From: Pierangelo Masarati <ando@openldap.org>
Date: Mon, 31 Jan 2011 22:07:04 +0000 (+0000)
Subject: first cut at SASL bind issues in idassert (related to ITS#6817)
X-Git-Tag: MIGRATION_CVS2GIT~148
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=293b5e51a5f6cc11c3ea173392662449388b46bb;p=openldap

first cut at SASL bind issues in idassert (related to ITS#6817)
---

diff --git a/doc/man/man5/slapd-ldap.5 b/doc/man/man5/slapd-ldap.5
index 9e9e4fd7f6..2fec6fe287 100644
--- a/doc/man/man5/slapd-ldap.5
+++ b/doc/man/man5/slapd-ldap.5
@@ -338,6 +338,15 @@ permissions, or the asserted identities must have appropriate
 .I authzFrom 
 permissions.  Note, however, that the ID assertion feature is mostly 
 useful when the asserted identities do not exist on the remote server.
+When
+.I bindmethod
+is
+.BR SASL ,
+the 
+.I authcDN
+must be specified in addition to the
+.IR authcID ,
+although it is not used within the authentication process.
 
 Flags can be
 
diff --git a/doc/man/man5/slapd-meta.5 b/doc/man/man5/slapd-meta.5
index 2d984d5f37..8c996b6428 100644
--- a/doc/man/man5/slapd-meta.5
+++ b/doc/man/man5/slapd-meta.5
@@ -480,6 +480,15 @@ permissions, or the asserted identities must have appropriate
 .I authzFrom 
 permissions.  Note, however, that the ID assertion feature is mostly 
 useful when the asserted identities do not exist on the remote server.
+When
+.I bindmethod
+is
+.BR SASL ,
+the 
+.I authcDN
+must be specified in addition to the
+.IR authcID ,
+although it is not used within the authentication process.
 
 Flags can be
 
diff --git a/servers/slapd/back-ldap/back-ldap.h b/servers/slapd/back-ldap/back-ldap.h
index f06c34eb20..e8b352212a 100644
--- a/servers/slapd/back-ldap/back-ldap.h
+++ b/servers/slapd/back-ldap/back-ldap.h
@@ -235,6 +235,9 @@ typedef struct slap_idassert_t {
 #define	LDAP_BACK_AUTH_OBSOLETE_ENCODING_WORKAROUND	(0x10U)
 #define	LDAP_BACK_AUTH_AUTHZ_ALL			(0x20U)
 #define	LDAP_BACK_AUTH_PROXYAUTHZ_CRITICAL		(0x40U)
+#define LDAP_BACK_AUTH_DN_AUTHZID			(0x100U)
+#define LDAP_BACK_AUTH_DN_WHOAMI			(0x200U)
+#define LDAP_BACK_AUTH_DN_MASK				(LDAP_BACK_AUTH_DN_AUTHZID|LDAP_BACK_AUTH_DN_WHOAMI)
 #define	li_idassert_flags	li_idassert.si_flags
 
 	BerVarray	si_authz;
diff --git a/servers/slapd/back-ldap/config.c b/servers/slapd/back-ldap/config.c
index 8dba7b0942..1719490625 100644
--- a/servers/slapd/back-ldap/config.c
+++ b/servers/slapd/back-ldap/config.c
@@ -866,6 +866,17 @@ slap_idassert_parse( ConfigArgs *c, slap_idassert_t *si )
 				} else if ( strcasecmp( flags[ j ], "proxy-authz-non-critical" ) == 0 ) {
 					si->si_flags &= ~LDAP_BACK_AUTH_PROXYAUTHZ_CRITICAL;
 
+				} else if ( strcasecmp( flags[ j ], "dn-none" ) == 0 ) {
+					si->si_flags &= ~LDAP_BACK_AUTH_DN_MASK;
+
+				} else if ( strcasecmp( flags[ j ], "dn-authzid" ) == 0 ) {
+					si->si_flags &= ~LDAP_BACK_AUTH_DN_MASK;
+					si->si_flags |= LDAP_BACK_AUTH_DN_AUTHZID;
+
+				} else if ( strcasecmp( flags[ j ], "dn-whoami" ) == 0 ) {
+					si->si_flags &= ~LDAP_BACK_AUTH_DN_MASK;
+					si->si_flags |= LDAP_BACK_AUTH_DN_WHOAMI;
+
 				} else {
 					snprintf( c->cr_msg, sizeof( c->cr_msg ),
 						"\"idassert-bind <args>\": "
@@ -902,6 +913,17 @@ slap_idassert_parse( ConfigArgs *c, slap_idassert_t *si )
 			Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
 			return 1;
 		}
+
+	} else if ( si->si_bc.sb_method == LDAP_AUTH_SASL ) {
+		if ( BER_BVISNULL( &si->si_bc.sb_binddn ) &&
+			!(si->si_flags & LDAP_BACK_AUTH_DN_MASK) )
+		{
+			snprintf( c->cr_msg, sizeof( c->cr_msg ),
+				"\"idassert-bind <args>\": "
+				"SASL needs \"binddn\" or either \"dn-authzid\" or \"dn-whoami\" in flags" );
+			Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
+			return 1;
+		}
 	}
 
 	bindconf_tls_defaults( &si->si_bc );
@@ -1140,7 +1162,7 @@ ldap_back_cf_gen( ConfigArgs *c )
 					(void)lutil_strcopy( ptr, "authz=native" );
 				}
 
-				len = bv.bv_len + STRLENOF( "flags=non-prescriptive,override,obsolete-encoding-workaround,proxy-authz-non-critical" );
+				len = bv.bv_len + STRLENOF( "flags=non-prescriptive,override,obsolete-encoding-workaround,proxy-authz-non-critical,dn-authzid" );
 				/* flags */
 				if ( !BER_BVISEMPTY( &bv ) ) {
 					len += STRLENOF( " " );
@@ -1180,6 +1202,20 @@ ldap_back_cf_gen( ConfigArgs *c )
 					ptr = lutil_strcopy( ptr, ",proxy-authz-non-critical" );
 				}
 
+				switch ( li->li_idassert_flags & LDAP_BACK_AUTH_DN_MASK ) {
+				case LDAP_BACK_AUTH_DN_AUTHZID:
+					ptr = lutil_strcopy( ptr, ",dn-authzid" );
+					break;
+
+				case LDAP_BACK_AUTH_DN_WHOAMI:
+					ptr = lutil_strcopy( ptr, ",dn-whoami" );
+					break;
+
+				default:
+					ptr = lutil_strcopy( ptr, ",dn-none" );
+					break;
+				}
+
 				bv.bv_len = ( ptr - bv.bv_val );
 				/* end-of-flags */
 			}