From 293b5e51a5f6cc11c3ea173392662449388b46bb Mon Sep 17 00:00:00 2001
From: Pierangelo Masarati
Date: Mon, 31 Jan 2011 22:07:04 +0000
Subject: [PATCH] first cut at SASL bind issues in idassert (related to ITS#6817)
---
 doc/man/man5/slapd-ldap.5 | 9 +++++++
 doc/man/man5/slapd-meta.5 | 9 +++++++
 servers/slapd/back-ldap/back-ldap.h | 3 +++
 servers/slapd/back-ldap/config.c | 38 ++++++++++++++++++++++++++++-
 4 files changed, 58 insertions(+), 1 deletion(-)
diff --git a/doc/man/man5/slapd-ldap.5 b/doc/man/man5/slapd-ldap.5
index 9e9e4fd7f6..2fec6fe287 100644
--- a/doc/man/man5/slapd-ldap.5
+++ b/doc/man/man5/slapd-ldap.5
@@ -338,6 +338,15 @@ permissions, or the asserted identities must have appropriate
 .I authzFrom permissions. Note, however, that the ID assertion feature is mostly useful when the asserted identities do not exist on the remote server.
+When
+.I bindmethod
+is
+.BR SASL ,
+the
+.I authcDN
+must be specified in addition to the
+.IR authcID ,
+although it is not used within the authentication process.
 Flags can be
diff --git a/doc/man/man5/slapd-meta.5 b/doc/man/man5/slapd-meta.5
index 2d984d5f37..8c996b6428 100644
--- a/doc/man/man5/slapd-meta.5
+++ b/doc/man/man5/slapd-meta.5
@@ -480,6 +480,15 @@ permissions, or the asserted identities must have appropriate
 .I authzFrom permissions. Note, however, that the ID assertion feature is mostly useful when the asserted identities do not exist on the remote server.
+When
+.I bindmethod
+is
+.BR SASL ,
+the
+.I authcDN
+must be specified in addition to the
+.IR authcID ,
+although it is not used within the authentication process.
 Flags can be
diff --git a/servers/slapd/back-ldap/back-ldap.h b/servers/slapd/back-ldap/back-ldap.h
index f06c34eb20..e8b352212a 100644
--- a/servers/slapd/back-ldap/back-ldap.h
+++ b/servers/slapd/back-ldap/back-ldap.h
@@ -235,6 +235,9 @@ typedef struct slap_idassert_t {
 #define LDAP_BACK_AUTH_OBSOLETE_ENCODING_WORKAROUND (0x10U)
 #define LDAP_BACK_AUTH_AUTHZ_ALL (0x20U)
 #define LDAP_BACK_AUTH_PROXYAUTHZ_CRITICAL (0x40U)
+#define LDAP_BACK_AUTH_DN_AUTHZID (0x100U)
+#define LDAP_BACK_AUTH_DN_WHOAMI (0x200U)
+#define LDAP_BACK_AUTH_DN_MASK (LDAP_BACK_AUTH_DN_AUTHZID|LDAP_BACK_AUTH_DN_WHOAMI)
 #define li_idassert_flags li_idassert.si_flags
 BerVarray si_authz;
diff --git a/servers/slapd/back-ldap/config.c b/servers/slapd/back-ldap/config.c
index 8dba7b0942..1719490625 100644
--- a/servers/slapd/back-ldap/config.c
+++ b/servers/slapd/back-ldap/config.c
@@ -866,6 +866,17 @@ slap_idassert_parse( ConfigArgs *c, slap_idassert_t *si )
 } else if ( strcasecmp( flags[ j ], "proxy-authz-non-critical" ) == 0 ) {
 si->si_flags &= ~LDAP_BACK_AUTH_PROXYAUTHZ_CRITICAL;
+ } else if ( strcasecmp( flags[ j ], "dn-none" ) == 0 ) {
+ si->si_flags &= ~LDAP_BACK_AUTH_DN_MASK;
+
+ } else if ( strcasecmp( flags[ j ], "dn-authzid" ) == 0 ) {
+ si->si_flags &= ~LDAP_BACK_AUTH_DN_MASK;
+ si->si_flags |= LDAP_BACK_AUTH_DN_AUTHZID;
+
+ } else if ( strcasecmp( flags[ j ], "dn-whoami" ) == 0 ) {
+ si->si_flags &= ~LDAP_BACK_AUTH_DN_MASK;
+ si->si_flags |= LDAP_BACK_AUTH_DN_WHOAMI;
+
 } else {
 snprintf( c->cr_msg, sizeof( c->cr_msg ),
 "\"idassert-bind \": "
@@ -902,6 +913,17 @@ slap_idassert_parse( ConfigArgs *c, slap_idassert_t *si )
 Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
 return 1;
 }
+
+ } else if ( si->si_bc.sb_method == LDAP_AUTH_SASL ) {
+ if ( BER_BVISNULL( &si->si_bc.sb_binddn ) &&
+ !(si->si_flags & LDAP_BACK_AUTH_DN_MASK) )
+ {
+ snprintf( c->cr_msg, sizeof( c->cr_msg ),
+ "\"idassert-bind \": "
+ "SASL needs \"binddn\" or either \"dn-authzid\" or \"dn-whoami\" in flags" );
+ Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
+ return 1;
+ }
 }
 bindconf_tls_defaults( &si->si_bc );
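Review bot: The three new LDAP_BACK_AUTH_DN_* bits in back-ldap.h carry no comment saying what they select, and nothing in the header ties them to the "binddn"-or-flags rule that config.c enforces for SASL idassert binds in this same commit. The parse loop clears LDAP_BACK_AUTH_DN_MASK before setting either bit, so at most one of them is ever set; that invariant belongs next to the definitions rather than only in the parser. Suggested comment above the two bits: `/* How to obtain the DN that stands in for a missing "binddn" on a SASL idassert-bind; at most one of these is set, see LDAP_BACK_AUTH_DN_MASK */`. Whether 0x80U is deliberately skipped is not visible from this patch and is worth a word as well.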
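Review bot: The new LDAP_AUTH_SASL branch in slap_idassert_parse accepts either a "binddn" or one of the dn-* flags, but the man-page hunks in this commit say the authcDN "must be specified in addition to the authcID" and never mention dn-authzid or dn-whoami, so the documentation and the check disagree and one of them should change. The dn-* flags are also consulted only under LDAP_AUTH_SASL: nothing in the flags loop or here rejects dn-authzid/dn-whoami combined with another bind method, so that misconfiguration is accepted silently and round-trips through ldap_back_cf_gen (the earlier branches of this if/else chain and the start of the function are outside the hunk, so a check there cannot be ruled out). The message wording is awkward; consider `"SASL needs \"binddn\" or one of \"dn-authzid\"/\"dn-whoami\" in flags" );`.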
@@ -1140,7 +1162,7 @@ ldap_back_cf_gen( ConfigArgs *c )
 (void)lutil_strcopy( ptr, "authz=native" );
 }
- len = bv.bv_len + STRLENOF( "flags=non-prescriptive,override,obsolete-encoding-workaround,proxy-authz-non-critical" );
+ len = bv.bv_len + STRLENOF( "flags=non-prescriptive,override,obsolete-encoding-workaround,proxy-authz-non-critical,dn-authzid" );
 /* flags */
 if ( !BER_BVISEMPTY( &bv ) ) {
 len += STRLENOF( " " );
@@ -1180,6 +1202,20 @@ ldap_back_cf_gen( ConfigArgs *c )
 ptr = lutil_strcopy( ptr, ",proxy-authz-non-critical" );
 }
+ switch ( li->li_idassert_flags & LDAP_BACK_AUTH_DN_MASK ) {
+ case LDAP_BACK_AUTH_DN_AUTHZID:
+ ptr = lutil_strcopy( ptr, ",dn-authzid" );
+ break;
+
+ case LDAP_BACK_AUTH_DN_WHOAMI:
+ ptr = lutil_strcopy( ptr, ",dn-whoami" );
+ break;
+
+ default:
+ ptr = lutil_strcopy( ptr, ",dn-none" );
+ break;
+ }
+
 bv.bv_len = ( ptr - bv.bv_val );
 /* end-of-flags */
 }
-- 
2.39.5
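Review bot: The length budget in the changed `len = bv.bv_len + STRLENOF( "...,dn-authzid" );` line is correct only because ",dn-authzid" is the longest of the three tokens the switch in the following hunk (@@ -1180) can emit; that coupling is silent and the buffer sizing breaks the moment a longer dn-* token is added. Add a comment on the sizing line, e.g. `/* "dn-authzid" is the longest dn-* token; keep in sync with the switch below */`. The switch's default branch also emits ",dn-none" unconditionally, so every generated idassert-bind now carries a dn-* token even when the bind method is not SASL, and its leading comma assumes an earlier flag token was already written — the start of the flags emitter is outside the hunk, so confirm a first token is always present there.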