STRING, "SASL_REALM", NULL,
+ offsetof(struct ldapoptions, ldo_def_sasl_realm)},
+ {1, ATTR_STRING, "SASL_AUTHCID", NULL,
+ offsetof(struct ldapoptions, ldo_def_sasl_authcid)},
+ {1, ATTR_STRING, "SASL_AUTHZID", NULL,
+ offsetof(struct ldapoptions, ldo_def_sasl_authzid)},
+ {0, ATTR_SASL, "SASL_SECPROPS", NULL, LDAP_OPT_X_SASL_SECPROPS},
#endif
#ifdef HAVE_TLS
{0, ATTR_TLS, "TLS", NULL, LDAP_OPT_X_TLS},
- {0, ATTR_TLS, "TLS_CERT", NULL, LDAP_OPT_X_TLS_CERTFILE},
- {0, ATTR_TLS, "TLS_KEY", NULL, LDAP_OPT_X_TLS_KEYFILE},
+ {1, ATTR_TLS, "TLS_CERT", NULL, LDAP_OPT_X_TLS_CERTFILE},
+ {1, ATTR_TLS, "TLS_KEY", NULL, LDAP_OPT_X_TLS_KEYFILE},
{0, ATTR_TLS, "TLS_CACERT", NULL, LDAP_OPT_X_TLS_CACERTFILE},
{0, ATTR_TLS, "TLS_CACERTDIR",NULL, LDAP_OPT_X_TLS_CACERTDIR},
- {0, ATTR_TLS, "TLS_REQCERT", NULL, LDAP_OPT_X_TLS_REQUIRE_CERT},
- {0, ATTR_TLS, "TLS_RANDFILE", NULL, LDAP_OPT_X_TLS_RANDOM_FILE},
+ {1, ATTR_TLS, "TLS_REQCERT", NULL, LDAP_OPT_X_TLS_REQUIRE_CERT},
+ {1, ATTR_TLS, "TLS_RANDFILE", NULL, LDAP_OPT_X_TLS_RANDOM_FILE},
#endif
{0, ATTR_NONE, NULL, NULL, 0}
LDAP_BOOL_SET(gopts, LDAP_BOOL_REFERRALS);
-#ifdef HAVE_TLS
- gopts->ldo_tls_ctx = NULL;
-#endif
#ifdef HAVE_CYRUS_SASL
+ gopts->ldo_def_sasl_mech = NULL;
+ gopts->ldo_def_sasl_realm = NULL;
+ gopts->ldo_def_sasl_authcid = NULL;
+ gopts->ldo_def_sasl_authzid = NULL;
+
memset( &gopts->ldo_sasl_secprops, '\0', sizeof(gopts->ldo_sasl_secprops) );
gopts->ldo_sasl_secprops.max_ssf = INT_MAX;
gopts->ldo_sasl_secprops.security_flags = SASL_SEC_NOPLAINTEXT|SASL_SEC_NOANONYMOUS;
#endif
+#ifdef HAVE_TLS
+ gopts->ldo_tls_ctx = NULL;
+#endif
+
gopts->ldo_valid = LDAP_INITIALIZED;
return;
return;
}
+#ifdef HAVE_CYRUS_SASL
+ {
+ /* set authentication identity to current user name */
+ char *user = getenv("USER");
+
+ if( user == NULL ) user = getenv("USERNAME");
+ if( user == NULL ) user = getenv("LOGNAME");
+
+ if( user != NULL ) {
+ /* this value is leaked, need at_exit() handler */
+ gopts->ldo_def_sasl_authcid = LDAP_STRDUP( user );
+ }
+ }
+#endif
+
openldap_ldap_init_w_sysconf(LDAP_CONF_FILE);
openldap_ldap_init_w_userconf(LDAP_USERRC_FILE);
LDAPURLDesc *ldo_defludp;
int ldo_defport;
char* ldo_defbase;
- char* ldo_defbinddn; /* simple bind dn */
+ char* ldo_defbinddn; /* bind dn */
+
+#ifdef HAVE_CYRUS_SASL
+ char* ldo_def_sasl_mech; /* SASL Mechanism(s) */
+ char* ldo_def_sasl_realm; /* SASL realm */
+ char* ldo_def_sasl_authcid; /* SASL authentication identity */
+ char* ldo_def_sasl_authzid; /* SASL authorization identity */
+
+ /* SASL Security Properties */
+ struct sasl_security_properties ldo_sasl_secprops;
+#endif
#ifdef LDAP_CONNECTIONLESS
int ldo_cldaptries; /* connectionless search retry count */
/* tls context */
void *ldo_tls_ctx;
int ldo_tls_mode;
-#endif
-#ifdef HAVE_CYRUS_SASL
- struct sasl_security_properties ldo_sasl_secprops;
#endif
LDAP_BOOLEANS ldo_booleans; /* boolean options */
};
int option, const char *arg ));
LDAP_F (int) ldap_int_sasl_bind LDAP_P((
- struct ldap *, LDAP_CONST char *,
- const char *, LDAPControl **, LDAPControl **,
- LDAP_SASL_INTERACT_PROC *interact ));
+ struct ldap *ld,
+ const char *,
+ const char *,
+ LDAPControl **, LDAPControl **,
+ LDAP_SASL_INTERACT_PROC *interact,
+ void *defaults));
/*
* in tls.c
ld->ld_valid = LDAP_VALID_SESSION;
/* but not pointers to malloc'ed items */
- ld->ld_options.ldo_defludp = NULL;
ld->ld_options.ldo_sctrls = NULL;
ld->ld_options.ldo_cctrls = NULL;
+#ifdef HAVE_CYRUS_SASL
+ ld->ld_options.ldo_def_sasl_mech = gopts->ldo_def_sasl_mech
+ ? LDAP_STRDUP( gopts->ldo_def_sasl_mech ) : NULL;
+ ld->ld_options.ldo_def_sasl_realm = gopts->ldo_def_sasl_realm
+ ? LDAP_STRDUP( gopts->ldo_def_sasl_realm ) : NULL;
+ ld->ld_options.ldo_def_sasl_authcid = gopts->ldo_def_sasl_authcid
+ ? LDAP_STRDUP( gopts->ldo_def_sasl_authcid ) : NULL;
+ ld->ld_options.ldo_def_sasl_authzid = gopts->ldo_def_sasl_authzid
+ ? LDAP_STRDUP( gopts->ldo_def_sasl_authzid ) : NULL;
+#endif
+
ld->ld_options.ldo_defludp = ldap_url_duplist(gopts->ldo_defludp);
if ( ld->ld_options.ldo_defludp == NULL ) {
LDAP_CONST char *mechs,
LDAPControl **serverControls,
LDAPControl **clientControls,
- LDAP_SASL_INTERACT_PROC *interact )
+ LDAP_SASL_INTERACT_PROC *interact,
+ void *defaults )
{
int rc;
}
rc = ldap_int_sasl_bind( ld, dn, mechs,
- serverControls, clientControls, interact );
+ serverControls, clientControls,
+ interact, defaults );
return rc;
}
#include <ldap.h>
#include "lutil_ldap.h"
+
+typedef struct lutil_sasl_defaults_s {
+ unsigned flags;
+ char *mech;
+ char *realm;
+ char *authcid;
+ char *passwd;
+ char *authzid;
+} lutilSASLdefaults;
+
+
+void *
+lutil_sasl_defaults(
+ LDAP *ld,
+ unsigned flags,
+ char *mech,
+ char *realm,
+ char *authcid,
+ char *passwd,
+ char *authzid )
+{
+ lutilSASLdefaults *defaults;
+
+ defaults = ber_memalloc( sizeof( lutilSASLdefaults ) );
+
+ if( defaults == NULL ) return NULL;
+
+ defaults->flags = flags;
+ defaults->mech = mech;
+ defaults->realm = realm;
+ defaults->authcid = authcid;
+ defaults->passwd = passwd;
+ defaults->authzid = authzid;
+
+ if( defaults->mech == NULL ) {
+ ldap_get_option( ld, LDAP_OPT_X_SASL_MECH, &defaults->mech );
+ }
+ if( defaults->realm == NULL ) {
+ ldap_get_option( ld, LDAP_OPT_X_SASL_REALM, &defaults->realm );
+ }
+ if( defaults->authcid == NULL ) {
+ ldap_get_option( ld, LDAP_OPT_X_SASL_AUTHCID, &defaults->authcid );
+ }
+ if( defaults->authzid == NULL ) {
+ ldap_get_option( ld, LDAP_OPT_X_SASL_AUTHZID, &defaults->authzid );
+ }
+
+ return defaults;
+}
+
static int interaction(
- sasl_interact_t *interact )
+ sasl_interact_t *interact, lutilSASLdefaults *defaults )
{
+ unsigned flags = defaults ? defaults->flags : 0;
+ const char *dflt = interact->defresult;
char input[1024];
int noecho=0;
int challenge=0;
switch( interact->id ) {
+ case SASL_CB_GETREALM:
+ if( defaults ) dflt = defaults->realm;
+ break;
+ case SASL_CB_AUTHNAME:
+ if( defaults ) dflt = defaults->authcid;
+ break;
+ case SASL_CB_PASS:
+ if( defaults ) dflt = defaults->passwd;
+ noecho = 1;
+ break;
+ case SASL_CB_USER:
+ if( defaults ) dflt = defaults->authzid;
+ break;
case SASL_CB_NOECHOPROMPT:
noecho = 1;
challenge = 1;
case SASL_CB_ECHOPROMPT:
challenge = 1;
break;
- case SASL_CB_PASS:
- noecho = 1;
- break;
+ }
+
+ if( dflt && !*dflt ) dflt = NULL;
+
+ if( flags != LUTIL_SASL_INTERACTIVE && dflt ) {
+ goto use_default;
+ }
+
+ if( flags == LUTIL_SASL_QUIET ) {
+ /* don't prompt */
+ return LDAP_OTHER;
}
if( challenge ) {
if( interact->challenge ) {
fprintf( stderr, "Challenge: %s\n", interact->challenge );
}
- if( interact->defresult ) {
- fprintf( stderr, "Default Result: %s\n", interact->defresult );
- }
+ }
+
+ if( dflt ) {
+ fprintf( stderr, "Default: %s\n", dflt );
}
sprintf( input, "%s: ",
- interact->prompt ? interact->prompt : "Interaction required" );
+ interact->prompt ? interact->prompt : "Interact" );
if( noecho ) {
interact->result = (char *) getpassphrase( input );
memset( p, '\0', interact->len );
} else {
+use_default:
/* must be empty */
- interact->result = strdup("");
+ interact->result = strdup( (dflt && *dflt) ? dflt : "" );
+ interact->len = interact->result
+ ? strlen( interact->result ) : 0;
+ }
+
+ if( defaults && defaults->passwd && interact->id == SASL_CB_PASS ) {
+ /* zap password after first use */
+ memset( defaults->passwd, '\0', strlen(defaults->passwd) );
+ defaults->passwd = NULL;
}
return LDAP_SUCCESS;
int lutil_sasl_interact(
LDAP *ld,
+ void *defaults,
void *in )
{
sasl_interact_t *interact = in;
fputs( "SASL Interaction\n", stderr );
while( interact->id != SASL_CB_LIST_END ) {
- int rc = interaction( interact );
+ int rc = interaction( interact, defaults );
if( rc ) return rc;
interact++;
return LDAP_SUCCESS;
}
-
#endif
char* p;
for( p = optarg; *p == '\0'; p++ ) {
- *p = '*';
+ *p = '\0';
}
}
break;
projects / openldap / commitdiff