socklen_t len = sizeof(from);
long id;
slap_ssf_t ssf = 0;
- char *authid = NULL;
+ struct berval authid = { 0, NULL };
#ifdef SLAPD_RLOOKUPS
char hbuf[NI_MAXHOST];
#endif
char *dnsname = NULL;
char *peeraddr = NULL;
#ifdef LDAP_PF_LOCAL
- char peername[MAXPATHLEN + sizeof("PATH=")];
+ char peername[MAXPATHLEN + sizeof("PATH=")];
#elif defined(LDAP_PF_INET6)
- char peername[sizeof("IP=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 65535")];
+ char peername[sizeof(
+ "IP=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 65535")];
#else
- char peername[sizeof("IP=255.255.255.255:65336")];
+ char peername[sizeof("IP=255.255.255.255:65336")];
#endif /* LDAP_PF_LOCAL */
peername[0] = '\0';
* of the slapd.
*/
if ( slap_listeners[l]->sl_is_udp < 2 ) {
- id = connection_init(
- slap_listeners[l]->sl_sd,
- slap_listeners[l], "", "",
- CONN_IS_UDP, ssf, authid );
+ id = connection_init(
+ slap_listeners[l]->sl_sd,
+ slap_listeners[l], "", "",
+ CONN_IS_UDP, ssf, NULL );
slap_listeners[l]->sl_is_udp++;
}
continue;
gid_t gid;
if( getpeereid( s, &uid, &gid ) == 0 ) {
- authid = ch_malloc(
+ authid.bv_val = ch_malloc(
sizeof("uidnumber=4294967295+gidnumber=4294967295,"
- "cn=peercred,cn=external,cn=auth"));
- sprintf(authid, "uidnumber=%d+gidnumber=%d,"
+ "cn=peercred,cn=external,cn=auth"));
+ authid.bv_len = sprintf( authid.bv_val,
+ "uidnumber=%d+gidnumber=%d,"
"cn=peercred,cn=external,cn=auth",
(int) uid, (int) gid);
}
0,
#endif
ssf,
- authid );
+ authid.bv_val ? &authid : NULL );
- if( authid ) ch_free(authid);
+ if( authid.bv_val ) ch_free(authid.bv_val);
if( id < 0 ) {
#ifdef NEW_LOGGING
# define SASL_CONST
# endif
-static sasl_security_properties_t sasl_secprops;
-
#define SASL_VERSION_FULL ((SASL_VERSION_MAJOR << 16) |\
(SASL_VERSION_MINOR << 8) | SASL_VERSION_STEP)
-#endif /* HAVE_CYRUS_SASL */
+static sasl_security_properties_t sasl_secprops;
+#else
+/*
+ * built-in SASL implementation
+ * only supports EXTERNAL
+ */
+typedef struct sasl_ctx {
+ slap_ssf_t sc_external_ssf;
+ struct berval sc_external_id;
+} SASL_CTX;
+
+#endif
#include "ldap_pvt.h"
#include "lber_pvt.h"
#include <lutil.h>
+static struct berval ext_bv = BER_BVC( "EXTERNAL" );
+
int slap_sasl_config( int cargc, char **cargv, char *line,
const char *fname, int lineno )
{
sasl_version( NULL, &rc );
if ( ((rc >> 16) != ((SASL_VERSION_MAJOR << 8)|SASL_VERSION_MINOR)) ||
- (rc & 0xffff) < SASL_VERSION_STEP) {
+ (rc & 0xffff) < SASL_VERSION_STEP)
+ {
char version[sizeof("xxx.xxx.xxxxx")];
sprintf( version, "%u.%d.%d", (unsigned)rc >> 24, (rc >> 16) & 0xff,
rc & 0xffff );
0, 0, 0 );
#endif
-
/* default security properties */
memset( &sasl_secprops, '\0', sizeof(sasl_secprops) );
sasl_secprops.max_ssf = INT_MAX;
int slap_sasl_open( Connection *conn, int reopen )
{
- int cb, sc = LDAP_SUCCESS;
-#if SASL_VERSION_MAJOR >= 2
- char *ipremoteport = NULL, *iplocalport = NULL;
-#endif
-
+ int sc = LDAP_SUCCESS;
#ifdef HAVE_CYRUS_SASL
+ int cb;
+
sasl_conn_t *ctx = NULL;
sasl_callback_t *session_callbacks;
+#if SASL_VERSION_MAJOR >= 2
+ char *ipremoteport = NULL, *iplocalport = NULL;
+#endif
+
assert( conn->c_sasl_authctx == NULL );
if ( !reopen ) {
}
sc = slap_sasl_err2ldap( sc );
+
+#else
+ /* built-in SASL implementation */
+ SASL_CTX *ctx = (SASL_CTX *) SLAP_MALLOC(sizeof(SASL_CTX));
+ if( ctx == NULL ) return -1;
+
+ ctx->sc_external_ssf = 0;
+ ctx->sc_external_id.bv_len = 0;
+ ctx->sc_external_id.bv_val = NULL;
+
+ conn->c_sasl_authctx = ctx;
#endif
+
return sc;
}
int slap_sasl_external(
Connection *conn,
slap_ssf_t ssf,
- const char *auth_id )
+ struct berval *auth_id )
{
#if SASL_VERSION_MAJOR >= 2
int sc;
return LDAP_OTHER;
}
- sc = sasl_setprop( ctx, SASL_AUTH_EXTERNAL, auth_id );
+ sc = sasl_setprop( ctx, SASL_AUTH_EXTERNAL,
+ auth_id ? auth_id->bv_val : NULL );
if ( sc != SASL_OK ) {
return LDAP_OTHER;
memset( &extprops, '\0', sizeof(extprops) );
extprops.ssf = ssf;
- extprops.auth_id = (char *) auth_id;
+ extprops.auth_id = auth_id ? auth_id->bv_val : NULL;
sc = sasl_setprop( ctx, SASL_SSF_EXTERNAL,
(void *) &extprops );
if ( sc != SASL_OK ) {
return LDAP_OTHER;
}
+#else
+ /* built-in SASL implementation */
+ SASL_CTX *ctx = conn->c_sasl_authctx;
+ if ( ctx == NULL ) return LDAP_UNAVAILABLE;
+
+ ctx->sc_external_ssf = ssf;
+ if( auth_id ) {
+ ctx->sc_external_id = *auth_id;
+ auth_id->bv_len = 0;
+ auth_id->bv_val = NULL;
+ } else {
+ ctx->sc_external_id.bv_len = 0;
+ ctx->sc_external_id.bv_val = NULL;
+ }
#endif
return LDAP_SUCCESS;
ch_free( mechstr );
#endif
}
+#else
+ /* builtin SASL implementation */
+ SASL_CTX *ctx = conn->c_sasl_authctx;
+ if ( ctx != NULL && ctx->sc_external_id.bv_val ) {
+ /* should check ssf */
+ mechs = ldap_str2charray( "EXTERNAL", "," );
+ }
#endif
return mechs;
if( ctx != NULL ) {
sasl_dispose( &ctx );
}
- if ( conn->c_sasl_sockctx && conn->c_sasl_authctx != conn->c_sasl_sockctx ) {
+ if ( conn->c_sasl_sockctx &&
+ conn->c_sasl_authctx != conn->c_sasl_sockctx )
+ {
ctx = conn->c_sasl_sockctx;
sasl_dispose( &ctx );
}
free( conn->c_sasl_extra );
conn->c_sasl_extra = NULL;
+
+#else
+ SASL_CTX *ctx = conn->c_sasl_authctx;
+ if( ctx ) {
+ if( ctx->sc_external_id.bv_val ) {
+ free( ctx->sc_external_id.bv_val );
+ ctx->sc_external_id.bv_val = NULL;
+ }
+ free( ctx );
+ conn->c_sasl_authctx = NULL;
+ }
#endif
return LDAP_SUCCESS;
op->orb_cred.bv_len );
#endif
-
if( ctx == NULL ) {
send_ldap_error( op, rs, LDAP_UNAVAILABLE,
"SASL unavailable on this session" );
#else
- send_ldap_error( op, rs, LDAP_UNAVAILABLE,
- "SASL not supported" );
+ /* built-in SASL implementation */
+ SASL_CTX *ctx = op->o_conn->c_sasl_authctx;
+
+ if ( ctx == NULL ) {
+ send_ldap_error( op, rs, LDAP_OTHER,
+ "Internal SASL Error" );
+
+ } else if ( bvmatch( &ext_bv, &op->o_conn->c_sasl_bind_mech ) ) {
+ /* EXTERNAL */
+
+ if( op->orb_cred.bv_len ) {
+ rs->sr_text = "proxy authorization not support";
+ rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
+ send_ldap_result( op, rs );
+
+ } else {
+ op->orb_edn = ctx->sc_external_id;
+ rs->sr_err = LDAP_SUCCESS;
+ rs->sr_sasldata = NULL;
+ send_ldap_sasl( op, rs );
+ }
+
+ } else {
+ send_ldap_error( op, rs, LDAP_AUTH_METHOD_NOT_SUPPORTED,
+ "requested SASL mechanism not supported" );
+ }
#endif
return rs->sr_err;
#define SET_DN 1
#define SET_U 2
-static struct berval ext_bv = BER_BVC( "EXTERNAL" );
-
int slap_sasl_getdn( Connection *conn, Operation *op, char *id, int len,
char *user_realm, struct berval *dn, int flags )
{
* is already normalized, so copy it and skip normalization.
*/
if( flags & SLAP_GETDN_AUTHCID ) {
- if( mech->bv_len == ext_bv.bv_len &&
- strcasecmp( ext_bv.bv_val, mech->bv_val ) == 0 )
- {
+ if( bvmatch( mech, &ext_bv )) {
/* EXTERNAL DNs are already normalized */
do_norm = 0;
is_dn = SET_DN;
projects / openldap / commitdiff