Error handling changes including separation of client v. server
authorKurt Zeilenga <kurt@openldap.org>
Wed, 3 May 2000 18:59:58 +0000 (18:59 +0000)
committerKurt Zeilenga <kurt@openldap.org>
Wed, 3 May 2000 18:59:58 +0000 (18:59 +0000)
SASL to LDAP translation, plus comments and other minor changes

include/ldap.h
include/ldap_pvt.h
libraries/libldap/kbind.c
libraries/libldap/libldap.dsp
libraries/libldap/options.c
libraries/libldap/sasl.c
libraries/libldap_r/libldap_r.dsp
servers/slapd/sasl.c

index 14325afb982a88739510fd8a49113b414b4c6cb2..3591417684aa97f83266e310e3811d0b07c51167 100644 (file)
@@ -102,6 +102,8 @@ LDAP_BEGIN_DECL
 
 /* 0x34 - 0x0fff not defined by current draft */
 
+#define LDAP_OPT_PRIVATE_EXTENSION_BASE 0x4000  /* to 0x7FFF inclusive */
+
 /* private and experimental options */
 #define LDAP_OPT_DNS                           0x4001  /* use DN & DNS */
 
@@ -112,7 +114,7 @@ LDAP_BEGIN_DECL
 #define LDAP_OPT_NETWORK_TIMEOUT        0x5005  /* socket level timeout */
 #define LDAP_OPT_URI                           0x5006
 
-/* TLS options */
+/* OpenLDAP TLS options */
 #define LDAP_OPT_X_TLS_CACERTFILE      0x6001
 #define LDAP_OPT_X_TLS_CACERTDIR       0x6002
 #define LDAP_OPT_X_TLS_CERT            0x6003
@@ -129,7 +131,7 @@ LDAP_BEGIN_DECL
 #define LDAP_OPT_X_TLS_ALLOW           3
 #define LDAP_OPT_X_TLS_TRY             4
 
-/* SASL options */
+/* OpenLDAP SASL options */
 #define LDAP_OPT_X_SASL_MINSSF         0x6100
 #define LDAP_OPT_X_SASL_MAXSSF         0x6101
 #define LDAP_OPT_X_SASL_ACTSSF         0x6102
index 14b6a97bbe9f1e172d9d943612db6ca7298e6a99..6164c0574363a99aef3a3f64c8f2aaddc0ce87f3 100644 (file)
@@ -113,7 +113,6 @@ LIBLDAP_F (int) ldap_pvt_unhex( int c );
 
 LIBLDAP_F (int) ldap_pvt_sasl_init LDAP_P(( void )); /* clientside init */
 LIBLDAP_F (int) ldap_pvt_sasl_install LDAP_P(( Sockbuf *, void * ));
-LIBLDAP_F (int) ldap_pvt_sasl_err2ldap LDAP_P(( int ));
 LIBLDAP_F (int) ldap_pvt_sasl_bind LDAP_P(( LDAP *, LDAP_CONST char *,
        LDAP_CONST char *, LDAP_CONST sasl_callback_t *, LDAPControl **,
        LDAPControl ** ));
index 191ef01a88dff97b027b9fd2acd74904e31c20cf..35a7e52224c60fd58e2f050c5ea1eed58f1b568c 100644 (file)
@@ -269,7 +269,7 @@ ldap_get_kerberosv4_credentials(
                fprintf( stderr, "krb_get_tf_realm failed (%s)\n",
                    krb_err_txt[err] );
 #endif /* LDAP_LIBUI */
-               ld->ld_errno = LDAP_INVALID_CREDENTIALS;
+               ld->ld_errno = LDAP_AUTH_UNKNOWN;
                return( NULL );
        }
 
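Review bot: Both failure paths in this function now report LDAP_AUTH_UNKNOWN, although the diagnostics printed just above them (`krb_get_tf_realm failed` here, `krb_mk_req failed` in the next hunk) describe a local Kerberos credential failure rather than an unrecognised authentication method. If the intent is that every client-side credential-acquisition failure surfaces as this one API code, a short comment on the assignment should say so, e.g. `/* local credential acquisition failed; reported as an API error, not a protocol result */`, so a later reader does not "fix" it back to LDAP_INVALID_CREDENTIALS. Otherwise LDAP_LOCAL_ERROR, which this same commit uses for SASL_FAIL in libldap/sasl.c, looks like the closer match. ldap_get_kerberosv4_credentials starts and ends outside these hunks.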
@@ -287,7 +287,7 @@ ldap_get_kerberosv4_credentials(
 #ifdef LDAP_LIBUI
                fprintf( stderr, "krb_mk_req failed (%s)\n", krb_err_txt[err] );
 #endif /* LDAP_LIBUI */
-               ld->ld_errno = LDAP_INVALID_CREDENTIALS;
+               ld->ld_errno = LDAP_AUTH_UNKNOWN;
                return( NULL );
        }
 
index a10d119f3e6e88fa2f9f3b7a1364bdedd32ea808..be68c42fb21ea7ffc6543129516fd7d96528254d 100644 (file)
@@ -355,6 +355,10 @@ SOURCE=.\string.c
 # End Source File
 # Begin Source File
 
+SOURCE=.\tls.c
+# End Source File
+# Begin Source File
+
 SOURCE=.\ufn.c
 # End Source File
 # Begin Source File
index fcf7cc7ca5da4d2b9e358dea15c576f1a2023f50..d7db40b27e86fc4f787bb195e2b627b43bdeb92f 100644 (file)
@@ -568,7 +568,7 @@ ldap_set_option(
        default:
 #ifdef HAVE_TLS
                if ( ldap_pvt_tls_set_option( lo, option, (void *)invalue ) == 0 )
-                       return LDAP_OPT_SUCCESS;
+               return LDAP_OPT_SUCCESS;
 #endif
 #ifdef HAVE_CYRUS_SASL
                if ( ldap_pvt_sasl_set_option( ld, option, (void *)invalue ) == 0 )
index 31c9e063cb1a710cb2d0357c68d0afcdba4d6d14..062d10e3830ba6d26d7133b1eadf348ffbfb068a 100644 (file)
@@ -497,42 +497,43 @@ static int sasl_close( Sockbuf *sb )
        (ber_pvt_sb_io_tcp.sbi_close)( sb );
 }
 
-int
-ldap_pvt_sasl_err2ldap( int saslerr )
+static int
+sasl_err2ldap( int saslerr )
 {
        int rc;
 
        switch (saslerr) {
                case SASL_CONTINUE:
-                       rc = LDAP_SASL_BIND_IN_PROGRESS;
+                       rc = LDAP_MORE_RESULTS_TO_RETURN;
                        break;
                case SASL_OK:
                        rc = LDAP_SUCCESS;
                        break;
                case SASL_FAIL:
-                       rc = LDAP_OPERATIONS_ERROR;
+                       rc = LDAP_LOCAL_ERROR;
                        break;
                case SASL_NOMEM:
                        rc = LDAP_NO_MEMORY;
                        break;
                case SASL_NOMECH:
-                       rc = LDAP_AUTH_METHOD_NOT_SUPPORTED;
+                       rc = LDAP_AUTH_UNKNOWN;
                        break;
                case SASL_BADAUTH:
-                       rc = LDAP_INVALID_CREDENTIALS;
+                       rc = LDAP_AUTH_UNKNOWN;
                        break;
                case SASL_NOAUTHZ:
-                       rc = LDAP_INSUFFICIENT_ACCESS;
+                       rc = LDAP_PARAM_ERROR;
                        break;
                case SASL_TOOWEAK:
                case SASL_ENCRYPT:
-                       rc = LDAP_INAPPROPRIATE_AUTH;
+                       rc = LDAP_AUTH_UNKNOWN;
                        break;
                default:
-                       rc = LDAP_OPERATIONS_ERROR;
+                       rc = LDAP_LOCAL_ERROR;
                        break;
        }
 
+       assert( rc == LDAP_SUCCESS || LDAP_API_ERROR( rc ) );
        return rc;
 }
 
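Review bot: The new table folds SASL_NOMECH, SASL_BADAUTH, SASL_TOOWEAK and SASL_ENCRYPT into a single LDAP_AUTH_UNKNOWN, so a caller can no longer tell a rejected credential from a security layer that did not reach the required strength, and SASL_TOOWEAK/SASL_ENCRYPT are exactly the cases an operator needs to see distinctly when a minimum SSF is enforced. If the collapse is deliberate because ld_errno may only hold API error codes (which the added assert enforces), the function deserves a header comment saying so and noting that the server keeps its own protocol-code mapping in slapd/sasl.c; otherwise at least the TOOWEAK/ENCRYPT pair should keep a code of its own. SASL_NOAUTHZ mapping to LDAP_PARAM_ERROR is similarly lossy and would benefit from a one-line justification. Note that `assert( rc == LDAP_SUCCESS || LDAP_API_ERROR( rc ) );` compiles out under NDEBUG, which is acceptable here because rc is fixed by the switch, but it relies on <assert.h> being included above this hunk.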
@@ -656,7 +657,7 @@ ldap_pvt_sasl_bind(
 
        if ( (saslrc != SASL_OK) && (saslrc != SASL_CONTINUE) ) {
                LDAP_FREE( mechlist );
-               ld->ld_errno = ldap_pvt_sasl_err2ldap( rc );
+               ld->ld_errno = sasl_err2ldap( rc );
                sasl_dispose( &ld->ld_sasl_context );
                return ld->ld_errno;
        }
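Review bot: The argument on the renamed line is `rc`, while the condition two lines above tests `saslrc`; the other two call sites in this function pass `saslrc`, so this one most likely translates an LDAP return code as though it were a SASL error and stores a misleading ld_errno. Unless rc is assigned from the same SASL call (its declaration is outside the hunk), the line should read `ld->ld_errno = sasl_err2ldap( saslrc );`. ldap_pvt_sasl_bind starts and ends outside this hunk.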
@@ -675,7 +676,7 @@ ldap_pvt_sasl_bind(
        LDAP_FREE( mechlist );
 
        if ( (saslrc != SASL_OK) && (saslrc != SASL_CONTINUE) ) {
-               ld->ld_errno = ldap_pvt_sasl_err2ldap( saslrc );
+               ld->ld_errno = sasl_err2ldap( saslrc );
                sasl_dispose( &ld->ld_sasl_context );
                return ld->ld_errno;
        }
@@ -711,7 +712,7 @@ ldap_pvt_sasl_bind(
                ber_bvfree( scred );
 
                if ( (saslrc != SASL_OK) && (saslrc != SASL_CONTINUE) ) {
-                       ld->ld_errno = ldap_pvt_sasl_err2ldap( saslrc );
+                       ld->ld_errno = sasl_err2ldap( saslrc );
                        sasl_dispose( &ld->ld_sasl_context );
                        return ld->ld_errno;
                }
index 960a8237405f7dad37a83ae391f20bc9e76a2f25..76bdfdcf7e0240fd5419feb8ad4d21afb6072a09 100644 (file)
@@ -348,6 +348,10 @@ SOURCE=.\thr_stub.c
 # End Source File
 # Begin Source File
 
+SOURCE=..\libldap\tls.c
+# End Source File
+# Begin Source File
+
 SOURCE=..\libldap\ufn.c
 # End Source File
 # Begin Source File
index 677805fb1726a3f6c137c7a2338732d0bd4a175b..e51de293a9cb0d4dca6ed392bd12d7e1e848f993 100644 (file)
@@ -19,33 +19,73 @@ char **supportedSASLMechanisms = NULL;
 char *sasl_host = NULL;
 
 #ifdef HAVE_CYRUS_SASL
-static void *sasl_pvt_mutex_new(void)
+static void *slap_sasl_mutex_new(void)
 {
        ldap_pvt_thread_mutex_t *mutex;
 
-       mutex = (ldap_pvt_thread_mutex_t *)ch_malloc( sizeof(ldap_pvt_thread_mutex_t) );
+       mutex = (ldap_pvt_thread_mutex_t *) ch_malloc( sizeof(ldap_pvt_thread_mutex_t) );
        if ( ldap_pvt_thread_mutex_init( mutex ) == 0 ) {
                return mutex;
        }
        return NULL;
 }
 
-static int sasl_pvt_mutex_lock(void *mutex)
+static int slap_sasl_mutex_lock(void *mutex)
 {
        return ldap_pvt_thread_mutex_lock( (ldap_pvt_thread_mutex_t *)mutex );
 }
 
-static int sasl_pvt_mutex_unlock(void *mutex)
+static int slap_sasl_mutex_unlock(void *mutex)
 {
        return ldap_pvt_thread_mutex_unlock( (ldap_pvt_thread_mutex_t *)mutex );
 }
 
-static void sasl_pvt_mutex_dispose(void *mutex)
+static void slap_sasl_mutex_dispose(void *mutex)
 {
        (void) ldap_pvt_thread_mutex_destroy( (ldap_pvt_thread_mutex_t *)mutex );
        free( mutex );
 }
 
+static int
+slap_sasl_err2ldap( int saslerr )
+{
+       int rc;
+
+       switch (saslerr) {
+               case SASL_CONTINUE:
+                       rc = LDAP_SASL_BIND_IN_PROGRESS;
+                       break;
+               case SASL_OK:
+                       rc = LDAP_SUCCESS;
+                       break;
+               case SASL_FAIL:
+                       rc = LDAP_OTHER;
+                       break;
+               case SASL_NOMEM:
+                       rc = LDAP_OTHER;
+                       break;
+               case SASL_NOMECH:
+                       rc = LDAP_AUTH_METHOD_NOT_SUPPORTED;
+                       break;
+               case SASL_BADAUTH:
+                       rc = LDAP_INVALID_CREDENTIALS;
+                       break;
+               case SASL_NOAUTHZ:
+                       rc = LDAP_INSUFFICIENT_ACCESS;
+                       break;
+               case SASL_TOOWEAK:
+               case SASL_ENCRYPT:
+                       rc = LDAP_INAPPROPRIATE_AUTH;
+                       break;
+               default:
+                       rc = LDAP_OTHER;
+                       break;
+       }
+
+       return rc;
+}
+
+
 int sasl_init( void )
 {
        int rc;
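Review bot: slap_sasl_mutex_new still leaks the block obtained from ch_malloc when ldap_pvt_thread_mutex_init fails, because it returns NULL without releasing it; mirroring slap_sasl_mutex_dispose, the failure path should be `free( mutex ); return NULL;`. Separately, the new slap_sasl_err2ldap carries no comment explaining that, unlike the client-library mapping, it yields protocol result codes that are sent to the peer through send_ldap_result (LDAP_SASL_BIND_IN_PROGRESS, LDAP_INVALID_CREDENTIALS, LDAP_OTHER), which is the reason the two tables must differ; a two-line header comment stating that contract would stop someone from "deduplicating" the two functions later. Mapping SASL_NOMEM to LDAP_OTHER is reasonable only if ch_malloc, installed via sasl_set_alloc, does not return on failure — presumably true, but worth confirming.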
@@ -54,8 +94,11 @@ int sasl_init( void )
 
        sasl_set_alloc( ch_malloc, ch_calloc, ch_realloc, ch_free ); 
 
-       sasl_set_mutex( sasl_pvt_mutex_new, sasl_pvt_mutex_lock,
-               sasl_pvt_mutex_unlock, sasl_pvt_mutex_dispose );
+       sasl_set_mutex(
+               slap_sasl_mutex_new,
+               slap_sasl_mutex_lock,
+               slap_sasl_mutex_unlock,
+               slap_sasl_mutex_dispose );
 
        rc = sasl_server_init( NULL, "slapd" );
 
@@ -188,7 +231,7 @@ int sasl_bind(
                                cred->bv_val, cred->bv_len, (char **)&response.bv_val,
                                (unsigned *)&response.bv_len, &errstr );
                        if ( (sc != SASL_OK) && (sc != SASL_CONTINUE) ) {
-                               send_ldap_result( conn, op, rc = ldap_pvt_sasl_err2ldap( sc ),
+                               send_ldap_result( conn, op, rc = slap_sasl_err2ldap( sc ),
                                        NULL, errstr, NULL, NULL );
                        }
                }
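Review bot: On the changed line the `errstr` filled in by sasl_server_start is forwarded verbatim as the error text of the failure result alongside the mapped code, and the next hunk does the same for sasl_server_step. Whether that string lets a client distinguish cases it should not be able to distinguish (for example an unknown identity from a wrong password) depends on the mechanism, so the defensive choice is to log errstr on the server and send a fixed text, e.g. `send_ldap_result( conn, op, rc = slap_sasl_err2ldap( sc ), NULL, NULL, NULL, NULL );` with errstr written to the debug log instead. sasl_bind starts and ends outside this hunk.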
@@ -196,7 +239,7 @@ int sasl_bind(
                sc = sasl_server_step( conn->c_sasl_bind_context, cred->bv_val, cred->bv_len,
                        (char **)&response.bv_val, (unsigned *)&response.bv_len, &errstr );
                if ( (sc != SASL_OK) && (sc != SASL_CONTINUE) ) {
-                       send_ldap_result( conn, op, rc = ldap_pvt_sasl_err2ldap( sc ),
+                       send_ldap_result( conn, op, rc = slap_sasl_err2ldap( sc ),
                                NULL, errstr, NULL, NULL );
                }
        }
@@ -206,7 +249,7 @@ int sasl_bind(
 
                if ( ( sc = sasl_getprop( conn->c_sasl_bind_context, SASL_USERNAME,
                        (void **)&authzid ) ) != SASL_OK ) {
-                       send_ldap_result( conn, op, rc = ldap_pvt_sasl_err2ldap( sc ),
+                       send_ldap_result( conn, op, rc = slap_sasl_err2ldap( sc ),
                                NULL, NULL, NULL, NULL );
 
                } else {