From 4191f390370fbbf2a0805d7642e14fa24a4580fa Mon Sep 17 00:00:00 2001 From: Howard Chu Date: Sat, 26 Jan 2002 13:57:41 +0000 Subject: [PATCH] Changed slap_authz_info.sai_mech to struct berval. Changed sasl_* to use struct bervals. --- servers/slapd/backend.c | 4 +- servers/slapd/bind.c | 53 ++++++----- servers/slapd/connection.c | 33 ++++--- servers/slapd/operation.c | 4 +- servers/slapd/proto-slap.h | 10 +- servers/slapd/sasl.c | 188 +++++++++++++++++++------------------ servers/slapd/saslauthz.c | 52 +++++----- servers/slapd/slap.h | 4 +- 8 files changed, 181 insertions(+), 167 deletions(-) diff --git a/servers/slapd/backend.c b/servers/slapd/backend.c index d2d3f5976c..5e8c0726d3 100644 --- a/servers/slapd/backend.c +++ b/servers/slapd/backend.c @@ -892,7 +892,7 @@ backend_check_restrictions( if( requires & SLAP_REQUIRE_STRONG ) { /* should check mechanism */ - if( op->o_authmech == NULL || op->o_dn.bv_len == 0 ) + if( op->o_authmech.bv_len == 0 || op->o_dn.bv_len == 0 ) { *text = "strong authentication required"; return LDAP_STRONG_AUTH_REQUIRED; @@ -900,7 +900,7 @@ backend_check_restrictions( } if( requires & SLAP_REQUIRE_SASL ) { - if( op->o_authmech == NULL || op->o_dn.bv_len == 0 ) + if( op->o_authmech.bv_len == 0 || op->o_dn.bv_len == 0 ) { *text = "SASL authentication required"; return LDAP_STRONG_AUTH_REQUIRED; diff --git a/servers/slapd/bind.c b/servers/slapd/bind.c index 11b9d07247..142bf0f7a9 100644 --- a/servers/slapd/bind.c +++ b/servers/slapd/bind.c @@ -36,10 +36,11 @@ do_bind( BerElement *ber = op->o_ber; ber_int_t version; ber_tag_t method; - char *mech = NULL; + struct berval mech = { 0, NULL }; struct berval dn = { 0, NULL }; struct berval pdn = { 0, NULL }; struct berval ndn = { 0, NULL }; + struct berval edn = { 0, NULL }; ber_tag_t tag; int rc = LDAP_SUCCESS; const char *text; 
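Review bot: In the two backend_check_restrictions hunks, `SLAP_REQUIRE_STRONG` and `SLAP_REQUIRE_SASL` are both satisfied by `op->o_authmech.bv_len != 0`, so the "strong" requirement accepts any mechanism that left a name on the connection — including ones offering no integrity or confidentiality, if the server has them enabled — and the surviving `/* should check mechanism */` comment marks exactly that gap without closing it. Note also that o_authmech is copied from `conn->c_authmech` in connection_op_activate, i.e. it reflects the connection's previous successful bind rather than the mechanism of the bind being checked; whether the `mech` argument that do_bind now passes as `mech.bv_val` is consulted elsewhere in the function is not visible in these hunks. I would make the comment say what is actually tested: `/* only tests that some SASL mechanism authenticated this connection; its strength (see c_sasl_ssf) is not checked */`. backend_check_restrictions starts and ends outside the hunks.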
@@ -113,7 +114,7 @@ do_bind( tag = ber_scanf( ber, /*{*/ "m}", &cred ); } else { - tag = ber_scanf( ber, "{a" /*}*/, &mech ); + tag = ber_scanf( ber, "{o" /*}*/, &mech ); if ( tag != LBER_ERROR ) { ber_len_t len; @@ -170,10 +171,10 @@ do_bind( #ifdef NEW_LOGGING LDAP_LOG(( "operation", LDAP_LEVEL_DETAIL1, "do_sasl_bind: conn %d dn (%s) mech %s\n", conn->c_connid, - pdn.bv_val, mech )); + pdn.bv_val, mech.bv_val )); #else Debug( LDAP_DEBUG_TRACE, "do_sasl_bind: dn (%s) mech %s\n", - pdn.bv_val, mech, NULL ); + pdn.bv_val, mech.bv_val, NULL ); #endif } else { @@ -231,7 +232,6 @@ do_bind( } if ( method == LDAP_AUTH_SASL ) { - char *edn; slap_ssf_t ssf = 0; if ( version < LDAP_VERSION3 ) { @@ -249,7 +249,7 @@ do_bind( goto cleanup; } - if( mech == NULL || mech[0] == '\0' ) { + if( mech.bv_len == 0 ) { #ifdef NEW_LOGGING LDAP_LOG(( "operation", LDAP_LEVEL_INFO, "do_bind: conn %d no SASL mechanism provided\n", @@ -265,7 +265,7 @@ do_bind( } /* check restrictions */ - rc = backend_check_restrictions( NULL, conn, op, mech, &text ); + rc = backend_check_restrictions( NULL, conn, op, mech.bv_val, &text ); if( rc != LDAP_SUCCESS ) { send_ldap_result( conn, op, rc, NULL, text, NULL, NULL ); 
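Review bot: Switching `ber_scanf` from `"a"` to `"o"` for `mech` lets a client supply a mechanism name containing NUL bytes, but the value is still consumed as a C string (`backend_check_restrictions( ..., mech.bv_val, ...)` here, `sasl_server_start( ctx, conn->c_sasl_bind_mech.bv_val, ...)` in sasl.c) while the new length-based comparisons (`ber_bvcmp` against `c_sasl_bind_mech`, the `bv_len == ext_bv.bv_len` test for EXTERNAL) see the full length. A name such as `EXTERNAL` followed by a NUL and junk would be started as EXTERNAL by the SASL library yet fail the X.509 DN conversion test, so the two views of the mechanism disagree. Assuming liblber's `o` conversion NUL-terminates the allocated value, the existing "no SASL mechanism provided" test can reject this cheaply: `if( mech.bv_len == 0 || strlen( mech.bv_val ) != mech.bv_len ) {`. do_bind begins before the first hunk and continues past this one.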
@@ -274,30 +274,31 @@ do_bind( ldap_pvt_thread_mutex_lock( &conn->c_mutex ); if ( conn->c_sasl_bind_in_progress ) { - if((strcmp(conn->c_sasl_bind_mech, mech) != 0)) { + if((ber_bvcmp(&conn->c_sasl_bind_mech, &mech) != 0)) { /* mechanism changed between bind steps */ slap_sasl_reset(conn); } } else { conn->c_sasl_bind_mech = mech; - mech = NULL; + mech.bv_val = NULL; + mech.bv_len = 0; } ldap_pvt_thread_mutex_unlock( &conn->c_mutex ); - edn = NULL; rc = slap_sasl_bind( conn, op, &pdn, &ndn, &cred, &edn, &ssf ); ldap_pvt_thread_mutex_lock( &conn->c_mutex ); if( rc == LDAP_SUCCESS ) { - conn->c_dn.bv_val = edn; - if( edn != NULL ) { - conn->c_dn.bv_len = strlen( edn ); - dnNormalize2( NULL, &conn->c_dn, &conn->c_ndn ); + conn->c_dn = edn; + if( edn.bv_len != 0 ) { + /* edn is always normalized already */ + ber_dupbv( &conn->c_ndn, &conn->c_dn ); } conn->c_authmech = conn->c_sasl_bind_mech; - conn->c_sasl_bind_mech = NULL; + conn->c_sasl_bind_mech.bv_val = NULL; + conn->c_sasl_bind_mech.bv_len = 0; conn->c_sasl_bind_in_progress = 0; conn->c_sasl_ssf = ssf; @@ -315,9 +316,10 @@ do_bind( conn->c_sasl_bind_in_progress = 1; } else { - if ( conn->c_sasl_bind_mech ) { - free( conn->c_sasl_bind_mech ); - conn->c_sasl_bind_mech = NULL; + if ( conn->c_sasl_bind_mech.bv_val ) { + free( conn->c_sasl_bind_mech.bv_val ); + conn->c_sasl_bind_mech.bv_val = NULL; + conn->c_sasl_bind_mech.bv_len = 0; } conn->c_sasl_bind_in_progress = 0; } @@ -329,9 +331,10 @@ do_bind( /* Not SASL, cancel any in-progress bind */ ldap_pvt_thread_mutex_lock( &conn->c_mutex ); - if ( conn->c_sasl_bind_mech != NULL ) { - free(conn->c_sasl_bind_mech); - conn->c_sasl_bind_mech = NULL; + if ( conn->c_sasl_bind_mech.bv_val != NULL ) { + free(conn->c_sasl_bind_mech.bv_val); + conn->c_sasl_bind_mech.bv_val = NULL; + conn->c_sasl_bind_mech.bv_len = 0; } conn->c_sasl_bind_in_progress = 0; 
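Review bot: The new comment `/* edn is always normalized already */` at `ber_dupbv( &conn->c_ndn, &conn->c_dn )` states an invariant this file cannot guarantee: edn is whatever slap_sasl_bind hands back, and in sasl.c the FLAG_GETDN_FINAL path of slap_sasl_getdn explicitly skips dnNormalize2 (only the non-final path normalizes). It is normalized only if the value the SASL library returns is byte-for-byte the DN that slap_sasl_authorize normalized and handed over via `*user`; a canon_user or mechanism plugin that rewrites the name would leave c_ndn unnormalized, and c_ndn is presumably what later access checks compare. I would record the dependency rather than assert it: `/* edn comes back from the SASL library as the DN slap_sasl_authorize normalized and returned via *user; the FINAL getdn path does not re-normalize, so this holds only while that round trip is unmodified */`. do_bind continues on both sides of this hunk.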
@@ -364,7 +367,7 @@ do_bind( text = "anonymous bind disallowed"; } else { - rc = backend_check_restrictions( NULL, conn, op, mech, &text ); + rc = backend_check_restrictions( NULL, conn, op, mech.bv_val, &text ); } /* @@ -478,8 +481,6 @@ do_bind( if ( be->be_bind ) { int ret; - /* alias suffix */ - struct berval edn = { 0, NULL }; /* deref suffix alias if appropriate */ suffix_alias( be, &ndn ); @@ -542,8 +543,8 @@ cleanup: if( ndn.bv_val != NULL ) { free( ndn.bv_val ); } - if ( mech != NULL ) { - free( mech ); + if ( mech.bv_val != NULL ) { + free( mech.bv_val ); } return rc; diff --git a/servers/slapd/connection.c b/servers/slapd/connection.c index a252370a28..ce4f7f0861 100644 --- a/servers/slapd/connection.c +++ b/servers/slapd/connection.c @@ -412,7 +412,8 @@ long connection_init( assert( c != NULL ); if( c->c_struct_state == SLAP_C_UNINITIALIZED ) { - c->c_authmech = NULL; + c->c_authmech.bv_val = NULL; + c->c_authmech.bv_len = 0; c->c_dn.bv_val = NULL; c->c_dn.bv_len = 0; c->c_ndn.bv_val = NULL; @@ -429,7 +430,8 @@ long connection_init( LDAP_STAILQ_INIT(&c->c_ops); LDAP_STAILQ_INIT(&c->c_pending_ops); - c->c_sasl_bind_mech = NULL; + c->c_sasl_bind_mech.bv_val = NULL; + c->c_sasl_bind_mech.bv_len = 0; c->c_sasl_context = NULL; c->c_sasl_extra = NULL; @@ -453,10 +455,10 @@ long connection_init( ldap_pvt_thread_mutex_lock( &c->c_mutex ); assert( c->c_struct_state == SLAP_C_UNUSED ); - assert( c->c_authmech == NULL ); - assert( c->c_dn.bv_val == NULL ); - assert( c->c_ndn.bv_val == NULL ); - assert( c->c_cdn.bv_val == NULL ); + assert( c->c_authmech.bv_val == NULL ); + assert( c->c_dn.bv_val == NULL ); + assert( c->c_ndn.bv_val == NULL ); + assert( c->c_cdn.bv_val == NULL ); assert( c->c_groups == NULL ); assert( c->c_listener_url == NULL ); assert( c->c_peer_domain == NULL ); 
@@ -464,7 +466,7 @@ long connection_init( assert( c->c_sock_name == NULL ); assert( LDAP_STAILQ_EMPTY(&c->c_ops) ); assert( LDAP_STAILQ_EMPTY(&c->c_pending_ops) ); - assert( c->c_sasl_bind_mech == NULL ); + assert( c->c_sasl_bind_mech.bv_val == NULL ); assert( c->c_sasl_context == NULL ); assert( c->c_sasl_extra == NULL ); assert( c->c_currentber == NULL ); @@ -576,10 +578,11 @@ void connection2anonymous( Connection *c ) ber_sockbuf_ctrl( c->c_sb, LBER_SB_OPT_SET_MAX_INCOMING, &max ); } - if(c->c_authmech != NULL ) { - free(c->c_authmech); - c->c_authmech = NULL; + if(c->c_authmech.bv_val != NULL ) { + free(c->c_authmech.bv_val); + c->c_authmech.bv_val = NULL; } + c->c_authmech.bv_len = 0; if(c->c_dn.bv_val != NULL) { free(c->c_dn.bv_val); @@ -667,10 +670,11 @@ connection_destroy( Connection *c ) } c->c_sasl_bind_in_progress = 0; - if(c->c_sasl_bind_mech != NULL) { - free(c->c_sasl_bind_mech); - c->c_sasl_bind_mech = NULL; + if(c->c_sasl_bind_mech.bv_val != NULL) { + free(c->c_sasl_bind_mech.bv_val); + c->c_sasl_bind_mech.bv_val = NULL; } + c->c_sasl_bind_mech.bv_len = 0; slap_sasl_close( c ); @@ -1476,8 +1480,7 @@ static int connection_op_activate( Connection *conn, Operation *op ) conn->c_ndn.bv_val : "" ); } arg->co_op->o_authtype = conn->c_authtype; - arg->co_op->o_authmech = conn->c_authmech != NULL - ? ch_strdup( conn->c_authmech ) : NULL; + ber_dupbv( &arg->co_op->o_authmech, &conn->c_authmech ); if (!arg->co_op->o_protocol) { arg->co_op->o_protocol = conn->c_protocol diff --git a/servers/slapd/operation.c b/servers/slapd/operation.c index 859a88acee..aee5ef9b55 100644 --- a/servers/slapd/operation.c +++ b/servers/slapd/operation.c @@ -29,8 +29,8 @@ slap_op_free( Operation *op ) if ( op->o_ndn.bv_val != NULL ) { free( op->o_ndn.bv_val ); } - if ( op->o_authmech != NULL ) { - free( op->o_authmech ); + if ( op->o_authmech.bv_val != NULL ) { + free( op->o_authmech.bv_val ); } if ( op->o_ctrls != NULL ) { ldap_controls_free( op->o_ctrls ); 
diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h index 98a880be92..e0c0db726d 100644 --- a/servers/slapd/proto-slap.h +++ b/servers/slapd/proto-slap.h @@ -818,15 +818,17 @@ LDAP_SLAPD_F (int) slap_sasl_bind LDAP_P(( Connection *conn, Operation *op, struct berval *dn, struct berval *ndn, struct berval *cred, - char **edn, slap_ssf_t *ssf )); + struct berval *edn, slap_ssf_t *ssf )); /* * saslauthz.c */ -LDAP_SLAPD_F (char *) slap_sasl2dn LDAP_P(( char *saslname )); +LDAP_SLAPD_F (void) slap_sasl2dn LDAP_P(( + struct berval *saslname, + struct berval *dn )); LDAP_SLAPD_F (int) slap_sasl_authorized LDAP_P(( - char *authcid, - char *authzid )); + struct berval *authcid, + struct berval *authzid )); LDAP_SLAPD_F (int) slap_sasl_regexp_config LDAP_P(( const char *match, const char *replace )); diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c index ec86ede0f1..251098fb98 100644 --- a/servers/slapd/sasl.c +++ b/servers/slapd/sasl.c @@ -80,17 +80,22 @@ slap_sasl_log( /* Take any sort of identity string and return a DN with the "dn:" prefix. The - string returned in *dnptr is in its own allocated memory, and must be free'd + string returned in *dn is in its own allocated memory, and must be free'd by the calling process. -Mark Adamson, Carnegie Mellon */ -int slap_sasl_getdn( Connection *conn, char *id, char **dnptr, int flags ) +#define SET_DN 1 +#define SET_U 2 + +static struct berval ext_bv = { sizeof("EXTERNAL")-1, "EXTERNAL" }; + +int slap_sasl_getdn( Connection *conn, char *id, struct berval *dn, int flags ) { - char *c=NULL, *c1, *dn=NULL; - int rc, len; + char *c=NULL, *c1; + int rc, len, is_dn = 0; sasl_conn_t *ctx; - + struct berval dn2; #ifdef NEW_LOGGING LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY, 
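Review bot: The updated header comment says the string returned in `*dn` is allocated and must be freed by the caller, but that holds only for an LDAP_SUCCESS return with a non-anonymous identity: the anonymous test zeroes `*dn` and returns success, and the failure paths later in the function (`getprop(REALM)`, `dnNormalize2`) store `slap_empty_bv`, which must not be freed. slap_sasl_authorize does the right thing today (it frees only what succeeded), but the contract should be written where the next caller will read it; I would extend the comment with: `On LDAP_SUCCESS *dn is either a zeroed berval (anonymous) or caller-owned allocated memory; on any other return it holds slap_empty_bv and must not be freed.` slap_sasl_getdn continues beyond this hunk.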
@@ -102,13 +107,14 @@ int slap_sasl_getdn( Connection *conn, char *id, char **dnptr, int flags ) id?(*id?id:""):"NULL",0,0 ); #endif + dn->bv_val = NULL; + dn->bv_len = 0; /* Blatantly anonymous ID */ if( id && ( id[sizeof( "anonymous" )-1] == '\0' || id[sizeof( "anonymous" )-1] == '@' ) && !strncasecmp( id, "anonymous", sizeof( "anonymous" )-1) ) { - *dnptr = NULL; return( LDAP_SUCCESS ); } ctx = conn->c_sasl_context; 
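Review bot: After the `/* Blatantly anonymous ID */` test, `id` is dereferenced unconditionally in the rest of the function (`id[0] == '/'`, `strncasecmp( id, "u:", ...)`), yet the trace log just above treats `id == NULL` as a possible input (`id?(*id?id:""):"NULL"`) and the anonymous test itself is guarded with `id &&`. If callers can pass NULL, it needs an explicit decision right after the anonymous check, e.g. `if( id == NULL ) return( LDAP_INAPPROPRIATE_AUTH );` — or `LDAP_SUCCESS` with the already-zeroed `*dn` if NULL is meant to mean anonymous, whichever the SASL callbacks intend. Zeroing `*dn` up front is a good change since it makes the early `return( LDAP_SUCCESS )` well-defined for the caller. slap_sasl_getdn starts in the previous hunk and continues past this one.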
@@ -116,47 +122,45 @@ int slap_sasl_getdn( Connection *conn, char *id, char **dnptr, int flags ) /* An authcID needs to be converted to authzID form */ if( flags & FLAG_GETDN_AUTHCID ) { - if( sasl_external_x509dn_convert && conn->c_sasl_bind_mech - && ( strcasecmp( "EXTERNAL", conn->c_sasl_bind_mech ) == 0 ) - && len && id[0] == '/' /* && id[len-1]== '/' */) + if( sasl_external_x509dn_convert + && conn->c_sasl_bind_mech.bv_len == ext_bv.bv_len + && ( strcasecmp( ext_bv.bv_val, conn->c_sasl_bind_mech.bv_val ) == 0 ) + && id[0] == '/' ) { /* check SASL external for X.509 style DN and */ /* convert to dn: form */ - char *tmpdn = ldap_dcedn2dn( id ); - len = strlen( tmpdn ); - - dn = ch_malloc( len+4 ); - dn[0] = 'd'; - dn[1] = 'n'; - dn[2] = ':'; - AC_MEMCPY( &dn[3], tmpdn, len+1 ); - len += 3; + dn->bv_val = ldap_dcedn2dn( id ); + dn->bv_len = strlen(dn->bv_val); + is_dn = SET_DN; } else { /* convert to u: form */ - dn = ch_malloc( len+3 ); - dn[0] = 'u'; - dn[1] = ':'; - AC_MEMCPY( &dn[2], id, len+1 ); - len += 2; + ber_str2bv( id, len, 1, dn ); + is_dn = SET_U; + } + } + if( !is_dn ) { + if( !strncasecmp( id, "u:", sizeof("u:")-1 )) { + is_dn = SET_U; + ber_str2bv( id+2, len-2, 1, dn ); + } else if ( !strncasecmp( id, "dn:", sizeof("dn:")-1) ) { + is_dn = SET_DN; + ber_str2bv( id+3, len-3, 1, dn ); } - } else { - dn = ch_strdup( id ); } /* An authzID must be properly prefixed */ - if( flags & FLAG_GETDN_AUTHZID - && strncasecmp( dn, "u:", sizeof("u:")-1 ) - && strncasecmp( dn, "dn:", sizeof("dn:")-1 ) ) - { - ch_free( dn ); - *dnptr = NULL; + if( (flags & FLAG_GETDN_AUTHZID) && !is_dn ) { + free( dn->bv_val ); + dn->bv_val = NULL; + dn->bv_len = 0; return( LDAP_INAPPROPRIATE_AUTH ); } /* Username strings */ - if( !strncasecmp( dn, "u:", sizeof("u:")-1 ) ) { - len += (sizeof("dn:uid=")-1) + (sizeof(",cn=auth")-1); + if( is_dn == SET_U ) { + char *p; + len = dn->bv_len + sizeof("uid=")-1 + sizeof(",cn=auth")-1; /* Figure out how much data we have for the dn */ rc = 
sasl_getprop( ctx, SASL_REALM, (void **)&c ); 
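Review bot: In the EXTERNAL branch `dn->bv_len = strlen(dn->bv_val);` trusts the result of `ldap_dcedn2dn( id )`: that helper allocates its output while parsing a DCE-style subject string that originates from a client-presented certificate, so a NULL on a malformed name or allocation failure looks possible and would be dereferenced on the next line and again by the `is_dn == SET_DN` path below. A guard right after the call keeps the failure an LDAP error instead of a crash: `if( dn->bv_val == NULL ) return( LDAP_OPERATIONS_ERROR );`, the same code the `getprop(REALM)` failure uses. Dropping the `len &&` precondition is fine, since `id[0] == '/'` is false for an empty string. slap_sasl_getdn starts and ends outside this hunk.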
@@ -169,73 +173,86 @@ int slap_sasl_getdn( Connection *conn, char *id, char **dnptr, int flags ) "getdn: getprop(REALM) failed!\n", 0,0,0); #endif - ch_free( dn ); - *dnptr = NULL; + ch_free( dn->bv_val ); + *dn = slap_empty_bv; return( LDAP_OPERATIONS_ERROR ); } if( c && *c ) { - len += strlen( c ) + (sizeof(",cn=")-1); + len += strlen( c ) + sizeof(",cn=")-1; } - if( conn->c_sasl_bind_mech ) { - len += strlen( conn->c_sasl_bind_mech ) + (sizeof(",cn=")-1); + if( conn->c_sasl_bind_mech.bv_len ) { + len += conn->c_sasl_bind_mech.bv_len + sizeof(",cn=")-1; } /* Build the new dn */ - c1 = dn; - dn = ch_malloc( len ); - len = sprintf( dn, "dn:uid=%s", c1+2 ); + c1 = dn->bv_val; + dn->bv_val = ch_malloc( len ); + p = slap_strcopy( dn->bv_val, "uid=" ); + p = slap_strcopy( p, c1 ); ch_free( c1 ); if( c ) { - len += sprintf( dn+len, ",cn=%s", c ); + p = slap_strcopy( p, ",cn=" ); + p = slap_strcopy( p, c ); } - if( conn->c_sasl_bind_mech ) { - len += sprintf( dn+len, ",cn=%s", conn->c_sasl_bind_mech ); + if( conn->c_sasl_bind_mech.bv_len ) { + p = slap_strcopy( p, ",cn=" ); + p = slap_strcopy( p, conn->c_sasl_bind_mech.bv_val ); } - strcpy( dn+len, ",cn=auth" ); - len += (sizeof(",cn=auth")-1); + p = slap_strcopy( p, ",cn=auth" ); + dn->bv_len = p - dn->bv_val; + is_dn = SET_DN; #ifdef NEW_LOGGING LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY, - "slap_sasl_getdn: u:id converted to %s.\n", dn )); + "slap_sasl_getdn: u:id converted to %s.\n", dn->bv_val )); #else - Debug( LDAP_DEBUG_TRACE, "getdn: u:id converted to %s\n", dn,0,0 ); + Debug( LDAP_DEBUG_TRACE, "getdn: u:id converted to %s\n", dn->bv_val,0,0 ); #endif } /* DN strings that are a cn=auth identity to run through regexp */ - if( !strncasecmp( dn, "dn:", sizeof("dn:")-1) && - ( ( flags & FLAG_GETDN_FINAL ) == 0 ) ) + if( is_dn == SET_DN && ( ( flags & FLAG_GETDN_FINAL ) == 0 ) ) { - c1 = slap_sasl2dn( dn + (sizeof("dn:")-1) ); - if( c1 ) { - ch_free( dn ); - dn = c1; - /* Reaffix the dn: prefix if it was removed */ - if( 
strncasecmp( dn, "dn:", sizeof("dn:")-1) ) { - c1 = dn; - dn = ch_malloc( strlen( c1 ) + sizeof("dn:") ); - sprintf( dn, "dn:%s", c1 ); - ch_free( c1 ); - } - + slap_sasl2dn( dn, &dn2 ); + if( dn2.bv_val ) { + ch_free( dn->bv_val ); + *dn = dn2; #ifdef NEW_LOGGING LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY, - "slap_sasl_getdn: dn:id converted to %s.\n", dn )); + "slap_sasl_getdn: dn:id converted to %s.\n", dn->bv_val )); #else Debug( LDAP_DEBUG_TRACE, "getdn: dn:id converted to %s\n", - dn, 0, 0 ); + dn->bv_val, 0, 0 ); #endif } } - if( ( flags & FLAG_GETDN_FINAL ) == 0 ) { - dn_normalize( dn+(sizeof("dn:")-1) ); + if( flags & FLAG_GETDN_FINAL ) { + /* omit "dn:" prefix */ + is_dn = 0; + } else { + rc = dnNormalize2( NULL, dn, &dn2 ); + free(dn->bv_val); + if ( rc != LDAP_SUCCESS ) { + *dn = slap_empty_bv; + return rc; + } + *dn = dn2; + } + + /* Attach the "dn:" prefix if needed */ + if ( is_dn == SET_DN ) { + c1 = ch_malloc( dn->bv_len + sizeof("dn:") ); + strcpy( c1, "dn:" ); + strcpy( c1 + 3, dn->bv_val ); + free( dn->bv_val ); + dn->bv_val = c1; + dn->bv_len += 3; } - *dnptr = dn; return( LDAP_SUCCESS ); } @@ -249,7 +266,7 @@ slap_sasl_authorize( const char **user, const char **errstr) { - char *authcDN, *authzDN; + struct berval authcDN, authzDN; int rc; Connection *conn = context; 
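Review bot: The `u:` to `uid=...,cn=auth` rebuild in this hunk under-allocates: `len` sums `uid=`, the name, `,cn=` plus realm, `,cn=` plus mechanism and `,cn=auth` exactly, so `ch_malloc( len )` leaves no byte for the terminator, and the final `slap_strcopy( p, ",cn=auth" )` writes its NUL one past the end (that it writes one is what `dn->bv_len = p - dn->bv_val` relies on). The old code had two spare bytes from having counted the `u:` prefix, so this is a regression, and the name, realm and mechanism are attacker-influenced inputs of an unauthenticated bind. The write side also disagrees with the count for an empty realm: `if( c && *c )` adds the length but `if( c )` writes `,cn=`, four more unaccounted bytes if the realm property can come back as an empty string. Fix both: `dn->bv_val = ch_malloc( len + 1 );` and change the write guard to `if( c && *c ) {`.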
@@ -281,24 +298,24 @@ slap_sasl_authorize( #ifdef NEW_LOGGING LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY, "slap_sasl_authorize: conn %d Using authcDN=%s\n", - conn ? conn->c_connid : -1, authcDN )); + conn ? conn->c_connid : -1, authcDN.bv_val )); #else Debug( LDAP_DEBUG_TRACE, "SASL Authorize [conn=%ld]: " - "Using authcDN=%s\n", (long) (conn ? conn->c_connid : -1), authcDN,0 ); + "Using authcDN=%s\n", (long) (conn ? conn->c_connid : -1), authcDN.bv_val,0 ); #endif - *user = authcDN; + *user = authcDN.bv_val; *errstr = NULL; return SASL_OK; } rc = slap_sasl_getdn( conn, (char *)authzid, &authzDN, FLAG_GETDN_AUTHZID ); if( rc != LDAP_SUCCESS ) { - ch_free( authcDN ); + ch_free( authcDN.bv_val ); *errstr = ldap_err2string( rc ); return SASL_NOAUTHZ; } - rc = slap_sasl_authorized( authcDN, authzDN ); + rc = slap_sasl_authorized( &authcDN, &authzDN ); if( rc ) { #ifdef NEW_LOGGING LDAP_LOG(( "sasl", LDAP_LEVEL_INFO, @@ -311,8 +328,8 @@ slap_sasl_authorize( #endif *errstr = "not authorized"; - ch_free( authcDN ); - ch_free( authzDN ); + ch_free( authcDN.bv_val ); + ch_free( authzDN.bv_val ); return SASL_NOAUTHZ; } @@ -327,8 +344,8 @@ slap_sasl_authorize( #endif - ch_free( authcDN ); - *user = authzDN; + ch_free( authcDN.bv_val ); + *user = authzDN.bv_val; *errstr = NULL; return SASL_OK; } @@ -614,7 +631,7 @@ int slap_sasl_bind( struct berval *dn, struct berval *ndn, struct berval *cred, - char **edn, + struct berval *edn, slap_ssf_t *ssfp ) { int rc = 1; 
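Review bot: `*user = authcDN.bv_val;` and the `Using authcDN=%s` log lines assume authcDN carries a string, but slap_sasl_getdn returns LDAP_SUCCESS with a zeroed `*dn` for an `anonymous` authcid, so an anonymous authentication identity reaches `%s` with NULL here and, when a different authzid is supplied, `slap_sasl_authorized( &authcDN, &authzDN )` ends in `dn_match` on a NULL bv_val. Returning a NULL `*user` may well be intended for the ANONYMOUS mechanism, so I would only refuse the authorization branch: if the code above this hunk does not already do so, add before the `slap_sasl_authorized` call `if( authcDN.bv_val == NULL ) { *errstr = "not authorized"; return SASL_NOAUTHZ; }` and print `authcDN.bv_val ? authcDN.bv_val : ""` in the logs. slap_sasl_authorize begins above this hunk.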
@@ -631,13 +648,13 @@ int slap_sasl_bind( "sasl_bind: conn %ld dn=\"%s\" mech=%s datalen=%ld\n", conn->c_connid, dn->bv_len ? dn->bv_val : "", - conn->c_sasl_bind_in_progress ? "" : conn->c_sasl_bind_mech, + conn->c_sasl_bind_in_progress ? "" : conn->c_sasl_bind_mech.bv_val, cred ? cred->bv_len : 0 )); #else Debug(LDAP_DEBUG_ARGS, "==> sasl_bind: dn=\"%s\" mech=%s datalen=%ld\n", dn->bv_len ? dn->bv_val : "", - conn->c_sasl_bind_in_progress ? "":conn->c_sasl_bind_mech, + conn->c_sasl_bind_in_progress ? "":conn->c_sasl_bind_mech.bv_val, cred ? cred->bv_len : 0 ); #endif @@ -650,7 +667,7 @@ int slap_sasl_bind( if ( !conn->c_sasl_bind_in_progress ) { sc = sasl_server_start( ctx, - conn->c_sasl_bind_mech, + conn->c_sasl_bind_mech.bv_val, cred->bv_len ? cred->bv_val : "", cred->bv_len, (char **)&response.bv_val, &reslen, &errstr ); @@ -698,15 +715,6 @@ int slap_sasl_bind( ldap_pvt_thread_mutex_unlock( &conn->c_mutex ); } - /* Store the authorization DN as a subjectDN */ - if ( *edn ) { - i = 2; - do { - i++; - (*edn)[i-3] = (*edn)[i]; - } while( (*edn)[i] ); - } - send_ldap_sasl( conn, op, rc, NULL, NULL, NULL, NULL, response.bv_len ? &response : NULL ); diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c index 8d6b121006..760cf2f7f8 100644 --- a/servers/slapd/saslauthz.c +++ b/servers/slapd/saslauthz.c 
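Review bot: Dropping the loop that shifted `*edn` three bytes left to remove its `dn:` prefix makes slap_sasl_bind depend on slap_sasl_getdn's FLAG_GETDN_FINAL path never attaching the prefix (it sets `is_dn = 0` before the prefix step), but the call that fills `edn` sits between these hunks and nothing there records that. A one-line comment at that call keeps the next reader from re-adding a strip: `/* FLAG_GETDN_FINAL: edn comes back as a bare DN without the "dn:" prefix and is not re-normalized here */`. Also, `sasl_server_start( ctx, conn->c_sasl_bind_mech.bv_val, ...)` consumes the mechanism as a C string, so it sees only the bytes up to the first NUL of a value bind.c now compares by length. slap_sasl_bind's body continues outside the hunks.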
@@ -330,27 +330,29 @@ static int sasl_sc_sasl2dn( BackendDB *be, Connection *conn, Operation *o, * entry, return the DN of that one entry. */ -char *slap_sasl2dn( char *saslname ) +void slap_sasl2dn( struct berval *saslname, struct berval *dn ) { char *uri=NULL; struct berval searchbase = {0, NULL}; - struct berval dn = {0, NULL}; int rc, scope; Backend *be; Filter *filter=NULL; - slap_callback cb = {sasl_sc_r, sasl_sc_s, sasl_sc_sasl2dn, &dn}; + slap_callback cb = {sasl_sc_r, sasl_sc_s, sasl_sc_sasl2dn, NULL}; Operation op = {0}; #ifdef NEW_LOGGING LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY, - "slap_sasl2dn: converting SASL name %s to DN.\n", saslname )); + "slap_sasl2dn: converting SASL name %s to DN.\n", saslname->bv_val )); #else Debug( LDAP_DEBUG_TRACE, - "==>slap_sasl2dn: Converting SASL name %s to a DN\n", saslname, 0,0 ); + "==>slap_sasl2dn: Converting SASL name %s to a DN\n", saslname->bv_val, 0,0 ); #endif + dn->bv_val = NULL; + dn->bv_len = 0; + cb.sc_private = dn; /* Convert the SASL name into an LDAP URI */ - uri = slap_sasl_regexp( saslname ); + uri = slap_sasl_regexp( saslname->bv_val ); if( uri == NULL ) goto FINISHED; @@ -361,7 +363,7 @@ char *slap_sasl2dn( char *saslname ) /* Massive shortcut: search scope == base */ if( scope == LDAP_SCOPE_BASE ) { - dn = searchbase; + *dn = searchbase; searchbase.bv_len = 0; searchbase.bv_val = NULL; goto FINISHED; @@ -387,8 +389,7 @@ char *slap_sasl2dn( char *saslname ) ldap_pvt_thread_mutex_init( &op.o_abandonmutex ); op.o_tag = LDAP_REQ_SEARCH; op.o_protocol = LDAP_VERSION3; - op.o_ndn.bv_val = saslname; - op.o_ndn.bv_len = strlen(saslname); + op.o_ndn = *saslname; op.o_callback = &cb; op.o_time = slap_get_time(); 
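Review bot: `op.o_ndn = *saslname;` runs the mapping search as the name being mapped, but slap_sasl_getdn invokes slap_sasl2dn before its dnNormalize2 step (the normalize follows the `slap_sasl2dn( dn, &dn2 )` call in sasl.c), so o_ndn — the field slap.h labels the normalized DN — carries a raw `uid=...,cn=...,cn=auth` string with whatever case and spacing the client, realm and mechanism supplied, and any ACL evaluated during the search compares against a non-normalized value. This is inherited from the old `op.o_ndn.bv_val = saslname`, but the switch to struct berval is a natural point to either normalize once here or state in the comment above the function that saslname must already be normalized. Separately, the function hands ownership of `dn->bv_val` to the caller both on the scope==base shortcut (`*dn = searchbase`) and via the callback, which the header comment should say. slap_sasl2dn begins above this hunk and its FINISHED label is in the next one.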
@@ -406,13 +407,13 @@ FINISHED: #ifdef NEW_LOGGING LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY, "slap_sasl2dn: Converted SASL name to %s\n", - dn.bv_len ? dn.bv_val : "" )); + dn->bv_len ? dn->bv_val : "" )); #else Debug( LDAP_DEBUG_TRACE, "<==slap_sasl2dn: Converted SASL name to %s\n", - dn.bv_len ? dn.bv_val : "", 0, 0 ); + dn->bv_len ? dn->bv_val : "", 0, 0 ); #endif - return( dn.bv_val ); + return; } typedef struct smatch_info { @@ -443,7 +444,7 @@ static int sasl_sc_smatch( BackendDB *be, Connection *conn, Operation *o, */ static -int slap_sasl_match( char *rule, struct berval *assertDN, char *authc ) +int slap_sasl_match( char *rule, struct berval *assertDN, struct berval *authc ) { struct berval searchbase = {0, NULL}; int rc, scope; @@ -506,8 +507,7 @@ int slap_sasl_match( char *rule, struct berval *assertDN, char *authc ) ldap_pvt_thread_mutex_init( &op.o_abandonmutex ); op.o_tag = LDAP_REQ_SEARCH; op.o_protocol = LDAP_VERSION3; - op.o_ndn.bv_val = authc; - op.o_ndn.bv_len = strlen(authc); + op.o_ndn = *authc; op.o_callback = &cb; op.o_time = slap_get_time(); @@ -546,7 +546,7 @@ CONCLUDED: * DN's passed in should have a dn: prefix */ static int -slap_sasl_check_authz(char *searchDN, char *assertDN, struct berval *attr, char *authc) +slap_sasl_check_authz(struct berval *searchDN, struct berval *assertDN, struct berval *attr, struct berval *authc) { const char *errmsg; int i, rc; 
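Review bot: In slap_sasl_match, `op.o_ndn = *authc;` installs authc unchanged as the normalized identity for the internal search, whereas slap_sasl_check_authz strips three bytes from `searchDN` and `assertDN` before using them and its header says the DNs arrive with a `dn:` prefix. If the authc it forwards is that same prefixed authcDN (the call sits between the hunks), the rule search runs as `dn:cn=...` and no DN-based ACL can ever match it, silently affecting what the search is allowed to see. This predates the commit, but the berval conversion is the moment to fix it, e.g. a local berval set to `authc->bv_val + 3` / `authc->bv_len - 3` assigned to `op.o_ndn`, or tightening the contract so callers pass a bare DN. The rest of slap_sasl_match, including its CONCLUDED cleanup, lies outside this hunk.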
@@ -557,25 +557,25 @@ slap_sasl_check_authz(char *searchDN, char *assertDN, struct berval *attr, char #ifdef NEW_LOGGING LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY, "slap_sasl_check_authz: does %s match %s rule in %s?\n", - assertDN, attr->bv_val, searchDN )); + assertDN->bv_val, attr->bv_val, searchDN->bv_val )); #else Debug( LDAP_DEBUG_TRACE, "==>slap_sasl_check_authz: does %s match %s rule in %s?\n", - assertDN, attr->bv_val, searchDN); + assertDN->bv_val, attr->bv_val, searchDN->bv_val); #endif rc = slap_bv2ad( attr, &ad, &errmsg ); if( rc != LDAP_SUCCESS ) goto COMPLETE; - bv.bv_val = searchDN+3; - bv.bv_len = strlen(bv.bv_val); + bv.bv_val = searchDN->bv_val + 3; + bv.bv_len = searchDN->bv_len - 3; rc = backend_attribute( NULL, NULL, NULL, NULL, &bv, ad, &vals ); if( rc != LDAP_SUCCESS ) goto COMPLETE; - bv.bv_val = assertDN+3; - bv.bv_len = strlen(bv.bv_val); + bv.bv_val = assertDN->bv_val + 3; + bv.bv_len = assertDN->bv_len - 3; /* Check if the *assertDN matches any **vals */ for( i=0; vals[i].bv_val != NULL; i++ ) { rc = slap_sasl_match( vals[i].bv_val, &bv, authc ); @@ -609,7 +609,7 @@ static struct berval sasl_authz_src = { static struct berval sasl_authz_dst = { sizeof(SASL_AUTHZ_DEST_ATTR)-1, SASL_AUTHZ_DEST_ATTR }; -int slap_sasl_authorized( char *authcDN, char *authzDN ) +int slap_sasl_authorized( struct berval *authcDN, struct berval *authzDN ) { int rc = LDAP_INAPPROPRIATE_AUTH; 
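Review bot: `bv.bv_len = searchDN->bv_len - 3;` and `bv.bv_len = assertDN->bv_len - 3;` are unsigned arithmetic on ber_len_t, so a DN that arrives without the `dn:` prefix the comment above this function requires yields a huge length (and a `bv_val + 3` past the end) that is then handed to backend_attribute and slap_sasl_match. The prefix is guaranteed today only by slap_sasl_getdn's `is_dn == SET_DN` step several calls away; an `assert( searchDN->bv_len >= 3 && assertDN->bv_len >= 3 );` before the first strip, or an early `goto COMPLETE`, turns that contract into something the code checks. slap_sasl_check_authz continues past this hunk.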
@@ -622,14 +622,14 @@ int slap_sasl_authorized( char *authcDN, char *authzDN ) #ifdef NEW_LOGGING LDAP_LOG(( "sasl", LDAP_LEVEL_ENTRY, - "slap_sasl_authorized: can %s become %s?\n", authcDN, authzDN )); + "slap_sasl_authorized: can %s become %s?\n", authcDN->bv_val, authzDN->bv_val )); #else Debug( LDAP_DEBUG_TRACE, - "==>slap_sasl_authorized: can %s become %s?\n", authcDN, authzDN, 0 ); + "==>slap_sasl_authorized: can %s become %s?\n", authcDN->bv_val, authzDN->bv_val, 0 ); #endif /* If person is authorizing to self, succeed */ - if ( !strcmp( authcDN, authzDN ) ) { + if ( dn_match( authcDN, authzDN ) ) { rc = LDAP_SUCCESS; goto DONE; } diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h index 4c1e7c0819..8fde5e3647 100644 --- a/servers/slapd/slap.h +++ b/servers/slapd/slap.h @@ -824,7 +824,7 @@ typedef enum slap_style_e { typedef struct slap_authz_info { ber_tag_t sai_method; /* LDAP_AUTH_* from */ - char * sai_mech; /* SASL Mechanism */ + struct berval sai_mech; /* SASL Mechanism */ struct berval sai_dn; /* DN for reporting purposes */ struct berval sai_ndn; /* Normalized DN */ @@ -1462,7 +1462,7 @@ typedef struct slap_conn { /* only can be changed by binding thread */ int c_sasl_bind_in_progress; /* multi-op bind in progress */ - char *c_sasl_bind_mech; /* mech in progress */ + struct berval c_sasl_bind_mech; /* mech in progress */ struct berval c_cdn; /* authentication backend */ -- 2.39.5