From 6f2a817d9dd08e2d47dba49b0281708fe0d94f9e Mon Sep 17 00:00:00 2001 From: Kurt Zeilenga Date: Tue, 25 Apr 2000 13:21:42 +0000 Subject: [PATCH] bind/sasl cleanup PRIOR TO moving call from backend to frontend --- servers/slapd/bind.c | 66 +++++++++++++++++++++----------------------- servers/slapd/sasl.c | 8 ++++-- 2 files changed, 36 insertions(+), 38 deletions(-) diff --git a/servers/slapd/bind.c b/servers/slapd/bind.c index 364f803201..a83f5988e6 100644 --- a/servers/slapd/bind.c +++ b/servers/slapd/bind.c @@ -54,9 +54,8 @@ do_bind( ldap_pvt_thread_mutex_lock( &conn->c_mutex ); - /* Force to connection to "anonymous" until bind succeeds. - * This may need to be relocated or done on a case by case basis - * to handle certain SASL mechanisms. + /* + * Force to connection to "anonymous" until bind succeeds. */ if ( conn->c_cdn != NULL ) { @@ -69,6 +68,7 @@ do_bind( conn->c_dn = NULL; } + conn->c_authc_backend = NULL; conn->c_authz_backend = NULL; ldap_pvt_thread_mutex_unlock( &conn->c_mutex ); @@ -172,16 +172,23 @@ do_bind( Debug( LDAP_DEBUG_ANY, "do_bind: unknown version=%ld\n", (unsigned long) version, 0, 0 ); send_ldap_result( conn, op, rc = LDAP_PROTOCOL_ERROR, - NULL, "version not supported", NULL, NULL ); + NULL, "requested protocol version not supported", NULL, NULL ); goto cleanup; } + /* we set connection version regardless of whether bind succeeds + * or not. + */ + ldap_pvt_thread_mutex_lock( &conn->c_mutex ); + conn->c_protocol = version; + ldap_pvt_thread_mutex_unlock( &conn->c_mutex ); + if ( method == LDAP_AUTH_SASL ) { if ( version < LDAP_VERSION3 ) { Debug( LDAP_DEBUG_ANY, "do_bind: sasl with LDAPv%ld\n", (unsigned long) version, 0, 0 ); send_ldap_disconnect( conn, op, - LDAP_PROTOCOL_ERROR, "sasl bind requires LDAPv3" ); + LDAP_PROTOCOL_ERROR, "SASL bind requires LDAPv3" ); rc = SLAPD_DISCONNECT; goto cleanup; } @@ -190,8 +197,8 @@ do_bind( Debug( LDAP_DEBUG_ANY, "do_bind: no sasl mechanism provided\n", 0, 0, 0 ); - send_ldap_result( conn, op, rc = LDAP_AUTH_METHOD_NOT_SUPPORTED, - NULL, "no sasl mechanism provided", NULL, NULL ); + send_ldap_result( conn, op, rc = LDAP_PROTOCOL_ERROR, + NULL, "no SASL mechanism provided", NULL, NULL ); goto cleanup; } @@ -200,7 +207,7 @@ do_bind( "do_bind: sasl mechanism=\"%s\" not supported.\n", mech, 0, 0 ); send_ldap_result( conn, op, rc = LDAP_AUTH_METHOD_NOT_SUPPORTED, - NULL, "sasl mechanism not supported", NULL, NULL ); + NULL, "SASL mechanism not supported", NULL, NULL ); goto cleanup; } @@ -227,7 +234,10 @@ do_bind( assert( conn->c_authstate == NULL ); #endif } + ldap_pvt_thread_mutex_unlock( &conn->c_mutex ); + } else { + /* Not SASL, cancel any in-progress bind */ ldap_pvt_thread_mutex_lock( &conn->c_mutex ); if ( conn->c_authmech != NULL ) { @@ -240,22 +250,24 @@ do_bind( free(conn->c_authstate); conn->c_authstate = NULL; } + free(conn->c_authmech); conn->c_authmech = NULL; } - } - conn->c_protocol = version; - ldap_pvt_thread_mutex_unlock( &conn->c_mutex ); + ldap_pvt_thread_mutex_unlock( &conn->c_mutex ); + } - /* accept null binds */ - if ( ndn == NULL || *ndn == '\0' ) { + /* accept "anonymous" binds */ + if ( cred.bv_len == 0 || ndn == NULL || *ndn == '\0' ) { /* - * we already forced connection to "anonymous", we just - * need to send success + * we already forced connection to "anonymous", + * just need to send success */ send_ldap_result( conn, op, LDAP_SUCCESS, NULL, NULL, NULL, NULL ); + Debug( LDAP_DEBUG_TRACE, "do_bind: v%d anonymous bind\n", + version, 0, 0 ); goto cleanup; } @@ -266,11 +278,7 @@ do_bind( */ if ( (be = select_backend( ndn )) == NULL ) { - if ( cred.bv_len == 0 ) { - send_ldap_result( conn, op, LDAP_SUCCESS, - NULL, NULL, NULL, NULL ); - - } else if ( default_referral ) { + if ( default_referral ) { send_ldap_result( conn, op, rc = LDAP_REFERRAL, NULL, NULL, default_referral, NULL ); @@ -306,10 +314,6 @@ do_bind( method, mech, &cred, &edn ); if ( ret == 0 ) { -#ifdef HAVE_CYRUS_SASL - int ssf = 0; -#endif - ldap_pvt_thread_mutex_lock( &conn->c_mutex ); conn->c_cdn = dn; @@ -322,8 +326,8 @@ do_bind( ndn = NULL; } - Debug( LDAP_DEBUG_TRACE, "do_bind: bound \"%s\" to \"%s\"\n", - conn->c_cdn, conn->c_dn, method ); + Debug( LDAP_DEBUG_TRACE, "do_bind: v%d bind: \"%s\" to \"%s\"\n", + version, conn->c_cdn, conn->c_dn, ); ldap_pvt_thread_mutex_unlock( &conn->c_mutex ); @@ -331,21 +335,13 @@ do_bind( send_ldap_result( conn, op, LDAP_SUCCESS, NULL, NULL, NULL, NULL ); -#ifdef HAVE_CYRUS_SASL - if ( conn->c_sasl_context != NULL && - sasl_getprop( conn->c_sasl_context, SASL_SSF, (void **)&ssf ) - == SASL_OK && ssf ) { - /* Enable encode/decode */ - ldap_pvt_sasl_install( conn->c_sb, conn->c_sasl_context ); - } -#endif } else if (edn != NULL) { free( edn ); } } else { send_ldap_result( conn, op, rc = LDAP_UNWILLING_TO_PERFORM, - NULL, "Function not implemented", NULL, NULL ); + NULL, "bind function not implemented", NULL, NULL ); } cleanup: diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c index 433cb9d9e4..2139080d7d 100644 --- a/servers/slapd/sasl.c +++ b/servers/slapd/sasl.c @@ -162,7 +162,8 @@ int sasl_bind( callbacks[cbnum].id = SASL_CB_LIST_END; callbacks[cbnum].proc = NULL; callbacks[cbnum].context = NULL; - + + /* create new SASL context */ if ( sasl_server_new( "ldap", NULL, be->be_realm, callbacks, SASL_SECURITY_LAYER, &conn->c_sasl_context ) != SASL_OK ) { send_ldap_result( conn, op, LDAP_AUTH_METHOD_NOT_SUPPORTED, @@ -185,6 +186,7 @@ int sasl_bind( NULL, errstr, NULL, NULL ); } } + if ( sc == SASL_OK ) { char *authzid; @@ -199,7 +201,7 @@ int sasl_bind( if ( strcasecmp( authzid, "anonymous" ) == 0 ) { *edn = ch_strdup( "" ); } else { - *edn = ch_malloc( strlen( authzid ) + sizeof( "authzid=" ) ); + *edn = ch_malloc( sizeof( "authzid=" ) + strlen( authzid ) ); strcpy( *edn, "authzid=" ); strcat( *edn, authzid ); } @@ -214,7 +216,7 @@ int sasl_bind( */ conn->c_bind_in_progress = 1; send_ldap_sasl( conn, op, LDAP_SASL_BIND_IN_PROGRESS, - /* matched */ NULL, /* text */ NULL, /* refs */ NULL, /* controls */ NULL, &response ); + NULL, NULL, NULL, NULL, &response ); } Debug(LDAP_DEBUG_TRACE, "<== sasl_bind: rc=%d\n", rc, 0, 0); -- 2.39.5