ITS#3419: values in built auth DNs may need DN escaping, so build them via ldap_dn2bv
authorPierangelo Masarati <ando@openldap.org>
Mon, 6 Dec 2004 15:17:23 +0000 (15:17 +0000)
committerPierangelo Masarati <ando@openldap.org>
Mon, 6 Dec 2004 15:17:23 +0000 (15:17 +0000)
doc/man/man8/slapauth.8
servers/slapd/sasl.c
servers/slapd/slapauth.c
servers/slapd/slapcommon.c
servers/slapd/slapcommon.h

index 2575b0e1748472b38afe0e4df60bd56f5e5f1c68..2e838b654008f93ae8a5a38e89894cc6007dd3da 100644 (file)
@@ -8,6 +8,8 @@ slapauth \- Check a list of string-represented IDs for authc/authz.
 .B [\-v]
 .B [\-d level]
 .B [\-f slapd.conf]
+.B [\-M mech]
+.B [\-R realm]
 .B [\-U authcID]
 .B [\-X authzID]
 .B ID [...]
@@ -42,6 +44,12 @@ specify an alternative
 .BR slapd.conf (5)
 file.
 .TP
+.BI \-M " mech"
+specify a mechanism.
+.TP
+.BI \-R " realm"
+specify a realm.
+.TP
 .BI \-U " authcID"
 specify an ID to be used as 
 .I authcID
index 61c003ac321f640ccb9c8e881a0976e3914f41c2..1dcd8bbe95930ceb5f7283ad83f9bb332b095151 100644 (file)
@@ -1600,44 +1600,63 @@ int slap_sasl_getdn( Connection *conn, Operation *op, struct berval *id,
 
        /* Username strings */
        if( is_dn == SET_U ) {
-               char            *p;
-               struct berval   realm = BER_BVNULL, c1 = *dn;
-               ber_len_t       len;
-
-               len = dn->bv_len + STRLENOF( "uid=" ) + STRLENOF( ",cn=auth" );
-
-               if( user_realm && *user_realm ) {
-                       ber_str2bv( user_realm, 0, 0, &realm );
-                       len += realm.bv_len + STRLENOF( ",cn=" );
+               /* ITS#3419: values may need escape */
+               LDAPRDN         DN[ 5 ];
+               LDAPAVA         *RDNs[ 4 ][ 2 ];
+               LDAPAVA         AVAs[ 4 ];
+               int             irdn;
+
+               irdn = 0;
+               DN[ irdn ] = RDNs[ irdn ];
+               RDNs[ irdn ][ 0 ] = &AVAs[ irdn ];
+               BER_BVSTR( &AVAs[ irdn ].la_attr, "uid" );
+               AVAs[ irdn ].la_value = *dn;
+               AVAs[ irdn ].la_flags = LDAP_AVA_NULL;
+               AVAs[ irdn ].la_private = NULL;
+               RDNs[ irdn ][ 1 ] = NULL;
+
+               if ( user_realm && *user_realm ) {
+                       irdn++;
+                       DN[ irdn ] = RDNs[ irdn ];
+                       RDNs[ irdn ][ 0 ] = &AVAs[ irdn ];
+                       BER_BVSTR( &AVAs[ irdn ].la_attr, "cn" );
+                       ber_str2bv( user_realm, 0, 0, &AVAs[ irdn ].la_value );
+                       AVAs[ irdn ].la_flags = LDAP_AVA_NULL;
+                       AVAs[ irdn ].la_private = NULL;
+                       RDNs[ irdn ][ 1 ] = NULL;
                }
 
-               if( mech->bv_len ) {
-                       len += mech->bv_len + STRLENOF( ",cn=" );
+               if ( !BER_BVISNULL( mech ) ) {
+                       irdn++;
+                       DN[ irdn ] = RDNs[ irdn ];
+                       RDNs[ irdn ][ 0 ] = &AVAs[ irdn ];
+                       BER_BVSTR( &AVAs[ irdn ].la_attr, "cn" );
+                       AVAs[ irdn ].la_value = *mech;
+                       AVAs[ irdn ].la_flags = LDAP_AVA_NULL;
+                       AVAs[ irdn ].la_private = NULL;
+                       RDNs[ irdn ][ 1 ] = NULL;
                }
 
-               /* Build the new dn */
-               dn->bv_val = slap_sl_malloc( len + 1, op->o_tmpmemctx );
-               if( dn->bv_val == NULL ) {
-                       Debug( LDAP_DEBUG_ANY, 
-                               "slap_sasl_getdn: SLAP_MALLOC failed", 0, 0, 0 );
-                       return LDAP_OTHER;
-               }
-               p = lutil_strcopy( dn->bv_val, "uid=" );
-               p = lutil_strncopy( p, c1.bv_val, c1.bv_len );
+               irdn++;
+               DN[ irdn ] = RDNs[ irdn ];
+               RDNs[ irdn ][ 0 ] = &AVAs[ irdn ];
+               BER_BVSTR( &AVAs[ irdn ].la_attr, "cn" );
+               BER_BVSTR( &AVAs[ irdn ].la_value, "auth" );
+               AVAs[ irdn ].la_flags = LDAP_AVA_NULL;
+               AVAs[ irdn ].la_private = NULL;
+               RDNs[ irdn ][ 1 ] = NULL;
 
-               if( realm.bv_len ) {
-                       p = lutil_strcopy( p, ",cn=" );
-                       p = lutil_strncopy( p, realm.bv_val, realm.bv_len );
-               }
+               irdn++;
+               DN[ irdn ] = NULL;
 
-               if( mech->bv_len ) {
-                       p = lutil_strcopy( p, ",cn=" );
-                       p = lutil_strcopy( p, mech->bv_val );
+               rc = ldap_dn2bv_x( DN, dn, LDAP_DN_FORMAT_LDAPV3, op->o_tmpmemctx );
+               if ( rc != LDAP_SUCCESS ) {
+                       BER_BVZERO( dn );
+                       return rc;
                }
-               p = lutil_strcopy( p, ",cn=auth" );
-               dn->bv_len = p - dn->bv_val;
 
                Debug( LDAP_DEBUG_TRACE, "slap_sasl_getdn: u:id converted to %s\n", dn->bv_val,0,0 );
+
        } else {
                
                /* Dup the DN in any case, so we don't risk 
index 73b2ceb93da12d5e7509ce91d998fa06af863251..ec19742bd60930b1c8e23d66dc6b7299015b4c06 100644 (file)
@@ -40,7 +40,7 @@ do_check( Connection *c, Operation *op, struct berval *id )
        struct berval   authcdn;
        int             rc;
 
-       rc = slap_sasl_getdn( c, op, id, NULL, &authcdn, SLAP_GETDN_AUTHCID );
+       rc = slap_sasl_getdn( c, op, id, realm, &authcdn, SLAP_GETDN_AUTHCID );
        if ( rc != LDAP_SUCCESS ) {
                fprintf( stderr, "ID: <%s> check failed %d (%s)\n",
                                id->bv_val, rc,
@@ -91,6 +91,8 @@ slapauth( int argc, char **argv )
        op = (Operation *)opbuf;
        connection_fake_init( &conn, op, &conn );
 
+       conn.c_sasl_bind_mech = mech;
+
        if ( !BER_BVISNULL( &authzID ) ) {
                struct berval   authzdn;
                
index c185c08ef088d453bb0c52094c76df4786ba2aa7..fbae61c2abbdd0267db5dc5839e08a31dcfaffef 100644 (file)
@@ -72,7 +72,7 @@ usage( int tool, const char *progname )
                break;
 
        case SLAPAUTH:
-               options = "\t[-U authcID] [-X authzID] ID [...]\n";
+               options = "\t[-U authcID] [-X authzID] [-R realm] [-M mech] ID [...]\n";
                break;
 
        case SLAPACL:
@@ -138,7 +138,7 @@ slap_tool_init(
                break;
 
        case SLAPAUTH:
-               options = "d:f:U:vX:";
+               options = "d:f:M:R:U:vX:";
                mode |= SLAP_TOOL_READMAIN | SLAP_TOOL_READONLY;
                break;
 
@@ -217,6 +217,10 @@ slap_tool_init(
                        retrieve_ctxcsn = 1;
                        break;
 
+               case 'M':
+                       ber_str2bv( optarg, 0, 0, &mech );
+                       break;
+
                case 'n':       /* which config file db to index */
                        dbnum = atoi( optarg ) - 1;
                        break;
@@ -229,6 +233,10 @@ slap_tool_init(
                        replica_demotion = 1;           
                        break;
 
+               case 'R':
+                       realm = optarg;
+                       break;
+
                case 's':       /* dump subtree */
                        subtree = strdup( optarg );
                        break;
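Review bot: The usage string in the first hunk, `options = "\t[-U authcID] [-X authzID] [-R realm] [-M mech] ID [...]\n";`, lists the new options in a different order from the getopt string `"d:f:M:R:U:vX:"` and from the man page synopsis, both of which put -M and -R before -U; suggest `options = "\t[-M mech] [-R realm] [-U authcID] [-X authzID] ID [...]\n";`. In the last two hunks `realm = optarg;` and `ber_str2bv( optarg, 0, 0, &mech )` keep pointers into argv while the neighbouring `case 's'` copies with `strdup( optarg )`; argv outlives the tool so this is not a bug, but a short comment such as `/* points into argv; lives for the whole run */` would stop the next reader from "fixing" the inconsistency either way. Neither option rejects an empty argument, which matters for the `!BER_BVISNULL( mech )` test in sasl.c.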
index 9dcd3eb936c31372304731bfe4f268ea429149e2..ab3d0aa0c3c14f0d9c31a610a6b19510ed8d41e8 100644 (file)
@@ -57,6 +57,8 @@ typedef struct tool_vars {
        struct berval tv_baseDN;
        struct berval tv_authcID;
        struct berval tv_authzID;
+       struct berval tv_mech;
+       char    *tv_realm;
 } tool_vars;
 
 extern tool_vars tool_globals;
@@ -81,6 +83,8 @@ extern tool_vars tool_globals;
 #define baseDN tool_globals.tv_baseDN
 #define authcID tool_globals.tv_authcID
 #define authzID tool_globals.tv_authzID
+#define mech tool_globals.tv_mech
+#define realm tool_globals.tv_realm
 
 void slap_tool_init LDAP_P((
        const char* name,
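Review bot: `#define mech tool_globals.tv_mech` and `#define realm tool_globals.tv_realm` are object-like macros with very common identifiers, so any parameter, local or struct member named `mech` or `realm` in a translation unit that includes slapcommon.h is silently rewritten to the global; slap_sasl_getdn in sasl.c already has a parameter called `mech`, and only the fact that sasl.c does not include this header keeps it safe. The existing `authcID`/`authzID` macros follow the same pattern but are far less likely to collide. If the pattern is kept, a comment on the new lines such as `/* NOTE: bare identifiers; keep this header out of non-tool sources */` would at least record the hazard; renaming to `tool_mech`/`tool_realm` would remove it, at the cost of touching the uses in slapauth.c and slapcommon.c.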