From 1d2951bb5a0bdb5d7d8bf9c5fcc87a6afd6b2449 Mon Sep 17 00:00:00 2001
From: Howard Chu
Date: Wed, 30 Apr 2003 14:13:58 +0000
Subject: [PATCH] For ITS#2424, move all SASL session management to ldap_int_sasl_bind.
---
 libraries/libldap/cyrus.c | 43 ++++++++++++++++++++++++++++++++++++---
 libraries/libldap/open.c | 28 -------------------------
 libraries/libldap/tls.c | 16 ---------------
 3 files changed, 40 insertions(+), 47 deletions(-)
diff --git a/libraries/libldap/cyrus.c b/libraries/libldap/cyrus.c
index 742d136417..f8e024c666 100644
--- a/libraries/libldap/cyrus.c
+++ b/libraries/libldap/cyrus.c
@@ -532,6 +532,7 @@ ldap_int_sasl_bind(
 unsigned credlen;
 struct berval ccred;
 ber_socket_t sd;
+ void *ssl;
 #ifdef NEW_LOGGING
 LDAP_LOG ( TRANSPORT, ARGS, "ldap_int_sasl_bind: %s\n",
@@ -566,9 +567,45 @@ ldap_int_sasl_bind(
 ctx = ld->ld_defconn->lconn_sasl_ctx;
- if( ctx == NULL ) {
- ld->ld_errno = LDAP_LOCAL_ERROR;
- return ld->ld_errno;
+ /* If we already have a context, shut it down */
+ if( ctx ) {
+ /* Do an anonymous bind to kill the server's context */
+ rc = ldap_simple_bind_s( ld, "", NULL );
+
+ /* dispose of the old context */
+ ldap_int_sasl_close( ld, ld->ld_defconn );
+ }
+
+ rc = ldap_int_sasl_open( ld, ld->ld_defconn,
+ ld->ld_defconn->lconn_server->lud_host ?
+ ld->ld_defconn->lconn_server->lud_host : "localhost" );
+
+ if ( rc != LDAP_SUCCESS ) return rc;
+
+ ctx = ld->ld_defconn->lconn_sasl_ctx;
+
+ /* Check for TLS */
+ ssl = ldap_pvt_tls_sb_ctx( ld->ld_sb );
+ if ( ssl ) {
+ struct berval authid = { 0, NULL };
+ ber_len_t fac;
+
+ fac = ldap_pvt_tls_get_strength( ssl );
+ /* failure is OK, we just can't use SASL EXTERNAL */
+ (void) ldap_pvt_tls_get_my_dn( ssl, &authid, NULL, 0 );
+
+ (void) ldap_int_sasl_external( ld, ld->ld_defconn, authid.bv_val, fac );
+ LDAP_FREE( authid.bv_val );
+ }
+
+ /* Check for local */
+ if ( ldap_pvt_url_scheme2proto( ld->ld_defconn->lconn_server->lud_scheme ) == LDAP_PROTO_IPC ) {
+ char authid[sizeof("uidNumber=4294967295+gidNumber=4294967295,"
+ "cn=peercred,cn=external,cn=auth")];
+ sprintf( authid, "uidNumber=%d+gidNumber=%d,"
+ "cn=peercred,cn=external,cn=auth",
+ (int) geteuid(), (int) getegid() );
+ (void) ldap_int_sasl_external( ld, ld->ld_defconn, authid, LDAP_PVT_SASL_LOCAL_SSF );
 }
 /* (re)set security properties */
diff --git a/libraries/libldap/open.c b/libraries/libldap/open.c
index 2b27a9ac3f..7f60452a9d 100644
--- a/libraries/libldap/open.c
+++ b/libraries/libldap/open.c
@@ -237,9 +237,6 @@ ldap_int_open_connection(
 int async )
 {
 int rc = -1;
-#ifdef HAVE_CYRUS_SASL
- char *sasl_host = NULL;
-#endif
 char *host;
 int port, proto;
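Review bot: The `sprintf` into `authid` in the LDAP_PROTO_IPC branch can overrun its buffer: the array is sized for the ten-digit `4294967295`, but `%d` with an `(int)` cast prints an euid or egid of 2^31 or above as a negative eleven-character value, so two such ids write two bytes past the end of a stack array. Printing the ids as `(unsigned)` with `%u` keeps every value within the sizeof budget (`sprintf( authid, "uidNumber=%u+gidNumber=%u," "cn=peercred,cn=external,cn=auth", (unsigned) geteuid(), (unsigned) getegid() );`), and a `snprintf` with `sizeof authid` would make the bound explicit. This code is moved from open.c rather than newly written, but this hunk is now its only copy. Separately, `rc` from the anonymous `ldap_simple_bind_s` is overwritten unchecked by the following `ldap_int_sasl_open` call; if the server-side teardown is best effort, `(void)` the call so the intent is visible, otherwise check it. ldap_int_sasl_bind starts before and continues after this hunk.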
@@ -279,9 +276,6 @@ ldap_int_open_connection(
 ber_sockbuf_add_io( conn->lconn_sb, &ber_sockbuf_io_tcp, LBER_SBIOD_LEVEL_PROVIDER, NULL );
-#ifdef HAVE_CYRUS_SASL
- sasl_host = ldap_host_connected_to( conn->lconn_sb, host );
-#endif
 break;
 #ifdef LDAP_CONNECTIONLESS
@@ -326,9 +320,6 @@ ldap_int_open_connection(
 ber_sockbuf_add_io( conn->lconn_sb, &ber_sockbuf_io_fd, LBER_SBIOD_LEVEL_PROVIDER, NULL );
-#ifdef HAVE_CYRUS_SASL
- sasl_host = ldap_host_connected_to( conn->lconn_sb, "localhost" );
-#endif
 break;
 #endif /* LDAP_PF_LOCAL */
 default:
@@ -345,25 +336,6 @@ ldap_int_open_connection(
 if( proto == LDAP_PROTO_UDP ) return 0;
 #endif
-#ifdef HAVE_CYRUS_SASL
- /* establish Cyrus SASL context prior to starting TLS so
- that SASL EXTERNAL might be used */
- if( sasl_host != NULL ) {
- ldap_int_sasl_open( ld, conn, sasl_host );
- LDAP_FREE( sasl_host );
- }
-#ifdef LDAP_PF_LOCAL
- if( proto == LDAP_PROTO_IPC ) {
- char authid[sizeof("uidNumber=4294967295+gidNumber=4294967295,"
- "cn=peercred,cn=external,cn=auth")];
- sprintf( authid, "uidNumber=%d+gidNumber=%d,"
- "cn=peercred,cn=external,cn=auth",
- (int) geteuid(), (int) getegid() );
- ldap_int_sasl_external( ld, conn, authid, LDAP_PVT_SASL_LOCAL_SSF );
- }
-#endif
-#endif
-
 #ifdef HAVE_TLS
 if (ld->ld_options.ldo_tls_mode == LDAP_OPT_X_TLS_HARD || strcmp( srv->lud_scheme, "ldaps" ) == 0 )
diff --git a/libraries/libldap/tls.c b/libraries/libldap/tls.c
index 5c0ca1a52a..e355d25a6e 100644
--- a/libraries/libldap/tls.c
+++ b/libraries/libldap/tls.c
@@ -1403,22 +1403,6 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
 }
 }
- /*
- * set SASL properties to TLS ssf and authid
- */
- {
- struct berval authid = { 0, NULL };
- ber_len_t ssf;
-
- /* we need to let SASL know */
- ssf = ldap_pvt_tls_get_strength( ssl );
- /* failure is OK, we just can't use SASL EXTERNAL */
- (void) ldap_pvt_tls_get_my_dn( ssl, &authid, NULL, 0 );
-
- (void) ldap_int_sasl_external( ld, conn, authid.bv_val, ssf );
- LDAP_FREE( authid.bv_val );
- }
-
 return LDAP_SUCCESS;
 }
-- 
2.39.5