From 8a5423ea8d1b74b54002dfd66af7d41cb171ff1b Mon Sep 17 00:00:00 2001
From: Howard Chu
Date: Thu, 18 Apr 2002 12:26:36 +0000
Subject: [PATCH] deleted sasl_external_x509dn_convert; X509 DNs are always converted to normalized LDAP DNs now. Changed dnDCEnormalize to dnX509normalize, added dnX509peerNormalize, based on new ldap_X509dn2bv() etc.
---
 servers/slapd/config.c | 4 ----
 servers/slapd/connection.c | 2 +-
 servers/slapd/dn.c | 42 +++++++++++--------------------
 servers/slapd/proto-slap.h | 5 +++--
 servers/slapd/sasl.c | 23 +++++++-------------
 servers/slapd/schema_init.c | 14 ++-----------
 6 files changed, 26 insertions(+), 64 deletions(-)
diff --git a/servers/slapd/config.c b/servers/slapd/config.c
index 2865316814..94f0b91c1f 100644
--- a/servers/slapd/config.c
+++ b/servers/slapd/config.c
@@ -57,7 +57,6 @@ char *slapd_args_file = NULL;
 int nSaslRegexp = 0;
 SaslRegexp_t *SaslRegexp = NULL;
-int sasl_external_x509dn_convert;
 #ifdef SLAPD_RLOOKUPS
 int use_reverse_lookup = 1;
@@ -677,9 +676,6 @@ read_config( const char *fname )
 return 1;
 }
- } else if ( strcasecmp( cargv[0], "sasl-external-x509dn-convert" ) == 0 ) {
- sasl_external_x509dn_convert++;
-
 /* set UCDATA path */
 } else if ( strcasecmp( cargv[0], "ucdata-path" ) == 0 ) {
 int err;
diff --git a/servers/slapd/connection.c b/servers/slapd/connection.c
index 41828b6aca..5cb8f524aa 100644
--- a/servers/slapd/connection.c
+++ b/servers/slapd/connection.c
@@ -1201,7 +1201,7 @@ int connection_read(ber_socket_t s)
 c->c_ssf = c->c_tls_ssf;
 }
- authid = (char *)ldap_pvt_tls_get_peer( ssl );
+ authid = dnX509peerNormalize( ssl );
 slap_sasl_external( c, c->c_tls_ssf, authid );
 }
 connection_return( c );
diff --git a/servers/slapd/dn.c b/servers/slapd/dn.c
index 40064a47fa..3c68a0b98a 100644
--- a/servers/slapd/dn.c
+++ b/servers/slapd/dn.c
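Review bot: `authid = dnX509peerNormalize( ssl );` is handed straight to `slap_sasl_external()` with no NULL check, and the new helper has two failure modes where the old `ldap_pvt_tls_get_peer()` call had one: no client certificate, and a peer DN that `ldap_pvt_tls_get_peer_dn()` could not convert or normalize. Whether `slap_sasl_external()` tolerates a NULL identity is not visible in this hunk; if it does, a comment at the assignment would make the contract explicit, e.g. `/* NULL when no client cert was presented or its DN failed normalization; EXTERNAL then carries no identity */`. Who frees the returned string is also not stated at either end and is worth confirming against `ldap_pvt_tls_get_peer_dn()`. `connection_read()` starts outside this hunk.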
@@ -831,38 +831,20 @@ dnIsSuffix(
 }
 /*
- * Convert a DN from X.500 format into a normalized DN
+ * Convert an X.509 DN into a normalized LDAP DN
 */
 int
-dnDCEnormalize( char *dce, struct berval *out )
+dnX509normalize( void *x509_name, struct berval *out )
 {
- int rc;
- LDAPDN *dn = NULL;
-
- out->bv_val = NULL;
- out->bv_len = 0;
-
- rc = ldap_str2dn( dce, &dn, LDAP_DN_FORMAT_DCE );
- if ( rc != LDAP_SUCCESS )
- return rc;
-
- /*
- * Schema-aware rewrite
- */
- if ( LDAPDN_rewrite( dn, 0 ) != LDAP_SUCCESS ) {
- ldap_dnfree( dn );
- return LDAP_INVALID_SYNTAX;
- }
-
- /*
- * Back to string representation
- */
- rc = ldap_dn2bv( dn, out, LDAP_DN_FORMAT_LDAPV3 );
-
- ldap_dnfree( dn );
+ /* Invoke the LDAP library's converter with our schema-rewriter */
+ return ldap_X509dn2bv( x509_name, out, LDAPDN_rewrite, 0 );
+}
- if ( rc != LDAP_SUCCESS ) {
- rc = LDAP_INVALID_SYNTAX;
- }
- return rc;
+/*
+ * Get the TLS session's peer's DN into a normalized LDAP DN
+ */
+char *
+dnX509peerNormalize( void *ssl )
+{
+ return ldap_pvt_tls_get_peer_dn( ssl, (LDAPDN_rewrite_dummy *)LDAPDN_rewrite, 0 );
 }
diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h
index 0e0939eac9..3559936721 100644
--- a/servers/slapd/proto-slap.h
+++ b/servers/slapd/proto-slap.h
@@ -404,7 +404,9 @@ LDAP_SLAPD_F (void) build_new_dn LDAP_P((
 LDAP_SLAPD_F (void) dnParent LDAP_P(( struct berval *dn, struct berval *pdn ));
-LDAP_SLAPD_F (int) dnDCEnormalize LDAP_P(( char *dce, struct berval *out ));
+LDAP_SLAPD_F (int) dnX509normalize LDAP_P(( void *x509_name, struct berval *out ));
+
+LDAP_SLAPD_F (char *) dnX509peerNormalize LDAP_P(( void *ssl ));
 /*
 * entry.c
@@ -999,7 +1001,6 @@ LDAP_SLAPD_V (int) global_idletimeout;
 LDAP_SLAPD_V (int) global_schemacheck;
 LDAP_SLAPD_V (char *) global_host;
 LDAP_SLAPD_V (char *) global_realm;
-LDAP_SLAPD_V (int) sasl_external_x509dn_convert;
 LDAP_SLAPD_V (char *) default_passwd_hash;
 LDAP_SLAPD_V (int) lber_debug;
 LDAP_SLAPD_V (int) ldap_syslog;
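Review bot: `dnX509normalize()` no longer clears `out` before converting, whereas the removed `dnDCEnormalize()` set `out->bv_val = NULL; out->bv_len = 0;` first, and a caller changed in this same commit (`certificateExactMatch()` in schema_init.c) ignores the return value and goes on to use `issuer_dn`. Unless `ldap_X509dn2bv()` is known to zero `out` on every failure path, keep the two-line reset ahead of `return ldap_X509dn2bv( x509_name, out, LDAPDN_rewrite, 0 );` so a failed conversion cannot leave callers holding an indeterminate berval. The cast `(LDAPDN_rewrite_dummy *)LDAPDN_rewrite` in `dnX509peerNormalize()` implies the library prototype and `LDAPDN_rewrite`'s signature differ; a one-line comment stating why the cast is sound would spare the next reader a detour into the library headers.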
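Review bot: the new prototypes take `void *x509_name` and `void *ssl`, so the compiler cannot catch a caller handing an `SSL *` to `dnX509normalize()` or an `X509_NAME *` to `dnX509peerNormalize()`; the three call sites in this commit are consistent, but the header says nothing about which opaque type each expects or who frees the result. Presumably the erasure keeps the TLS library's headers out of proto-slap.h; a comment on each declaration, e.g. `/* x509_name: an X509_NAME *; out->bv_val is allocated for the caller */` and `/* ssl: the connection's SSL *; returns an allocated DN string, or NULL on failure */` (ownership to be confirmed against the library), would recover most of the lost information.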
diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c
index fb5e698141..a6bcb45099 100644
--- a/servers/slapd/sasl.c
+++ b/servers/slapd/sasl.c
@@ -173,22 +173,17 @@ int slap_sasl_getdn( Connection *conn, char *id, int len,
 /* An authcID needs to be converted to authzID form */
 if( flags & FLAG_GETDN_AUTHCID ) {
- if( sasl_external_x509dn_convert
- && conn->c_sasl_bind_mech.bv_len == ext_bv.bv_len
- && ( strcasecmp( ext_bv.bv_val, conn->c_sasl_bind_mech.bv_val ) == 0 )
- && id[0] == '/' )
- {
- /* check SASL external for X.509 style DN and */
- /* convert to dn: form, result is normalized */
- dnDCEnormalize( id, dn );
+ if( conn->c_is_tls && conn->c_sasl_bind_mech.bv_len == ext_bv.bv_len
+ && ( strcasecmp( ext_bv.bv_val, conn->c_sasl_bind_mech.bv_val ) == 0 ) ) {
+ /* X.509 DN is already normalized */
 do_norm = 0;
 is_dn = SET_DN;
 } else {
 /* convert to u: form */
- ber_str2bv( id, len, 1, dn );
 is_dn = SET_U;
 }
+ ber_str2bv( id, len, 1, dn );
 }
 if( !is_dn ) {
 if( !strncasecmp( id, "u:", sizeof("u:")-1 )) {
@@ -449,9 +444,8 @@ slap_sasl_authorize(
 equal = !strcmp( auth_identity, requested_user );
 /* If using SASL-EXTERNAL, don't modify the ID in any way */
- if ( conn->c_sasl_bind_mech.bv_len == ext_bv.bv_len
- && ( strcasecmp( ext_bv.bv_val, conn->c_sasl_bind_mech.bv_val ) == 0 )
- && auth_identity[0] == '/' ) {
+ if ( conn->c_is_tls && conn->c_sasl_bind_mech.bv_len == ext_bv.bv_len
+ && ( strcasecmp( ext_bv.bv_val, conn->c_sasl_bind_mech.bv_val ) == 0 ) ) {
 ext = 1;
 realm = NULL;
 } else {
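Review bot: with the `id[0] == '/'` test removed, this branch now treats every SASL EXTERNAL authcID on a TLS connection as an already-normalized DN and sets `do_norm = 0`, so the correctness of all later DN comparisons rests on an invariant enforced in another file (connection.c feeding the output of `dnX509peerNormalize()` into `slap_sasl_external()`). If any other path can set the EXTERNAL identity on a TLS connection, or the TLS layer can ever return a string that is not a normalized DN, that value would enter authorization as a DN without normalization; the comment should at least name the invariant being relied on, e.g. `/* on TLS the EXTERNAL id is produced by dnX509peerNormalize() in connection.c and is already a normalized DN; do not normalize again */`. `slap_sasl_getdn()` begins outside this hunk.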
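Review bot: the predicate `conn->c_is_tls && conn->c_sasl_bind_mech.bv_len == ext_bv.bv_len && strcasecmp( ext_bv.bv_val, conn->c_sasl_bind_mech.bv_val ) == 0` is now spelled out three times in this file — here, in `slap_sasl_getdn()` (hunk at line 173) and again in `slap_sasl_authorize()` (hunk at line 582) — and all three copies must stay in step for the "already normalized" assumption to hold. A small file-scope helper, `static int slap_sasl_is_tls_external( Connection *conn ) { return conn->c_is_tls && conn->c_sasl_bind_mech.bv_len == ext_bv.bv_len && strcasecmp( ext_bv.bv_val, conn->c_sasl_bind_mech.bv_val ) == 0; }`, called from all three sites would make this a single decision. `slap_sasl_authorize()` starts and ends outside this hunk.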
@@ -582,9 +576,8 @@ slap_sasl_authorize(
 /* Convert the identities to DN's. If no authzid was given, client will be bound as the DN matching their username */
- if ( conn->c_sasl_bind_mech.bv_len == ext_bv.bv_len
- && ( strcasecmp( ext_bv.bv_val, conn->c_sasl_bind_mech.bv_val ) == 0 )
- && authcid[0] == '/' ) {
+ if ( conn->c_is_tls && conn->c_sasl_bind_mech.bv_len == ext_bv.bv_len
+ && ( strcasecmp( ext_bv.bv_val, conn->c_sasl_bind_mech.bv_val ) == 0 ) ) {
 ext = 1;
 xrealm = NULL;
 } else {
diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
index 85e9f2526f..ff204a1903 100644
--- a/servers/slapd/schema_init.c
+++ b/servers/slapd/schema_init.c
@@ -3480,16 +3480,6 @@ asn1_integer2str(ASN1_INTEGER *a, struct berval *bv)
 return ber_str2bv( p, 0, 1, bv );
 }
-/* Get a DN in RFC2253 format from a X509_NAME internal struct */
-int
-dn_openssl2ldap(X509_NAME *name, struct berval *out)
-{
- char buf[2048], *p;
-
- p = X509_NAME_oneline( name, buf, sizeof( buf ) );
- return dnDCEnormalize( p, out );
-}
-
 /*
 * Given a certificate in DER format, extract the corresponding
 * assertion value for certificateExactMatch
@@ -3522,7 +3512,7 @@ certificateExactConvert(
 X509_free(xcert);
 return LDAP_INVALID_SYNTAX;
 }
- if ( dn_openssl2ldap(X509_get_issuer_name(xcert), &issuer_dn ) != LDAP_SUCCESS ) {
+ if ( dnX509normalize(X509_get_issuer_name(xcert), &issuer_dn ) != LDAP_SUCCESS ) {
 X509_free(xcert);
 ber_memfree(serial.bv_val);
 return LDAP_INVALID_SYNTAX;
@@ -3636,7 +3626,7 @@ certificateExactMatch(
 }
 asn1_integer2str(xcert->cert_info->serialNumber, &serial);
- dn_openssl2ldap(X509_get_issuer_name(xcert), &issuer_dn);
+ dnX509normalize(X509_get_issuer_name(xcert), &issuer_dn);
 X509_free(xcert);
-- 
2.39.5
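Review bot: the return value of `dnX509normalize()` is discarded in `certificateExactMatch()`, while the parallel call in `certificateExactConvert()` (previous hunk) checks it and bails out with `LDAP_INVALID_SYNTAX`; a certificate whose issuer name cannot be converted therefore continues into the comparison with an `issuer_dn` whose contents depend on what the library leaves in `out` on failure. Because the new `dnX509normalize()` no longer pre-clears `out` the way `dnDCEnormalize()` did, the check belongs here rather than being left to the library. The handling below mirrors the convert path, including the `ber_memfree(serial.bv_val)` that `asn1_integer2str()`'s `ber_str2bv( p, 0, 1, bv )` makes necessary; `certificateExactMatch()` starts and ends outside the hunk, so the return convention should be confirmed against its other failure returns.
```c
	asn1_integer2str(xcert->cert_info->serialNumber, &serial);
	if ( dnX509normalize(X509_get_issuer_name(xcert), &issuer_dn) != LDAP_SUCCESS ) {
		X509_free(xcert);
		ber_memfree(serial.bv_val);
		return LDAP_INVALID_SYNTAX;
	}
	X509_free(xcert);
	/* … unchanged: serial / issuer comparison … */
```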