From: Howard Chu Date: Wed, 12 Jun 2002 04:05:48 +0000 (+0000) Subject: Finished slap_sasl_setpass for Cyrus 1.5; Cyrus 2.1 is incomplete. X-Git-Tag: NO_SLAP_OP_BLOCKS~1478 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=6d1a322f739a2737b1a828675754cd9bba38b6ee;p=openldap Finished slap_sasl_setpass for Cyrus 1.5; Cyrus 2.1 is incomplete. Added conn->c_sasl_dn, streamlined slap_sasl_bind. --- diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c index 9ca2035751..86b6a3d9da 100644 --- a/servers/slapd/sasl.c +++ b/servers/slapd/sasl.c @@ -602,17 +602,26 @@ slap_sasl_authorize( "authcid=\"%s\" authzid=\"%s\"\n", conn ? conn->c_connid : -1, auth_identity, requested_user ); #endif + if ( conn->c_sasl_dn.bv_val ) { + ch_free( conn->c_sasl_dn.bv_val ); + conn->c_sasl_dn.bv_val = NULL; + conn->c_sasl_dn.bv_len = 0; + } prop_getnames( props, slap_propnames, auxvals ); + AC_MEMCPY( &authcDN, auxvals[0].values[0], sizeof(authcDN) ); + /* Nothing to do if no authzID was given */ - if ( !auxvals[1].name || !auxvals[1].values ) + if ( !auxvals[1].name || !auxvals[1].values ) { + conn->c_sasl_dn = authcDN; return SASL_OK; + } - AC_MEMCPY( &authcDN, auxvals[0].values[0], sizeof(authcDN) ); AC_MEMCPY( &authzDN, auxvals[1].values[0], sizeof(authzDN) ); rc = slap_sasl_authorized( &authcDN, &authzDN ); + ch_free( authcDN.bv_val ); if ( rc != LDAP_SUCCESS ) { #ifdef NEW_LOGGING LDAP_LOG(( "sasl", LDAP_LEVEL_INFO, @@ -625,9 +634,12 @@ slap_sasl_authorize( #endif sasl_seterror( sconn, 0, "not authorized" ); + ch_free( authzDN.bv_val ); return SASL_NOAUTHZ; } + conn->c_sasl_sdn = authzDN; + #ifdef NEW_LOGGING LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY, "slap_sasl_authorize: conn %d authorization allowed\n", @@ -654,6 +666,11 @@ slap_sasl_authorize( char *realm; *user = NULL; + if ( conn->c_sasl_dn.bv_val ) { + ch_free( conn->c_sasl_dn.bv_val ); + conn->c_sasl_dn.bv_val = NULL; + conn->c_sasl_dn.bv_len = 0; + } #ifdef NEW_LOGGING LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY, 
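Review bot: The added `if ( conn->c_sasl_dn.bv_val )` block, and later `conn->c_sasl_dn = authcDN;`, dereference conn unconditionally, while the logging call just above still writes `conn ? conn->c_connid : -1`, so either that ternary is dead or the new code can fault on a NULL conn. If conn can legitimately be NULL in this callback, return an error before touching it, e.g. `if ( conn == NULL ) { sasl_seterror( sconn, 0, "no connection" ); return SASL_NOAUTHZ; }`; if it cannot, a comment saying so would keep the next reader from adding guards. The same pattern appears in the Cyrus 1.5 path in the hunk starting at -654 (and its `conn->c_sasl_dn = ...` assignments at -700 and -739), where the log lines also use the ternary. slap_sasl_authorize begins outside this hunk.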
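Review bot: `conn->c_sasl_sdn = authzDN;` writes to a field this commit does not declare: the slap.h hunk adds `c_sasl_dn`, and slap_sasl_bind reads `conn->c_sasl_dn`, so this looks like a typo that will not compile under Cyrus 2.x, or, if a `c_sasl_sdn` field exists elsewhere, leaves c_sasl_dn empty on every bind that carried an authzID and leaks authzDN.bv_val. The line should read `conn->c_sasl_dn = authzDN;`. The enclosing function continues past the end of the hunk.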
@@ -700,7 +717,7 @@ slap_sasl_authorize( "Using authcDN=%s\n", (long) (conn ? conn->c_connid : -1), authcDN.bv_val,0 ); #endif - *user = authcDN.bv_val; + conn->c_sasl_dn = authcDN; *errstr = NULL; return SASL_OK; } @@ -712,6 +729,7 @@ slap_sasl_authorize( } rc = slap_sasl_authorized( &authcDN, &authzDN ); + ch_free( authcDN.bv_val ); if( rc ) { #ifdef NEW_LOGGING LDAP_LOG(( "sasl", LDAP_LEVEL_INFO, @@ -724,7 +742,6 @@ slap_sasl_authorize( #endif *errstr = "not authorized"; - ch_free( authcDN.bv_val ); ch_free( authzDN.bv_val ); return SASL_NOAUTHZ; } @@ -739,9 +756,7 @@ slap_sasl_authorize( (long) (conn ? conn->c_connid : -1), 0, 0 ); #endif - - ch_free( authcDN.bv_val ); - *user = authzDN.bv_val; + conn->c_sasl_dn = authzDN; *errstr = NULL; return SASL_OK; } @@ -1169,18 +1184,11 @@ int slap_sasl_bind( response.bv_len = reslen; if ( sc == SASL_OK ) { -#if SASL_VERSION_MAJOR >= 2 - struct propctx *props = sasl_auxprop_getctx( ctx ); - struct propval vals[3]; sasl_ssf_t *ssf = NULL; - prop_getnames( props, slap_propnames, vals ); - - AC_MEMCPY( edn, vals[0].values[0], sizeof(*edn) ); - if ( vals[1].name && vals[1].values ) { - ch_free( edn->bv_val ); - AC_MEMCPY( edn, vals[1].values[0], sizeof(*edn) ); - } + *edn = conn->c_sasl_dn; + conn->c_sasl_dn.bv_val = NULL; + conn->c_sasl_dn.bv_len = 0; rc = LDAP_SUCCESS; 
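Review bot: Replacing `*user = authcDN.bv_val;` with `conn->c_sasl_dn = authcDN;` (and `*user = authzDN.bv_val;` in the hunk at -739) means the Cyrus 1.5 authorize callback now returns SASL_OK with `*user` still NULL from the `*user = NULL;` at the top of this path (hunk -654). Whether the 1.5 library then falls back to requested_user or treats that as a failure should be confirmed, particularly because the new slap_sasl_setpass code relies on the SASL_USERNAME property that this callback's result may feed. If leaving it NULL is intended, say so on the assignment: `/* *user stays NULL; the DN reaches slap_sasl_bind through conn->c_sasl_dn */`. The function starts outside the hunk.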
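Review bot: `*edn = conn->c_sasl_dn;` hands the caller whatever the authorize callback left in the connection without checking that bv_val is non-NULL, and `rc = LDAP_SUCCESS;` follows regardless. If the callback did not run for this mechanism, or stored the DN elsewhere (as the `conn->c_sasl_sdn` assignment in the earlier hunk would), the bind succeeds with an empty DN, which the rest of slapd would presumably treat like an anonymous bind. Failing the bind when `conn->c_sasl_dn.bv_val == NULL`, before the `rc = LDAP_SUCCESS;` line, is a cheap guard. The remainder of slap_sasl_bind, including where edn is consumed, is outside the hunk.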
@@ -1196,46 +1204,6 @@ int slap_sasl_bind( send_ldap_sasl( conn, op, rc, NULL, NULL, NULL, NULL, response.bv_len ? &response : NULL ); -#else - char *username = NULL; - - sc = sasl_getprop( ctx, - SASL_USERNAME, (SASL_CONST void **)&username ); - - if ( sc != SASL_OK ) { -#ifdef NEW_LOGGING - LDAP_LOG(( "sasl", LDAP_LEVEL_ERR, - "slap_sasl_bind: getprop(USERNAME) failed: %d\n", sc )); -#else - Debug(LDAP_DEBUG_TRACE, - "slap_sasl_bind: getprop(USERNAME) failed!\n", - 0, 0, 0); -#endif - - - send_ldap_result( conn, op, rc = slap_sasl_err2ldap( sc ), - NULL, "no SASL username", NULL, NULL ); - - } else { - sasl_ssf_t *ssf = NULL; - - rc = LDAP_SUCCESS; - ber_str2bv( username, 0, 1, edn ); - - (void) sasl_getprop( ctx, SASL_SSF, (void *)&ssf ); - *ssfp = ssf ? *ssf : 0; - - if( *ssfp ) { - ldap_pvt_thread_mutex_lock( &conn->c_mutex ); - conn->c_sasl_layers++; - ldap_pvt_thread_mutex_unlock( &conn->c_mutex ); - } - - send_ldap_sasl( conn, op, rc, - NULL, NULL, NULL, NULL, - response.bv_len ? &response : NULL ); - } -#endif } else if ( sc == SASL_CONTINUE ) { send_ldap_sasl( conn, op, rc = LDAP_SASL_BIND_IN_PROGRESS, @@ -1297,13 +1265,18 @@ slap_sasl_setpass( int rc; struct berval id = { 0, NULL }; /* needs to come from connection */ struct berval new = { 0, NULL }; + struct berval old = { 0, NULL }; assert( reqoid != NULL ); assert( strcmp( LDAP_EXOP_MODIFY_PASSWD, reqoid ) == 0 ); - if( id.bv_len == 0 ) { - *text = "not yet implemented"; + rc = sasl_getprop( conn->c_sasl_context, SASL_USERNAME, + (SASL_CONST void **)&id.bv_val ); + + if( rc != SASL_OK ) { + *text = "unable to retrieve SASL username"; rc = LDAP_OTHER; + goto done; } #ifdef NEW_LOGGING @@ -1316,7 +1289,7 @@ slap_sasl_setpass( #endif rc = slap_passwd_parse( reqdata, - NULL, NULL, &new, text ); + NULL, &old, &new, text ); if( rc != LDAP_SUCCESS ) { goto done; 
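Review bot: `rc = sasl_getprop( conn->c_sasl_context, SASL_USERNAME, ... )` runs without checking that conn->c_sasl_context is non-NULL, and a password-modify exop can arrive on a connection that never completed a SASL bind; unless the opening of slap_sasl_setpass (outside the hunk) already rejects that case, add `if ( conn->c_sasl_context == NULL ) { *text = "not a SASL bound connection"; rc = LDAP_OTHER; goto done; }` before the call. `id.bv_len` is also never set after bv_val is filled in, so `id` is a half-initialized berval; either set `id.bv_len = strlen( id.bv_val );` or keep the identity as a plain `char *`. The declaration comment `/* needs to come from connection */` is now stale and should describe the sasl_getprop source instead.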
@@ -1334,10 +1307,16 @@ slap_sasl_setpass(
 *rspdata = slap_passwd_return( &new );
 }
 
+#if SASL_VERSION_MAJOR < 2
 rc = sasl_setpass( conn->c_sasl_context,
- id.bv_val, new.bv_val, new.bv_len, SASL_SET_CREATE,
- text );
-
+ id.bv_val, new.bv_val, new.bv_len, 0, text );
+#else
+ rc = sasl_setpass( conn->c_sasl_context, id.bv_val,
+ old.bv_val, old.bv_len, new.bv_val, new.bv_len, 0 );
+ if( rc != SASL_OK ) {
+ *text = sasl_errdetail( conn->c_sasl_context );
+ }
+#endif
 switch(rc) {
 case SASL_OK:
 rc = LDAP_SUCCESS;
diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h
index 949a01441c..f6009fee69 100644
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@@ -1549,6 +1549,7 @@ typedef struct slap_conn {
 /* only can be changed by binding thread */
 int c_sasl_bind_in_progress; /* multi-op bind in progress */
 struct berval c_sasl_bind_mech; /* mech in progress */
+ struct berval c_sasl_dn; /* temporary storage */
 struct berval c_cdn;
 
 /* authorization backend */
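Review bot: In the `#else` branch the arguments `old.bv_val, old.bv_len` come before `new.bv_val, new.bv_len`, but the Cyrus SASL 2 `sasl_setpass` prototype takes the new password first (`pass, passlen, oldpass, oldpasslen, flags`), so as written the old password, or NULL when none was supplied, would be stored as the new one. Unless the local header differs, the call should be `rc = sasl_setpass( conn->c_sasl_context, id.bv_val, new.bv_val, new.bv_len, old.bv_val, old.bv_len, 0 );`. The 1.5 branch also drops `SASL_SET_CREATE` in favour of `0`, so a missing entry is no longer created; if that is intended, a one-line comment would prevent it being "fixed" back. `old` and `new` hold cleartext credentials and their release at `done:` is outside the hunk.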
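Review bot: `/* temporary storage */` does not say who owns `c_sasl_dn`; from the sasl.c hunks, slap_sasl_authorize frees any previous value on entry and stores a freshly allocated DN, and slap_sasl_bind takes the berval and resets the field, so `/* DN produced by slap_sasl_authorize; slap_sasl_bind takes ownership and clears it */` would capture the contract. Nothing in this commit initializes the field when a connection is created or releases it on close (only sasl.c and slap.h are touched), so unless the connection structure is zero-filled on allocation and swept on teardown, a bind abandoned after the callback ran would leave bv_val allocated — worth confirming in the connection lifecycle code.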