From: Howard Chu Date: Sun, 14 Aug 2005 08:00:54 +0000 (+0000) Subject: ITS#3845 allow rootpw to be used for rootdn SASL binds, based on X-Git-Tag: OPENLDAP_REL_ENG_2_2_MP~709 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=9326c2b3130ab0f6264daa7e30a2602ee95b8afe;p=openldap ITS#3845 allow rootpw to be used for rootdn SASL binds, based on patch from Jason Townsend --- diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c index e92780132f..66c591a956 100644 --- a/servers/slapd/sasl.c +++ b/servers/slapd/sasl.c @@ -202,6 +202,14 @@ sasl_ap_lookup( Operation *op, SlapReply *rs ) "slap_ap_lookup: str2ad(%s): %s\n", name, text, 0 ); continue; } + + /* If it's the rootdn and a rootpw was present, we already set + * it so don't override it here. + */ + if ( ad == slap_schema.si_ad_userPassword && sl->list[i].values && + be_isroot_dn( op->o_bd, &op->o_req_ndn )) + continue; + a = attr_find( rs->sr_entry->e_attrs, ad ); if ( !a ) continue; if ( ! access_allowed( op, rs->sr_entry, ad, NULL, ACL_AUTH, NULL ) ) { @@ -318,26 +326,69 @@ slap_auxprop_lookup( op.o_bd = select_backend( &op.o_req_ndn, 0, 1 ); - if ( op.o_bd && op.o_bd->be_search ) { - SlapReply rs = {REP_RESULT}; - op.o_hdr = conn->c_sasl_bindop->o_hdr; - op.o_tag = LDAP_REQ_SEARCH; - op.o_ndn = conn->c_ndn; - op.o_callback = &cb; - op.o_time = slap_get_time(); - op.o_do_not_cache = 1; - op.o_is_auth_check = 1; - op.o_req_dn = op.o_req_ndn; - op.ors_scope = LDAP_SCOPE_BASE; - op.ors_deref = LDAP_DEREF_NEVER; - op.ors_tlimit = SLAP_NO_LIMIT; - op.ors_slimit = 1; - op.ors_filter = &generic_filter; - op.ors_filterstr = generic_filterstr; - /* FIXME: we want all attributes, right? */ - op.ors_attrs = NULL; - - op.o_bd->be_search( &op, &rs ); + if ( op.o_bd ) { + /* For rootdn, see if we can use the rootpw */ + if ( be_isroot_dn( op.o_bd, &op.o_req_ndn ) && + !BER_BVISEMPTY( &op.o_bd->be_rootpw )) { + struct berval cbv = BER_BVNULL; + + /* If there's a recognized scheme, see if it's CLEARTEXT */ + if ( lutil_passwd_scheme( op.o_bd->be_rootpw.bv_val )) { + if ( !strncasecmp( op.o_bd->be_rootpw.bv_val, + sc_cleartext.bv_val, sc_cleartext.bv_len )) { + + /* If it's CLEARTEXT, skip past scheme spec */ + cbv.bv_len = op.o_bd->be_rootpw.bv_len - + sc_cleartext.bv_len; + if ( cbv.bv_len ) { + cbv.bv_val = op.o_bd->be_rootpw.bv_val + + sc_cleartext.bv_len; + } + } + /* No scheme, use the whole value */ + } else { + cbv = op.o_bd->be_rootpw; + } + if ( !BER_BVISEMPTY( &cbv )) { + for( i = 0; sl.list[i].name; i++ ) { + const char *name = sl.list[i].name; + + if ( name[0] == '*' ) { + if ( flags & SASL_AUXPROP_AUTHZID ) continue; + name++; + } else if ( !(flags & SASL_AUXPROP_AUTHZID ) ) + continue; + + if ( !strcasecmp(name,"userPassword") ) { + sl.sparams->utils->prop_set( sl.sparams->propctx, + sl.list[i].name, cbv.bv_val, cbv.bv_len ); + break; + } + } + } + } + + if ( op.o_bd->be_search ) { + SlapReply rs = {REP_RESULT}; + op.o_hdr = conn->c_sasl_bindop->o_hdr; + op.o_tag = LDAP_REQ_SEARCH; + op.o_ndn = conn->c_ndn; + op.o_callback = &cb; + op.o_time = slap_get_time(); + op.o_do_not_cache = 1; + op.o_is_auth_check = 1; + op.o_req_dn = op.o_req_ndn; + op.ors_scope = LDAP_SCOPE_BASE; + op.ors_deref = LDAP_DEREF_NEVER; + op.ors_tlimit = SLAP_NO_LIMIT; + op.ors_slimit = 1; + op.ors_filter = &generic_filter; + op.ors_filterstr = generic_filterstr; + /* FIXME: we want all attributes, right? */ + op.ors_attrs = NULL; + + op.o_bd->be_search( &op, &rs ); + } } } }