]> git.sur5r.net Git - openldap/commitdiff
Outline SASL interactive API (no meat)
authorKurt Zeilenga <kurt@openldap.org>
Thu, 6 Jan 2011 18:37:23 +0000 (18:37 +0000)
committerKurt Zeilenga <kurt@openldap.org>
Thu, 6 Jan 2011 18:37:23 +0000 (18:37 +0000)
clients/tools/ldapvc.c
include/ldap.h
libraries/libldap/vc.c

index 0094acf221cf2dc21a579394e0f4140d4fc9f0fa..9cdd44c90106c92036aa9378c716d613156fb80e 100644 (file)
 static int req_authzid = 0;
 static int req_pp = 0;
 
-static char * mech = NULL;
+#if defined(LDAP_API_FEATURES_VERIFY_CREDENTIALS_INTERACTIVE) && defined(HAVE_CYRUS_SASL)
+#define LDAP_SASL_NONE (~0U)
+static unsigned vc_sasl = LDAP_SASL_NONE;
+static char *vc_sasl_realm = NULL;
+static char *vc_sasl_authcid = NULL;
+static char *vc_sasl_authzid = NULL;
+static char *vc_sasl_mech = NULL;
+static char *vc_sasl_secprops = NULL;
+#endif
 static char * dn = NULL;
 static struct berval cred = {0, NULL};
 
@@ -59,27 +67,31 @@ void
 usage( void )
 {
        fprintf( stderr, _("Issue LDAP Verify Credentials operation to verify a user's credentials\n\n"));
-       fprintf( stderr, _("usage: %s [options] (-S mech|[DN [cred]])\n"), prog);
+       fprintf( stderr, _("usage: %s [options] [DN [cred]])\n"), prog);
        fprintf( stderr, _("where:\n"));
        fprintf( stderr, _("    DN\tDistinguished Name\n"));
        fprintf( stderr, _("    cred\tCredentials (prompt if not present)\n"));
        fprintf( stderr, _("options:\n"));
        fprintf( stderr, _("    -a\tRequest AuthzId\n"));
        fprintf( stderr, _("    -b\tRequest Password Policy Information\n"));
-       fprintf( stderr, _("    -S mech\tSASL mechanism (default "" e.g. Simple)\n"));
+       fprintf( stderr, _("    -E sasl=(a[utomatic]|i[nteractive]|q[uiet]>\tSASL mode (defaults to automatic if any other -E option provided, otherwise none))\n"));
+       fprintf( stderr, _("    -E mech=<mech>\tSASL mechanism (default "" e.g. Simple)\n"));
+       fprintf( stderr, _("    -E realm=<realm>\tSASL Realm (defaults to none)\n"));
+       fprintf( stderr, _("    -E authcid=<authcid>\tSASL Authenication Identity (defaults to USER)\n"));
+       fprintf( stderr, _("    -E authzid=<authzid>\tSASL Authorization Identity (defaults to none)\n"));
+       fprintf( stderr, _("    -E secprops=<secprops>\tSASL Security Properties (defaults to none)\n"));
        tool_common_usage();
        exit( EXIT_FAILURE );
 }
 
 
-const char options[] = "abS:"
+const char options[] = "abE:"
        "d:D:e:h:H:InNO:o:p:QR:U:vVw:WxX:y:Y:Z";
 
 int
 handle_private_option( int i )
 {
        switch ( i ) {
-#if 0
                char    *control, *cvalue;
                int             crit;
        case 'E': /* vc extension */
@@ -105,10 +117,145 @@ handle_private_option( int i )
                        *cvalue++ = '\0';
                }
 
-               fprintf( stderr, _("Invalid Verify Credentials extension name: %s\n"), control );
-               usage();
+               if (strcasecmp(control, "sasl") == 0) {
+#if defined(LDAP_API_FEATURES_VERIFY_CREDENTIALS_INTERACTIVE) && defined(HAVE_CYRUS_SASL)
+                       if (vc_sasl != LDAP_SASL_NONE) {
+                               fprintf(stderr,
+                                   _("SASL option previously specified\n"));
+                               exit(EXIT_FAILURE);
+                       }
+                       if (cvalue == NULL) {
+                               fprintf(stderr,
+                                       _("missing mode in SASL option\n"));
+                               exit(EXIT_FAILURE);
+                       }
+
+                       switch (*cvalue) {
+                       case 'a':
+                       case 'A':
+                               vc_sasl = LDAP_SASL_AUTOMATIC;
+                               break;
+                       case 'i':
+                       case 'I':
+                               vc_sasl = LDAP_SASL_INTERACTIVE;
+                               break;
+                       case 'q':
+                       case 'Q':
+                               vc_sasl = LDAP_SASL_QUIET;
+                               break;
+                       default:
+                               fprintf(stderr,
+                                       _("unknown mode %s in SASL option\n"), cvalue);
+                               exit(EXIT_FAILURE);
+                       }
+#else
+                       fprintf(stderr,
+                               _("%s: not compiled with SASL support\n"), prog);
+                       exit(EXIT_FAILURE);
+#endif
+
+               } else if (strcasecmp(control, "mech") == 0) {
+#if defined(LDAP_API_FEATURES_VERIFY_CREDENTIALS_INTERACTIVE) && defined(HAVE_CYRUS_SASL)
+                       if (vc_sasl_mech) {
+                               fprintf(stderr,
+                                   _("SASL mech previously specified\n"));
+                               exit(EXIT_FAILURE);
+                       }
+                       if (cvalue == NULL) {
+                               fprintf(stderr,
+                                       _("missing mech in SASL option\n"));
+                               exit(EXIT_FAILURE);
+                       }
+
+                       vc_sasl_mech = ber_strdup(cvalue);
+#else
+#endif
+
+               } else if (strcasecmp(control, "realm") == 0) {
+#if defined(LDAP_API_FEATURES_VERIFY_CREDENTIALS_INTERACTIVE) && defined(HAVE_CYRUS_SASL)
+                       if (vc_sasl_realm) {
+                               fprintf(stderr,
+                                   _("SASL realm previously specified\n"));
+                               exit(EXIT_FAILURE);
+                       }
+                       if (cvalue == NULL) {
+                               fprintf(stderr,
+                                       _("missing realm in SASL option\n"));
+                               exit(EXIT_FAILURE);
+                       }
+
+                       vc_sasl_realm = ber_strdup(cvalue);
+#else
+                       fprintf(stderr,
+                               _("%s: not compiled with SASL support\n"), prog);
+                       exit(EXIT_FAILURE);
+#endif
+
+               } else if (strcasecmp(control, "authcid") == 0) {
+#if defined(LDAP_API_FEATURES_VERIFY_CREDENTIALS_INTERACTIVE) && defined(HAVE_CYRUS_SASL)
+                       if (vc_sasl_authcid) {
+                               fprintf(stderr,
+                                   _("SASL authcid previously specified\n"));
+                               exit(EXIT_FAILURE);
+                       }
+                       if (cvalue == NULL) {
+                               fprintf(stderr,
+                                       _("missing authcid in SASL option\n"));
+                               exit(EXIT_FAILURE);
+                       }
+
+                       vc_sasl_authcid = ber_strdup(cvalue);
+#else
+                       fprintf(stderr,
+                               _("%s: not compiled with SASL support\n"), prog);
+                       exit(EXIT_FAILURE);
+#endif
+
+               } else if (strcasecmp(control, "authzid") == 0) {
+#if defined(LDAP_API_FEATURES_VERIFY_CREDENTIALS_INTERACTIVE) && defined(HAVE_CYRUS_SASL)
+                       if (vc_sasl_authzid) {
+                               fprintf(stderr,
+                                   _("SASL authzid previously specified\n"));
+                               exit(EXIT_FAILURE);
+                       }
+                       if (cvalue == NULL) {
+                               fprintf(stderr,
+                                       _("missing authzid in SASL option\n"));
+                               exit(EXIT_FAILURE);
+                       }
+
+                       vc_sasl_authzid = ber_strdup(cvalue);
+#else
+                       fprintf(stderr,
+                               _("%s: not compiled with SASL support\n"), prog);
+                       exit(EXIT_FAILURE);
 #endif
 
+               } else if (strcasecmp(control, "secprops") == 0) {
+#if defined(LDAP_API_FEATURES_VERIFY_CREDENTIALS_INTERACTIVE) && defined(HAVE_CYRUS_SASL)
+                       if (vc_sasl_secprops) {
+                               fprintf(stderr,
+                                   _("SASL secprops previously specified\n"));
+                               exit(EXIT_FAILURE);
+                       }
+                       if (cvalue == NULL) {
+                               fprintf(stderr,
+                                       _("missing secprops in SASL option\n"));
+                               exit(EXIT_FAILURE);
+                       }
+
+                       vc_sasl_secprops = ber_strdup(cvalue);
+#else
+                       fprintf(stderr,
+                               _("%s: not compiled with SASL support\n"), prog);
+                       exit(EXIT_FAILURE);
+#endif
+
+               } else {
+                   fprintf( stderr, _("Invalid Verify Credentials extension name: %s\n"), control );
+                   usage();
+               }
+
        case 'a':  /* request authzid */
                req_authzid++;
                break;
@@ -117,10 +264,6 @@ handle_private_option( int i )
                req_pp++;
                break;
 
-       case 'S':  /* SASL mechanism */
-               mech = optarg;
-               break;
-
        default:
                return 0;
        }
@@ -152,33 +295,31 @@ main( int argc, char *argv[] )
 
        tool_args( argc, argv );
 
-       if (mech) {
-               if (argc - optind > 0) {
-                       usage();
-               }
-
-               fprintf(stderr, "SASL credential verification not yet implemented!\n");
-               rc = EXIT_FAILURE;
-               goto skip;
-
-       } else {
-               if (argc - optind > 0) {
-                       dn = argv[optind++];
-               }
-               if (argc - optind > 0) {
-                       cred.bv_val = argv[optind++];
-                       cred.bv_len = strlen(cred.bv_val);
-               }
-
-               if (argc - optind > 0) {
-                   usage();
-           }
-
-           if (!cred.bv_val) {
-                   cred.bv_val = strdup(getpassphrase(_("User's password: ")));
-           }
+       if (argc - optind > 0) {
+               dn = argv[optind++];
+       }
+       if (argc - optind > 0) {
+               cred.bv_val = argv[optind++];
                cred.bv_len = strlen(cred.bv_val);
        }
+       if (argc - optind > 0) {
+               usage();
+       }
+       if (dn 
+#ifdef LDAP_API_FEATURE_VERIFY_CREDENTIALS_INTERACTIVE
+           && !vc_sasl_mech 
+#endif
+           && !cred.bv_val)
+       {
+               cred.bv_val = strdup(getpassphrase(_("User's password: ")));
+           cred.bv_len = strlen(cred.bv_val);
+       }
+
+#ifdef LDAP_API_FEATURE_VERIFY_CREDENTIALS_INTERACTIVE
+    if (vc_sasl_mech && (vc_sasl == LDAP_SASL_NONE)) {
+               vc_sasl = LDAP_SASL_AUTOMATIC;
+       }
+#endif
 
        ld = tool_conn_setup( 0, 0 );
 
@@ -211,49 +352,96 @@ main( int argc, char *argv[] )
                vcctrls[++nvcctrls] = NULL;
     }
 
-       rc = ldap_verify_credentials( ld,
-               NULL,
-               dn, mech, cred.bv_val ? &cred: NULL, vcctrls,
-               NULL, NULL, &id ); 
+#ifdef LDAP_API_FEATURE_VERIFY_CREDENTIALS_INTERACTIVE
+#ifdef HAVE_CYRUS_SASL
+    if (vc_sasl_mech) {
+               int msgid;
+               void * defaults;
+               void * context = NULL;
+               const char *rmech = NULL;
+
+               defaults = lutil_sasl_defaults(ld,
+                       vc_sasl_mech,
+                       vc_sasl_realm,
+                       vc_sasl_authcid,
+                       cred.bv_val,
+                       sasl_authz_id);
+
+               do {
+                       rc = ldap_verify_credentials_interactive(ld, dn, vc_sasl_mech,
+                               vcctrls, NULL, NULL,
+                               vc_sasl, lutil_sasl_interact, defaults, context,
+                               res, &rmech, &msgid); 
+
+                       if (rc != LDAP_SASL_BIND_IN_PROGRESS) break;
+
+                       ldap_msgfree(res);
+
+                       if (ldap_result(ld, msgid, LDAP_MSG_ALL, NULL, &res) == -1 || !res) {
+                               ldap_get_option(ld, LDAP_OPT_RESULT_CODE, (void*) &rc);
+                               ldap_get_option(ld, LDAP_OPT_DIAGNOSTIC_MESSAGE, (void*) &text);
+                               tool_perror( "ldap_verify_credentials_interactive", rc, NULL, NULL, text, NULL);
+                               ldap_memfree(text);
+                               exit(rc);
+                       }
+               } while (rc == LDAP_SASL_BIND_IN_PROGRESS);
 
-       if( rc != LDAP_SUCCESS ) {
-               tool_perror( "ldap_verify_credentials", rc, NULL, NULL, NULL, NULL );
-               rc = EXIT_FAILURE;
-               goto skip;
-       }
+           lutil_sasl_freedefs(defaults);
 
-       ldap_controls_free(vcctrls);
-       vcctrls = NULL;
+           if( rc != LDAP_SUCCESS ) {
+                       ldap_get_option(ld, LDAP_OPT_DIAGNOSTIC_MESSAGE, (void*) &text);
+                   tool_perror( "ldap_verify_credentials", rc, NULL, NULL, text, NULL );
+                   rc = EXIT_FAILURE;
+                   goto skip;
+           }
 
-       for ( ; ; ) {
-               struct timeval  tv;
+       } else
+#endif
+#endif
+    {
+           rc = ldap_verify_credentials( ld,
+                   NULL,
+                   dn, NULL, cred.bv_val ? &cred: NULL, vcctrls,
+                   NULL, NULL, &id ); 
+    
+           if( rc != LDAP_SUCCESS ) {
+                       ldap_get_option(ld, LDAP_OPT_DIAGNOSTIC_MESSAGE, (void*) &text);
+                   tool_perror( "ldap_verify_credentials", rc, NULL, NULL, text, NULL );
+                   rc = EXIT_FAILURE;
+                   goto skip;
+           }
 
-               if ( tool_check_abandon( ld, id ) ) {
-                       return LDAP_CANCELLED;
-               }
+           for ( ; ; ) {
+                   struct timeval      tv;
 
-               tv.tv_sec = 0;
-               tv.tv_usec = 100000;
+                   if ( tool_check_abandon( ld, id ) ) {
+                           return LDAP_CANCELLED;
+                   }
 
-               rc = ldap_result( ld, LDAP_RES_ANY, LDAP_MSG_ALL, &tv, &res );
-               if ( rc < 0 ) {
-                       tool_perror( "ldap_result", rc, NULL, NULL, NULL, NULL );
-                       return rc;
-               }
+                   tv.tv_sec = 0;
+                   tv.tv_usec = 100000;
 
-               if ( rc != 0 ) {
-                       break;
-               }
+                   rc = ldap_result( ld, LDAP_RES_ANY, LDAP_MSG_ALL, &tv, &res );
+                   if ( rc < 0 ) {
+                           tool_perror( "ldap_result", rc, NULL, NULL, NULL, NULL );
+                           return rc;
+                   }
+
+                   if ( rc != 0 ) {
+                           break;
+                   }
+           }
        }
 
+       ldap_controls_free(vcctrls);
+       vcctrls = NULL;
+
        rc = ldap_parse_result( ld, res,
                &code, &matcheddn, &text, &refs, &ctrls, 0 );
 
-       if ( rc == LDAP_SUCCESS ) {
-               rc = code;
-       }
+       if (rc == LDAP_SUCCESS) rc = code;
 
-       if ( rc != LDAP_SUCCESS ) {
+       if (rc != LDAP_SUCCESS) {
                tool_perror( "ldap_parse_result", rc, NULL, matcheddn, text, refs );
                rc = EXIT_FAILURE;
                goto skip;
@@ -262,7 +450,7 @@ main( int argc, char *argv[] )
        rc = ldap_parse_verify_credentials( ld, res, &rcode, &diag, &scookie, &scred, &vcctrls );
        ldap_msgfree(res);
 
-       if( rc != LDAP_SUCCESS ) {
+       if (rc != LDAP_SUCCESS) {
                tool_perror( "ldap_parse_verify_credentials", rc, NULL, NULL, NULL, NULL );
                rc = EXIT_FAILURE;
                goto skip;
index 21c8d09e00a50f9647c272953cd00e0eeb116d63..0cd3579d60cb3ca772fd9bb711009d6a513e76ce 100644 (file)
@@ -2268,6 +2268,32 @@ ldap_parse_verify_credentials LDAP_P((
        struct berval   **servercredp,
        LDAPControl     ***vcctrls));
 
+/* not yet implemented */
+/* #define LDAP_API_FEATURE_VERIFY_CREDENTIALS_INTERACTIVE 1000 */
+#ifdef LDAP_API_FEATURE_VERIFY_CREDENTIALS_INTERACTIVE
+LDAP_F( int )
+ldap_verify_credentials_interactive LDAP_P((
+       LDAP *ld,
+       LDAP_CONST char *dn, /* usually NULL */
+       LDAP_CONST char *saslMechanism,
+       LDAPControl **vcControls,
+       LDAPControl **serverControls,
+       LDAPControl **clientControls,
+
+       /* should be client controls */
+       unsigned flags,
+       LDAP_SASL_INTERACT_PROC *proc,
+       void *defaults,
+       void *context,
+       
+       /* as obtained from ldap_result() */
+       LDAPMessage *result,
+
+       /* returned during bind processing */
+       const char **rmech,
+       int *msgid ));
+#endif
+
 /*
  * LDAP Who Am I?
  *     in whoami.c
index 8902fe3206a87720898a0429b626df10c80b60c5..c5165e8dc2c1010f5a3b7814f0f3e62426566e6f 100644 (file)
@@ -314,3 +314,47 @@ ldap_verify_credentials_s(
 
        return( ldap_result2error(ld, res, 1));
 }
+
+#ifdef LDAP_API_FEATURE_VERIFY_CREDENTIALS_INTERACTIVE
+int
+ldap_verify_credentials_interactive (
+       LDAP *ld,
+       LDAP_CONST char *dn, /* usually NULL */
+       LDAP_CONST char *mech,
+       LDAPControl **vcControls,
+       LDAPControl **serverControls,
+       LDAPControl **clientControls,
+
+       /* should be client controls */
+       unsigned flags,
+       LDAP_SASL_INTERACT_PROC *proc,
+       void *defaults,
+    void *context;
+       
+       /* as obtained from ldap_result() */
+       LDAPMessage *result,
+
+       /* returned during bind processing */
+       const char **rmech,
+       int *msgid )
+{
+       if (!ld && context) {
+               assert(!dn);
+               assert(!mech);
+               assert(!vcControls);
+               assert(!serverControls);
+               assert(!defaults);
+               assert(!result);
+               assert(!rmech);
+               assert(!msgid);
+
+               /* special case to avoid having to expose a separate dispose context API */
+               sasl_dispose((sasl_conn_t)context);
+        return LDAP_SUCCESS;
+    }
+
+    ld->ld_errno = LDAP_NOT_SUPPORTED;
+    return ld->ld_errno;
+}
+#endif
+