Add conn->c_sasl_authz_dn, store SASL authzDN separately from authcDN
authorHoward Chu <hyc@openldap.org>
Sun, 3 Apr 2005 09:38:53 +0000 (09:38 +0000)
committerHoward Chu <hyc@openldap.org>
Sun, 3 Apr 2005 09:38:53 +0000 (09:38 +0000)
servers/slapd/connection.c
servers/slapd/sasl.c
servers/slapd/slap.h

index 4e7fb9bc5587d60226e852009bf46c5ca65e04ef..c6ef075ac06d0d7bf8e747c7180a05c22d6a8026 100644 (file)
@@ -609,6 +609,10 @@ void connection2anonymous( Connection *c )
                free(c->c_ndn.bv_val);
        }
        BER_BVZERO( &c->c_ndn );
+       if(c->c_sasl_authz_dn.bv_val != NULL) {
+               free(c->c_sasl_authz_dn.bv_val);
+       }
+       BER_BVZERO( &c->c_sasl_authz_dn );
 
        c->c_authz_backend = NULL;
 }
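Review bot: The new release of `c_sasl_authz_dn` relies on `bv_val` being NULL whenever no buffer is owned, but no hunk in this commit zeroes the field when a Connection is first set up. If the connection initialisation code outside this diff does not do `BER_BVZERO( &c->c_sasl_authz_dn )`, this `free()` and the `BER_BVISNULL` test in connection_op_activate would act on stale contents. It is worth confirming that path and recording ownership above these lines, e.g. `/* drop any SASL proxy-authz identity; the connection owns this buffer */`.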
@@ -1598,8 +1602,13 @@ static int connection_op_activate( Operation *op )
 
        if (!op->o_dn.bv_len) {
                op->o_authz = op->o_conn->c_authz;
-               ber_dupbv( &op->o_dn, &op->o_conn->c_dn );
-               ber_dupbv( &op->o_ndn, &op->o_conn->c_ndn );
+               if ( BER_BVISNULL( &op->o_conn->c_sasl_authz_dn )) {
+                       ber_dupbv( &op->o_dn, &op->o_conn->c_dn );
+                       ber_dupbv( &op->o_ndn, &op->o_conn->c_ndn );
+               } else {
+                       ber_dupbv( &op->o_dn, &op->o_conn->c_sasl_authz_dn );
+                       ber_dupbv( &op->o_ndn, &op->o_conn->c_sasl_authz_dn );
+               }
        }
        op->o_authtype = op->o_conn->c_authtype;
        ber_dupbv( &op->o_authmech, &op->o_conn->c_authmech );
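Review bot: With this branch every operation that arrives without its own DN runs as `c_sasl_authz_dn` as soon as the field is non-NULL, and the field is written directly by slap_sasl_authorize rather than committed when the bind completes. If a SASL exchange can still fail after the authorize callback has returned SASL_OK, the failure path (outside this diff) has to clear the field, otherwise later operations on the connection would be evaluated under the proxied identity. Note also that `op->o_authz` is still copied from `c_authz`, and that `o_dn` and `o_ndn` both receive the same string, which presumably is already normalized. A comment such as `/* proxy authz in effect: c_sasl_authz_dn is the effective identity, set only after slap_sasl_authorized() succeeded */` would record the invariant. connection_op_activate starts and ends outside the hunk.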
index bf068e85c1d3b59f76cd296700deec480a8bf76e..112e37dcfd6da9aa463c7dbbe45a4c33b481ca95 100644 (file)
@@ -576,7 +576,7 @@ slap_sasl_authorize(
 {
        Connection *conn = (Connection *)context;
        struct propval auxvals[3];
-       struct berval authcDN, authzDN;
+       struct berval authcDN, authzDN=BER_BVNULL;
        int rc;
 
        /* Simple Binds don't support proxy authorization, ignore it */
@@ -601,17 +601,16 @@ slap_sasl_authorize(
        }
 
        AC_MEMCPY( &authcDN, auxvals[0].values[0], sizeof(authcDN) );
+       conn->c_sasl_dn = authcDN;
 
        /* Nothing to do if no authzID was given */
        if ( !auxvals[1].name || !auxvals[1].values ) {
-               conn->c_sasl_dn = authcDN;
                goto ok;
        }
        
        AC_MEMCPY( &authzDN, auxvals[1].values[0], sizeof(authzDN) );
 
        rc = slap_sasl_authorized( conn->c_sasl_bindop, &authcDN, &authzDN );
-       ch_free( authcDN.bv_val );
        if ( rc != LDAP_SUCCESS ) {
                Debug( LDAP_DEBUG_TRACE, "SASL Proxy Authorize [conn=%ld]: "
                        "proxy authorization disallowed (%d)\n",
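Review bot: `conn->c_sasl_dn = authcDN;` now runs before slap_sasl_authorized() and the `ch_free( authcDN.bv_val )` is gone, so on the SASL_NOAUTHZ return the connection keeps a pointer to the authcDN buffer. That is safe only if whatever handles the failed bind releases and zeroes `c_sasl_dn`, and if the field is empty on entry, since the plain assignment would otherwise drop an earlier buffer; neither is visible in this diff. The same reordering is made in the non-SASL2 branch (the hunks at -682 and -695), where the slap_sasl_getdn failure return also stops freeing authcDN. A short comment at the assignment, for example `/* ownership of authcDN passes to conn; released by the bind cleanup on failure */`, would make the contract explicit. The function continues outside the hunk.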
@@ -622,18 +621,19 @@ slap_sasl_authorize(
                return SASL_NOAUTHZ;
        }
 
-       conn->c_sasl_dn = authzDN;
+       conn->c_sasl_authz_dn = authzDN;
 ok:
        if (conn->c_sasl_bindop) {
                Statslog( LDAP_DEBUG_STATS,
-                       "conn=%lu op=%lu BIND authcid=\"%s\"\n",
+                       "conn=%lu op=%lu BIND authcid=\"%s\" authzid=\"%s\"\n",
                        conn->c_connid, conn->c_sasl_bindop->o_opid, 
-                       auth_identity, 0, 0);
+                       auth_identity, requested_user, 0);
        }
 
        Debug( LDAP_DEBUG_TRACE, "SASL Authorize [conn=%ld]: "
-               " proxy authorization allowed\n",
-               (long) (conn ? conn->c_connid : -1), 0, 0 );
+               " proxy authorization allowed authzDN=\"%s\"\n",
+               (long) (conn ? conn->c_connid : -1), 
+               authzDN.bv_val ? authzDN.bv_val : "", 0 );
        return SASL_OK;
 } 
 #else
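Review bot: `requested_user` is handed to `%s` in the Statslog call without the NULL guard that the other branch applies (`authzid ? authzid : ""`); using `requested_user ? requested_user : ""` here would keep the two consistent. The string is the identity the client asked for, not the DN that was authorized, so the stats line does not show which identity later operations will run as, while the resolved authzDN is only emitted at trace level. For audit purposes consider adding `authzDN.bv_val` (guarded as in the Debug call) to the stats line as well. The trace message also still reads "proxy authorization allowed" when `ok:` is reached with no authzID given.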
@@ -682,11 +682,11 @@ slap_sasl_authorize(
                *errstr = ldap_err2string( rc );
                return SASL_NOAUTHZ;
        }
+       conn->c_sasl_dn = authcDN;
        if( ( authzid == NULL ) || !strcmp( authcid, authzid ) ) {
                Debug( LDAP_DEBUG_TRACE, "SASL Authorize [conn=%ld]: "
                 "Using authcDN=%s\n", (long) (conn ? conn->c_connid : -1), authcDN.bv_val,0 );
 
-               conn->c_sasl_dn = authcDN;
                goto ok;
        }
 
@@ -695,13 +695,11 @@ slap_sasl_authorize(
        rc = slap_sasl_getdn( conn, NULL, &bvauthzid, realm,
                &authzDN, SLAP_GETDN_AUTHZID );
        if( rc != LDAP_SUCCESS ) {
-               ch_free( authcDN.bv_val );
                *errstr = ldap_err2string( rc );
                return SASL_NOAUTHZ;
        }
 
        rc = slap_sasl_authorized(conn->c_sasl_bindop, &authcDN, &authzDN );
-       ch_free( authcDN.bv_val );
        if( rc ) {
                Debug( LDAP_DEBUG_TRACE, "SASL Authorize [conn=%ld]: "
                        "proxy authorization disallowed (%d)\n",
@@ -711,18 +709,19 @@ slap_sasl_authorize(
                ch_free( authzDN.bv_val );
                return SASL_NOAUTHZ;
        }
-       conn->c_sasl_dn = authzDN;
+       conn->c_sasl_authz_dn = authzDN;
 
 ok:
        Debug( LDAP_DEBUG_TRACE, "SASL Authorize [conn=%ld]: "
-               " authorization allowed\n",
-               (long) (conn ? conn->c_connid : -1), 0, 0 );
+               " authorization allowed authzDN=\"%s\"\n",
+               (long) (conn ? conn->c_connid : -1),
+               authzDN.bv_val ? authzDN.bv_val : "", 0 );
 
        if (conn->c_sasl_bindop) {
                Statslog( LDAP_DEBUG_STATS,
-                       "conn=%lu op=%lu BIND authcid=\"%s\"\n",
+                       "conn=%lu op=%lu BIND authcid=\"%s\" authzid=\"%s\"\n",
                        conn->c_connid, conn->c_sasl_bindop->o_opid, 
-                       authcid, 0, 0);
+                       authcid, authzid ? authzid : "", 0);
        }
 
        *errstr = NULL;
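Review bot: The Debug call after `ok:` now reads `authzDN.bv_val`, and `ok:` is reachable through the `goto ok` taken when authzid is NULL or equals authcid, before slap_sasl_getdn has filled authzDN. The SASL2 branch gained `authzDN=BER_BVNULL` for exactly this reason, but the declaration for this branch is outside the diff; if it has no initializer, the trace line reads an indeterminate pointer. Confirm the declaration here is `struct berval authzDN = BER_BVNULL;` as well.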
index fb4403a500863da1ad7346b3e2c1c6ba6d894226..7daa0bfe05c16fc640fdf600046cef88c55f5072 100644 (file)
@@ -2484,6 +2484,7 @@ typedef struct slap_conn {
        int             c_sasl_bind_in_progress;        /* multi-op bind in progress */
        struct berval   c_sasl_bind_mech;                       /* mech in progress */
        struct berval   c_sasl_dn;      /* temporary storage */
+       struct berval   c_sasl_authz_dn;        /* SASL proxy authz */
 
        /* authorization backend */
        Backend *c_authz_backend;
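Review bot: The comment `/* SASL proxy authz */` does not say who owns the buffer or how the field relates to `c_sasl_dn`, which is labelled temporary storage. From the other hunks the field is set in slap_sasl_authorize, freed in connection2anonymous and, when non-NULL, replaces `c_dn`/`c_ndn` as the identity of new operations. A comment along the lines of `/* SASL proxy authz DN; owned by the connection, overrides c_dn/c_ndn for new ops while set */` would state that. The struct continues outside the hunk.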