From: Howard Chu
Date: Thu, 26 Feb 2004 11:48:34 +0000 (+0000)
Subject: ITS#2934 - don't touch conn->c_sasl_dn for Simple Binds
X-Git-Tag: OPENLDAP_REL_ENG_2_2_BP~407
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=2d0af83c71ccad7dc39480cb473269f993e297a3;p=openldap

ITS#2934 - don't touch conn->c_sasl_dn for Simple Binds
---

diff --git a/servers/slapd/bind.c b/servers/slapd/bind.c
index 461c83f151..5c9552825e 100644
--- a/servers/slapd/bind.c
+++ b/servers/slapd/bind.c
@@ -46,7 +46,6 @@ do_bind(
 {
 BerElement *ber = op->o_ber;
 ber_int_t version;
- ber_tag_t method;
 struct berval mech = { 0, NULL };
 struct berval dn = { 0, NULL };
 ber_tag_t tag;
@@ -107,7 +106,7 @@ do_bind(
 * }
 */
- tag = ber_scanf( ber, "{imt" /*}*/, &version, &dn, &method );
+ tag = ber_scanf( ber, "{imt" /*}*/, &version, &dn, &op->orb_method );
 if ( tag == LBER_ERROR ) {
 #ifdef NEW_LOGGING
@@ -123,7 +122,7 @@ do_bind(
 op->o_protocol = version;
- if( method != LDAP_AUTH_SASL ) {
+ if( op->orb_method != LDAP_AUTH_SASL ) {
 tag = ber_scanf( ber, /*{*/ "m}", &op->orb_cred );
 } else {
@@ -182,7 +181,7 @@ do_bind(
 goto cleanup;
 }
- if( method == LDAP_AUTH_SASL ) {
+ if( op->orb_method == LDAP_AUTH_SASL ) {
 #ifdef NEW_LOGGING
 LDAP_LOG( OPERATION, DETAIL1,
 "do_sasl_bind: conn %d dn (%s) mech %s\n",
@@ -197,17 +196,17 @@ do_bind(
 LDAP_LOG( OPERATION, DETAIL1,
 "do_bind: version=%ld dn=\"%s\" method=%ld\n",
 (unsigned long) version, op->o_req_dn.bv_val,
- (unsigned long) method );
+ (unsigned long) op->orb_method );
 #else
 Debug( LDAP_DEBUG_TRACE,
 "do_bind: version=%ld dn=\"%s\" method=%ld\n",
 (unsigned long) version, op->o_req_dn.bv_val,
- (unsigned long) method );
+ (unsigned long) op->orb_method );
 #endif
 }
 Statslog( LDAP_DEBUG_STATS, "conn=%lu op=%lu BIND dn=\"%s\" method=%ld\n",
- op->o_connid, op->o_opid, op->o_req_dn.bv_val, (unsigned long) method,
+ op->o_connid, op->o_opid, op->o_req_dn.bv_val, (unsigned long) op->orb_method,
 0 );
 if ( version < LDAP_VERSION_MIN || version > LDAP_VERSION_MAX ) {
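Review bot: The Statslog, Debug and LDAP_LOG lines rewritten in the @@ -197 hunk pass `(unsigned long) op->orb_method` (and `(unsigned long) version`) to a `%ld` conversion, which is a signed/unsigned format mismatch; the @@ -487 hunk on the next line repeats the pattern without the cast. The cast was inherited from the old `method` local, but since these lines are touched anyway, changing those specifiers to `%lu` (or dropping the casts) would make them -Wformat clean. Separately, `op->orb_method` is now filled by `ber_scanf` in the @@ -107 hunk and read later through `conn->c_sasl_bindop` in sasl.c, so it is worth confirming that the operation struct is zeroed on allocation; if it is not, initialising the field before the scan keeps a failed decode from leaving an indeterminate method in the op. do_bind's body continues outside every one of these hunks.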
@@ -249,7 +248,7 @@ do_bind(
 /* Set the bindop for the benefit of in-directory SASL lookups */
 op->o_conn->c_sasl_bindop = op;
- if ( method == LDAP_AUTH_SASL ) {
+ if ( op->orb_method == LDAP_AUTH_SASL ) {
 if ( version < LDAP_VERSION3 ) {
 #ifdef NEW_LOGGING
 LDAP_LOG( OPERATION, INFO,
@@ -370,7 +369,7 @@ do_bind(
 if ( pb ) {
 slapi_int_pblock_set_operation( pb, op );
 slapi_pblock_set( pb, SLAPI_BIND_TARGET, (void *)dn.bv_val );
- slapi_pblock_set( pb, SLAPI_BIND_METHOD, (void *)method );
+ slapi_pblock_set( pb, SLAPI_BIND_METHOD, (void *)op->orb_method );
 slapi_pblock_set( pb, SLAPI_BIND_CREDENTIALS, (void *)&op->orb_cred );
 slapi_pblock_set( pb, SLAPI_MANAGEDSAIT, (void *)(0) );
 (void) slapi_int_call_plugins( op->o_bd, SLAPI_PLUGIN_POST_BIND_FN, pb );
@@ -396,7 +395,7 @@ do_bind(
 ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex );
 }
- if ( method == LDAP_AUTH_SIMPLE ) {
+ if ( op->orb_method == LDAP_AUTH_SIMPLE ) {
 ber_str2bv( "SIMPLE", sizeof("SIMPLE")-1, 0, &mech );
 /* accept "anonymous" binds */
 if ( op->orb_cred.bv_len == 0 || op->o_req_ndn.bv_len == 0 ) {
@@ -459,7 +458,7 @@ do_bind(
 }
 #ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
- } else if ( method == LDAP_AUTH_KRBV41 || method == LDAP_AUTH_KRBV42 ) {
+ } else if ( op->orb_method == LDAP_AUTH_KRBV41 || op->orb_method == LDAP_AUTH_KRBV42 ) {
 if ( global_disallows & SLAP_DISALLOW_BIND_KRBV4 ) {
 /* disallow simple authentication */
 rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
@@ -487,11 +486,11 @@ do_bind(
 #ifdef NEW_LOGGING
 LDAP_LOG( OPERATION, INFO,
 "do_bind: conn %ld v%d unknown authentication method (%ld)\n",
- op->o_connid, version, method );
+ op->o_connid, version, op->orb_method );
 #else
 Debug( LDAP_DEBUG_TRACE,
 "do_bind: v%d unknown authentication method (%ld)\n",
- version, method, 0 );
+ version, op->orb_method, 0 );
 #endif
 goto cleanup;
 }
@@ -533,7 +532,7 @@ do_bind(
 int rc;
 slapi_int_pblock_set_operation( pb, op );
 slapi_pblock_set( pb, SLAPI_BIND_TARGET, (void *)dn.bv_val );
- slapi_pblock_set( pb, SLAPI_BIND_METHOD, (void *)method );
+ slapi_pblock_set( pb, SLAPI_BIND_METHOD, (void *)op->orb_method );
 slapi_pblock_set( pb, SLAPI_BIND_CREDENTIALS, (void *)&op->orb_cred );
 slapi_pblock_set( pb, SLAPI_MANAGEDSAIT, (void *)(0) );
 slapi_pblock_set( pb, SLAPI_CONN_DN, (void *)(0) );
@@ -614,7 +613,6 @@ do_bind(
 #endif /* defined( LDAP_SLAPI ) */
 if( op->o_bd->be_bind ) {
- op->orb_method = method;
 rs->sr_err = (op->o_bd->be_bind)( op, rs );
 if ( rs->sr_err == 0 ) {
@@ -685,10 +683,10 @@ do_bind(
 cleanup:
 if ( rs->sr_err == LDAP_SUCCESS ) {
- if ( method != LDAP_AUTH_SASL ) {
+ if ( op->orb_method != LDAP_AUTH_SASL ) {
 ber_dupbv( &op->o_conn->c_authmech, &mech );
 }
- op->o_conn->c_authtype = method;
+ op->o_conn->c_authtype = op->orb_method;
 }
 op->o_conn->c_sasl_bindop = NULL;
diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c
index e266b0e406..6ebb5d1cf6 100644
--- a/servers/slapd/sasl.c
+++ b/servers/slapd/sasl.c
@@ -773,6 +773,14 @@ slap_sasl_canonicalize(
 if ( inlen > out_max ) inlen = out_max-1;
+ /* This is a Simple Bind using SPASSWD. That means the in-directory
+ * userPassword of the Binding user already points at SASL, so it
+ * cannot be used to actually satisfy a password comparison. Just
+ * ignore it, some other mech will process it.
+ */
+ if ( !conn->c_sasl_bindop ||
+ conn->c_sasl_bindop->orb_method != LDAP_AUTH_SASL ) goto done;
 /* See if we need to add request, can only do it once */
 prop_getnames( props, slap_propnames, auxvals );
 if ( !auxvals[0].name )
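Review bot: The comment added in the @@ -773 hunk of sasl.c describes only the SPASSWD Simple Bind case, but the guard also fires when `conn->c_sasl_bindop` is NULL, i.e. when the canonicalize callback runs with no bind operation attached to the connection at all; the comment should say so, e.g. `/* No bind op in progress, or a Simple Bind using SPASSWD: ... */`, so a reader does not assume the NULL branch is unreachable. The `done:` label and what the function returns there are outside the hunk, so it is not visible here whether skipping prop_getnames and the auxprop request leaves anything the caller expects half-initialised. The same two-line predicate is repeated verbatim in slap_sasl_authorize in the next hunk; a small `static` helper (a constructed name such as `slap_sasl_bindop_is_sasl( conn )`) would keep the two in step if the condition ever changes. slap_sasl_canonicalize begins before this hunk.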
@@ -867,6 +875,10 @@ slap_sasl_authorize(
 struct berval authcDN, authzDN;
 int rc;
+ /* Simple Binds don't support proxy authorization, ignore it */
+ if ( !conn->c_sasl_bindop ||
+ conn->c_sasl_bindop->orb_method != LDAP_AUTH_SASL ) return SASL_OK;
 #ifdef NEW_LOGGING
 LDAP_LOG( TRANSPORT, ENTRY,
 "slap_sasl_authorize: conn %d authcid=\"%s\" authzid=\"%s\"\n",
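Review bot: The early `return SASL_OK` added here accepts the authorization step unconditionally for any bind that is not LDAP_AUTH_SASL, before the authcDN/authzDN comparison further down the function runs; that is a silent allow rather than an "ignore", so if the SASL library ever handed this callback a requested authorization identity that differs from the authenticated one on the Simple Bind path, the mismatch would go undetected. If the Simple Bind path always supplies identical identities (which appears to be the assumption), a one-line comment stating that invariant next to the return would make the reasoning checkable; otherwise returning SASL_NOAUTHZ when the two identities differ would be the safer default. The function's signature and the rest of its body are outside the hunk.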