From 28d1dbd8ac8caa0d3a4c9a1482f2c59deb4f1406 Mon Sep 17 00:00:00 2001
From: Kurt Zeilenga
Date: Fri, 19 Jan 2001 00:47:32 +0000
Subject: [PATCH] Add "sasl-external-x509dn-convert" configuration option aimed at providing authid TLS/X.509 to LDAP DN mapping. Experimental.
---
 servers/slapd/config.c | 4 ++++
 servers/slapd/proto-slap.h | 1 +
 servers/slapd/sasl.c | 41 ++++++++++++++++++++++++++++----------
 3 files changed, 36 insertions(+), 10 deletions(-)
diff --git a/servers/slapd/config.c b/servers/slapd/config.c
index 02c1ebfe2e..34c99d3e45 100644
--- a/servers/slapd/config.c
+++ b/servers/slapd/config.c
@@ -46,6 +46,7 @@ char *slapd_args_file = NULL;
 int nSaslRegexp = 0;
 SaslRegexp_t *SaslRegexp = NULL;
+int sasl_external_x509dn_convert;
 static char *fp_getline(FILE *fp, int *lineno);
 static void fp_getline_init(int *lineno);
@@ -550,6 +551,9 @@ read_config( const char *fname )
 return 1;
 }
+ } else if ( strcasecmp( cargv[0], "sasl-external-x509dn-convert" ) == 0 ) {
+ sasl_external_x509dn_convert++;
+
 /* set UCDATA path */
 } else if ( strcasecmp( cargv[0], "ucdata-path" ) == 0 ) {
 int err;
diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h
index 110b27fcf2..63e509143d 100644
--- a/servers/slapd/proto-slap.h
+++ b/servers/slapd/proto-slap.h
@@ -811,6 +811,7 @@ LDAP_SLAPD_F (int) global_idletimeout;
 LDAP_SLAPD_F (int) global_schemacheck;
 LDAP_SLAPD_F (char) *global_host;
 LDAP_SLAPD_F (char) *global_realm;
+LDAP_SLAPD_F (int) sasl_external_x509dn_convert;
 LDAP_SLAPD_F (char) *default_passwd_hash;
 LDAP_SLAPD_F (int) lber_debug;
 LDAP_SLAPD_F (int) ldap_syslog;
diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c
index 0606345133..1034f2f2a2 100644
--- a/servers/slapd/sasl.c
+++ b/servers/slapd/sasl.c
@@ -27,7 +27,6 @@ static sasl_security_properties_t sasl_secprops;
-
 static int slap_sasl_log( void *context,
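Review bot: The new `sasl-external-x509dn-convert` branch in read_config increments `sasl_external_x509dn_convert` instead of setting it, so the flag's value depends on how many times the directive appears rather than on whether it appears; since the sasl.c side of this patch only tests it for non-zero, `sasl_external_x509dn_convert = 1;` states the intent and keeps a repeated line from silently changing the value. The directive takes no argument, yet nothing in the branch rejects extra words on the line, so a line such as `sasl-external-x509dn-convert off` would still enable the conversion; if the neighbouring directives validate `cargc`, this one should too, e.g. `if ( cargc != 1 ) { Debug(...); return( 1 ); }` before the assignment. read_config starts and ends outside the hunk.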
@@ -107,21 +106,43 @@ int slap_sasl_getdn( Connection *conn, char *id, char **dnptr, int flags )
 return( LDAP_SUCCESS );
 }
 ctx = conn->c_sasl_context;
- dn = ch_strdup( id );
 len = strlen( id );
- /* An authcID will need to be prefixed with u: */
+ /* An authcID needs to be converted to authzID form */
 if( flags & FLAG_GETDN_AUTHCID ) {
- dn = ch_realloc( dn, len+3 );
- memmove( dn+2, dn, len+1 );
- dn[0] = 'u';
- dn[1] = ':';
- len += 2;
+ if( sasl_external_x509dn_convert && conn->c_sasl_bind_mech
+ && ( strcasecmp( LDAP_SASL_EXTERNAL, conn->c_sasl_bind_mech ) == 0 )
+ && len && dn[0] == '/' and dn[len-1]== '/' )
+ {
+ /* check SASL external for X.509 style DN and */
+ /* convert to dn: form */
+ char *tmpdn = ldap_dcedn2dn( id );
+ len = strlen( tmpdn );
+
+ dn = ch_malloc( dn, len+4 );
+ dn[0] = 'd';
+ dn[1] = 'n';
+ dn[2] = ':';
+ memmove( &dn[3], tmpdn, len+1 );
+ len += 3;
+
+ } else {
+ /* convert to u: form */
+ dn = ch_malloc( dn, len+3 );
+ dn[0] = 'u';
+ dn[1] = ':';
+ memmove( &dn[2], id, len+1 );
+ len += 2;
+ }
+ } else {
+ dn = ch_strdup( id );
 }
 /* An authzID must be properly prefixed */
- if( flags & FLAG_GETDN_AUTHZID && strncasecmp( dn, "u:", 2 ) &&
- strncasecmp( dn, "dn:", 3 ) ) {
+ if( flags & FLAG_GETDN_AUTHZID
+ && strncasecmp( dn, "u:", 2 )
+ && strncasecmp( dn, "dn:", 3 )
+ {
 ch_free( dn );
 *dnptr = NULL;
 return( LDAP_INAPPROPRIATE_AUTH );
-- 
2.39.5
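Review bot: The conversion branch added in the middle of the hunk gates on `dn[0] == '/' and dn[len-1]== '/'`, but the hunk also removes the `dn = ch_strdup( id )` that used to give `dn` a copy of the identity, so at that point `dn` holds only whatever its declaration above the hunk gave it, and `and` is not a C operator; the string being classified is `id`, so the line should read `&& len && id[0] == '/' && id[len-1] == '/' )`. The same branch (and its `else`) calls `ch_malloc( dn, len+4 )` with two arguments where the replaced code used a one-argument allocator, never checks `ldap_dcedn2dn()` for NULL before calling `strlen()` on it, and never frees its result; the reworked authzID test at the bottom of the hunk, as printed here, also closes only the `strncasecmp()` call before the `{`, leaving the `if(` open. Because the `dn:` form is presumably what the rest of the bind path treats as an already-authenticated DN, a conversion failure should fail closed the way the existing tail of this function does (`*dnptr = NULL`, `LDAP_INAPPROPRIATE_AUTH`) rather than be dereferenced. The mechanism test is what keeps a client-chosen authcID from a non-EXTERNAL mechanism out of this path, so it should stay ahead of the string test as written. slap_sasl_getdn starts and ends outside the hunk; the fence shows the corrected branch, freeing the converted DN with `ldap_memfree()` on the assumption that `ldap_dcedn2dn()` allocates with the libldap allocator like the other DN converters — confirm against getdn.c.
```c
		if( sasl_external_x509dn_convert && conn->c_sasl_bind_mech
			&& ( strcasecmp( LDAP_SASL_EXTERNAL, conn->c_sasl_bind_mech ) == 0 )
			&& len && id[0] == '/' && id[len-1] == '/' )
		{
			/* SASL EXTERNAL authcID in X.509/DCE "/C=../CN=../" form:
			 * convert it to an LDAP DN and present it as "dn:..." */
			char *tmpdn = ldap_dcedn2dn( id );
			if( tmpdn == NULL ) {
				/* fail closed: an identity we cannot convert is not an identity */
				*dnptr = NULL;
				return( LDAP_INAPPROPRIATE_AUTH );
			}
			len = strlen( tmpdn );

			dn = ch_malloc( len+4 );
			dn[0] = 'd';
			dn[1] = 'n';
			dn[2] = ':';
			memmove( &dn[3], tmpdn, len+1 );
			len += 3;
			ldap_memfree( tmpdn );	/* copied into dn above */

		} else {
			/* convert to u: form */
			dn = ch_malloc( len+3 );
			/* … unchanged: u: prefixing of id … */
		}
```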